local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
description = [[
Requests /HNAP1/ on Linksys routers and reports hosts whose HTTP 200 response contains the HNAP marker that "The Moon" malware scans for and exploits. A hit means the HNAP interface is reachable on this port (exposure to the worm); it does not by itself prove the device is already infected.
Quick help on NSE: to install, copy the script to the NSE scripts directory (e.g. /usr/local/share/nmap/scripts), then run "sudo nmap --script-updatedb". Then use it like "nmap --script=http-linksys-vuln -p 8080 10.0.0.0/24".
Link:
* http://threatpost.com/moon-worm-spreading-on-linksys-home-and-smb-routers/104268
]]
---
-- @output
-- PORT STATE SERVICE REASON
-- 8080/tcp open http syn-ack
-- |_LinkSys system likely INFECTED - HNAP string found in response
author = "Florian Roth"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-- "malware": the probe looks for an indicator tied to a specific worm.
-- "discovery": a hit primarily reveals an exposed HNAP interface, which is
-- the precondition the worm needs rather than a confirmed compromise.
categories = {"discovery", "malware"}
-- Runs only against open TCP port 8080 (the port the usage example targets);
-- no service name is given, so e.g. HTTP on port 80 is not probed by this script.
portrule = shortport.port_or_service(8080)
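-- Probe /HNAP1/ once and report when the reply carries the HNAP marker.
-- A 200 response containing "/HNAP1/" shows that the HNAP interface is
-- reachable on this port, which is the condition The Moon worm scans for
-- and exploits; it is not by itself proof of an existing infection, so the
-- result should be read as "exposed, investigate" rather than "compromised".
-- @param host host table handed over by Nmap
-- @param port port table handed over by Nmap (matched by portrule)
-- @return the finding string when the marker was seen, otherwise nil
action = function(host, port)
  -- http.get takes a URL path, not a raw request line. The previous version
  -- passed "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" as the path, which
  -- yields a malformed request line with embedded CRLFs. Send a clean path
  -- and supply the Host header the original probe used via options instead.
  local response = http.get(host, port, "/HNAP1/", {header = {Host = "test"}})

  -- http.get returns a table even when the request fails; status and body
  -- may then be nil, so guard both before looking at the content.
  if not response or response.status ~= 200 or not response.body then
    return nil
  end

  -- Plain (non-pattern) search: we want the literal marker, nothing more.
  if string.find(response.body, "/HNAP1/", 1, true) then
    return "LinkSys system likely INFECTED - HNAP string found in response"
  end

  return nil
end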