summaryrefslogtreecommitdiffstats
path: root/scripts/dns-blacklist.nse
blob: 0ffd7f21c225b486f1d1b18658c552909b768630 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
local dnsbl = require "dnsbl"
local ipOps = require "ipOps"
local stdnse = require "stdnse"
local table = require "table"

description = [[
Checks target IP addresses against multiple DNS anti-spam and open
proxy blacklists and returns a list of services for which an IP has been flagged.  Checks may be limited by service category (eg: SPAM,
PROXY) or to a specific service name.  ]]

---
-- @usage
-- nmap --script dns-blacklist --script-args='dns-blacklist.ip=<ip>'
-- or
-- nmap -sn <ip> --script dns-blacklist
--
-- @output
-- Pre-scan script results:
-- | dns-blacklist:
-- | 1.2.3.4
-- |   PROXY
-- |     dnsbl.tornevall.org - PROXY
-- |       IP marked as "abusive host".
-- |       Proxy is working
-- |       Proxy has been scanned
-- |   SPAM
-- |     dnsbl.inps.de - SPAM
-- |       Spam Received See: http://www.sorbs.net/lookup.shtml?1.2.3.4
-- |     l2.apews.org - SPAM
-- |     list.quorum.to - SPAM
-- |     bl.spamcop.net - SPAM
-- |_    spam.dnsbl.sorbs.net - SPAM
--
-- Supported blacklist list mode (--script-args dns-blacklist.list):
-- | dns-blacklist:
-- |   PROXY
-- |     socks.dnsbl.sorbs.net
-- |     http.dnsbl.sorbs.net
-- |     misc.dnsbl.sorbs.net
-- |     dnsbl.tornevall.org
-- |   SPAM
-- |     dnsbl.inps.de
-- |     bl.nszones.com
-- |     l2.apews.org
-- |     list.quorum.to
-- |     all.spamrats.com
-- |     bl.spamcop.net
-- |     spam.dnsbl.sorbs.net
-- |_    sbl.spamhaus.org
--
-- @args dns-blacklist.ip string containing the IP to check only needed if
--       running the script as a prerule.
--
-- @args dns-blacklist.mode string containing either "short" or "long"
--       long mode can sometimes provide additional information to why an IP
--       has been blacklisted. (default: long)
--
-- @args dns-blacklist.list lists all services that are available for a
--       certain category.
--
-- @args dns-blacklist.services string containing a comma-separated list of
--       services to query. (default: all)
--
-- @args dns-blacklist.category string containing the service category to query
--       eg. spam or proxy (default: all)
--
--

author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"external", "safe"}


-- The script can be run either as a host- or pre-rule
hostrule = function() return true end
prerule = function() return true end

local arg_IP       = stdnse.get_script_args(SCRIPT_NAME .. ".ip")
local arg_mode     = stdnse.get_script_args(SCRIPT_NAME .. ".mode") or "long"
local arg_list     = stdnse.get_script_args(SCRIPT_NAME .. ".list")
local arg_services  = stdnse.get_script_args(SCRIPT_NAME .. ".services")
local arg_category  = stdnse.get_script_args(SCRIPT_NAME .. ".category") or "all"

local function listServices()
  local result = {}
  if ( "all" == arg_category ) then
    for cat in pairs(dnsbl.SERVICES) do
      local helper = dnsbl.Helper:new(cat, arg_mode)
      local cat_res= helper:listServices()
      cat_res.name = cat
      table.insert(result, cat_res)
    end
  else
    result = dnsbl.Helper:new(arg_category, arg_mode):listServices()
  end
  return stdnse.format_output(true, result)
end

local function formatResult(result)
  local output = {}
  for _, svc in ipairs(result) do
    if ( svc.result.details ) then
      svc.result.details.name = ("%s - %s"):format(svc.name, svc.result.state)
      table.insert(output, svc.result.details)
    else
      table.insert(output, ("%s - %s"):format(svc.name, svc.result.state))
    end
  end
  return output
end

local function fail (err) return stdnse.format_output(false, err) end

dnsblAction = function(host)

  local helper
  if ( arg_services and ( not(arg_category) or "all" == arg_category:lower() ) ) then
    return fail("A service filter can't be used without a specific category")
  elseif( "all" ~= arg_category ) then
    helper = dnsbl.Helper:new(arg_category, arg_mode)
    helper:setFilter(arg_services)
    local status, err = helper:validateFilter()
    if ( not(status) ) then
      return fail(("%s"):format(err))
    end
  end

  local output = {}
  if ( helper ) then
    local result = helper:checkBL(host.ip)
    if ( #result == 0 ) then return end
    output = formatResult(result)
  else
    for cat in pairs(dnsbl.SERVICES) do
      helper = dnsbl.Helper:new(cat, arg_mode)
      local result = helper:checkBL(host.ip)
      local out_part = formatResult(result)
      if ( #out_part > 0 ) then
        out_part.name = cat
        table.insert(output, out_part)
      end
    end
    if ( #output == 0 ) then return end
  end

  if ( "prerule" == SCRIPT_TYPE ) then
    output.name = host.ip
  end

  return stdnse.format_output(true, output)
end


-- execute the action function corresponding to the current rule
action = function(...)

  if ( arg_mode ~= "short" and arg_mode ~= "long" ) then
    return fail("Invalid argument supplied, mode should be either 'short' or 'long'")
  end

  if ( arg_IP and not(ipOps.todword(arg_IP)) ) then
    return fail("Invalid IP address was supplied")
  end

  -- if the list argument was given, just list the services and abort
  if ( arg_list ) then
    return listServices()
  end

  if ( arg_IP and "prerule" == SCRIPT_TYPE ) then
    return dnsblAction( { ip = arg_IP } )
  elseif ( "hostrule" == SCRIPT_TYPE ) then
    return dnsblAction(...)
  end

end