Diffstat (limited to 'scripts/auth-spoof.nse')
-rw-r--r-- | scripts/auth-spoof.nse | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/scripts/auth-spoof.nse b/scripts/auth-spoof.nse
new file mode 100644
index 0000000..42f0c4d
--- /dev/null
+++ b/scripts/auth-spoof.nse
@@ -0,0 +1,37 @@
+local comm = require "comm"
+local shortport = require "shortport"
+
+description = [[
+Checks for an identd (auth) server which is spoofing its replies.
+
+Tests whether an identd (auth) server responds with an answer before
+we even send the query. This sort of identd spoofing can be a sign of
+malware infection, though it can also be used for legitimate privacy
+reasons.
+]]
+
+---
+-- @output
+-- PORT STATE SERVICE REASON
+-- 113/tcp open auth syn-ack
+-- |_auth-spoof: Spoofed reply: 0, 0 : USERID : UNIX : OGJdvM
+
+author = "Diman Todorov"
+
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+
+categories = {"malware", "safe"}
+
+
+portrule = shortport.port_or_service(113, "auth")
+
+action = function(host, port)
+  local status, owner = comm.get_banner(host, port, {lines=1})
+
+  if not status then
+    return
+  end
+
+  return "Spoofed reply: " .. owner
+end
+
|
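Review bot: The banner captured on the `local status, owner = comm.get_banner(host, port, {lines=1})` line is untrusted data from the remote host and is concatenated unchanged into the script result on the `return "Spoofed reply: " .. owner` line, so a trailing CR/LF or other control bytes sent by the server end up verbatim in the report. Normalising it before returning keeps the single-line shape shown in the @output block: `owner = owner:gsub("%s+$", ""):gsub("%c", ".")`. Whether Nmap's output layer already escapes such bytes for the XML and grepable formats cannot be confirmed from this file, but the plain-text output would still carry them through. The empty-reply case (status true, banner "") presumably cannot occur with `lines=1`, but if it can, a check `if not status or owner == "" then return end` would avoid reporting a spoof on no data.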