From 0d47952611198ef6b1163f366dc03922d20b1475 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Wed, 17 Apr 2024 09:42:04 +0200
Subject: Adding upstream version 7.94+git20230807.3be01efb1+dfsg.
Signed-off-by: Daniel Baumann
---
scripts/auth-spoof.nse | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 scripts/auth-spoof.nse
(limited to 'scripts/auth-spoof.nse')
diff --git a/scripts/auth-spoof.nse b/scripts/auth-spoof.nse
new file mode 100644
index 0000000..42f0c4d
--- /dev/null
+++ b/scripts/auth-spoof.nse
@@ -0,0 +1,37 @@
+local comm = require "comm"
+local shortport = require "shortport"
+
+description = [[
+Checks for an identd (auth) server which is spoofing its replies.
+
+Tests whether an identd (auth) server responds with an answer before
+we even send the query. This sort of identd spoofing can be a sign of
+malware infection, though it can also be used for legitimate privacy
+reasons.
+]]
+
+---
+-- @output
+-- PORT STATE SERVICE REASON
+-- 113/tcp open auth syn-ack
+-- |_auth-spoof: Spoofed reply: 0, 0 : USERID : UNIX : OGJdvM
+
+author = "Diman Todorov"
+
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+
+categories = {"malware", "safe"}
+
+
+portrule = shortport.port_or_service(113, "auth")
+
+action = function(host, port)
+ local status, owner = comm.get_banner(host, port, {lines=1})
+
+ if not status then
+ return
+ end
+
+ return "Spoofed reply: " .. owner
+end
+
-- cgit v1.2.3
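Review bot: In `action`, any line that `comm.get_banner` returns is reported as "Spoofed reply", so a non-ident service on 113/tcp that greets first (or a port matched only by the `auth` service name) produces a false positive in a script tagged `malware`. Checking that the line has the ident response shape before reporting would make the finding more reliable for triage, e.g. `if not status or not owner:match("^%s*%d+%s*,%s*%d+%s*:") then return end`. The local `owner` holds the whole unsolicited line rather than a user name, so a name such as `reply` plus a short comment that no query is sent on purpose would help readers. The returned value is text chosen by the remote host, so anything that consumes this script's output should treat it as untrusted.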