summaryrefslogtreecommitdiffstats
path: root/scripts/http-google-malware.nse
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/http-google-malware.nse')
-rw-r--r--scripts/http-google-malware.nse109
1 files changed, 109 insertions, 0 deletions
diff --git a/scripts/http-google-malware.nse b/scripts/http-google-malware.nse
new file mode 100644
index 0000000..7006fd6
--- /dev/null
+++ b/scripts/http-google-malware.nse
@@ -0,0 +1,109 @@
+local http = require "http"
+local nmap = require "nmap"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local table = require "table"
+
+description = [[
+Checks if hosts are on Google's blacklist of suspected malware and phishing
+servers. These lists are constantly updated and are part of Google's Safe
+Browsing service.
+
+To do this the script queries the Google's Safe Browsing service and you need
+to have your own API key to access Google's Safe Browsing Lookup services. Sign
+up for yours at http://code.google.com/apis/safebrowsing/key_signup.html
+
+* To learn more about Google's Safe Browsing:
+http://code.google.com/apis/safebrowsing/
+
+* To register and get your personal API key:
+http://code.google.com/apis/safebrowsing/key_signup.html
+]]
+
+---
+-- @usage
+-- nmap -p80 --script http-google-malware <host>
+--
+-- @output
+-- PORT STATE SERVICE
+-- 80/tcp open http
+-- |_http-google-malware.nse: Host is known for distributing malware.
+--
+-- @args http-google-malware.url URL to check. Default: <code>http/https</code>://<code>host</code>
+-- @args http-google-malware.api API key for Google's Safe Browsing Lookup service
+---
+
+author = "Paulino Calderon <calderon@websec.mx>"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"malware", "discovery", "safe", "external"}
+
+
+portrule = shortport.http
+
+---#########################
+--ENTER YOUR API KEY HERE #
+---#########################
+local APIKEY = ""
+---#########################
+
+--Builds Google Safe Browsing query
+--@param apikey Api key
+--@return Url
+local function build_qry(apikey, url)
+ return string.format("https://sb-ssl.google.com/safebrowsing/api/lookup?client=%s&apikey=%s&appver=1.5.2&pver=3.0&url=%s", SCRIPT_NAME, apikey, url)
+end
+
+local function fail (err) return stdnse.format_output(false, err) end
+
+---
+--MAIN
+---
+action = function(host, port)
+ local apikey = stdnse.get_script_args("http-google-malware.api") or APIKEY
+ local malware_found = false
+ local target
+ local output_lns = {}
+
+ --Use the host IP if a hostname isn't available
+ if not(host.targetname) then
+ target = host.ip
+ else
+ target = host.targetname
+ end
+
+ local target_url = stdnse.get_script_args("http-google-malware.url") or string.format("%s://%s", port.service, target)
+
+ if string.len(apikey) < 25 then
+ return fail(("No API key found. Use the %s.api argument"):format(SCRIPT_NAME))
+ end
+
+ stdnse.debug1("Checking host %s", target_url)
+ local qry = build_qry(apikey, target_url)
+ local req = http.get_url(qry, {any_af=true})
+ stdnse.debug2("%s", qry)
+
+ if ( req.status > 400 ) then
+ return fail("Request failed (invalid API key?)")
+ end
+
+ --The Safe Lookup API responds with a type when site is on the lists
+ if req.body then
+ if http.response_contains(req, "malware") then
+ output_lns[#output_lns+1] = "Host is known for distributing malware."
+ malware_found = true
+ end
+ if http.response_contains(req, "phishing") then
+ output_lns[#output_lns+1] = "Host is known for being used in phishing attacks."
+ malware_found = true
+ end
+ end
+ --For the verbose lovers
+ if req.status == 204 and nmap.verbosity() >= 2 and not(malware_found) then
+ output_lns[#output_lns+1] = "Host is safe to browse."
+ end
+
+ if #output_lns > 0 then
+ return table.concat(output_lns, "\n")
+ end
+end