Nmap http-virustotal NSE Script
This page contains detailed information about how to use the http-virustotal NSE script. For list of all NSE scripts, visit the Nmap NSE Library.
| Select: |
|---|
Script Overview
Script source code: https://github.com/nmap/nmap/tree/master/scripts/http-virustotal.nse
Script categories: safe, malware, external
Target service / protocol: -
Target network port(s): -
List of CVEs: -
Script Description
The http-virustotal.nse script checks whether a file has been determined as malware by Virustotal. Virustotal is a service that provides the capability to scan a file or check a checksum against a number of the major antivirus vendors. The script uses the public API which requires a valid API key and has a limit on 4 queries per minute. A key can be acquired by registering as a user on the virustotal web page:
The scripts supports both sending a file to the server for analysis or checking whether a checksum (supplied as an argument or calculated from a local file) was previously discovered as malware.
As uploaded files are queued for analysis, this mode simply returns a URL where status of the queued file may be checked.
Http-virustotal NSE Script Arguments
This is a full list of arguments supported by the http-virustotal.nse script:
http-virustotal.apikeyAn API key acquired from the virustotal web page
http-virustotal.checksumA SHA1, SHA256, MD5 checksum of a file to check
http-virustotal.filenameThe full path of the file to checksum or upload
http-virustotal.uploadTrue if the file should be uploaded and scanned, false if a checksum should be calculated of the local file (default: false)
smbdomainThe domain to log in with. If you aren't in a domain environment, then anything will (should?) be accepted by the server.
smbhashA password hash to use when logging in. This is given as a single hex string (32 characters) or a pair of hex strings (both 32 characters, optionally separated by a single character). These hashes are the LanMan or NTLM hash of the user's password, and are stored on disk or in memory. They can be retrieved from memory using the fgdump or pwdump tools.
smbnoguestUse to disable usage of the 'guest' account.
smbpasswordThe password to connect with. Be cautious with this, since some servers will lock accounts if the incorrect password is given. Although it's rare that the Administrator account can be locked out, in the off chance that it can, you could get yourself in trouble. To use a blank password, leave this parameter off altogether.
smbtypeThe type of SMB authentication to use. These are the possible options:
v1: Sends LMv1 and NTLMv1.LMv1: Sends LMv1 only.NTLMv1: Sends NTLMv1 only (default).v2: Sends LMv2 and NTLMv2.LMv2: Sends LMv2 only.NTLMv2: Doesn't exist; the protocol doesn't support NTLMv2 alone. The default,NTLMv1, is a pretty decent compromise between security and compatibility. If you are paranoid, you might want to usev2orlmv2for this. (Actually, if you're paranoid, you should be avoiding this protocol altogether!). If you're using an extremely old system, you might need to set this tov1orlm, which are less secure but more compatible. For information, seesmbauth.lua.
The SMB username to log in with. The forms "DOMAIN\username" and "username@DOMAIN" are not understood. To set a domain, use the smbdomain argument.
Debug level at which default callbacks will print detailed parsing info. Default: 3
http.host
The value to use in the Host header of all requests unless otherwise set. By default, the Host header uses the output of stdnse.get_hostname().
Limit the received body to specific number of bytes. An oversized body results in an error unless script argument http.truncated-ok or request option truncated_ok is set to true. The default is 2097152 (2MB). Use value -1 to disable the limit altogether. This argument can be overridden case-by-case with request option max_body_size.
The maximum memory size (in bytes) of the cache.
http.max-pipeline
If set, it represents the number of outstanding HTTP requests that should be sent together in a single burst. Defaults to http.pipeline (if set), or to what function get_pipeline_limit returns.
If set, it represents the number of HTTP requests that'll be sent on one connection. This can be set low to make debugging easier, or it can be set high to test how a server reacts (its chosen max is ignored).
http.truncated-ok
Do not treat oversized body as error. (Use response object flag truncated to check if the returned body has been truncated.) This argument can be overridden case-by-case with request option truncated_ok.
The value of the User-Agent header field sent with requests. By default it is "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)". A value of the empty string disables sending the User-Agent header field.
- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:
nmap --script=http-virustotal --script-args http-virustotal.apikey=value,http-virustotal.checksum=value <target>Http-virustotal NSE Script Example Usage
Here's an example of how to use the http-virustotal.nse script:
nmap --script http-virustotal --script-args='http-virustotal.apikey="<key>",http-virustotal.checksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"'
Http-virustotal NSE Script Example Output
Here's a sample output from the http-virustotal.nse script:
Pre-scan script results:
| http-virustotal:
| Permalink: https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1333633817/
| Scan date: 2012-04-05 13:50:17
| Positives: 41
| digests
| SHA1: 3395856ce81f2b7382dee72602f798b642f14140
| SHA256: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
| MD5: 44d88612fea8a8f36de82e1278abb02f
| Results
| name result date version
| AhnLab-V3 EICAR_Test_File 20120404 2012.04.05.00
| AntiVir Eicar-Test-Signature 20120405 7.11.27.24
| Antiy-AVL AVTEST/EICAR.ETF 20120403 2.0.3.7
| Avast EICAR Test-NOT virus!!! 20120405 6.0.1289.0
| AVG EICAR_Test 20120405 10.0.0.1190
| BitDefender EICAR-Test-File (not a virus) 20120405 7.2
| ByteHero - 20120404 1.0.0.1
| CAT-QuickHeal EICAR Test File 20120405 12.00
| ClamAV Eicar-Test-Signature 20120405 0.97.3.0
| Commtouch EICAR_Test_File 20120405 5.3.2.6
| Comodo Exploit.EICAR-Test-File 20120405 12000
| DrWeb EICAR Test File (NOT a Virus!) 20120405 7.0.1.02210
| Emsisoft EICAR-ANTIVIRUS-TESTFILE!IK 20120405 5.1.0.11
| eSafe EICAR Test File 20120404 7.0.17.0
| eTrust-Vet the EICAR test string 20120405 37.0.9841
| F-Prot EICAR_Test_File 20120405 4.6.5.141
| F-Secure EICAR_Test_File 20120405 9.0.16440.0
| Fortinet EICAR_TEST_FILE 20120405 4.3.392.0
| GData EICAR-Test-File 20120405 22
| Ikarus EICAR-ANTIVIRUS-TESTFILE 20120405 T3.1.1.118.0
| Jiangmin EICAR-Test-File 20120331 13.0.900
| K7AntiVirus EICAR_Test_File 20120404 9.136.6595
| Kaspersky EICAR-Test-File 20120405 9.0.0.837
| McAfee EICAR test file 20120405 5.400.0.1158
| McAfee-GW-Edition EICAR test file 20120404 2012.1
| Microsoft Virus:DOS/EICAR_Test_File 20120405 1.8202
| NOD32 Eicar test file 20120405 7031
| Norman Eicar_Test_File 20120405 6.08.03
| nProtect EICAR-Test-File 20120405 2012-04-05.01
| Panda EICAR-AV-TEST-FILE 20120405 10.0.3.5
| PCTools Virus.DOS.EICAR_test_file 20120405 8.0.0.5
| Rising EICAR-Test-File 20120405 24.04.02.03
| Sophos EICAR-AV-Test 20120405 4.73.0 TP
| SUPERAntiSpyware NotAThreat.EICAR[TestFile] 20120402 4.40.0.1006
| Symantec EICAR Test String 20120405 20111.2.0.82
| TheHacker EICAR_Test_File 20120405 6.7.0.1.440
| TrendMicro Eicar_test_file 20120405 9.500.0.1008
| TrendMicro-HouseCall Eicar_test_file 20120405 9.500.0.1008
| VBA32 EICAR-Test-File 20120405 3.12.16.4
| VIPRE EICAR (v) 20120405 11755
| ViRobot EICAR-test 20120405 2012.4.5.5025
|_ VirusBuster EICAR_test_file 20120404 14.2.11.0
Http-virustotal NSE Script Example XML Output
There is no sample XML output for this module. However, by providing the -oX <file> option, Nmap will produce a XML output and save it in the file.xml file.
Author
- Patrik Karlsson
References
- https://nmap.org/nsedoc/scripts/http-virustotal.html
- https://github.com/nmap/nmap/tree/master/scripts/http-virustotal.nse
- http://www.virustotal.com
- https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1333633817/
See Also
Visit Nmap NSE Library for more scripts.
The http-virustotal.nse script may fail with the following error messages. Check for the possible causes by using the code snippets highlighted below found in the script source code. This can often times help in identifying the root cause of the problem.
Failed to open file: %s
Here is a relevant code snippet related to the "Failed to open file: %s" error message:
102: prerule = function() return true end
103:
104: local function readFile(filename)
105: local f = io.open(filename, "r")
106: if ( not(f) ) then
107: return false, ("Failed to open file: %s"):format(filename)
108: end
109:
110: local str = f:read("a")
111: f:close()
112: if ( not(str) ) then
Failed to read file contents
Here is a relevant code snippet related to the "Failed to read file contents" error message:
108: end
109:
110: local str = f:read("a")
111: f:close()
112: if ( not(str) ) then
113: return false, "Failed to read file contents"
114: end
115: return true, str
116: end
117:
118: local function requestFileScan(filename)
Failed to request file scan
Here is a relevant code snippet related to the "Failed to request file scan" error message:
135: local port = { number = 80, protocol = "tcp" }
136: local path = "/vtapi/v2/file/scan"
137:
138: local response = http.post( host, port, path, {any_af = true, header = header }, nil, postdata )
139: if ( not(response) or response.status ~= 200 ) then
140: return false, "Failed to request file scan"
141: end
142:
143: local status, json_data = json.parse(response.body)
144: if ( not(status) ) then
145: return false, "Failed to parse JSON response"
Failed to parse JSON response
Here is a relevant code snippet related to the "Failed to parse JSON response" error message:
140: return false, "Failed to request file scan"
141: end
142:
143: local status, json_data = json.parse(response.body)
144: if ( not(status) ) then
145: return false, "Failed to parse JSON response"
146: end
147:
148: return true, json_data
149: end
150:
Failed to retrieve scan report
Here is a relevant code snippet related to the "Failed to retrieve scan report" error message:
155: local path = "/vtapi/v2/file/report"
156:
157:
158: local response = http.post(host, port, path, {any_af=true}, nil, { ["apikey"] = arg_apiKey, ["resource"] = resource })
159: if ( not(response) or response.status ~= 200 ) then
160: return false, "Failed to retrieve scan report"
161: end
162:
163: local status, json_data = json.parse(response.body)
164: if ( not(status) ) then
165: return false, "Failed to parse JSON response"
Failed to parse JSON response
Here is a relevant code snippet related to the "Failed to parse JSON response" error message:
160: return false, "Failed to retrieve scan report"
161: end
162:
163: local status, json_data = json.parse(response.body)
164: if ( not(status) ) then
165: return false, "Failed to parse JSON response"
166: end
167:
168: return true, json_data
169: end
170:
An API key is required in order to use this script (see description)
Here is a relevant code snippet related to the "An API key is required in order to use this script (see description)" error message:
210: local function fail(err) return stdnse.format_output(false, err) end
211:
212: action = function()
213:
214: if ( not(arg_apiKey) ) then
215: return fail("An API key is required in order to use this script (see description)")
216: end
217:
218: local resource
219: if ( arg_upload == "true" and arg_filename ) then
220: local status, json_data = requestFileScan(arg_filename, arg_apiKey)
Failed to calculate SHA256 checksum for file
Here is a relevant code snippet related to the "Failed to calculate SHA256 checksum for file" error message:
228: table.insert(output, { name = "To check the current status visit:", json_data['permalink'] })
229: return stdnse.format_output(true, output)
230: elseif ( arg_filename ) then
231: local status, sha256 = calcSHA256(arg_filename)
232: if ( not(status) ) then
233: return fail("Failed to calculate SHA256 checksum for file")
234: end
235: resource = sha256
236: elseif ( arg_checksum ) then
237: resource = arg_checksum
238: else
Failed to retrieve file scan report
Here is a relevant code snippet related to the "Failed to retrieve file scan report" error message:
241:
242: local status, response
243:
244: local status, response = getFileScanReport(resource)
245: if ( not(status) ) then
246: return fail("Failed to retrieve file scan report")
247: end
248:
249: if ( not(response.response_code) or 0 == tonumber(response.response_code) ) then
250: return fail(("Failed to retrieve scan report for resource: %s"):format(resource))
251: end
Failed to retrieve scan report for resource: %s
Here is a relevant code snippet related to the "Failed to retrieve scan report for resource: %s" error message:
244: local status, response = getFileScanReport(resource)
245: if ( not(status) ) then
246: return fail("Failed to retrieve file scan report")
247: end
248:
249: if ( not(response.response_code) or 0 == tonumber(response.response_code) ) then
250: return fail(("Failed to retrieve scan report for resource: %s"):format(resource))
251: end
252:
253: return stdnse.format_output(true, parseScanReport(response))
254: end
Version
This page has been created based on Nmap version 7.92.
Go back to menu.
