diff options
Diffstat (limited to 'scripts/http-google-malware.nse')
-rw-r--r-- | scripts/http-google-malware.nse | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/scripts/http-google-malware.nse b/scripts/http-google-malware.nse new file mode 100644 index 0000000..7006fd6 --- /dev/null +++ b/scripts/http-google-malware.nse @@ -0,0 +1,109 @@ +local http = require "http" +local nmap = require "nmap" +local shortport = require "shortport" +local stdnse = require "stdnse" +local string = require "string" +local table = require "table" + +description = [[ +Checks if hosts are on Google's blacklist of suspected malware and phishing +servers. These lists are constantly updated and are part of Google's Safe +Browsing service. + +To do this the script queries the Google's Safe Browsing service and you need +to have your own API key to access Google's Safe Browsing Lookup services. Sign +up for yours at http://code.google.com/apis/safebrowsing/key_signup.html + +* To learn more about Google's Safe Browsing: +http://code.google.com/apis/safebrowsing/ + +* To register and get your personal API key: +http://code.google.com/apis/safebrowsing/key_signup.html +]] + +--- +-- @usage +-- nmap -p80 --script http-google-malware <host> +-- +-- @output +-- PORT STATE SERVICE +-- 80/tcp open http +-- |_http-google-malware.nse: Host is known for distributing malware. +-- +-- @args http-google-malware.url URL to check. Default: <code>http/https</code>://<code>host</code> +-- @args http-google-malware.api API key for Google's Safe Browsing Lookup service +--- + +author = "Paulino Calderon <calderon@websec.mx>" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"malware", "discovery", "safe", "external"} + + +portrule = shortport.http + +---######################### +--ENTER YOUR API KEY HERE # +---######################### +local APIKEY = "" +---######################### + +--Builds Google Safe Browsing query +--@param apikey Api key +--@return Url +local function build_qry(apikey, url) + return string.format("https://sb-ssl.google.com/safebrowsing/api/lookup?client=%s&apikey=%s&appver=1.5.2&pver=3.0&url=%s", SCRIPT_NAME, apikey, url) +end + +local function fail (err) return stdnse.format_output(false, err) end + +--- +--MAIN +--- +action = function(host, port) + local apikey = stdnse.get_script_args("http-google-malware.api") or APIKEY + local malware_found = false + local target + local output_lns = {} + + --Use the host IP if a hostname isn't available + if not(host.targetname) then + target = host.ip + else + target = host.targetname + end + + local target_url = stdnse.get_script_args("http-google-malware.url") or string.format("%s://%s", port.service, target) + + if string.len(apikey) < 25 then + return fail(("No API key found. Use the %s.api argument"):format(SCRIPT_NAME)) + end + + stdnse.debug1("Checking host %s", target_url) + local qry = build_qry(apikey, target_url) + local req = http.get_url(qry, {any_af=true}) + stdnse.debug2("%s", qry) + + if ( req.status > 400 ) then + return fail("Request failed (invalid API key?)") + end + + --The Safe Lookup API responds with a type when site is on the lists + if req.body then + if http.response_contains(req, "malware") then + output_lns[#output_lns+1] = "Host is known for distributing malware." + malware_found = true + end + if http.response_contains(req, "phishing") then + output_lns[#output_lns+1] = "Host is known for being used in phishing attacks." + malware_found = true + end + end + --For the verbose lovers + if req.status == 204 and nmap.verbosity() >= 2 and not(malware_found) then + output_lns[#output_lns+1] = "Host is safe to browse." + end + + if #output_lns > 0 then + return table.concat(output_lns, "\n") + end +end |