http-google-malware NSE Script
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Checks if hosts are on Google’s blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google’s Safe Browsing service.
To do this the script queries the Google’s Safe Browsing service and you need to have your own API key to access Google’s Safe Browsing Lookup services. Sign up for yours at <http://code.google.com/apis/safebrowsing/key_signup.html>
-
To learn more about Google’s Safe Browsing:
<http://code.google.com/apis/safebrowsing/> -
To register and get your personal API key:
<http://code.google.com/apis/safebrowsing/key_signup.html>
Script Arguments
http-google-malware.url
URL to check. Default: http/https://host
http-google-malware.api
API key for Google’s Safe Browsing Lookup service
slaxml.debug
See the documentation for the slaxml library.
http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap -p80 --script http-google-malware <host>
Script Output
PORT STATE SERVICE
80/tcp open http
|_http-google-malware.nse: Host is known for distributing malware.
Requires
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
description = [[
Checks if hosts are on Google's blacklist of suspected malware and phishing
servers. These lists are constantly updated and are part of Google's Safe
Browsing service.
To do this the script queries the Google's Safe Browsing service and you need
to have your own API key to access Google's Safe Browsing Lookup services. Sign
up for yours at http://code.google.com/apis/safebrowsing/key_signup.html
* To learn more about Google's Safe Browsing:
http://code.google.com/apis/safebrowsing/
* To register and get your personal API key:
http://code.google.com/apis/safebrowsing/key_signup.html
]]
---
-- @usage
-- nmap -p80 --script http-google-malware <host>
--
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- |_http-google-malware.nse: Host is known for distributing malware.
--
-- @args http-google-malware.url URL to check. Default: <code>http/https</code>://<code>host</code>
-- @args http-google-malware.api API key for Google's Safe Browsing Lookup service
---
author = "Paulino Calderon <[email protected]>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"malware", "discovery", "safe", "external"}
portrule = shortport.http
---#########################
--ENTER YOUR API KEY HERE #
---#########################
local APIKEY = ""
---#########################
--Builds Google Safe Browsing query
--@param apikey Api key
--@return Url
local function build_qry(apikey, url)
return string.format("https://sb-ssl.google.com/safebrowsing/api/lookup?client=%s&apikey=%s&appver=1.5.2&pver=3.0&url=%s", SCRIPT_NAME, apikey, url)
end
local function fail (err) return stdnse.format_output(false, err) end
---
--MAIN
---
action = function(host, port)
local apikey = stdnse.get_script_args("http-google-malware.api") or APIKEY
local malware_found = false
local target
local output_lns = {}
--Use the host IP if a hostname isn't available
if not(host.targetname) then
target = host.ip
else
target = host.targetname
end
local target_url = stdnse.get_script_args("http-google-malware.url") or string.format("%s://%s", port.service, target)
if string.len(apikey) < 25 then
return fail(("No API key found. Use the %s.api argument"):format(SCRIPT_NAME))
end
stdnse.debug1("Checking host %s", target_url)
local qry = build_qry(apikey, target_url)
local req = http.get_url(qry, {any_af=true})
stdnse.debug2("%s", qry)
if ( req.status > 400 ) then
return fail("Request failed (invalid API key?)")
end
--The Safe Lookup API responds with a type when site is on the lists
if req.body then
if http.response_contains(req, "malware") then
output_lns[#output_lns+1] = "Host is known for distributing malware."
malware_found = true
end
if http.response_contains(req, "phishing") then
output_lns[#output_lns+1] = "Host is known for being used in phishing attacks."
malware_found = true
end
end
--For the verbose lovers
if req.status == 204 and nmap.verbosity() >= 2 and not(malware_found) then
output_lns[#output_lns+1] = "Host is safe to browse."
end
if #output_lns > 0 then
return table.concat(output_lns, "\n")
end
end
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%