Monday, September 30, 2013

Patch to Nmap: adding APT1 malware fingerprints

Mandiant has released the fingerprints of SSL certificates used by APT1 malware. This is valuable threat intelligence data, so I thought it was worth adding to Nmap.

With this simple patch, Nmap gains the ability to warn you when it finds an HTTPS server that supposedly belongs to APT1's attack infrastructure. Simply run:
 $ nmap -n -P0 -p 443 --script ssl-known-key <YOUR-NETWORK-IP-RANGE>
to discover signs of APT1 in your network.
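As an added example (not from this post and not part of Nmap), here is a small Python script that pulls ssl-known-key hits out of Nmap's XML output (-oX) so they can be handed to a ticketing system or SIEM. The embedded XML, the fingerprint and the list description are constructed placeholders; the script only assumes that the script element's output attribute contains the matched SHA-1 somewhere.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Nmap XML (-oX) for a /29 scanned with the command from the post.
# The fingerprint and the "APT1" list description are placeholders, not Mandiant's data.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -P0 -p 443 --script ssl-known-key -oX scan.xml 192.0.2.0/29">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="open"/>
      <script id="ssl-known-key"
        output="Found in APT1 fingerprint list (PLACEHOLDER) (SHA-1: 0000 1111 2222 3333 4444 5555 6666 7777 8888 9999)"/>
    </port></ports>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="open"/></port></ports>
  </host>
</nmaprun>
"""

# A 40-hex-digit SHA-1, with or without ':' or ' ' between byte pairs.
SHA1_RE = re.compile(r"((?:[0-9a-fA-F]{2}[: ]?){20})")

def normalize_fingerprint(text):
    """Lower-case hex with separators removed, so fingerprints from different tools compare equal."""
    return re.sub(r"[^0-9a-f]", "", text.lower())

def find_known_key_hits(xml_text):
    """Return one record per port where ssl-known-key reported a match."""
    hits = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        for port in host.iter("port"):
            script = port.find("script[@id='ssl-known-key']")
            if script is None:
                continue  # the script produced no output for this port, so no match
            output = script.get("output", "")
            m = SHA1_RE.search(output)
            hits.append({"ip": ip, "port": int(port.get("portid")),
                         "sha1": normalize_fingerprint(m.group(1)) if m else None,
                         "output": output})
    return hits

if __name__ == "__main__":
    for hit in find_known_key_hits(SAMPLE_NMAP_XML):
        print(f"{hit['ip']}:{hit['port']} {hit['sha1']} {hit['output']}")
```

Append -oX scan.xml to the nmap command above to produce the XML this script reads.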