Nmap Script to detect Linksys "The Moon" malware

  1. local http = require "http"
  2. local nmap = require "nmap"
  3. local shortport = require "shortport"
  4. local stdnse = require "stdnse"
  5. local string = require "string"
  6.  
  7. description = [[
  8. Attempts to retrieve the XML HNAP generated on infected Linksys router systems by "The Moon" Malware.
  9.  
  10. Quick help on NSE: to install copy script to nse scripts directory (e.g. /usr/local/share/nmap/scripts) then run "sudo nmap --update-db". Then use it like "nmap --script=http-linksys-vuln -p 8080 10.0.0.0/24"
  11.  
  12. Link:
  13. * http://threatpost.com/moon-worm-spreading-on-linksys-home-and-smb-routers/104268
  14. ]]
  15.  
  16. ---
  17. -- @output
  18. -- PORT   STATE SERVICE REASON
  19. -- 8080/tcp open  http    syn-ack
  20. -- |_LinkSys system likely INFECTED - HNAP string found in response
  21.  
  22. author = "Florian Roth"
  23. license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
  24. categories = {"discovery", "malware"}
  25.  
  26. portrule = shortport.port_or_service(8080)
  27.  
  28. action = function(host, port)
  29.         local response
  30.         local lines
  31.         local infected
  32.  
  33.         -- LynkSys Malware Test
  34.         response = http.get(host, port, "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n")
  35.  
  36.         if response.body and response.status == 200 then
  37.                 if string.match(response.body, "/HNAP1/") then
  38.                         infected = true
  39.                 end
  40.         end
  41.  
  42.         lines = {}
  43.         if infected then
  44.                 lines[#lines + 1] = "LinkSys system likely INFECTED - HNAP string found in response"
  45.         end
  46.  
  47.         if #lines > 0 then
  48.                 return stdnse.strjoin("\n", lines)
  49.         end
  50. end