Gorjan Petrovski submitted Nmap NSE scripts that help us geolocate a remote IP address: ip-geolocation-maxmind, ip-geolocation-ipinfodb and ip-geolocation-geobytes. This will show us how to set up and use the geolocation scripts included with Nmap NSE.

For the ip-geolocation-maxmind script to run under Nmap, download MaxMind's city database. Fire up the command line, fetch the scripts, and extract the database into your local Nmap data folder ($NMAP_DATA/nselib/data/, normally /usr/local/share/nmap/nselib/data). Then run:

nmap --script ip-geolocation-* <ip>

Submitting a new geo-location provider

Sometimes the reported location is wrong, because it depends entirely on the MaxMind database. In that case a fresh database, or another provider, has to be supplied to Nmap.

WHOIS records often contain important data such as the registrar name and contact information. System administrators have been using WHOIS for years now, and although there are many tools available to query this protocol, Nmap proves itself invaluable because of its ability to deal with IP ranges and hostname lists.

Open up the command line and run:

nmap --script whois <target>

The argument --script whois tells Nmap to query the Regional Internet Registries' WHOIS databases in order to obtain the records of a given target. The script uses IANA's assignments data to select the right RIR, and it caches the results locally.

Alternatively, we can override this behaviour and select the order of the service providers to use with the whodb script argument:

nmap --script whois --script-args whois.whodb=arin+ripe+afrinic <target>

The script then queries that list of WHOIS providers sequentially until the record, or a referral to the record, is found. To ignore referral records, use the value nofollow:

nmap --script whois --script-args whois.whodb=nofollow <target>

To query the WHOIS records of a hostname list (-iL) without launching a port scan (-sn):

nmap -sn --script whois -v -iL hosts.txt

(hosts.txt contains a list of hostnames or IP addresses, one per line.)

Sometimes cached responses will be preferred over querying the WHOIS service, and this can hide a changed IP address assignment. To disable the cache, set the script argument whodb to nocache:

nmap -sn --script whois --script-args whois.whodb=nocache <target>

Checking if a host is known for malicious activities

This recipe shows system administrators how to check if a host has been flagged by Google's Safe Browsing service as being used in phishing attacks or distributing malware. Nmap allows us to check this systematically across a host list, with some help from the Google Safe Browsing API (the check is done by the http-google-malware NSE script, which needs a Google Safe Browsing API key).
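As an added example (not code from the original post or from the Nmap project), the following Python wrapper runs the host-list WHOIS query described above, parses the per-host results out of Nmap's normal output, and re-queries with whois.whodb=nocache only for the hosts that came back without a record. It assumes nmap is on PATH, that whodb takes either a '+'-joined provider list or one of the two special values (never both), and that the whois script's output has the shape of the constructed sample embedded in the block; real field names may differ.

```python
"""Batch WHOIS lookups with Nmap's whois NSE script, with cache-miss retry.

Added example, not code from the original post or from Nmap. Assumes
`nmap` is on PATH and that the whois script prints a "Host script results:"
block of "| key: value" lines per host, as in SAMPLE_OUTPUT below.
"""
import os
import re
import subprocess
import sys
import tempfile
from typing import Dict, List, Optional

# Provider names the post passes to whois.whodb, and its two special values.
PROVIDERS = ("arin", "ripe", "afrinic")
SPECIAL = ("nofollow", "nocache")

# Constructed sample in the shape the parser expects (RFC 5737 test addresses,
# fictional organisations); it is not real Nmap output.
SAMPLE_OUTPUT = """\
Nmap scan report for host-a.example (192.0.2.10)
Host is up (0.020s latency).

Host script results:
| whois: Record found at whois.arin.net
| netrange: 192.0.2.0 - 192.0.2.255
| netname: EXAMPLE-NET-A
| orgname: Example Networks A
|_country: US

Nmap scan report for 198.51.100.7
Host is up (0.031s latency).

Host script results:
|_whois: Record not found.

Nmap done: 2 IP addresses (2 hosts up) scanned in 1.50 seconds
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([^)]+)\))?", re.M)
FIELD_RE = re.compile(r"^\|[_ ]?\s*([A-Za-z][\w-]*):\s*(.*)$", re.M)


def is_valid_whodb(value: str) -> bool:
    """Accept 'nofollow', 'nocache', or a '+'-joined list of known providers."""
    if value in SPECIAL:
        return True
    return value != "" and all(p in PROVIDERS for p in value.split("+"))


def build_command(hosts_file: str, whodb: Optional[str] = None,
                  verbose: bool = False) -> List[str]:
    """Assemble: nmap -sn --script whois [-v] [--script-args whois.whodb=X] -iL FILE."""
    cmd = ["nmap", "-sn", "--script", "whois"]
    if verbose:
        cmd.append("-v")
    if whodb is not None:
        if not is_valid_whodb(whodb):
            raise ValueError(f"invalid whois.whodb value: {whodb!r}")
        cmd += ["--script-args", f"whois.whodb={whodb}"]
    cmd += ["-iL", hosts_file]
    return cmd


def parse_whois_output(text: str) -> Dict[str, Dict[str, str]]:
    """Map each scanned target (IP when Nmap prints one) to its key/value fields."""
    results: Dict[str, Dict[str, str]] = {}
    reports = list(REPORT_RE.finditer(text))
    for i, m in enumerate(reports):
        end = reports[i + 1].start() if i + 1 < len(reports) else len(text)
        chunk = text[m.end():end]
        target = m.group(2) or m.group(1)
        results[target] = {f.group(1).lower(): f.group(2).strip()
                           for f in FIELD_RE.finditer(chunk)}
    return results


def hosts_without_record(results: Dict[str, Dict[str, str]]) -> List[str]:
    """A host has a record if any field other than the script's own line exists."""
    return [h for h, fields in results.items()
            if not any(k != "whois" for k in fields)]


def run_lookup(hosts_file: str, whodb: Optional[str] = None) -> Dict[str, Dict[str, str]]:
    """Run Nmap (needs network access and nmap on PATH) and parse its output."""
    proc = subprocess.run(build_command(hosts_file, whodb),
                          capture_output=True, text=True, check=True)
    return parse_whois_output(proc.stdout)


def lookup_with_cache_retry(hosts_file: str) -> Dict[str, Dict[str, str]]:
    """First pass with the default (cached) lookup; retry misses with nocache."""
    results = run_lookup(hosts_file)
    missing = hosts_without_record(results)
    if missing:
        with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
            tmp.write("\n".join(missing) + "\n")
        try:
            results.update(run_lookup(tmp.name, whodb="nocache"))
        finally:
            os.unlink(tmp.name)
    return results


if __name__ == "__main__":
    for host, fields in lookup_with_cache_retry(sys.argv[1]).items():
        print(host, fields.get("netname", "-"), fields.get("orgname", "-"))
```

Run it as `python whois_batch.py hosts.txt`; the parser and command builder work offline against the constructed sample, while the two run_* functions need a real nmap and network access.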