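local http = require "http"
local nmap = require "nmap" -- not used below; kept so the file's dependency list is unchanged
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Attempts to retrieve the HNAP XML that "The Moon" malware exposes on infected
Linksys routers. The script issues GET /HNAP1/ on the scanned port and reports
a hit when the server answers 200 with "/HNAP1/" somewhere in the body.

Caveat: the check only proves that something answers HNAP on this port. A
clean router with HNAP remote management exposed on the same port would
produce the same reply, so treat a hit as an indicator that needs manual
confirmation rather than as proof of infection.

Quick help on NSE: to install, copy the script to the NSE scripts directory
(e.g. /usr/local/share/nmap/scripts), then run "sudo nmap --script-updatedb".
Then use it like "nmap --script=http-linksys-vuln -p 8080 10.0.0.0/24".

Link:
* http://threatpost.com/moon-worm-spreading-on-linksys-home-and-smb-routers/104268
]]

---
-- @usage
-- nmap --script=http-linksys-vuln -p 8080 10.0.0.0/24
--
-- @output
-- PORT     STATE SERVICE REASON
-- 8080/tcp open  http    syn-ack
-- |_LinkSys system likely INFECTED - HNAP string found in response

author = "Florian Roth"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "malware"}

-- The description and sample output target TCP 8080; the rule is left as it
-- was (port 8080 only) so existing invocations behave the same.
portrule = shortport.port_or_service(8080)

-- Path probed on the target and the marker looked for in the reply body.
local HNAP_PATH = "/HNAP1/"
local HNAP_MARKER = "/HNAP1/"
-- Exact output line the original script produced on a hit.
local INFECTED_MSG = "LinkSys system likely INFECTED - HNAP string found in response"

--- Probe an HTTP port for an HNAP endpoint.
-- @param host Nmap host table.
-- @param port Nmap port table (open TCP 8080 per the portrule).
-- @return The infection message string on a hit; nil (no script output) otherwise.
action = function(host, port)
  -- The original passed a hand-built request line
  -- ("GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n") as the *path* argument.
  -- http.get prepends its own method and HTTP version, so the wire request
  -- was malformed and the "Host: test" line was never sent as a header.
  -- Only the path belongs here; the library adds its own request headers.
  local response = http.get(host, port, HNAP_PATH)

  -- Be defensive about a missing response table; a non-200 or empty body
  -- means nothing to inspect, so emit no output (same as the original).
  if not response or response.status ~= 200 or not response.body then
    stdnse.debug1("GET %s returned status %s", HNAP_PATH,
      tostring(response and response.status))
    return nil
  end

  -- Plain (non-pattern) search: the marker has no Lua magic characters today,
  -- but plain mode keeps the match literal if it is ever changed.
  if string.find(response.body, HNAP_MARKER, 1, true) then
    return INFECTED_MSG
  end

  return nil
end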