Checking if a host is known for malicious activities

System administrators who host users often struggle to monitor their servers for malware distribution. Nmap allows us to systematically check if a host is known for distributing malware or being used in phishing attacks, with some help from the Google Safe Browsing API.

This recipe shows system administrators how to check if a host has been flagged by Google's Safe Browsing Service as being used in phishing attacks or distributing malware.

Getting ready

The script http-google-malware depends on Google's Safe Browsing service and it requires you to register to get an API key. Register at http://code.google.com/apis/safebrowsing/key_signup.html.

How to do it...

Open your favorite terminal and type:

$ nmap -p80 --script http-google-malware --script-args http-google-malware.api=<API> <target>

The script will return a message indicating if the server is known by Google's Safe Browsing for distributing malware or being used in a phishing attack.

Nmap scan report for mertsssooopa.in (203.170.193.102)
Host is up (0.60s latency).
PORT   STATE SERVICE
80/tcp open  http
|_http-google-malware: Host is known for distributing malware.

How it works...

The script http-google-malware queries the Google Safe Browsing Service to determine if a host is suspected to be malicious. This service is used by web browsers such as Mozilla Firefox and Google Chrome to protect their users, and the lists are updated very frequently.

# nmap -p80 --script http-google-malware -v scanme.nmap.org

The output will be as follows:

NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 12:28
Scanning scanme.nmap.org (74.207.244.221) [4 ports]
Completed Ping Scan at 12:28, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:28
Completed Parallel DNS resolution of 1 host. at 12:28, 0.19s elapsed
Initiating SYN Stealth Scan at 12:28
Scanning scanme.nmap.org (74.207.244.221) [1 port]
Discovered open port 80/tcp on 74.207.244.221
Completed SYN Stealth Scan at 12:29, 0.26s elapsed (1 total ports)
NSE: Script scanning 74.207.244.221.
Initiating NSE at 12:29
Completed NSE at 12:29, 0.77s elapsed
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.15s latency).
PORT   STATE SERVICE
80/tcp open  http
|_http-google-malware: Host is safe to browse.
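
When many hosts are scanned at once, the per-host verdict lines are easier to act on when collected programmatically. The following Python snippet is an added example, not part of this recipe or of Nmap itself: it parses Nmap's normal output for the http-google-malware result lines and sorts hosts into verdicts. The host names, IPs and the sample output are constructed, and the "phishing" classification assumes the script's phishing message contains that word.

```python
import re
from typing import Dict, List

# Constructed sample of Nmap normal output for three hosts (placeholder
# names and documentation-range IPs, not real scan results).
SAMPLE_OUTPUT = """\
Nmap scan report for host-a.example (192.0.2.10)
Host is up (0.60s latency).
PORT   STATE SERVICE
80/tcp open  http
|_http-google-malware: Host is known for distributing malware.

Nmap scan report for host-b.example (192.0.2.11)
Host is up (0.15s latency).
PORT   STATE SERVICE
80/tcp open  http
|_http-google-malware: Host is safe to browse.

Nmap scan report for host-c.example (192.0.2.12)
Host is up (0.20s latency).
PORT   STATE SERVICE
80/tcp closed http
"""

# "Nmap scan report for <name> (<ip>)"; the parenthesised IP is absent when
# the target was given as an IP address, so it is optional here.
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
SCRIPT_RE = re.compile(r"^\|_http-google-malware: (.+)$")


def classify(message: str) -> str:
    """Map the script's free-text message to a coarse verdict (assumed wording)."""
    m = message.lower()
    if "malware" in m:
        return "malware"
    if "phish" in m:
        return "phishing"
    if "safe" in m:
        return "safe"
    return "unknown"


def parse_google_malware(output: str) -> Dict[str, dict]:
    """Return {host: {"ip", "verdict", "message"}}; hosts with no script
    line (port closed, script not run) are reported as "not-checked"."""
    results: Dict[str, dict] = {}
    current = None
    for line in output.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = {"ip": m.group(2), "verdict": "not-checked", "message": None}
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            results[current]["message"] = m.group(1)
            results[current]["verdict"] = classify(m.group(1))
    return results


def flagged_hosts(results: Dict[str, dict]) -> List[str]:
    """Hosts that Safe Browsing flagged, i.e. the ones worth an alert."""
    return sorted(h for h, r in results.items() if r["verdict"] in ("malware", "phishing"))
```

Feed it the output of a scan saved with -oN to get the flagged hosts for alerting, and treat "not-checked" hosts as a gap in coverage rather than as safe.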

There's more...

If you don't want to use the http-google-malware.api argument every time you launch this script, you can edit the http-google-malware.nse file and hardcode your API key into the script. Look for the following section and store your key in the variable APIKEY:

---#########################
--ENTER YOUR API KEY HERE  #
---#########################
local APIKEY = ""
---#########################

For complete documentation visit http://nmap.org/nsedoc/scripts/http-google-malware.html.

See also

  • The Geolocating an IP address recipe
  • The Getting information from WHOIS records recipe
  • The Discovering hostnames pointing to the same IP address recipe
  • The Matching services with known security vulnerabilities recipe
  • The Spoofing the origin IP of a port scan recipe
  • The Brute forcing DNS records recipe
  • The Discovering UDP services recipe
  • The Generating a network topology graph with Zenmap recipe in Chapter 8, Generating Scan Reports