DATABASE RESOURCES PRICING ABOUT US

{"id": "NMAP:LU-ENUM.NSE", "vendorId": null, "type": "nmap", "bulletinFamily": "scanner", "title": "lu-enum NSE Script", "description": "Attempts to enumerate Logical Units (LU) of TN3270E servers. \n\nWhen connecting to a TN3270E server you are assigned a Logical Unit (LU) or you can tell the TN3270E server which LU you'd like to use. Typically TN3270E servers are configured to give you an LU from a pool of LUs. They can also have LUs set to take you to a specific application. This script attempts to guess valid LUs that bypass the default LUs you are assigned. For example, if a TN3270E server sends you straight to TPX you could use this script to find LUs that take you to TSO, CICS, etc.\n\n## Script Arguments \n\n#### lu-enum.path \n\nFolder used to store valid logical unit 'screenshots' Defaults to `None` and doesn't store anything. This stores all valid logical units.\n\n#### lulist \n\nPath to list of Logical Units to test. Defaults the initial Logical Unit TN3270E provides, replacing the last two characters with `00-99`.\n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n## Example Usage \n\n * nmap --script lu-enum -p 23 <targets>\n \n\n * nmap --script lu-enum --script-args lulist=lus.txt,\n lu-enum.path=\"/home/dade/screenshots/\" -p 23 -sV <targets>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON VERSION\n 23/tcp open tn3270 syn-ack IBM Telnet TN3270 (TN3270E)\n | lu-enum: \n | Logical Units: \n | LU:BSLVLU69 - Valid credentials\n |_ Statistics: Performed 7 guesses in 7 seconds, average tps: 1.0\n \n\n## Requires \n\n * [stdnse](<../lib/stdnse.html>)\n * [shortport](<../lib/shortport.html>)\n * [tn3270](<../lib/tn3270.html>)\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [unpwdb](<../lib/unpwdb.html>)\n * [io](<>)\n * [nmap](<../lib/nmap.html>)\n * [string](<>)\n * [stringaux](<../lib/stringaux.html>)\n * [table](<>)\n\n* * *\n", "published": "2019-03-21T04:15:20", "modified": "2019-03-21T04:15:20", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://nmap.org/nsedoc/scripts/lu-enum.html", "reporter": "Philip Young aka Soldier of Fortran", "references": [], "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "immutableFields": [], "lastseen": "2022-02-15T21:41:03", "viewCount": 176, "enchantments": {"score": {"value": -0.4, "vector": "NONE"}, "dependencies": {"references": [{"type": "amazon", "idList": ["ALAS-2017-834"]}, {"type": "archlinux", "idList": ["ASA-201705-22"]}, {"type": "attackerkb", "idList": ["AKB:49AAF9A1-B710-4CA1-AAFA-3C022294A5D4"]}, {"type": "avleonov", "idList": ["AVLEONOV:40C2BE2DE75816DD7ED47DA106AF9627"]}, {"type": "canvas", "idList": ["CVE_2012_1182", "CVE_2012_1182_NONX", "SAMBA_IS_KNOWN_PIPENAME"]}, {"type": "centos", "idList": ["CESA-2012:0465", "CESA-2012:0466", "CESA-2013:0506", "CESA-2013:0515", "CESA-2017:1270", "CESA-2017:1271"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2012-317", "CPAI-2013-2506", "CPAI-2017-0444"]}, {"type": "cisa", "idList": ["CISA:384A71FB1AD858FAC86EEB1A7660E778", "CISA:C73BC9C5DAF991808EA4A267072DA584"]}, {"type": "cisco", "idList": ["CISCO-SA-20170530-SAMBA"]}, {"type": "cve", "idList": ["CVE-2012-1182", "CVE-2017-7494"]}, {"type": "debian", "idList": ["DEBIAN:BSA-070:68853", "DEBIAN:DLA-951-1:1BAA2", "DEBIAN:DLA-951-1:51380", "DEBIAN:DSA-2450-1:77F45", "DEBIAN:DSA-3860-1:8B793", "DEBIAN:DSA-3860-1:E96B1"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2012-1182", "DEBIANCVE:CVE-2017-7494"]}, {"type": "exploitdb", "idList": ["EDB-ID:42060", "EDB-ID:42084"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:11BDEE18B40708887778CCF837705185"]}, {"type": "f5", "idList": ["F5:K13551136", "F5:K13719", "SOL13719"]}, {"type": "fedora", "idList": ["FEDORA:02833211E6", "FEDORA:095C220955", "FEDORA:0B8006061CC2", "FEDORA:219F3605E539", "FEDORA:30FE721464", "FEDORA:4B045219BA", "FEDORA:77AFB20FC7", "FEDORA:77E132110D", "FEDORA:79D7720B02", "FEDORA:7D08020F24", "FEDORA:BC7B0601FC16", "FEDORA:D3501201B6"]}, {"type": "freebsd", "idList": ["6F4D96C0-4062-11E7-B291-B499BAEBFEAF", "BAF37CD2-8351-11E1-894E-00215C6A37BB"]}, {"type": "gentoo", "idList": ["GLSA-201206-22", "GLSA-201805-07"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170613-01-SAMBA", "HUAWEI-SA-20171129-01-SAMBA"]}, {"type": "ibm", "idList": ["82248DC9C1F555BF98367B4387954D2C23BFE20908CE565E0127C6A3FC16193E", "85D41384B88C530DBAB70791D41DFCF1CF314D456CBDB72E9AFA9ACC54A10939", "CE6756539D503C94C0FE819367133FAF5CF98E845923A4230C5E49923B068701"]}, {"type": "ics", "idList": ["ICSA-17-180-02"]}, {"type": "kitploit", "idList": ["KITPLOIT:4101563004973700412", "KITPLOIT:5052987141331551837"]}, {"type": "mageia", "idList": ["MGASA-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-LINUX-SAMBA-IS_KNOWN_PIPENAME-"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786440", "MYHACK58:62201786477", "MYHACK58:62201786521", "MYHACK58:62201786995"]}, {"type": "nessus", "idList": ["6443.PRM", "700127.PRM", "ALA_ALAS-2017-834.NASL", "CENTOS_RHSA-2012-0465.NASL", "CENTOS_RHSA-2012-0466.NASL", "CENTOS_RHSA-2013-0506.NASL", "CENTOS_RHSA-2013-0515.NASL", "CENTOS_RHSA-2017-1270.NASL", "CENTOS_RHSA-2017-1271.NASL", "DEBIAN_DLA-951.NASL", "DEBIAN_DSA-2450.NASL", "DEBIAN_DSA-3860.NASL", "EULEROS_SA-2017-1104.NASL", "EULEROS_SA-2017-1105.NASL", "FEDORA_2012-5793.NASL", "FEDORA_2012-5805.NASL", "FEDORA_2012-5843.NASL", "FEDORA_2012-6349.NASL", "FEDORA_2012-6382.NASL", "FEDORA_2017-570C0071C4.NASL", "FEDORA_2017-642A0ECA75.NASL", "FEDORA_2017-C729C6123C.NASL", "FREEBSD_PKG_6F4D96C0406211E7B291B499BAEBFEAF.NASL", "FREEBSD_PKG_BAF37CD2835111E1894E00215C6A37BB.NASL", "GENTOO_GLSA-201206-22.NASL", "GENTOO_GLSA-201805-07.NASL", "JUNIPER_SPACE_JSA_10826.NASL", "MACOSX_SECUPD2012-002.NASL", "MANDRIVA_MDVSA-2012-055.NASL", "NEWSTART_CGSL_NS-SA-2019-0096_SAMBA.NASL", "NEWSTART_CGSL_NS-SA-2019-0100_SAMBA4.NASL", "OPENSUSE-2012-223.NASL", "OPENSUSE-2012-224.NASL", "OPENSUSE-2017-613.NASL", "OPENSUSE-2017-618.NASL", "ORACLELINUX_ELSA-2012-0465.NASL", "ORACLELINUX_ELSA-2012-0466.NASL", "ORACLELINUX_ELSA-2012-0478.NASL", "ORACLELINUX_ELSA-2013-0506.NASL", "ORACLELINUX_ELSA-2013-0515.NASL", "ORACLELINUX_ELSA-2017-1270.NASL", "ORACLELINUX_ELSA-2017-1271.NASL", "ORACLELINUX_ELSA-2017-1272.NASL", "REDHAT-RHSA-2012-0465.NASL", "REDHAT-RHSA-2012-0466.NASL", "REDHAT-RHSA-2013-0506.NASL", "REDHAT-RHSA-2013-0515.NASL", "REDHAT-RHSA-2017-1270.NASL", "REDHAT-RHSA-2017-1271.NASL", "REDHAT-RHSA-2017-1272.NASL", "REDHAT-RHSA-2017-1273.NASL", "REDHAT-RHSA-2017-1390.NASL", "SAMBA_4_6_4.NASL", "SAMBA_RPC_MULTIPLE_BUFFER_OVERFLOWS.NASL", "SLACKWARE_SSA_2017-144-01.NASL", "SL_20120410_SAMBA3X_ON_SL5_X.NASL", "SL_20120410_SAMBA_ON_SL5_X.NASL", "SL_20130221_OPENCHANGE_ON_SL6_X.NASL", "SL_20130221_SAMBA4_ON_SL6_X.NASL", "SL_20170524_SAMBA4_ON_SL6_X.NASL", "SL_20170524_SAMBA_ON_SL6_X.NASL", "SOLARIS11_SAMBA_20121016.NASL", "SUSE_11_CIFS-MOUNT-120411.NASL", "SUSE_11_LDAPSMB-120415.NASL", "SUSE_CIFS-MOUNT-8058.NASL", "SUSE_SU-2017-1391-1.NASL", "SUSE_SU-2017-1392-1.NASL", "SUSE_SU-2017-1393-1.NASL", "SUSE_SU-2017-1396-1.NASL", "UBUNTU_USN-1423-1.NASL", "UBUNTU_USN-3296-1.NASL", "UBUNTU_USN-3296-2.NASL", "VIRTUOZZO_VZLSA-2017-1270.NASL", "VIRTUOZZO_VZLSA-2017-1271.NASL"]}, {"type": "nmap", "idList": ["NMAP:ACARSD-INFO.NSE", "NMAP:ADDRESS-INFO.NSE", "NMAP:AFP-BRUTE.NSE", "NMAP:AFP-LS.NSE", "NMAP:AFP-PATH-VULN.NSE", "NMAP:AFP-SERVERINFO.NSE", "NMAP:AFP-SHOWMOUNT.NSE", "NMAP:AJP-AUTH.NSE", "NMAP:AJP-BRUTE.NSE", "NMAP:AJP-HEADERS.NSE", "NMAP:AJP-METHODS.NSE", "NMAP:AJP-REQUEST.NSE", "NMAP:ALLSEEINGEYE-INFO.NSE", "NMAP:AMQP-INFO.NSE", "NMAP:ASN-QUERY.NSE", "NMAP:AUTH-OWNERS.NSE", "NMAP:AUTH-SPOOF.NSE", "NMAP:BACKORIFICE-BRUTE.NSE", "NMAP:BACKORIFICE-INFO.NSE", "NMAP:BACNET-INFO.NSE", "NMAP:BANNER.NSE", "NMAP:BITCOIN-GETADDR.NSE", "NMAP:BITCOIN-INFO.NSE", "NMAP:BITCOINRPC-INFO.NSE", "NMAP:BITTORRENT-DISCOVERY.NSE", "NMAP:BJNP-DISCOVER.NSE", "NMAP:BROADCAST-ATAOE-DISCOVER.NSE", "NMAP:BROADCAST-AVAHI-DOS.NSE", "NMAP:BROADCAST-BJNP-DISCOVER.NSE", "NMAP:BROADCAST-DB2-DISCOVER.NSE", "NMAP:BROADCAST-DHCP-DISCOVER.NSE", "NMAP:BROADCAST-DHCP6-DISCOVER.NSE", "NMAP:BROADCAST-DNS-SERVICE-DISCOVERY.NSE", "NMAP:BROADCAST-DROPBOX-LISTENER.NSE", "NMAP:BROADCAST-EIGRP-DISCOVERY.NSE", "NMAP:BROADCAST-HID-DISCOVERYD.NSE", "NMAP:BROADCAST-IGMP-DISCOVERY.NSE", "NMAP:BROADCAST-JENKINS-DISCOVER.NSE", "NMAP:BROADCAST-LISTENER.NSE", "NMAP:BROADCAST-MS-SQL-DISCOVER.NSE", "NMAP:BROADCAST-NETBIOS-MASTER-BROWSER.NSE", "NMAP:BROADCAST-NETWORKER-DISCOVER.NSE", "NMAP:BROADCAST-NOVELL-LOCATE.NSE", "NMAP:BROADCAST-OSPF2-DISCOVER.NSE", "NMAP:BROADCAST-PC-ANYWHERE.NSE", "NMAP:BROADCAST-PC-DUO.NSE", "NMAP:BROADCAST-PIM-DISCOVERY.NSE", "NMAP:BROADCAST-PING.NSE", "NMAP:BROADCAST-PPPOE-DISCOVER.NSE", "NMAP:BROADCAST-RIP-DISCOVER.NSE", "NMAP:BROADCAST-RIPNG-DISCOVER.NSE", "NMAP:BROADCAST-SONICWALL-DISCOVER.NSE", "NMAP:BROADCAST-SYBASE-ASA-DISCOVER.NSE", "NMAP:BROADCAST-TELLSTICK-DISCOVER.NSE", "NMAP:BROADCAST-UPNP-INFO.NSE", "NMAP:BROADCAST-VERSANT-LOCATE.NSE", "NMAP:BROADCAST-WAKE-ON-LAN.NSE", "NMAP:BROADCAST-WPAD-DISCOVER.NSE", "NMAP:BROADCAST-WSDD-DISCOVER.NSE", "NMAP:BROADCAST-XDMCP-DISCOVER.NSE", "NMAP:CASSANDRA-BRUTE.NSE", "NMAP:CASSANDRA-INFO.NSE", "NMAP:CCCAM-VERSION.NSE", "NMAP:CICS-ENUM.NSE", "NMAP:CICS-INFO.NSE", "NMAP:CICS-USER-BRUTE.NSE", "NMAP:CICS-USER-ENUM.NSE", "NMAP:CITRIX-BRUTE-XML.NSE", "NMAP:CITRIX-ENUM-APPS-XML.NSE", "NMAP:CITRIX-ENUM-APPS.NSE", "NMAP:CITRIX-ENUM-SERVERS-XML.NSE", "NMAP:CITRIX-ENUM-SERVERS.NSE", "NMAP:CLAMAV-EXEC.NSE", "NMAP:CLOCK-SKEW.NSE", "NMAP:COAP-RESOURCES.NSE", "NMAP:COUCHDB-DATABASES.NSE", "NMAP:COUCHDB-STATS.NSE", "NMAP:CREDS-SUMMARY.NSE", "NMAP:CUPS-INFO.NSE", "NMAP:CUPS-QUEUE-INFO.NSE", "NMAP:CVS-BRUTE-REPOSITORY.NSE", "NMAP:CVS-BRUTE.NSE", "NMAP:DAAP-GET-LIBRARY.NSE", "NMAP:DAYTIME.NSE", "NMAP:DB2-DAS-INFO.NSE", "NMAP:DELUGE-RPC-BRUTE.NSE", "NMAP:DHCP-DISCOVER.NSE", "NMAP:DICOM-BRUTE.NSE", "NMAP:DICOM-PING.NSE", "NMAP:DICT-INFO.NSE", "NMAP:DISTCC-CVE2004-2687.NSE", "NMAP:DNS-BLACKLIST.NSE", "NMAP:DNS-BRUTE.NSE", "NMAP:DNS-CACHE-SNOOP.NSE", "NMAP:DNS-CHECK-ZONE.NSE", "NMAP:DNS-CLIENT-SUBNET-SCAN.NSE", "NMAP:DNS-FUZZ.NSE", "NMAP:DNS-IP6-ARPA-SCAN.NSE", "NMAP:DNS-NSEC-ENUM.NSE", "NMAP:DNS-NSEC3-ENUM.NSE", "NMAP:DNS-NSID.NSE", "NMAP:DNS-RANDOM-SRCPORT.NSE", "NMAP:DNS-RANDOM-TXID.NSE", "NMAP:DNS-RECURSION.NSE", "NMAP:DNS-SERVICE-DISCOVERY.NSE", "NMAP:DNS-SRV-ENUM.NSE", "NMAP:DNS-UPDATE.NSE", "NMAP:DNS-ZEUSTRACKER.NSE", "NMAP:DNS-ZONE-TRANSFER.NSE", "NMAP:DOCKER-VERSION.NSE", "NMAP:DOMCON-BRUTE.NSE", "NMAP:DOMCON-CMD.NSE", "NMAP:DOMINO-ENUM-USERS.NSE", "NMAP:DPAP-BRUTE.NSE", "NMAP:DRDA-BRUTE.NSE", "NMAP:DRDA-INFO.NSE", "NMAP:DUPLICATES.NSE", "NMAP:EAP-INFO.NSE", "NMAP:ENIP-INFO.NSE", "NMAP:EPMD-INFO.NSE", "NMAP:EPPC-ENUM-PROCESSES.NSE", "NMAP:FCRDNS.NSE", "NMAP:FINGER.NSE", "NMAP:FINGERPRINT-STRINGS.NSE", "NMAP:FIREWALK.NSE", "NMAP:FIREWALL-BYPASS.NSE", "NMAP:FLUME-MASTER-INFO.NSE", "NMAP:FOX-INFO.NSE", "NMAP:FREELANCER-INFO.NSE", "NMAP:FTP-ANON.NSE", "NMAP:FTP-BOUNCE.NSE", "NMAP:FTP-BRUTE.NSE", "NMAP:FTP-LIBOPIE.NSE", "NMAP:FTP-PROFTPD-BACKDOOR.NSE", "NMAP:FTP-SYST.NSE", "NMAP:FTP-VSFTPD-BACKDOOR.NSE", "NMAP:FTP-VULN-CVE2010-4221.NSE", "NMAP:GANGLIA-INFO.NSE", "NMAP:GIOP-INFO.NSE", "NMAP:GKRELLM-INFO.NSE", "NMAP:GOPHER-LS.NSE", "NMAP:GPSD-INFO.NSE", "NMAP:HADOOP-DATANODE-INFO.NSE", "NMAP:HADOOP-JOBTRACKER-INFO.NSE", "NMAP:HADOOP-NAMENODE-INFO.NSE", "NMAP:HADOOP-SECONDARY-NAMENODE-INFO.NSE", "NMAP:HADOOP-TASKTRACKER-INFO.NSE", "NMAP:HBASE-MASTER-INFO.NSE", "NMAP:HBASE-REGION-INFO.NSE", "NMAP:HDDTEMP-INFO.NSE", "NMAP:HNAP-INFO.NSE", "NMAP:HOSTMAP-BFK.NSE", "NMAP:HOSTMAP-CRTSH.NSE", "NMAP:HOSTMAP-ROBTEX.NSE", "NMAP:HTTP-ADOBE-COLDFUSION-APSA1301.NSE", "NMAP:HTTP-AFFILIATE-ID.NSE", "NMAP:HTTP-APACHE-NEGOTIATION.NSE", "NMAP:HTTP-APACHE-SERVER-STATUS.NSE", "NMAP:HTTP-ASPNET-DEBUG.NSE", "NMAP:HTTP-AUTH-FINDER.NSE", "NMAP:HTTP-AUTH.NSE", "NMAP:HTTP-AVAYA-IPOFFICE-USERS.NSE", "NMAP:HTTP-AWSTATSTOTALS-EXEC.NSE", "NMAP:HTTP-AXIS2-DIR-TRAVERSAL.NSE", "NMAP:HTTP-BACKUP-FINDER.NSE", "NMAP:HTTP-BARRACUDA-DIR-TRAVERSAL.NSE", "NMAP:HTTP-BIGIP-COOKIE.NSE", "NMAP:HTTP-BRUTE.NSE", "NMAP:HTTP-CAKEPHP-VERSION.NSE", "NMAP:HTTP-CHRONO.NSE", "NMAP:HTTP-CISCO-ANYCONNECT.NSE", "NMAP:HTTP-COLDFUSION-SUBZERO.NSE", "NMAP:HTTP-COMMENTS-DISPLAYER.NSE", "NMAP:HTTP-CONFIG-BACKUP.NSE", "NMAP:HTTP-COOKIE-FLAGS.NSE", "NMAP:HTTP-CORS.NSE", "NMAP:HTTP-CROSS-DOMAIN-POLICY.NSE", "NMAP:HTTP-CSRF.NSE", "NMAP:HTTP-DATE.NSE", "NMAP:HTTP-DEFAULT-ACCOUNTS.NSE", "NMAP:HTTP-DEVFRAMEWORK.NSE", "NMAP:HTTP-DLINK-BACKDOOR.NSE", "NMAP:HTTP-DOMBASED-XSS.NSE", "NMAP:HTTP-DOMINO-ENUM-PASSWORDS.NSE", "NMAP:HTTP-DRUPAL-ENUM-USERS.NSE", "NMAP:HTTP-DRUPAL-ENUM.NSE", "NMAP:HTTP-ENUM.NSE", "NMAP:HTTP-ERRORS.NSE", "NMAP:HTTP-EXIF-SPIDER.NSE", "NMAP:HTTP-FAVICON.NSE", "NMAP:HTTP-FEED.NSE", "NMAP:HTTP-FETCH.NSE", "NMAP:HTTP-FILEUPLOAD-EXPLOITER.NSE", "NMAP:HTTP-FORM-BRUTE.NSE", "NMAP:HTTP-FORM-FUZZER.NSE", "NMAP:HTTP-FRONTPAGE-LOGIN.NSE", "NMAP:HTTP-GENERATOR.NSE", "NMAP:HTTP-GIT.NSE", "NMAP:HTTP-GITWEB-PROJECTS-ENUM.NSE", "NMAP:HTTP-GOOGLE-MALWARE.NSE", "NMAP:HTTP-GREP.NSE", "NMAP:HTTP-HEADERS.NSE", "NMAP:HTTP-HP-ILO-INFO.NSE", "NMAP:HTTP-HUAWEI-HG5XX-VULN.NSE", "NMAP:HTTP-ICLOUD-FINDMYIPHONE.NSE", "NMAP:HTTP-ICLOUD-SENDMSG.NSE", "NMAP:HTTP-IIS-SHORT-NAME-BRUTE.NSE", "NMAP:HTTP-IIS-WEBDAV-VULN.NSE", "NMAP:HTTP-INTERNAL-IP-DISCLOSURE.NSE", "NMAP:HTTP-JOOMLA-BRUTE.NSE", "NMAP:HTTP-JSONP-DETECTION.NSE", "NMAP:HTTP-LITESPEED-SOURCECODE-DOWNLOAD.NSE", "NMAP:HTTP-LS.NSE", "NMAP:HTTP-MAJORDOMO2-DIR-TRAVERSAL.NSE", "NMAP:HTTP-MALWARE-HOST.NSE", "NMAP:HTTP-MCMP.NSE", "NMAP:HTTP-METHOD-TAMPER.NSE", "NMAP:HTTP-METHODS.NSE", "NMAP:HTTP-MOBILEVERSION-CHECKER.NSE", "NMAP:HTTP-NTLM-INFO.NSE", "NMAP:HTTP-OPEN-PROXY.NSE", "NMAP:HTTP-OPEN-REDIRECT.NSE", "NMAP:HTTP-PASSWD.NSE", "NMAP:HTTP-PHP-VERSION.NSE", "NMAP:HTTP-PHPMYADMIN-DIR-TRAVERSAL.NSE", "NMAP:HTTP-PHPSELF-XSS.NSE", "NMAP:HTTP-PROXY-BRUTE.NSE", "NMAP:HTTP-PUT.NSE", "NMAP:HTTP-QNAP-NAS-INFO.NSE", "NMAP:HTTP-REFERER-CHECKER.NSE", "NMAP:HTTP-RFI-SPIDER.NSE", "NMAP:HTTP-ROBTEX-REVERSE-IP.NSE", "NMAP:HTTP-ROBTEX-SHARED-NS.NSE", "NMAP:HTTP-SAP-NETWEAVER-LEAK.NSE", "NMAP:HTTP-SECURITY-HEADERS.NSE", "NMAP:HTTP-SERVER-HEADER.NSE", "NMAP:HTTP-SHELLSHOCK.NSE", "NMAP:HTTP-SITEMAP-GENERATOR.NSE", "NMAP:HTTP-SLOWLORIS-CHECK.NSE", "NMAP:HTTP-SLOWLORIS.NSE", "NMAP:HTTP-SQL-INJECTION.NSE", "NMAP:HTTP-STORED-XSS.NSE", "NMAP:HTTP-SVN-ENUM.NSE", "NMAP:HTTP-SVN-INFO.NSE", "NMAP:HTTP-TITLE.NSE", "NMAP:HTTP-TPLINK-DIR-TRAVERSAL.NSE", "NMAP:HTTP-TRACE.NSE", "NMAP:HTTP-TRACEROUTE.NSE", "NMAP:HTTP-TRANE-INFO.NSE", "NMAP:HTTP-UNSAFE-OUTPUT-ESCAPING.NSE", "NMAP:HTTP-USERAGENT-TESTER.NSE", "NMAP:HTTP-USERDIR-ENUM.NSE", "NMAP:HTTP-VHOSTS.NSE", "NMAP:HTTP-VIRUSTOTAL.NSE", "NMAP:HTTP-VLCSTREAMER-LS.NSE", "NMAP:HTTP-VMWARE-PATH-VULN.NSE", "NMAP:HTTP-VULN-CVE2006-3392.NSE", "NMAP:HTTP-VULN-CVE2009-3960.NSE", "NMAP:HTTP-VULN-CVE2010-0738.NSE", "NMAP:HTTP-VULN-CVE2010-2861.NSE", "NMAP:HTTP-VULN-CVE2011-3192.NSE", "NMAP:HTTP-VULN-CVE2011-3368.NSE", "NMAP:HTTP-VULN-CVE2012-1823.NSE", "NMAP:HTTP-VULN-CVE2013-0156.NSE", "NMAP:HTTP-VULN-CVE2013-6786.NSE", "NMAP:HTTP-VULN-CVE2013-7091.NSE", "NMAP:HTTP-VULN-CVE2014-2126.NSE", "NMAP:HTTP-VULN-CVE2014-2127.NSE", "NMAP:HTTP-VULN-CVE2014-2128.NSE", "NMAP:HTTP-VULN-CVE2014-2129.NSE", "NMAP:HTTP-VULN-CVE2014-3704.NSE", "NMAP:HTTP-VULN-CVE2014-8877.NSE", "NMAP:HTTP-VULN-CVE2015-1427.NSE", "NMAP:HTTP-VULN-CVE2015-1635.NSE", "NMAP:HTTP-VULN-CVE2017-1001000.NSE", "NMAP:HTTP-VULN-CVE2017-5638.NSE", "NMAP:HTTP-VULN-CVE2017-5689.NSE", "NMAP:HTTP-VULN-CVE2017-8917.NSE", "NMAP:HTTP-VULN-MISFORTUNE-COOKIE.NSE", "NMAP:HTTP-VULN-WNR1000-CREDS.NSE", "NMAP:HTTP-WAF-DETECT.NSE", "NMAP:HTTP-WAF-FINGERPRINT.NSE", "NMAP:HTTP-WEBDAV-SCAN.NSE", "NMAP:HTTP-WORDPRESS-BRUTE.NSE", "NMAP:HTTP-WORDPRESS-ENUM.NSE", "NMAP:HTTP-WORDPRESS-USERS.NSE", "NMAP:HTTP-XSSED.NSE", "NMAP:HTTPS-REDIRECT.NSE", "NMAP:IAX2-BRUTE.NSE", "NMAP:IAX2-VERSION.NSE", "NMAP:ICAP-INFO.NSE", "NMAP:IEC-IDENTIFY.NSE", "NMAP:IKE-VERSION.NSE", "NMAP:IMAP-BRUTE.NSE", "NMAP:IMAP-CAPABILITIES.NSE", "NMAP:IMAP-NTLM-INFO.NSE", "NMAP:IMPRESS-REMOTE-DISCOVER.NSE", "NMAP:INFORMIX-BRUTE.NSE", "NMAP:INFORMIX-QUERY.NSE", "NMAP:INFORMIX-TABLES.NSE", "NMAP:IP-FORWARDING.NSE", "NMAP:IP-GEOLOCATION-GEOPLUGIN.NSE", "NMAP:IP-GEOLOCATION-IPINFODB.NSE", "NMAP:IP-GEOLOCATION-MAP-BING.NSE", "NMAP:IP-GEOLOCATION-MAP-GOOGLE.NSE", "NMAP:IP-GEOLOCATION-MAP-KML.NSE", "NMAP:IP-GEOLOCATION-MAXMIND.NSE", "NMAP:IP-HTTPS-DISCOVER.NSE", "NMAP:IPIDSEQ.NSE", "NMAP:IPMI-BRUTE.NSE", "NMAP:IPMI-CIPHER-ZERO.NSE", "NMAP:IPMI-VERSION.NSE", "NMAP:IPV6-MULTICAST-MLD-LIST.NSE", "NMAP:IPV6-NODE-INFO.NSE", "NMAP:IPV6-RA-FLOOD.NSE", "NMAP:IRC-BOTNET-CHANNELS.NSE", "NMAP:IRC-BRUTE.NSE", "NMAP:IRC-INFO.NSE", "NMAP:IRC-SASL-BRUTE.NSE", "NMAP:IRC-UNREALIRCD-BACKDOOR.NSE", "NMAP:ISCSI-BRUTE.NSE", "NMAP:ISCSI-INFO.NSE", "NMAP:ISNS-INFO.NSE", "NMAP:JDWP-EXEC.NSE", "NMAP:JDWP-INFO.NSE", "NMAP:JDWP-INJECT.NSE", "NMAP:JDWP-VERSION.NSE", "NMAP:KNX-GATEWAY-DISCOVER.NSE", "NMAP:KNX-GATEWAY-INFO.NSE", "NMAP:KRB5-ENUM-USERS.NSE", "NMAP:LDAP-BRUTE.NSE", "NMAP:LDAP-NOVELL-GETPASS.NSE", "NMAP:LDAP-ROOTDSE.NSE", "NMAP:LDAP-SEARCH.NSE", "NMAP:LEXMARK-CONFIG.NSE", "NMAP:LLMNR-RESOLVE.NSE", "NMAP:LLTD-DISCOVERY.NSE", "NMAP:MAXDB-INFO.NSE", "NMAP:MCAFEE-EPO-AGENT.NSE", "NMAP:MEMBASE-BRUTE.NSE", "NMAP:MEMBASE-HTTP-INFO.NSE", "NMAP:MEMCACHED-INFO.NSE", "NMAP:METASPLOIT-INFO.NSE", "NMAP:METASPLOIT-MSGRPC-BRUTE.NSE", "NMAP:METASPLOIT-XMLRPC-BRUTE.NSE", "NMAP:MIKROTIK-ROUTEROS-BRUTE.NSE", "NMAP:MMOUSE-BRUTE.NSE", "NMAP:MMOUSE-EXEC.NSE", "NMAP:MODBUS-DISCOVER.NSE", "NMAP:MONGODB-BRUTE.NSE", "NMAP:MONGODB-DATABASES.NSE", "NMAP:MONGODB-INFO.NSE", "NMAP:MQTT-SUBSCRIBE.NSE", "NMAP:MRINFO.NSE", "NMAP:MS-SQL-BRUTE.NSE", "NMAP:MS-SQL-CONFIG.NSE", "NMAP:MS-SQL-DAC.NSE", "NMAP:MS-SQL-DUMP-HASHES.NSE", "NMAP:MS-SQL-EMPTY-PASSWORD.NSE", "NMAP:MS-SQL-HASDBACCESS.NSE", "NMAP:MS-SQL-INFO.NSE", "NMAP:MS-SQL-NTLM-INFO.NSE", "NMAP:MS-SQL-QUERY.NSE", "NMAP:MS-SQL-TABLES.NSE", "NMAP:MS-SQL-XP-CMDSHELL.NSE", "NMAP:MSRPC-ENUM.NSE", "NMAP:MTRACE.NSE", "NMAP:MURMUR-VERSION.NSE", "NMAP:MYSQL-AUDIT.NSE", "NMAP:MYSQL-BRUTE.NSE", "NMAP:MYSQL-DATABASES.NSE", "NMAP:MYSQL-DUMP-HASHES.NSE", "NMAP:MYSQL-EMPTY-PASSWORD.NSE", "NMAP:MYSQL-ENUM.NSE", "NMAP:MYSQL-INFO.NSE", "NMAP:MYSQL-QUERY.NSE", "NMAP:MYSQL-USERS.NSE", "NMAP:MYSQL-VARIABLES.NSE", "NMAP:MYSQL-VULN-CVE2012-2122.NSE", "NMAP:NAT-PMP-INFO.NSE", "NMAP:NAT-PMP-MAPPORT.NSE", "NMAP:NBD-INFO.NSE", "NMAP:NBNS-INTERFACES.NSE", "NMAP:NBSTAT.NSE", "NMAP:NCP-ENUM-USERS.NSE", "NMAP:NCP-SERVERINFO.NSE", "NMAP:NDMP-FS-INFO.NSE", "NMAP:NDMP-VERSION.NSE", "NMAP:NESSUS-BRUTE.NSE", "NMAP:NESSUS-XMLRPC-BRUTE.NSE", "NMAP:NETBUS-AUTH-BYPASS.NSE", "NMAP:NETBUS-BRUTE.NSE", "NMAP:NETBUS-INFO.NSE", "NMAP:NETBUS-VERSION.NSE", "NMAP:NEXPOSE-BRUTE.NSE", "NMAP:NFS-LS.NSE", "NMAP:NFS-SHOWMOUNT.NSE", "NMAP:NFS-STATFS.NSE", "NMAP:NJE-NODE-BRUTE.NSE", "NMAP:NJE-PASS-BRUTE.NSE", "NMAP:NNTP-NTLM-INFO.NSE", "NMAP:NPING-BRUTE.NSE", "NMAP:NRPE-ENUM.NSE", "NMAP:NTP-INFO.NSE", "NMAP:NTP-MONLIST.NSE", "NMAP:OMP2-BRUTE.NSE", "NMAP:OMP2-ENUM-TARGETS.NSE", "NMAP:OMRON-INFO.NSE", "NMAP:OPENFLOW-INFO.NSE", "NMAP:OPENLOOKUP-INFO.NSE", "NMAP:OPENVAS-OTP-BRUTE.NSE", "NMAP:OPENWEBNET-DISCOVERY.NSE", "NMAP:ORACLE-BRUTE-STEALTH.NSE", "NMAP:ORACLE-BRUTE.NSE", "NMAP:ORACLE-ENUM-USERS.NSE", "NMAP:ORACLE-SID-BRUTE.NSE", "NMAP:ORACLE-TNS-VERSION.NSE", "NMAP:OVS-AGENT-VERSION.NSE", "NMAP:P2P-CONFICKER.NSE", "NMAP:PATH-MTU.NSE", "NMAP:PCANYWHERE-BRUTE.NSE", "NMAP:PCWORX-INFO.NSE", "NMAP:PGSQL-BRUTE.NSE", "NMAP:PJL-READY-MESSAGE.NSE", "NMAP:POP3-BRUTE.NSE", "NMAP:POP3-CAPABILITIES.NSE", "NMAP:POP3-NTLM-INFO.NSE", "NMAP:PORT-STATES.NSE", "NMAP:PPTP-VERSION.NSE", "NMAP:PUPPET-NAIVESIGNING.NSE", "NMAP:QCONN-EXEC.NSE", "NMAP:QSCAN.NSE", "NMAP:QUAKE1-INFO.NSE", "NMAP:QUAKE3-INFO.NSE", "NMAP:QUAKE3-MASTER-GETSERVERS.NSE", "NMAP:RDP-ENUM-ENCRYPTION.NSE", "NMAP:RDP-NTLM-INFO.NSE", "NMAP:RDP-VULN-MS12-020.NSE", "NMAP:REALVNC-AUTH-BYPASS.NSE", "NMAP:REDIS-BRUTE.NSE", "NMAP:REDIS-INFO.NSE", "NMAP:RESOLVEALL.NSE", "NMAP:REVERSE-INDEX.NSE", "NMAP:REXEC-BRUTE.NSE", "NMAP:RFC868-TIME.NSE", "NMAP:RIAK-HTTP-INFO.NSE", "NMAP:RLOGIN-BRUTE.NSE", "NMAP:RMI-DUMPREGISTRY.NSE", "NMAP:RMI-VULN-CLASSLOADER.NSE", "NMAP:RPC-GRIND.NSE", "NMAP:RPCAP-BRUTE.NSE", "NMAP:RPCAP-INFO.NSE", "NMAP:RPCINFO.NSE", "NMAP:RSA-VULN-ROCA.NSE", "NMAP:RSYNC-BRUTE.NSE", "NMAP:RSYNC-LIST-MODULES.NSE", "NMAP:RTSP-METHODS.NSE", "NMAP:RTSP-URL-BRUTE.NSE", "NMAP:RUSERS.NSE", "NMAP:S7-INFO.NSE", "NMAP:SAMBA-VULN-CVE-2012-1182.NSE", "NMAP:SERVICETAGS.NSE", "NMAP:SHODAN-API.NSE", "NMAP:SIP-BRUTE.NSE", "NMAP:SIP-CALL-SPOOF.NSE", "NMAP:SIP-ENUM-USERS.NSE", "NMAP:SIP-METHODS.NSE", "NMAP:SKYPEV2-VERSION.NSE", "NMAP:SMB-BRUTE.NSE", "NMAP:SMB-DOUBLE-PULSAR-BACKDOOR.NSE", "NMAP:SMB-ENUM-DOMAINS.NSE", "NMAP:SMB-ENUM-GROUPS.NSE", "NMAP:SMB-ENUM-PROCESSES.NSE", "NMAP:SMB-ENUM-SERVICES.NSE", "NMAP:SMB-ENUM-SESSIONS.NSE", "NMAP:SMB-ENUM-SHARES.NSE", "NMAP:SMB-ENUM-USERS.NSE", "NMAP:SMB-FLOOD.NSE", "NMAP:SMB-LS.NSE", "NMAP:SMB-MBENUM.NSE", "NMAP:SMB-OS-DISCOVERY.NSE", "NMAP:SMB-PRINT-TEXT.NSE", "NMAP:SMB-PROTOCOLS.NSE", "NMAP:SMB-PSEXEC.NSE", "NMAP:SMB-SECURITY-MODE.NSE", "NMAP:SMB-SERVER-STATS.NSE", "NMAP:SMB-SYSTEM-INFO.NSE", "NMAP:SMB-VULN-CONFICKER.NSE", "NMAP:SMB-VULN-CVE-2017-7494.NSE", "NMAP:SMB-VULN-CVE2009-3103.NSE", "NMAP:SMB-VULN-MS06-025.NSE", "NMAP:SMB-VULN-MS07-029.NSE", "NMAP:SMB-VULN-MS08-067.NSE", "NMAP:SMB-VULN-MS10-054.NSE", "NMAP:SMB-VULN-MS10-061.NSE", "NMAP:SMB-VULN-MS17-010.NSE", "NMAP:SMB-VULN-REGSVC-DOS.NSE", "NMAP:SMB-VULN-WEBEXEC.NSE", "NMAP:SMB-WEBEXEC-EXPLOIT.NSE", "NMAP:SMB2-CAPABILITIES.NSE", "NMAP:SMB2-SECURITY-MODE.NSE", "NMAP:SMB2-TIME.NSE", "NMAP:SMB2-VULN-UPTIME.NSE", "NMAP:SMTP-BRUTE.NSE", "NMAP:SMTP-COMMANDS.NSE", "NMAP:SMTP-ENUM-USERS.NSE", "NMAP:SMTP-NTLM-INFO.NSE", "NMAP:SMTP-OPEN-RELAY.NSE", "NMAP:SMTP-STRANGEPORT.NSE", "NMAP:SMTP-VULN-CVE2010-4344.NSE", "NMAP:SMTP-VULN-CVE2011-1720.NSE", "NMAP:SMTP-VULN-CVE2011-1764.NSE", "NMAP:SNIFFER-DETECT.NSE", "NMAP:SNMP-BRUTE.NSE", "NMAP:SNMP-HH3C-LOGINS.NSE", "NMAP:SNMP-INFO.NSE", "NMAP:SNMP-INTERFACES.NSE", "NMAP:SNMP-IOS-CONFIG.NSE", "NMAP:SNMP-NETSTAT.NSE", "NMAP:SNMP-PROCESSES.NSE", "NMAP:SNMP-SYSDESCR.NSE", "NMAP:SNMP-WIN32-SERVICES.NSE", "NMAP:SNMP-WIN32-SHARES.NSE", "NMAP:SNMP-WIN32-SOFTWARE.NSE", "NMAP:SNMP-WIN32-USERS.NSE", "NMAP:SOCKS-AUTH-INFO.NSE", "NMAP:SOCKS-BRUTE.NSE", "NMAP:SOCKS-OPEN-PROXY.NSE", "NMAP:SSH-AUTH-METHODS.NSE", "NMAP:SSH-BRUTE.NSE", "NMAP:SSH-HOSTKEY.NSE", "NMAP:SSH-PUBLICKEY-ACCEPTANCE.NSE", "NMAP:SSH-RUN.NSE", "NMAP:SSH2-ENUM-ALGOS.NSE", "NMAP:SSHV1.NSE", "NMAP:SSL-CCS-INJECTION.NSE", "NMAP:SSL-CERT-INTADDR.NSE", "NMAP:SSL-CERT.NSE", "NMAP:SSL-DATE.NSE", "NMAP:SSL-DH-PARAMS.NSE", "NMAP:SSL-ENUM-CIPHERS.NSE", "NMAP:SSL-HEARTBLEED.NSE", "NMAP:SSL-KNOWN-KEY.NSE", "NMAP:SSL-POODLE.NSE", "NMAP:SSLV2-DROWN.NSE", "NMAP:SSLV2.NSE", "NMAP:SSTP-DISCOVER.NSE", "NMAP:STUN-INFO.NSE", "NMAP:STUN-VERSION.NSE", "NMAP:STUXNET-DETECT.NSE", "NMAP:SUPERMICRO-IPMI-CONF.NSE", "NMAP:SVN-BRUTE.NSE", "NMAP:TARGETS-ASN.NSE", "NMAP:TARGETS-IPV6-MAP4TO6.NSE", "NMAP:TARGETS-IPV6-MULTICAST-ECHO.NSE", "NMAP:TARGETS-IPV6-MULTICAST-INVALID-DST.NSE", "NMAP:TARGETS-IPV6-MULTICAST-MLD.NSE", "NMAP:TARGETS-IPV6-MULTICAST-SLAAC.NSE", "NMAP:TARGETS-IPV6-WORDLIST.NSE", "NMAP:TARGETS-SNIFFER.NSE", "NMAP:TARGETS-TRACEROUTE.NSE", "NMAP:TARGETS-XML.NSE", "NMAP:TEAMSPEAK2-VERSION.NSE", "NMAP:TELNET-BRUTE.NSE", "NMAP:TELNET-ENCRYPTION.NSE", "NMAP:TELNET-NTLM-INFO.NSE", "NMAP:TFTP-ENUM.NSE", "NMAP:TLS-ALPN.NSE", "NMAP:TLS-NEXTPROTONEG.NSE", "NMAP:TLS-TICKETBLEED.NSE", "NMAP:TN3270-SCREEN.NSE", "NMAP:TOR-CONSENSUS-CHECKER.NSE", "NMAP:TRACEROUTE-GEOLOCATION.NSE", "NMAP:TSO-BRUTE.NSE", "NMAP:TSO-ENUM.NSE", "NMAP:UBIQUITI-DISCOVERY.NSE", "NMAP:UNITTEST.NSE", "NMAP:UNUSUAL-PORT.NSE", "NMAP:UPNP-INFO.NSE", "NMAP:UPTIME-AGENT-INFO.NSE", "NMAP:URL-SNARF.NSE", "NMAP:VENTRILO-INFO.NSE", "NMAP:VERSANT-INFO.NSE", "NMAP:VMAUTHD-BRUTE.NSE", "NMAP:VMWARE-VERSION.NSE", "NMAP:VNC-BRUTE.NSE", "NMAP:VNC-INFO.NSE", "NMAP:VNC-TITLE.NSE", "NMAP:VOLDEMORT-INFO.NSE", "NMAP:VTAM-ENUM.NSE", "NMAP:VULNERS.NSE", "NMAP:VUZE-DHT-INFO.NSE", "NMAP:WDB-VERSION.NSE", "NMAP:WEBLOGIC-T3-INFO.NSE", "NMAP:WHOIS-DOMAIN.NSE", "NMAP:WHOIS-IP.NSE", "NMAP:WSDD-DISCOVER.NSE", "NMAP:X11-ACCESS.NSE", "NMAP:XDMCP-DISCOVER.NSE", "NMAP:XMLRPC-METHODS.NSE", "NMAP:XMPP-BRUTE.NSE", "NMAP:XMPP-INFO.NSE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310123690", "OPENVAS:1361412562310123695", "OPENVAS:1361412562310123940", "OPENVAS:1361412562310123943", "OPENVAS:1361412562310703860", "OPENVAS:136141256231071254", "OPENVAS:136141256231071279", "OPENVAS:136141256231071548", "OPENVAS:1361412562310802794", "OPENVAS:1361412562310811055", "OPENVAS:1361412562310831574", "OPENVAS:1361412562310840980", "OPENVAS:1361412562310843180", "OPENVAS:1361412562310850203", "OPENVAS:1361412562310850289", "OPENVAS:1361412562310851557", "OPENVAS:1361412562310851559", "OPENVAS:1361412562310864158", "OPENVAS:1361412562310864174", "OPENVAS:1361412562310864200", "OPENVAS:1361412562310864205", "OPENVAS:1361412562310864213", "OPENVAS:1361412562310864238", "OPENVAS:1361412562310864306", "OPENVAS:1361412562310865323", "OPENVAS:1361412562310865347", "OPENVAS:1361412562310870581", "OPENVAS:1361412562310870584", "OPENVAS:1361412562310870928", "OPENVAS:1361412562310870935", "OPENVAS:1361412562310871821", "OPENVAS:1361412562310871822", "OPENVAS:1361412562310872718", "OPENVAS:1361412562310872719", "OPENVAS:1361412562310881179", "OPENVAS:1361412562310881194", "OPENVAS:1361412562310881228", "OPENVAS:1361412562310881650", "OPENVAS:1361412562310881654", "OPENVAS:1361412562310881680", "OPENVAS:1361412562310882723", "OPENVAS:1361412562310882724", "OPENVAS:1361412562310882726", "OPENVAS:1361412562310890951", "OPENVAS:1361412562311220171104", "OPENVAS:1361412562311220171105", "OPENVAS:703860", "OPENVAS:71254", "OPENVAS:71279", "OPENVAS:71548", "OPENVAS:802794", "OPENVAS:831574", "OPENVAS:840980", "OPENVAS:850203", "OPENVAS:850289", "OPENVAS:864158", "OPENVAS:864174", "OPENVAS:864200", "OPENVAS:864205", "OPENVAS:864213", "OPENVAS:864238", "OPENVAS:864306", "OPENVAS:865323", "OPENVAS:865347", "OPENVAS:870581", "OPENVAS:870584", "OPENVAS:870928", "OPENVAS:870935", "OPENVAS:881179", "OPENVAS:881194", "OPENVAS:881228", "OPENVAS:881650", "OPENVAS:881654", "OPENVAS:881680"]}, {"type": "oraclelinux", "idList": ["ELSA-2012-0465", "ELSA-2012-0466", "ELSA-2012-0478", "ELSA-2013-0506", "ELSA-2013-0515", "ELSA-2017-1270", "ELSA-2017-1271", "ELSA-2017-1272", "ELSA-2017-1950", "ELSA-2018-1860"]}, {"type": "osv", "idList": ["OSV:DLA-951-1", "OSV:DSA-2450-1", "OSV:DSA-3860-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:116843", "PACKETSTORM:116953", "PACKETSTORM:142657", "PACKETSTORM:142715", "PACKETSTORM:142782"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:D20A6BA20BB0FAD48EDDE6836F08EDBA"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:38689BEB2152AB6F6A52F8E26AA1499F", "RAPID7COMMUNITY:41DCA564C1D56E5188C09BCC956BC029", "RAPID7COMMUNITY:70F4A599D7DDC69173F490543EA5873E", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595"]}, {"type": "redhat", "idList": ["RHSA-2012:0465", "RHSA-2012:0466", "RHSA-2012:0478", "RHSA-2013:0506", "RHSA-2013:0515", "RHSA-2017:1270", "RHSA-2017:1271", "RHSA-2017:1272", "RHSA-2017:1273", "RHSA-2017:1390"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-7494"]}, {"type": "saint", "idList": ["SAINT:3579A721D51A069C725493EA48A26E42", "SAINT:6FE788CBA26F517C02B44A699047593B", "SAINT:C50A339EFD5B2F96051BC00F96014CAA"]}, {"type": "samba", "idList": ["SAMBA:CVE-2012-1182", "SAMBA:CVE-2017-7494"]}, {"type": "securelist", "idList": ["SECURELIST:A16165B9EDE725C7470E1FA5D469DA0F"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:28165", "SECURITYVULNS:VULN:12328", "SECURITYVULNS:VULN:12426", "SECURITYVULNS:VULN:12518"]}, {"type": "seebug", "idList": ["SSV:60050", "SSV:93139"]}, {"type": "slackware", "idList": ["SSA-2017-144-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2012:0507-1", "OPENSUSE-SU-2012:0508-1", "OPENSUSE-SU-2017:1401-1", "OPENSUSE-SU-2017:1415-1", "SUSE-SU-2012:0500-1", "SUSE-SU-2012:0501-1", "SUSE-SU-2012:0501-2", "SUSE-SU-2012:0502-1", "SUSE-SU-2012:0504-1", "SUSE-SU-2012:0515-1", "SUSE-SU-2017:1391-1", "SUSE-SU-2017:1392-1", "SUSE-SU-2017:1393-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:9256DE4CBAB937F2D9EAEDCA068E3DE9"]}, {"type": "thn", "idList": ["THN:4706A097E7EBD85B2426246B35CDC5E6", "THN:590A2A4F40D408F427266EBA5EE7B530", "THN:9D54715DA42C8EB2A5D3C8AA0A5EE0B7", "THN:9DF1743B35B2E69D4835136091D08EAD", "THN:B1F7A116FFB321FFB433B2511F0594AA"]}, {"type": "threatpost", "idList": ["THREATPOST:5800C37DAB0716BD2D308FB187B6B7E1", "THREATPOST:6B393C6EA80E795EF303485AFABE5327", "THREATPOST:B108BD1ECF3200F21B65BFC1C849F747"]}, {"type": "ubuntu", "idList": ["USN-1423-1", "USN-3296-1", "USN-3296-2"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2012-1182", "UB:CVE-2017-7494"]}, {"type": "zdi", "idList": ["ZDI-12-061", "ZDI-12-062", "ZDI-12-063", "ZDI-12-064", "ZDI-12-068", "ZDI-12-069", "ZDI-12-070", "ZDI-12-071", "ZDI-12-072"]}, {"type": "zdt", "idList": ["1337DAY-ID-27836", "1337DAY-ID-27859"]}]}, "backreferences": {"references": [{"type": "amazon", "idList": ["ALAS-2017-834"]}, {"type": "archlinux", "idList": ["ASA-201705-22"]}, {"type": "attackerkb", "idList": ["AKB:49AAF9A1-B710-4CA1-AAFA-3C022294A5D4"]}, {"type": "avleonov", "idList": ["AVLEONOV:40C2BE2DE75816DD7ED47DA106AF9627"]}, {"type": "canvas", "idList": ["SAMBA_IS_KNOWN_PIPENAME"]}, {"type": "centos", "idList": ["CESA-2017:1270", "CESA-2017:1271"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0444"]}, {"type": "cisa", "idList": ["CISA:384A71FB1AD858FAC86EEB1A7660E778"]}, {"type": "cisco", "idList": ["CISCO-SA-20170530-SAMBA"]}, {"type": "cve", "idList": ["CVE-2017-7494"]}, {"type": "debian", "idList": ["DEBIAN:DLA-951-1:1BAA2", "DEBIAN:DSA-3860-1:8B793"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-7494"]}, {"type": "exploitdb", "idList": ["EDB-ID:42060", "EDB-ID:42084"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:11BDEE18B40708887778CCF837705185"]}, {"type": "f5", "idList": ["F5:K13551136", "SOL13719"]}, {"type": "fedora", "idList": ["FEDORA:0B8006061CC2", "FEDORA:219F3605E539", "FEDORA:79D7720B02", "FEDORA:BC7B0601FC16"]}, {"type": "fireeye", "idList": ["FIREEYE:DC498F7CA24681C582F008B675092B7D"]}, {"type": "freebsd", "idList": ["6F4D96C0-4062-11E7-B291-B499BAEBFEAF", "BAF37CD2-8351-11E1-894E-00215C6A37BB"]}, {"type": "gentoo", "idList": ["GLSA-201805-07"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170613-01-SAMBA", "HUAWEI-SA-20171129-01-SAMBA"]}, {"type": "ibm", "idList": ["82248DC9C1F555BF98367B4387954D2C23BFE20908CE565E0127C6A3FC16193E", "CE6756539D503C94C0FE819367133FAF5CF98E845923A4230C5E49923B068701"]}, {"type": "ics", "idList": ["ICSA-17-180-02"]}, {"type": "kitploit", "idList": ["KITPLOIT:5052987141331551837"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/SAMBA/IS_KNOWN_PIPENAME"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786440", "MYHACK58:62201786477", "MYHACK58:62201786521", "MYHACK58:62201786995"]}, {"type": "nessus", "idList": ["ALA_ALAS-2017-834.NASL", "CENTOS_RHSA-2017-1270.NASL", "CENTOS_RHSA-2017-1271.NASL", "DEBIAN_DLA-951.NASL", "DEBIAN_DSA-3860.NASL", "EULEROS_SA-2017-1104.NASL", "EULEROS_SA-2017-1105.NASL", "FEDORA_2017-570C0071C4.NASL", "FEDORA_2017-642A0ECA75.NASL", "FREEBSD_PKG_6F4D96C0406211E7B291B499BAEBFEAF.NASL", "OPENSUSE-2017-613.NASL", "OPENSUSE-2017-618.NASL", "ORACLELINUX_ELSA-2013-0506.NASL", "ORACLELINUX_ELSA-2017-1270.NASL", "ORACLELINUX_ELSA-2017-1271.NASL", "ORACLELINUX_ELSA-2017-1272.NASL", "REDHAT-RHSA-2013-0515.NASL", "REDHAT-RHSA-2017-1270.NASL", "REDHAT-RHSA-2017-1271.NASL", "REDHAT-RHSA-2017-1272.NASL", "REDHAT-RHSA-2017-1273.NASL", "REDHAT-RHSA-2017-1390.NASL", "SLACKWARE_SSA_2017-144-01.NASL", "SL_20170524_SAMBA4_ON_SL6_X.NASL", "SL_20170524_SAMBA_ON_SL6_X.NASL", "SUSE_SU-2017-1391-1.NASL", "SUSE_SU-2017-1392-1.NASL", "SUSE_SU-2017-1393-1.NASL", "SUSE_SU-2017-1396-1.NASL", "UBUNTU_USN-3296-1.NASL", "UBUNTU_USN-3296-2.NASL"]}, {"type": "nmap", "idList": ["NMAP:AJP-HEADERS.NSE", "NMAP:AUTH-OWNERS.NSE", "NMAP:BROADCAST-DNS-SERVICE-DISCOVERY.NSE", "NMAP:BROADCAST-IGMP-DISCOVERY.NSE", "NMAP:BROADCAST-LISTENER.NSE", "NMAP:CICS-INFO.NSE", "NMAP:CITRIX-ENUM-SERVERS.NSE", "NMAP:CLAMAV-EXEC.NSE", "NMAP:COUCHDB-DATABASES.NSE", "NMAP:DAYTIME.NSE", "NMAP:DNS-CACHE-SNOOP.NSE", "NMAP:DNS-SERVICE-DISCOVERY.NSE", "NMAP:FTP-SYST.NSE", "NMAP:HADOOP-TASKTRACKER-INFO.NSE", "NMAP:HDDTEMP-INFO.NSE", "NMAP:HTTP-ADOBE-COLDFUSION-APSA1301.NSE", "NMAP:HTTP-APACHE-SERVER-STATUS.NSE", "NMAP:HTTP-COOKIE-FLAGS.NSE", "NMAP:HTTP-GENERATOR.NSE", "NMAP:HTTP-INTERNAL-IP-DISCLOSURE.NSE", "NMAP:HTTP-NTLM-INFO.NSE", "NMAP:MS-SQL-XP-CMDSHELL.NSE", "NMAP:MYSQL-VARIABLES.NSE", "NMAP:NAT-PMP-INFO.NSE", "NMAP:ORACLE-ENUM-USERS.NSE", "NMAP:POP3-NTLM-INFO.NSE", "NMAP:RFC868-TIME.NSE", "NMAP:RPC-GRIND.NSE", "NMAP:S7-INFO.NSE", "NMAP:SSH-PUBLICKEY-ACCEPTANCE.NSE", "NMAP:SSH-RUN.NSE", "NMAP:SSL-DH-PARAMS.NSE", "NMAP:TARGETS-IPV6-MAP4TO6.NSE", "NMAP:TARGETS-IPV6-MULTICAST-INVALID-DST.NSE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310123690", "OPENVAS:136141256231014259", "OPENVAS:136141256231071254", "OPENVAS:1361412562310881179", "OPENVAS:1361412562310890951", "OPENVAS:864174", "OPENVAS:864213", "OPENVAS:865347"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-1270", "ELSA-2017-1271", "ELSA-2017-1272"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142657", "PACKETSTORM:142715", "PACKETSTORM:142782"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:D20A6BA20BB0FAD48EDDE6836F08EDBA"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:38689BEB2152AB6F6A52F8E26AA1499F", "RAPID7COMMUNITY:70F4A599D7DDC69173F490543EA5873E", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595"]}, {"type": "redhat", "idList": ["RHSA-2017:1271"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-7494"]}, {"type": "saint", "idList": ["SAINT:3579A721D51A069C725493EA48A26E42", "SAINT:C50A339EFD5B2F96051BC00F96014CAA"]}, {"type": "samba", "idList": ["SAMBA:CVE-2012-1182"]}, {"type": "securelist", "idList": ["SECURELIST:A16165B9EDE725C7470E1FA5D469DA0F"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12426"]}, {"type": "seebug", "idList": ["SSV:93139"]}, {"type": "slackware", "idList": ["SSA-2017-144-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2017:1401-1", "OPENSUSE-SU-2017:1415-1", "SUSE-SU-2017:1391-1", "SUSE-SU-2017:1392-1", "SUSE-SU-2017:1393-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:9256DE4CBAB937F2D9EAEDCA068E3DE9"]}, {"type": "thn", "idList": ["THN:4706A097E7EBD85B2426246B35CDC5E6", "THN:590A2A4F40D408F427266EBA5EE7B530", "THN:9D54715DA42C8EB2A5D3C8AA0A5EE0B7", "THN:9DF1743B35B2E69D4835136091D08EAD", "THN:B1F7A116FFB321FFB433B2511F0594AA"]}, {"type": "threatpost", "idList": ["THREATPOST:5800C37DAB0716BD2D308FB187B6B7E1", "THREATPOST:6B393C6EA80E795EF303485AFABE5327", "THREATPOST:B108BD1ECF3200F21B65BFC1C849F747"]}, {"type": "ubuntu", "idList": ["USN-3296-2"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-7494"]}, {"type": "zdi", "idList": ["ZDI-12-062"]}, {"type": "zdt", "idList": ["1337DAY-ID-27836"]}]}, "exploitation": null, "vulnersScore": -0.4}, "_state": {"dependencies": 1660004461, "score": 1659981696}, "_internal": {"score_hash": "d1790cf49991a50bc6a95ee64837cbee"}, "sourceData": "local stdnse = require \"stdnse\"\nlocal shortport = require \"shortport\"\nlocal tn3270 = require \"tn3270\"\nlocal brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal unpwdb = require \"unpwdb\"\nlocal io = require \"io\"\nlocal nmap = require \"nmap\"\nlocal string = require \"string\"\nlocal stringaux = require \"stringaux\"\nlocal table = require \"table\"\n\ndescription = [[\nAttempts to enumerate Logical Units (LU) of TN3270E servers.\n\nWhen connecting to a TN3270E server you are assigned a Logical Unit (LU) or you can tell\nthe TN3270E server which LU you'd like to use. Typically TN3270E servers are configured to \ngive you an LU from a pool of LUs. They can also have LUs set to take you to a specific\napplication. This script attempts to guess valid LUs that bypass the default LUs you are\nassigned. For example, if a TN3270E server sends you straight to TPX you could use this\nscript to find LUs that take you to TSO, CICS, etc.\n]]\n\n---\n--@args lulist Path to list of Logical Units to test.\n-- Defaults the initial Logical Unit TN3270E provides, replacing the \n-- last two characters with <code>00-99</code>.\n--@args lu-enum.path Folder used to store valid logical unit 'screenshots'\n-- Defaults to <code>None</code> and doesn't store anything. This stores \n-- all valid logical units.\n--@usage\n-- nmap --script lu-enum -p 23 <targets>\n--\n--@usage\n-- nmap --script lu-enum --script-args lulist=lus.txt,\n-- lu-enum.path=\"/home/dade/screenshots/\" -p 23 -sV <targets>\n--\n--@output\n-- PORT STATE SERVICE REASON VERSION\n-- 23/tcp open tn3270 syn-ack IBM Telnet TN3270 (TN3270E)\n-- | lu-enum: \n-- | Logical Units: \n-- | LU:BSLVLU69 - Valid credentials\n-- |_ Statistics: Performed 7 guesses in 7 seconds, average tps: 1.0\n-- \n-- @changelog\n-- 2019-02-04 - v0.1 - created by Soldier of Fortran\n\nauthor = \"Philip Young aka Soldier of Fortran\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"brute\"}\n\nportrule = shortport.port_or_service({23,992}, \"tn3270\")\n\n--- Saves the TN3270E terminal screen to disk\n--\n-- @param filename string containing the name and full path to the file\n-- @param data contains the data\n-- @return status true on success, false on failure\n-- @return err string containing error message if status is false\nlocal function save_screens( filename, data )\n local f = io.open( filename, \"w\")\n if not f then return false, (\"Failed to open file (%s)\"):format(filename) end\n if not(f:write(data)) then return false, (\"Failed to write file (%s)\"):format(filename) end\n f:close()\n return true\nend\n\n--- Compares two screens and returns the difference as a percentage\n--\n-- @param1 the original screen\n-- @param2 the screen to compare to\nlocal function screen_diff( orig_screen, current_screen )\n if orig_screen == current_screen then return 100 end\n if #orig_screen == 0 or #current_screen == 0 then return 0 end\n local m = 1\n for i = 1 , #orig_screen do\n if orig_screen:byte(i) == current_screen:byte(i) then\n m = m + 1\n end\n end\n return (m/1920)*100\nend\n\nDriver = {\n new = function(self, host, port, options)\n local o = {}\n setmetatable(o, self)\n self.__index = self\n o.host = host\n o.port = port\n o.options = options\n o.tn3270 = tn3270.Telnet:new()\n return o\n end,\n connect = function( self )\n return true\n end,\n disconnect = function( self )\n self.tn3270:disconnect()\n self.tn3270 = nil\n end,\n login = function (self, user, pass) -- pass is actually the username we want to try\n local path = self.options['path']\n local original = self.options['no_lu']\n local threshold = 90\n stdnse.verbose(2,\"Trying Logical Unit: %s\", pass)\n self.tn3270:set_lu(pass)\n local status, err = self.tn3270:initiate(self.host,self.port)\n if not status then\n stdnse.debug(2,\"Could not initiate TN3270: %s\", err )\n stdnse.verbose(2, \"Invalid LU: %s\",string.upper(pass))\n return false, brute.Error:new( \"Invalid Logical Unit\" )\n end\n self.tn3270:get_all_data()\n self.tn3270:get_screen_debug(2)\n if path ~= nil then\n stdnse.verbose(2,\"Writting screen to: %s\", path..string.upper(pass)..\".txt\")\n local status, err = save_screens(path..string.upper(pass)..\".txt\",self.tn3270:get_screen())\n if not status then\n stdnse.verbose(2,\"Failed writting screen to: %s\", path..string.upper(pass)..\".txt\")\n end\n end\n\n stdnse.debug(3, \"compare results: %s \", tostring(screen_diff(original, self.tn3270:get_screen_raw())))\n if screen_diff(original, self.tn3270:get_screen_raw()) > threshold then\n stdnse.verbose(2,'Same Screen for LU: %s',string.upper(pass))\n return false, brute.Error:new( \"Invalid Logical Unit\" )\n else\n stdnse.verbose(2,\"Valid Logical Unit: %s\",string.upper(pass))\n return true, creds.Account:new(\"LU\", string.upper(pass), creds.State.VALID)\n end\n end\n}\n\n--- Tests the target to see if we can connect with TN3270E\n--\n-- @param host host NSE object\n-- @param port port NSE object\n-- @return status true on success, false on failure\nlocal function lu_test( host, port )\n local tn = tn3270.Telnet:new()\n local status, err = tn:initiate(host,port)\n \n if not status then\n stdnse.debug(1,\"[lu_test] Could not initiate TN3270: %s\", err )\n return false\n end\n\n stdnse.debug(2,\"[lu_test] Displaying initial TN3270 Screen:\")\n tn:get_screen_debug(2) -- prints TN3270 screen to debug\n if tn.state == tn.TN3270E_DATA then -- Could make a function in the library 'istn3270e'\n stdnse.debug(1,\"[lu_test] Orig screen: %s\", tn:get_screen_raw())\n return true, tn:get_lu(), tn:get_screen_raw()\n else \n return false, 'Not in TN3270E Mode. LU not supported.', ''\n end\n\nend\n\n-- Checks if it's a valid Logical Unit name\nlocal valid_lu = function(x)\n return (string.len(x) <= 8 and string.match(x,\"[%w@#%$]\"))\nend\n\n-- iterator function\nfunction iter(t)\n local i, val\n return function()\n i, val = next(t, i)\n return val\n end\nend\n\naction = function(host, port)\n local lu_id_file = stdnse.get_script_args(\"lulist\")\n local path = stdnse.get_script_args(SCRIPT_NAME .. '.path') -- Folder for screen grabs\n local logical_units = {}\n lu_id_file = ((lu_id_file and nmap.fetchfile(lu_id_file)) or lu_id_file) \n\n local status, lu, orig_screen = lu_test( host, port )\n if status then\n \n \n if not lu_id_file then\n -- we have to do this here because we don't have an LU to use for the template until now\n stdnse.debug(3, \"No LU list provided, auto generating a list using template: %s##\", lu:sub(1, (#lu-2)))\n for i=1,99 do\n table.insert(logical_units, lu:sub(1, (#lu-2)) .. string.format(\"%02d\", i))\n end\n else \n for l in io.lines(lu_id_file) do\n local cleaned_line = string.gsub(l,\"[\\r\\n]\",\"\")\n if not cleaned_line:match(\"#!comment:\") then\n table.insert(logical_units, cleaned_line)\n end\n end\n end\n \n \n -- Make sure we pass the original screen we got to the brute \n local options = { no_lu = orig_screen, path = path }\n if path ~= nil then stdnse.verbose(2,\"Saving Screenshots to: %s\", path) end\n local engine = brute.Engine:new(Driver, host, port, options)\n engine.options.script_name = SCRIPT_NAME\n engine:setPasswordIterator(unpwdb.filter_iterator(iter(logical_units), valid_lu))\n engine.options.passonly = true\n engine.options:setTitle(\"Logical Units\")\n local status, result = engine:start()\n return result\n else\n stdnse.debug(1,\"Not in TN3270E mode, LU not supported.\")\n return lu\n end\n\nend\n", "nmap": {"scriptType": "portrule", "categories": ["intrusive", "brute"]}}

{"nmap": [{"lastseen": "2022-02-15T09:33:02", "description": "Detects the Ventrilo voice communication server service versions 2.1.2 and above and tries to determine version and configuration information. Some of the older versions (pre 3.0.0) may not have the UDP service that this probe relies on enabled by default. \n\nThe Ventrilo server listens on a TCP (voice/control) and an UDP (ping/status) port with the same port number (fixed to 3784 in the free version, otherwise configurable). This script activates on both a TCP and UDP port version scan. In both cases probe data is sent only to the UDP port because it allows for a simple and informative status command as implemented by the `ventrilo_status.exe` executable which has shipped alongside the Windows server package since version 2.1.2 when the UDP status service was implemented. \n\nWhen run as a version detection script (`-sV`), the script will report on the server version, name, uptime, authentication scheme, and OS. When run explicitly (`--script ventrilo-info`), the script will additionally report on the server name phonetic pronunciation string, the server comment, maximum number of clients, voice codec, voice format, channel and client counts, and details about channels and currently connected clients. \n\nOriginal reversing of the protocol was done by Luigi Auriemma (<http://aluigi.altervista.org/papers.htm#ventrilo>).\n\n## Example Usage \n\n * nmap -sV <target>\n\n * nmap -Pn -sU -sV --script ventrilo-info -p <port> <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE VERSION\n 9408/tcp open ventrilo Ventrilo 3.0.3.C (voice port; name: TypeFrag.com; uptime: 152h:56m; auth: pw)\n | ventrilo-info:\n | name: TypeFrag.com\n | phonetic: Type Frag Dot Com\n | comment: http://www.typefrag.com/\n | auth: pw\n | max. clients: 100\n | voice codec: 3,Speex\n | voice format: 32,32 KHz%2C 16 bit%2C 10 Qlty\n | uptime: 152h:56m\n | platform: WIN32\n | version: 3.0.3.C\n | channel count: 14\n | channel fields: CID, PID, PROT, NAME, COMM\n | client count: 6\n | client fields: ADMIN, CID, PHAN, PING, SEC, NAME, COMM\n | channels:\n | <top level lobby> (CID: 0, PID: n/a, PROT: n/a, COMM: n/a): <empty>\n | Group 1 (CID: 719, PID: 0, PROT: 0, COMM: ):\n | stabya (ADMIN: 0, PHAN: 0, PING: 47, SEC: 206304, COMM:\n | Group 2 (CID: 720, PID: 0, PROT: 0, COMM: ): <empty>\n | Group 3 (CID: 721, PID: 0, PROT: 0, COMM: ): <empty>\n | Group 4 (CID: 722, PID: 0, PROT: 0, COMM: ): <empty>\n | Group 5 (CID: 723, PID: 0, PROT: 0, COMM: ):\n | Sir Master Win (ADMIN: 0, PHAN: 0, PING: 32, SEC: 186890, COMM:\n | waterbukk (ADMIN: 0, PHAN: 0, PING: 31, SEC: 111387, COMM:\n | likez (ADMIN: 0, PHAN: 0, PING: 140, SEC: 22457, COMM:\n | Tweet (ADMIN: 0, PHAN: 0, PING: 140, SEC: 21009, COMM:\n | Group 6 (CID: 724, PID: 0, PROT: 0, COMM: ): <empty>\n | Raid (CID: 725, PID: 0, PROT: 0, COMM: ): <empty>\n | Officers (CID: 726, PID: 0, PROT: 1, COMM: ): <empty>\n | PG 13 (CID: 727, PID: 0, PROT: 0, COMM: ): <empty>\n | Rated R (CID: 728, PID: 0, PROT: 0, COMM: ): <empty>\n | Group 7 (CID: 729, PID: 0, PROT: 0, COMM: ): <empty>\n | Group 8 (CID: 730, PID: 0, PROT: 0, COMM: ): <empty>\n | Group 9 (CID: 731, PID: 0, PROT: 0, COMM: ): <empty>\n | AFK - switch to this when AFK (CID: 732, PID: 0, PROT: 0, COMM: ):\n |_ Eisennacher (ADMIN: 0, PHAN: 0, PING: 79, SEC: 181948, COMM:\n Service Info: OS: WIN32\n \n\n## Requires \n\n * [stdnse](<../lib/stdnse.html>)\n * [math](<>)\n * [nmap](<../lib/nmap.html>)\n * [strbuf](<../lib/strbuf.html>)\n * [string](<>)\n * [table](<>)\n * [shortport](<../lib/shortport.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2013-01-16T00:29:05", "type": "nmap", "title": "ventrilo-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-03-13T14:58:56", "id": "NMAP:VENTRILO-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/ventrilo-info.html", "sourceData": "local stdnse = require \"stdnse\"\nlocal math = require \"math\"\nlocal nmap = require \"nmap\"\nlocal strbuf = require \"strbuf\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal shortport = require \"shortport\"\n\ndescription = [[\nDetects the Ventrilo voice communication server service versions 2.1.2\nand above and tries to determine version and configuration\ninformation. Some of the older versions (pre 3.0.0) may not have the\nUDP service that this probe relies on enabled by default.\n\nThe Ventrilo server listens on a TCP (voice/control) and an UDP (ping/status)\nport with the same port number (fixed to 3784 in the free version, otherwise\nconfigurable). This script activates on both a TCP and UDP port version scan.\nIn both cases probe data is sent only to the UDP port because it allows for a\nsimple and informative status command as implemented by the\n<code>ventrilo_status.exe</code> executable which has shipped alongside the Windows server\npackage since version 2.1.2 when the UDP status service was implemented.\n\nWhen run as a version detection script (<code>-sV</code>), the script will report on the\nserver version, name, uptime, authentication scheme, and OS. When run\nexplicitly (<code>--script ventrilo-info</code>), the script will additionally report on the\nserver name phonetic pronunciation string, the server comment, maximum number\nof clients, voice codec, voice format, channel and client counts, and details\nabout channels and currently connected clients.\n\nOriginal reversing of the protocol was done by Luigi Auriemma\n(http://aluigi.altervista.org/papers.htm#ventrilo).\n]]\n\n---\n-- @usage\n-- nmap -sV <target>\n-- @usage\n-- nmap -Pn -sU -sV --script ventrilo-info -p <port> <target>\n--\n-- @output\n-- PORT STATE SERVICE VERSION\n-- 9408/tcp open ventrilo Ventrilo 3.0.3.C (voice port; name: TypeFrag.com; uptime: 152h:56m; auth: pw)\n-- | ventrilo-info:\n-- | name: TypeFrag.com\n-- | phonetic: Type Frag Dot Com\n-- | comment: http://www.typefrag.com/\n-- | auth: pw\n-- | max. clients: 100\n-- | voice codec: 3,Speex\n-- | voice format: 32,32 KHz%2C 16 bit%2C 10 Qlty\n-- | uptime: 152h:56m\n-- | platform: WIN32\n-- | version: 3.0.3.C\n-- | channel count: 14\n-- | channel fields: CID, PID, PROT, NAME, COMM\n-- | client count: 6\n-- | client fields: ADMIN, CID, PHAN, PING, SEC, NAME, COMM\n-- | channels:\n-- | <top level lobby> (CID: 0, PID: n/a, PROT: n/a, COMM: n/a): <empty>\n-- | Group 1 (CID: 719, PID: 0, PROT: 0, COMM: ):\n-- | stabya (ADMIN: 0, PHAN: 0, PING: 47, SEC: 206304, COMM:\n-- | Group 2 (CID: 720, PID: 0, PROT: 0, COMM: ): <empty>\n-- | Group 3 (CID: 721, PID: 0, PROT: 0, COMM: ): <empty>\n-- | Group 4 (CID: 722, PID: 0, PROT: 0, COMM: ): <empty>\n-- | Group 5 (CID: 723, PID: 0, PROT: 0, COMM: ):\n-- | Sir Master Win (ADMIN: 0, PHAN: 0, PING: 32, SEC: 186890, COMM:\n-- | waterbukk (ADMIN: 0, PHAN: 0, PING: 31, SEC: 111387, COMM:\n-- | likez (ADMIN: 0, PHAN: 0, PING: 140, SEC: 22457, COMM:\n-- | Tweet (ADMIN: 0, PHAN: 0, PING: 140, SEC: 21009, COMM:\n-- | Group 6 (CID: 724, PID: 0, PROT: 0, COMM: ): <empty>\n-- | Raid (CID: 725, PID: 0, PROT: 0, COMM: ): <empty>\n-- | Officers (CID: 726, PID: 0, PROT: 1, COMM: ): <empty>\n-- | PG 13 (CID: 727, PID: 0, PROT: 0, COMM: ): <empty>\n-- | Rated R (CID: 728, PID: 0, PROT: 0, COMM: ): <empty>\n-- | Group 7 (CID: 729, PID: 0, PROT: 0, COMM: ): <empty>\n-- | Group 8 (CID: 730, PID: 0, PROT: 0, COMM: ): <empty>\n-- | Group 9 (CID: 731, PID: 0, PROT: 0, COMM: ): <empty>\n-- | AFK - switch to this when AFK (CID: 732, PID: 0, PROT: 0, COMM: ):\n-- |_ Eisennacher (ADMIN: 0, PHAN: 0, PING: 79, SEC: 181948, COMM:\n-- Service Info: OS: WIN32\n--\n-- @xmloutput\n-- <elem key=\"phonetic\">Type Frag Dot Com</elem>\n-- <elem key=\"comment\">http://www.typefrag.com/</elem>\n-- <elem key=\"auth\">1</elem>\n-- <elem key=\"maxclients\">100</elem>\n-- <elem key=\"voicecodec\">3,Speex</elem>\n-- <elem key=\"voiceformat\">32,32 KHz%2C 16 bit%2C 10 Qlty</elem>\n-- <elem key=\"uptime\">551533</elem>\n-- <elem key=\"platform\">WIN32</elem>\n-- <elem key=\"version\">3.0.3.C</elem>\n-- <elem key=\"channelcount\">14</elem>\n-- <table key=\"channelfields\">\n-- <elem>CID</elem>\n-- <elem>PID</elem>\n-- <elem>PROT</elem>\n-- <elem>NAME</elem>\n-- <elem>COMM</elem>\n-- </table>\n-- <table key=\"channels\">\n-- <table key=\"0\">\n-- <elem key=\"NAME\">&lt;top level lobby&gt;</elem>\n-- <elem key=\"CID\">0</elem>\n-- </table>\n-- <table key=\"363\">\n-- <elem key=\"CID\">363</elem>\n-- <elem key=\"PID\">0</elem>\n-- <elem key=\"PROT\">0</elem>\n-- <elem key=\"NAME\">Group 1</elem>\n-- <elem key=\"COMM\"></elem>\n-- <table key=\"clients\">\n-- <table>\n-- <elem key=\"ADMIN\">0</elem>\n-- <elem key=\"CID\">363</elem>\n-- <elem key=\"PHAN\">0</elem>\n-- <elem key=\"PING\">47</elem>\n-- <elem key=\"SEC\">207276</elem>\n-- <elem key=\"NAME\">stabya</elem>\n-- <elem key=\"COMM\"></elem>\n-- </table>\n-- </table>\n-- </table>\n-- <!-- Channels other than the first and last cut for brevity -->\n-- <table key=\"376\">\n-- <elem key=\"CID\">376</elem>\n-- <elem key=\"PID\">0</elem>\n-- <elem key=\"PROT\">0</elem>\n-- <elem key=\"NAME\">AFK - switch to this when AFK</elem>\n-- <elem key=\"COMM\"></elem>\n-- <table key=\"clients\">\n-- <table>\n-- <elem key=\"ADMIN\">0</elem>\n-- <elem key=\"CID\">376</elem>\n-- <elem key=\"PHAN\">0</elem>\n-- <elem key=\"PING\">78</elem>\n-- <elem key=\"SEC\">182920</elem>\n-- <elem key=\"NAME\">Eisennacher</elem>\n-- <elem key=\"COMM\"></elem>\n-- </table>\n-- </table>\n-- </table>\n-- </table>\n-- <elem key=\"clientcount\">6</elem>\n-- <table key=\"clientfields\">\n-- <elem>ADMIN</elem>\n-- <elem>CID</elem>\n-- <elem>PHAN</elem>\n-- <elem>PING</elem>\n-- <elem>SEC</elem>\n-- <elem>NAME</elem>\n-- <elem>COMM</elem>\n-- </table>\n\nauthor = \"Marin Mar\u017ei\u0107\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = { \"default\", \"discovery\", \"safe\", \"version\" }\n\nlocal crypt_head = {\n 0x80,0xe5,0x0e,0x38,0xba,0x63,0x4c,0x99,0x88,0x63,0x4c,0xd6,0x54,0xb8,0x65,0x7e,\n 0xbf,0x8a,0xf0,0x17,0x8a,0xaa,0x4d,0x0f,0xb7,0x23,0x27,0xf6,0xeb,0x12,0xf8,0xea,\n 0x17,0xb7,0xcf,0x52,0x57,0xcb,0x51,0xcf,0x1b,0x14,0xfd,0x6f,0x84,0x38,0xb5,0x24,\n 0x11,0xcf,0x7a,0x75,0x7a,0xbb,0x78,0x74,0xdc,0xbc,0x42,0xf0,0x17,0x3f,0x5e,0xeb,\n 0x74,0x77,0x04,0x4e,0x8c,0xaf,0x23,0xdc,0x65,0xdf,0xa5,0x65,0xdd,0x7d,0xf4,0x3c,\n 0x4c,0x95,0xbd,0xeb,0x65,0x1c,0xf4,0x24,0x5d,0x82,0x18,0xfb,0x50,0x86,0xb8,0x53,\n 0xe0,0x4e,0x36,0x96,0x1f,0xb7,0xcb,0xaa,0xaf,0xea,0xcb,0x20,0x27,0x30,0x2a,0xae,\n 0xb9,0x07,0x40,0xdf,0x12,0x75,0xc9,0x09,0x82,0x9c,0x30,0x80,0x5d,0x8f,0x0d,0x09,\n 0xa1,0x64,0xec,0x91,0xd8,0x8a,0x50,0x1f,0x40,0x5d,0xf7,0x08,0x2a,0xf8,0x60,0x62,\n 0xa0,0x4a,0x8b,0xba,0x4a,0x6d,0x00,0x0a,0x93,0x32,0x12,0xe5,0x07,0x01,0x65,0xf5,\n 0xff,0xe0,0xae,0xa7,0x81,0xd1,0xba,0x25,0x62,0x61,0xb2,0x85,0xad,0x7e,0x9d,0x3f,\n 0x49,0x89,0x26,0xe5,0xd5,0xac,0x9f,0x0e,0xd7,0x6e,0x47,0x94,0x16,0x84,0xc8,0xff,\n 0x44,0xea,0x04,0x40,0xe0,0x33,0x11,0xa3,0x5b,0x1e,0x82,0xff,0x7a,0x69,0xe9,0x2f,\n 0xfb,0xea,0x9a,0xc6,0x7b,0xdb,0xb1,0xff,0x97,0x76,0x56,0xf3,0x52,0xc2,0x3f,0x0f,\n 0xb6,0xac,0x77,0xc4,0xbf,0x59,0x5e,0x80,0x74,0xbb,0xf2,0xde,0x57,0x62,0x4c,0x1a,\n 0xff,0x95,0x6d,0xc7,0x04,0xa2,0x3b,0xc4,0x1b,0x72,0xc7,0x6c,0x82,0x60,0xd1,0x0d\n}\n\nlocal crypt_data = {\n 0x82,0x8b,0x7f,0x68,0x90,0xe0,0x44,0x09,0x19,0x3b,0x8e,0x5f,0xc2,0x82,0x38,0x23,\n 0x6d,0xdb,0x62,0x49,0x52,0x6e,0x21,0xdf,0x51,0x6c,0x76,0x37,0x86,0x50,0x7d,0x48,\n 0x1f,0x65,0xe7,0x52,0x6a,0x88,0xaa,0xc1,0x32,0x2f,0xf7,0x54,0x4c,0xaa,0x6d,0x7e,\n 0x6d,0xa9,0x8c,0x0d,0x3f,0xff,0x6c,0x09,0xb3,0xa5,0xaf,0xdf,0x98,0x02,0xb4,0xbe,\n 0x6d,0x69,0x0d,0x42,0x73,0xe4,0x34,0x50,0x07,0x30,0x79,0x41,0x2f,0x08,0x3f,0x42,\n 0x73,0xa7,0x68,0xfa,0xee,0x88,0x0e,0x6e,0xa4,0x70,0x74,0x22,0x16,0xae,0x3c,0x81,\n 0x14,0xa1,0xda,0x7f,0xd3,0x7c,0x48,0x7d,0x3f,0x46,0xfb,0x6d,0x92,0x25,0x17,0x36,\n 0x26,0xdb,0xdf,0x5a,0x87,0x91,0x6f,0xd6,0xcd,0xd4,0xad,0x4a,0x29,0xdd,0x7d,0x59,\n 0xbd,0x15,0x34,0x53,0xb1,0xd8,0x50,0x11,0x83,0x79,0x66,0x21,0x9e,0x87,0x5b,0x24,\n 0x2f,0x4f,0xd7,0x73,0x34,0xa2,0xf7,0x09,0xd5,0xd9,0x42,0x9d,0xf8,0x15,0xdf,0x0e,\n 0x10,0xcc,0x05,0x04,0x35,0x81,0xb2,0xd5,0x7a,0xd2,0xa0,0xa5,0x7b,0xb8,0x75,0xd2,\n 0x35,0x0b,0x39,0x8f,0x1b,0x44,0x0e,0xce,0x66,0x87,0x1b,0x64,0xac,0xe1,0xca,0x67,\n 0xb4,0xce,0x33,0xdb,0x89,0xfe,0xd8,0x8e,0xcd,0x58,0x92,0x41,0x50,0x40,0xcb,0x08,\n 0xe1,0x15,0xee,0xf4,0x64,0xfe,0x1c,0xee,0x25,0xe7,0x21,0xe6,0x6c,0xc6,0xa6,0x2e,\n 0x52,0x23,0xa7,0x20,0xd2,0xd7,0x28,0x07,0x23,0x14,0x24,0x3d,0x45,0xa5,0xc7,0x90,\n 0xdb,0x77,0xdd,0xea,0x38,0x59,0x89,0x32,0xbc,0x00,0x3a,0x6d,0x61,0x4e,0xdb,0x29\n}\n\nlocal crypt_crc = {\n 0x0000,0x1021,0x2042,0x3063,0x4084,0x50a5,0x60c6,0x70e7,\n 0x8108,0x9129,0xa14a,0xb16b,0xc18c,0xd1ad,0xe1ce,0xf1ef,\n 0x1231,0x0210,0x3273,0x2252,0x52b5,0x4294,0x72f7,0x62d6,\n 0x9339,0x8318,0xb37b,0xa35a,0xd3bd,0xc39c,0xf3ff,0xe3de,\n 0x2462,0x3443,0x0420,0x1401,0x64e6,0x74c7,0x44a4,0x5485,\n 0xa56a,0xb54b,0x8528,0x9509,0xe5ee,0xf5cf,0xc5ac,0xd58d,\n 0x3653,0x2672,0x1611,0x0630,0x76d7,0x66f6,0x5695,0x46b4,\n 0xb75b,0xa77a,0x9719,0x8738,0xf7df,0xe7fe,0xd79d,0xc7bc,\n 0x48c4,0x58e5,0x6886,0x78a7,0x0840,0x1861,0x2802,0x3823,\n 0xc9cc,0xd9ed,0xe98e,0xf9af,0x8948,0x9969,0xa90a,0xb92b,\n 0x5af5,0x4ad4,0x7ab7,0x6a96,0x1a71,0x0a50,0x3a33,0x2a12,\n 0xdbfd,0xcbdc,0xfbbf,0xeb9e,0x9b79,0x8b58,0xbb3b,0xab1a,\n 0x6ca6,0x7c87,0x4ce4,0x5cc5,0x2c22,0x3c03,0x0c60,0x1c41,\n 0xedae,0xfd8f,0xcdec,0xddcd,0xad2a,0xbd0b,0x8d68,0x9d49,\n 0x7e97,0x6eb6,0x5ed5,0x4ef4,0x3e13,0x2e32,0x1e51,0x0e70,\n 0xff9f,0xefbe,0xdfdd,0xcffc,0xbf1b,0xaf3a,0x9f59,0x8f78,\n 0x9188,0x81a9,0xb1ca,0xa1eb,0xd10c,0xc12d,0xf14e,0xe16f,\n 0x1080,0x00a1,0x30c2,0x20e3,0x5004,0x4025,0x7046,0x6067,\n 0x83b9,0x9398,0xa3fb,0xb3da,0xc33d,0xd31c,0xe37f,0xf35e,\n 0x02b1,0x1290,0x22f3,0x32d2,0x4235,0x5214,0x6277,0x7256,\n 0xb5ea,0xa5cb,0x95a8,0x8589,0xf56e,0xe54f,0xd52c,0xc50d,\n 0x34e2,0x24c3,0x14a0,0x0481,0x7466,0x6447,0x5424,0x4405,\n 0xa7db,0xb7fa,0x8799,0x97b8,0xe75f,0xf77e,0xc71d,0xd73c,\n 0x26d3,0x36f2,0x0691,0x16b0,0x6657,0x7676,0x4615,0x5634,\n 0xd94c,0xc96d,0xf90e,0xe92f,0x99c8,0x89e9,0xb98a,0xa9ab,\n 0x5844,0x4865,0x7806,0x6827,0x18c0,0x08e1,0x3882,0x28a3,\n 0xcb7d,0xdb5c,0xeb3f,0xfb1e,0x8bf9,0x9bd8,0xabbb,0xbb9a,\n 0x4a75,0x5a54,0x6a37,0x7a16,0x0af1,0x1ad0,0x2ab3,0x3a92,\n 0xfd2e,0xed0f,0xdd6c,0xcd4d,0xbdaa,0xad8b,0x9de8,0x8dc9,\n 0x7c26,0x6c07,0x5c64,0x4c45,0x3ca2,0x2c83,0x1ce0,0x0cc1,\n 0xef1f,0xff3e,0xcf5d,0xdf7c,0xaf9b,0xbfba,0x8fd9,0x9ff8,\n 0x6e17,0x7e36,0x4e55,0x5e74,0x2e93,0x3eb2,0x0ed1,0x1ef0\n}\n\n-- The probe payload is static as it has proven to be unnecessary to forge a new\n-- one every time. The data used includes the following parameters:\n-- cmd = 2, password = 0, header len = 20, data len = 16, totlen = 36\n-- static 2 byte status request id (time(NULL) in the original protocol)\nlocal static_probe_id = 0x33CF\nlocal static_probe_payload = \"\\x49\\xde\\xdf\\xd0\\x65\\xc9\\x21\\xc4\\x90\\x0d\\xbf\\x23\\xa2\\xc8\\x8b\\x65\\x7d\\x43\\x15\\x9b\\x30\\xc2\\xe2\\x23\\xd2\\x13\\xe3\\x29\\xad\\xe8\\x63\\xff\\x17\\x31\\x33\\x50\"\n\n-- Returns a string interpretation of the server authentication scheme.\n-- @param auth the server authentication scheme code\n-- @return string string interpretation of the server authentication scheme\nlocal auth_str = function(auth)\n if auth == \"0\" then\n return \"none\"\n elseif auth == \"1\" then\n return \"pw\"\n elseif auth == \"2\" then\n return \"user/pw\"\n else\n return auth\n end\nend\n\n-- Formats an uptime string containing a number of seconds.\n-- E.g. \"3670\" -> \"1h:1m\"\n-- @param uptime number of seconds of uptime\n-- @return uptime_formatted formatted uptime string (hours and minutes)\nlocal uptime_str = function(uptime)\n local uptime_num = tonumber(uptime)\n if not uptime_num then\n return uptime\n end\n\n local h = math.floor(uptime_num/3600)\n local m = math.floor((uptime_num - h*3600)/60)\n\n return h .. \"h:\" .. m .. \"m\"\nend\n\n-- Decrypts the Ventrilo UDP status response header segment.\n-- @param str the Ventrilo UDP status response\n-- @return id status request id as sent by us\n-- @return len length of the data segment of the response\n-- @return totlen total length of data segments of all response packets\n-- @return pck response packet number (starts with 0)\n-- @return totpck total number of response packets to expect\n-- @return key key for decrypting the data segment of this response packet\n-- @return crc_sum the crc checksum of the full response data segment\nlocal dec_head = function(str)\n local head = { string.byte(str, 1, 20) }\n\n head[1], head[2] = head[2], head[1]\n local a1 = head[1]\n if a1 == 0 then\n return table.concat(head)\n end\n local a2 = head[2]\n\n for i = 3,20 do\n head[i] = head[i] - (crypt_head[a2 + 1] + ((i - 3) % 5)) & 0xFF\n a2 = (a2 + a1) & 0xFF\n end\n\n for i = 3,19,2 do\n head[i], head[i + 1] = head[i + 1], head[i]\n end\n\n local id = head[7] + (head[8] << 8)\n local totlen = head[9] + (head[10] << 8)\n local len = head[11] + (head[12] << 8)\n local totpck = head[13] + (head[14] << 8)\n local pck = head[15] + (head[16] << 8)\n local key = head[17] + (head[18] << 8)\n local crc_sum = head[19] + (head[20] << 8)\n\n return id, len, totlen, pck, totpck, key, crc_sum\nend\n\n-- Decrypts the Ventrilo UDP status response data segment.\n-- @param str the Ventrilo UDP status response\n-- @param len length of the data segment of this response packet\n-- @param key key for decrypting the data segment\nlocal dec_data = function(str, len, key)\n -- skip the header (first 20 bytes)\n local data = { string.byte(str, 21, 20 + len) }\n\n local a1 = key & 0xFF\n if a1 == 0 then\n return table.concat(data)\n end\n local a2 = key >> 8\n\n for i = 1,len do\n data[i] = data[i] - (crypt_data[a2 + 1] + ((i - 1) % 72)) & 0xFF\n a2 = (a2 + a1) & 0xFF\n end\n\n return string.char(table.unpack(data))\nend\n\n-- Convenient wrapper for string.find(...). Returns the position of the end of\n-- the match, or the previous starting position if no match was found. Also\n-- returns the first capture, or \"n/a\" if one was not found.\n-- @param str the string to search\n-- @param pattern the pattern to apply for the search\n-- @param pos the starting position of the search\n-- @return newpos position of the end of the match, or pos if no match found\n-- @return cap the first capture, or \"n/a\" if one was not found\nlocal str_find = function(str, pattern, pos)\n local _, newpos, cap = string.find(str, pattern, pos)\n return newpos or pos, cap or \"n/a\"\nend\n\n-- Calculates the CRC checksum used for checking the integrity of the received\n-- status response data segment.\n-- @param data data to calculate the checksum of\n-- @return 2 byte CRC checksum as seen in Ventrilo UDP status headers\nlocal crc = function(data)\n local sum = 0\n for i = 1,#data do\n sum = (crypt_crc[(sum >> 8) + 1] ~ data:byte(i) ~ (sum << 8)) & 0xFFFF\n end\n return sum\nend\n\n-- Parses the status response data segment and constructs an output table.\n-- @param Ventrilo UDP status response data segment\n-- @return info output table representing Ventrilo UDP status response info\nlocal o_table = function(data)\n local info = stdnse.output_table()\n local pos\n\n pos, info.name = str_find(data, \"NAME: ([^\\n]*)\", 0)\n pos, info.phonetic = str_find(data, \"PHONETIC: ([^\\n]*)\", pos)\n pos, info.comment = str_find(data, \"COMMENT: ([^\\n]*)\", pos)\n pos, info.auth = str_find(data, \"AUTH: ([^\\n]*)\", pos)\n pos, info.maxclients = str_find(data, \"MAXCLIENTS: ([^\\n]*)\", pos)\n pos, info.voicecodec = str_find(data, \"VOICECODEC: ([^\\n]*)\", pos)\n pos, info.voiceformat = str_find(data, \"VOICEFORMAT: ([^\\n]*)\", pos)\n pos, info.uptime = str_find(data, \"UPTIME: ([^\\n]*)\", pos)\n pos, info.platform = str_find(data, \"PLATFORM: ([^\\n]*)\", pos)\n pos, info.version = str_find(data, \"VERSION: ([^\\n]*)\", pos)\n\n -- channels\n pos, info.channelcount = str_find(data, \"CHANNELCOUNT: ([^\\n]*)\", pos)\n pos, info.channelfields = str_find(data, \"CHANNELFIELDS: ([^\\n]*)\", pos)\n\n -- construct channel fields as a nice list instead of the raw data\n local channelfields = {}\n for channelfield in string.gmatch(info.channelfields, \"[^,\\n]+\") do\n channelfields[#channelfields + 1] = channelfield\n end\n info.channelfields = channelfields\n\n -- parse and add channels\n info.channels = stdnse.output_table()\n -- add top level lobby channel (CID = 0)\n info.channels[\"0\"] = stdnse.output_table()\n info.channels[\"0\"].NAME = \"<top level lobby>\"\n info.channels[\"0\"].CID = \"0\"\n while string.sub(data, pos + 2, pos + 10) == \"CHANNEL: \" do\n local channel = stdnse.output_table()\n for _, channelfield in ipairs(info.channelfields) do\n pos, channel[channelfield] = str_find(data, channelfield .. \"=([^,\\n]*)\", pos)\n end\n if channel.CID then\n info.channels[channel.CID] = channel\n end\n end\n\n -- clients\n pos, info.clientcount = str_find(data, \"CLIENTCOUNT: ([^\\n]*)\", pos)\n pos, info.clientfields = str_find(data, \"CLIENTFIELDS: ([^\\n]*)\", pos)\n\n -- construct client fields as a nice list instead of the raw data\n local clientfields = {}\n for clientfield in string.gmatch(info.clientfields, \"[^,\\n]+\") do\n clientfields[#clientfields + 1] = clientfield\n end\n info.clientfields = clientfields\n\n -- parse and add clients\n while string.sub(data, pos + 2, pos + 9) == \"CLIENT: \" do\n local client = stdnse.output_table()\n for _, clientfield in ipairs(info.clientfields) do\n pos, client[clientfield] = str_find(data, clientfield .. \"=([^,\\n]*)\", pos)\n end\n if client.CID then\n if not info.channels[client.CID] then\n -- weird clients with unrecognized CID are put in the -1 channel\n if not info.channels[\"-1\"] then\n -- add channel for weird clients with unrecognized CIDs\n info.channels[\"-1\"] = stdnse.output_table()\n info.channels[\"-1\"].NAME = \"<clients with unrecognized CIDs>\"\n info.channels[\"-1\"].CID = \"-1\"\n info.channels[\"-1\"].clients = {}\n end\n table.insert(info.channels[\"-1\"].clients, client)\n elseif not info.channels[client.CID].clients then\n -- channel had no clients, create table for the 1st client\n info.channels[client.CID].clients = {}\n table.insert(info.channels[client.CID].clients, client)\n else\n table.insert(info.channels[client.CID].clients, client)\n end\n end\n end\n\n return info\nend\n\n-- Constructs an output string from an output table for use in normal output.\n-- @param info output table\n-- @return output_string output string\nlocal o_str = function(info)\n local buf = strbuf.new()\n buf = buf .. \"\\nname: \"\n buf = buf .. info.name\n buf = buf .. \"\\nphonetic: \"\n buf = buf .. info.phonetic\n buf = buf .. \"\\ncomment: \"\n buf = buf .. info.comment\n buf = buf .. \"\\nauth: \"\n buf = buf .. auth_str(info.auth)\n buf = buf .. \"\\nmax. clients: \"\n buf = buf .. info.maxclients\n buf = buf .. \"\\nvoice codec: \"\n buf = buf .. info.voicecodec\n buf = buf .. \"\\nvoice format: \"\n buf = buf .. info.voiceformat\n buf = buf .. \"\\nuptime: \"\n buf = buf .. uptime_str(info.uptime)\n buf = buf .. \"\\nplatform: \"\n buf = buf .. info.platform\n buf = buf .. \"\\nversion: \"\n buf = buf .. info.version\n buf = buf .. \"\\nchannel count: \"\n buf = buf .. info.channelcount\n buf = buf .. \"\\nchannel fields: \"\n for i, channelfield in ipairs(info.channelfields) do\n buf = buf .. channelfield\n if i ~= #info.channelfields then\n buf = buf .. \", \"\n end\n end\n buf = buf .. \"\\nclient count: \"\n buf = buf .. info.clientcount\n buf = buf .. \"\\nclient fields: \"\n for i, clientfield in ipairs(info.clientfields) do\n buf = buf .. clientfield\n if i ~= #info.clientfields then\n buf = buf .. \", \"\n end\n end\n buf = buf .. \"\\nchannels:\"\n for i, channel in pairs(info.channels) do\n buf = buf .. \"\\n\"\n buf = buf .. channel.NAME\n buf = buf .. \" (\"\n for j, channelfield in ipairs(info.channelfields) do\n if channelfield ~= \"NAME\" and channelfield ~= \"n/a\" then\n buf = buf .. channelfield\n buf = buf .. \": \"\n buf = buf .. (channel[channelfield] or \"n/a\")\n if j ~= #info.channelfields then\n buf = buf .. \", \"\n end\n end\n end\n buf = buf .. \"): \"\n if not channel.clients then\n buf = buf .. \"<empty>\"\n else\n for j, client in ipairs(channel.clients) do\n buf = buf .. \"\\n \"\n buf = buf .. client.NAME\n buf = buf .. \" (\"\n for k, clientfield in ipairs(info.clientfields) do\n if clientfield ~= \"NAME\" and clientfield ~= \"CID\" then\n buf = buf .. clientfield\n buf = buf .. \": \"\n buf = buf .. client[clientfield]\n if k ~= #info.clientfields then\n buf = buf .. \", \"\n end\n end\n end\n end\n end\n end\n\n return strbuf.dump(buf, \"\")\nend\n\nportrule = shortport.version_port_or_service({3784}, \"ventrilo\", {\"tcp\", \"udp\"})\n\naction = function(host, port)\n local mutex = nmap.mutex(\"ventrilo-info:\" .. host.ip .. \":\" .. port.number)\n mutex(\"lock\")\n\n if host.registry[\"ventrilo-info\"] == nil then\n host.registry[\"ventrilo-info\"] = {}\n end\n -- Maybe the script already ran for this port number on another protocol\n local r = host.registry[\"ventrilo-info\"][port.number]\n if r == nil then\n r = {}\n host.registry[\"ventrilo-info\"][port.number] = r\n\n local socket = nmap.new_socket()\n socket:set_timeout(2000)\n\n local cleanup = function()\n socket:close()\n mutex(\"done\")\n end\n local try = nmap.new_try(cleanup)\n\n local udpport = { number = port.number, protocol = \"udp\" }\n try(socket:connect(host.ip, udpport))\n\n local status, response\n -- try a couple of times on timeout, the service seems to not\n -- respond if multiple requests come within a short timeframe\n for _ = 1,3 do\n try(socket:send(static_probe_payload))\n status, response = socket:receive()\n if status then\n nmap.set_port_state(host, udpport, \"open\")\n break\n end\n end\n if not status then\n -- 3 timeouts, no response\n cleanup()\n return\n end\n\n -- received the first packet, process it and others if they come\n local fulldata = {}\n local fulldatalen = 0\n local curlen = 0\n local head_crc_sum\n while true do\n -- decrypt received header and extract relevant information\n local id, len, totlen, pck, totpck, key, crc_sum = dec_head(response)\n\n if id == static_probe_id then\n curlen = curlen + len\n head_crc_sum = crc_sum\n\n -- check for an invalid response\n if #response < 20 or pck >= totpck or\n len > 492 or curlen > totlen then\n stdnse.debug1(\"Invalid response. Aborting script.\")\n cleanup()\n return\n end\n\n -- keep track of the length of fulldata (# isn't applicable)\n if fulldata[pck + 1] == nil then\n fulldatalen = fulldatalen + 1\n end\n -- accumulate UDP packets that may not necessarily come in proper\n -- order; arrange them by packet id\n fulldata[pck + 1] = dec_data(response, len, key)\n end\n\n -- check for invalid states in communication\n if (fulldatalen > totpck) or (curlen > totlen)\n or (fulldatalen == totpck and curlen ~= totlen)\n or (curlen == totlen and fulldatalen ~= totpck) then\n stdnse.debug1(\"Invalid state (fulldatalen = \" .. fulldatalen ..\n \"; totpck = \" .. totpck .. \"; curlen = \" .. curlen ..\n \"; totlen = \" .. totlen .. \"). Aborting script.\")\n cleanup()\n return\n end\n\n -- check for valid end of communication\n if fulldatalen == totpck and curlen == totlen then\n break\n end\n\n -- receive another packet\n status, response = socket:receive()\n if not status then\n stdnse.debug1(\"Response packets stopped coming midway. Aborting script.\")\n cleanup()\n return\n end\n end\n\n socket:close()\n\n -- concatenate received data into a single string for further use\n local fulldata_str = table.concat(fulldata)\n\n -- check for an invalid checksum on the response data sections (no headers)\n local fulldata_crc_sum = crc(fulldata_str)\n if fulldata_crc_sum ~= head_crc_sum then\n stdnse.debug1(\"Invalid CRC sum, received = %04X, calculated = %04X\", head_crc_sum, fulldata_crc_sum)\n cleanup()\n return\n end\n\n -- parse the received data string into an output table\n r.info = o_table(fulldata_str)\n end\n\n mutex(\"done\")\n\n -- If the registry is empty the port was probed but Ventrilo wasn't detected\n if next(r) == nil then\n return\n end\n\n port.version.name = \"ventrilo\"\n port.version.name_confidence = 10\n port.version.product = \"Ventrilo\"\n port.version.version = r.info.version\n port.version.ostype = r.info.platform\n port.version.extrainfo = \"; name: \".. r.info.name\n if port.protocol == \"tcp\" then\n port.version.extrainfo = \"voice port\" .. port.version.extrainfo\n else\n port.version.extrainfo = \"status port\" .. port.version.extrainfo\n end\n port.version.extrainfo = port.version.extrainfo .. \"; uptime: \" .. uptime_str(r.info.uptime)\n port.version.extrainfo = port.version.extrainfo .. \"; auth: \" .. auth_str(r.info.auth)\n\n nmap.set_port_version(host, port, \"hardmatched\")\n\n -- an output table for XML output and a custom string for normal output\n return r.info, o_str(r.info)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:30:40", "description": "Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys. \n\nThe only databases currently checked are the LittleBlackBox 0.1 database of compromised keys from various devices, some keys reportedly used by the Chinese state-sponsored hacking division APT1 (<https://www.fireeye.com/blog/threat-research/2013/03/md5-sha1.html>), and the key used by CARBANAK malware (<https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html>). However, any file of fingerprints will serve just as well. For example, this could be used to find weak Debian OpenSSL keys using the widely available (but too large to include with Nmap) list.\n\n## Script Arguments \n\n#### ssl-known-key.fingerprintfile \n\nSpecify a different file to read fingerprints from.\n\n#### mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username \n\nSee the documentation for the [mssql](<../lib/mssql.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### smtp.domain \n\nSee the documentation for the [smtp](<../lib/smtp.html#script-args>) library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### tls.servername \n\nSee the documentation for the [tls](<../lib/tls.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script ssl-known-key -p 443 <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 443/tcp open https syn-ack\n |_ssl-known-key: Found in Little Black Box 0.1 (SHA-1: 0028 e7d4 9cfa 4aa5 984f e497 eb73 4856 0787 e496)\n \n\n## Requires \n\n * [io](<>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [sslcert](<../lib/sslcert.html>)\n * [tls](<../lib/tls.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-03-22T19:44:40", "type": "nmap", "title": "ssl-known-key NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-05-26T02:03:00", "id": "NMAP:SSL-KNOWN-KEY.NSE", "href": "https://nmap.org/nsedoc/scripts/ssl-known-key.html", "sourceData": "local io = require \"io\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal sslcert = require \"sslcert\"\nlocal tls = require \"tls\"\n\ndescription = [[\nChecks whether the SSL certificate used by a host has a fingerprint\nthat matches an included database of problematic keys.\n\nThe only databases currently checked are the LittleBlackBox 0.1 database of\ncompromised keys from various devices, some keys reportedly used by the Chinese\nstate-sponsored hacking division APT1\n(https://www.fireeye.com/blog/threat-research/2013/03/md5-sha1.html),\nand the key used by CARBANAK malware\n(https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html).\nHowever, any file of fingerprints will serve just as well. For example, this\ncould be used to find weak Debian OpenSSL keys using the widely available (but\ntoo large to include with Nmap) list.\n]]\n\n---\n-- @usage\n-- nmap --script ssl-known-key -p 443 <host>\n--\n-- @args ssl-known-key.fingerprintfile Specify a different file to read\n-- fingerprints from.\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 443/tcp open https syn-ack\n-- |_ssl-known-key: Found in Little Black Box 0.1 (SHA-1: 0028 e7d4 9cfa 4aa5 984f e497 eb73 4856 0787 e496)\n--\n-- @xmloutput\n-- <table>\n-- <elem key=\"section\">Little Black Box 0.1</elem>\n-- <elem key=\"sha1\">0028e7d49cfa4aa5984fe497eb7348560787e496</elem>\n-- </table>\n\nauthor = \"Mak Kolybabi\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\", \"discovery\", \"vuln\", \"default\"}\ndependencies = {\"https-redirect\"}\n\nlocal FINGERPRINT_FILE = \"ssl-fingerprints\"\n\nlocal get_fingerprints = function(path)\n -- Check registry for cached fingerprints.\n if nmap.registry.ssl_fingerprints then\n stdnse.debug2(\"Using cached SSL fingerprints.\")\n return true, nmap.registry.ssl_fingerprints\n end\n\n -- Attempt to resolve path if it is relative.\n local full_path = nmap.fetchfile(\"nselib/data/\" .. path)\n if not full_path then\n full_path = path\n end\n stdnse.debug2(\"Loading SSL fingerprints from %s.\", full_path)\n\n -- Open database.\n local file = io.open(full_path, \"r\")\n if not file then\n return false, \"Failed to open file \" .. full_path\n end\n\n -- Parse database.\n local section = nil\n local fingerprints = {}\n for line in file:lines() do\n line = line:gsub(\"#.*\", \"\")\n line = line:gsub(\"^%s*\", \"\")\n line = line:gsub(\"%s*$\", \"\")\n if line ~= \"\" then\n if line:sub(1,1) == \"[\" then\n -- Start a new section.\n line = line:sub(2, #line - 1)\n stdnse.debug4(\"Starting new section %s.\", line)\n section = line\n elseif section ~= nil then\n -- Add fingerprint to section.\n local fingerprint = stdnse.fromhex(line)\n if #fingerprint == 20 then\n fingerprints[fingerprint] = section\n stdnse.debug4(\"Added key %s to database.\", line)\n else\n stdnse.debug0(\"Cannot parse presumed fingerprint %q in section %q.\", line, section)\n end\n else\n -- Key found outside of section.\n stdnse.debug1(\"Key %s is not in a section.\", line)\n end\n end\n end\n\n -- Close database.\n file:close()\n\n -- Cache fingerprints in registry for future runs.\n nmap.registry.ssl_fingerprints = fingerprints\n\n return true, fingerprints\nend\n\nportrule = shortport.ssl\n\naction = function(host, port)\n -- Get script arguments.\n host.targetname = tls.servername(host)\n local path = stdnse.get_script_args(\"ssl-known-key.fingerprintfile\") or FINGERPRINT_FILE\n local status, result = get_fingerprints(path)\n if not status then\n stdnse.debug1(\"%s\", result)\n return\n end\n local fingerprints = result\n\n -- Get SSL certificate.\n local status, cert = sslcert.getCertificate(host, port)\n if not status then\n stdnse.debug1(\"sslcert.getCertificate error: %s\", cert)\n return\n end\n local fingerprint = cert:digest(\"sha1\")\n local fingerprint_fmt = stdnse.tohex(fingerprint, {separator=\" \", group=4})\n\n -- Check SSL fingerprint against database.\n local section = fingerprints[fingerprint]\n if not section then\n stdnse.debug2(\"%s was not in the database.\", fingerprint_fmt)\n return\n end\n\n return {section=section, sha1=stdnse.tohex(fingerprint)}, \"Found in \" .. section .. \" (SHA-1: \" .. fingerprint_fmt .. \")\"\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:56", "description": "Attempts to identify IEC 60870-5-104 ICS protocol. \n\nAfter probing with a TESTFR (test frame) message, a STARTDT (start data transfer) message is sent and general interrogation is used to gather the list of information object addresses stored.\n\n## Example Usage \n \n \n nmap -sV --script=iec-identify <target>\n\n## Script Output \n \n \n | iec-identify:\n | ASDU address: 105\n |_ Information objects: 30\n \n\n## Requires \n\n * [shortport](<../lib/shortport.html>)\n * [comm](<../lib/comm.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [match](<../lib/match.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-06T20:54:04", "type": "nmap", "title": "iec-identify NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-07-06T20:54:04", "id": "NMAP:IEC-IDENTIFY.NSE", "href": "https://nmap.org/nsedoc/scripts/iec-identify.html", "sourceData": "local shortport = require \"shortport\"\nlocal comm = require \"comm\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal match = require \"match\"\n\ndescription = [[\nAttempts to identify IEC 60870-5-104 ICS protocol.\n\nAfter probing with a TESTFR (test frame) message, a STARTDT (start data\ntransfer) message is sent and general interrogation is used to gather the list\nof information object addresses stored.\n]]\n\n---\n-- @output\n-- | iec-identify:\n-- | ASDU address: 105\n-- |_ Information objects: 30\n--\n\nauthor = {\"Aleksandr Timorin\", \"Daniel Miller\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"intrusive\"}\n\nportrule = shortport.port_or_service(2404, \"iec-104\", \"tcp\")\n\nlocal function get_asdu(socket)\n local status, data = socket:receive_buf(match.numbytes(2), true)\n if not status then\n return nil, data\n end\n if data:byte(1) ~= 0x68 then\n return nil, \"Not IEC-104\"\n end\n local len = data:byte(2)\n status, data = socket:receive_buf(match.numbytes(len), true)\n if not status then\n return nil, data\n end\n local apcitype = data:byte(1)\n return apcitype, data\nend\n\naction = function(host, port)\n\n local output = stdnse.output_table()\n local socket, err = comm.opencon(host, port)\n if not socket then\n stdnse.debug1(\"Connect error: %s\", err)\n return nil\n end\n\n -- send TESTFR ACT command\n -- Test frame, like \"ping\"\n local TESTFR = \"\\x68\\x04\\x43\\0\\0\\0\"\n local status, err = socket:send( TESTFR )\n if not status then\n stdnse.debug1(\"Failed to send: %s\", err)\n return nil\n end\n\n -- receive TESTFR answer\n local apcitype, recv = get_asdu(socket)\n if not apcitype then\n stdnse.debug1(\"protocol error: %s\", recv)\n return nil\n end\n if apcitype ~= 0x83 then\n stdnse.print_debug(1, \"Not IEC-104. TESTFR response: %#x\", apcitype)\n return nil\n end\n\n -- send STARTDT ACT command\n local STARTDT = \"\\x68\\x04\\x07\\0\\0\\0\"\n status, err = socket:send( STARTDT )\n if not status then\n stdnse.debug1(\"Failed to send: %s\", err)\n return nil\n end\n\n -- receive STARTDT answer\n apcitype, recv = get_asdu(socket)\n if not apcitype then\n stdnse.debug1(\"protocol error: %s\", recv)\n return nil\n end\n if apcitype ~= 0x0b then\n stdnse.debug1(\"STARTDT ACT did not receive STARTDT CON: %#x\", apcitype)\n return nil\n end\n\n -- May also receive ME_EI_NA_1 (End of initialization), so check for that in the buffer after sending the next part\n\n -- send C_IC_NA_1 command\n -- type: 0x64, C_IC_NA_1,\n -- numix: 1\n -- TNCause: 6, Act\n -- Originator address; 0\n -- ASDU address: 0xffff\n -- Information object address: 0\n -- QOI: 0x14 (20), Station interrogation (global)\n local C_IC_NA_1_broadcast = \"\\x68\\x0e\\0\\0\\0\\0\\x64\\x01\\x06\\0\\xff\\xff\\0\\0\\0\\x14\"\n status, err = socket:send( C_IC_NA_1_broadcast )\n if not status then\n stdnse.debug1(\"Failed to send: %s\", err)\n return nil\n end\n\n local asdu_address\n local ioas = 0\n -- Have to draw the line somewhere.\n local limit = 10\n while limit > 0 do\n limit = limit - 1\n apcitype, recv = get_asdu(socket)\n if not apcitype then\n stdnse.debug1(\"Error in C_IC_NA_1: %s\", recv)\n break\n end\n if apcitype & 0x01 == 0 then -- Type I, numbered information transfer\n -- skip 2 bytes Tx, 2 bytes Rx\n local typeid = recv:byte(5)\n if typeid == 70 then\n -- ME_EI_NA_1, End of Initialization. Skip.\n else\n local numix = recv:byte(6) & 0x7f\n local cause = recv:byte(7) & 0x3f\n asdu_address = string.unpack(\"<I2\", recv, 9)\n stdnse.debug2(\"Got asdu=%d, type %d, cause %d, numix %d.\", asdu_address, typeid, cause, numix)\n if typeid == 100 then\n -- C_IC_NA_1\n if cause == 7 then\n -- ActCon. Skip.\n elseif cause == 10 then\n -- ActTerm. The end!\n break\n else\n -- TODO: do something!\n end\n else\n if cause >= 20 and cause <= 36 then\n -- Inrogen, response to general interrogation\n ioas = ioas + numix\n end\n end\n end\n end\n end\n\n socket:close()\n\n if asdu_address then\n output[\"ASDU address\"] = asdu_address\n output[\"Information objects\"] = ioas\n else\n output = \"IEC-104 endpoint did not respond to C_IC_NA_1 request\"\n end\n\n return output\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:42:32", "description": "Connects to a VLC Streamer helper service and lists directory contents. The VLC Streamer helper service is used by the iOS VLC Streamer application to enable streaming of multimedia content from the remote server to the device.\n\n## Script Arguments \n\n#### http-vlcstreamer-ls.dir \n\ndirectory to list (default: /)\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 54340 --script http-vlcstreamer-ls <ip>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 54340/tcp open unknown\n | http-vlcstreamer-ls:\n | /Applications\n | /Developer\n | /Library\n | /Network\n | /Pictures\n | /System\n | /User Guides And Information\n | /Users\n | /Volumes\n | /bin\n | /bundles\n | /cores\n | /dev\n | /etc\n | /home\n | /mach_kernel\n | /net\n | /opt\n | /private\n | /sbin\n | /tmp\n | /usr\n |_ /var\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [json](<../lib/json.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-04-08T23:04:18", "type": "nmap", "title": "http-vlcstreamer-ls NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:HTTP-VLCSTREAMER-LS.NSE", "href": "https://nmap.org/nsedoc/scripts/http-vlcstreamer-ls.html", "sourceData": "local http = require \"http\"\nlocal json = require \"json\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nConnects to a VLC Streamer helper service and lists directory contents. The\nVLC Streamer helper service is used by the iOS VLC Streamer application to\nenable streaming of multimedia content from the remote server to the device.\n]]\n\n---\n-- @usage\n-- nmap -p 54340 --script http-vlcstreamer-ls <ip>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 54340/tcp open unknown\n-- | http-vlcstreamer-ls:\n-- | /Applications\n-- | /Developer\n-- | /Library\n-- | /Network\n-- | /Pictures\n-- | /System\n-- | /User Guides And Information\n-- | /Users\n-- | /Volumes\n-- | /bin\n-- | /bundles\n-- | /cores\n-- | /dev\n-- | /etc\n-- | /home\n-- | /mach_kernel\n-- | /net\n-- | /opt\n-- | /private\n-- | /sbin\n-- | /tmp\n-- | /usr\n-- |_ /var\n--\n-- @args http-vlcstreamer-ls.dir directory to list (default: /)\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = shortport.port_or_service(54340, \"vlcstreamer\", \"tcp\")\n\nlocal arg_dir = stdnse.get_script_args(SCRIPT_NAME .. \".dir\") or \"/\"\n\nlocal function fail(err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n\n local response = http.get(host, port, (\"/secure?command=browse&dir=%s\"):format(arg_dir))\n\n if ( response.status ~= 200 or not(response.body) or 0 == #response.body ) then\n if ( response.status == 401 ) then\n return fail(\"Server requires authentication\")\n else\n return\n end\n end\n\n local status, parsed = json.parse(response.body)\n if ( not(status) ) then\n return fail(\"Failed to parse response\")\n end\n\n if ( parsed.errorMessage ) then\n return fail(parsed.errorMessage)\n end\n\n local output = {}\n for _, entry in pairs(parsed.files or {}) do\n table.insert(output,entry.path)\n end\n table.sort(output, function(a,b) return a<b end)\n return stdnse.format_output(true, output)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:46", "description": "Enumerates various common service (SRV) records for a given domain name. The service records contain the hostname, port and priority of servers for a given service. The following services are enumerated by the script: \\- Active Directory Global Catalog \\- Exchange Autodiscovery \\- Kerberos KDC Service \\- Kerberos Passwd Change Service \\- LDAP Servers \\- SIP Servers \\- XMPP S2S \\- XMPP C2S\n\n## Script Arguments \n\n#### dns-srv-enum.domain \n\nstring containing the domain to query\n\n#### dns-srv-enum.filter \n\nstring containing the service to query (default: all)\n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script dns-srv-enum --script-args \"dns-srv-enum.domain='example.com'\"\n \n\n## Script Output \n \n \n | dns-srv-enum:\n | Active Directory Global Catalog\n | service prio weight host\n | 3268/tcp 0 100 stodc01.example.com\n | Kerberos KDC Service\n | service prio weight host\n | 88/tcp 0 100 stodc01.example.com\n | 88/udp 0 100 stodc01.example.com\n | Kerberos Password Change Service\n | service prio weight host\n | 464/tcp 0 100 stodc01.example.com\n | 464/udp 0 100 stodc01.example.com\n | LDAP\n | service prio weight host\n | 389/tcp 0 100 stodc01.example.com\n | SIP\n | service prio weight host\n | 5060/udp 10 50 vclux2.example.com\n | 5070/udp 10 50 vcbxl2.example.com\n | 5060/tcp 10 50 vclux2.example.com\n | 5060/tcp 10 50 vcbxl2.example.com\n | XMPP server-to-server\n | service prio weight host\n | 5269/tcp 5 0 xmpp-server.l.example.com\n | 5269/tcp 20 0 alt2.xmpp-server.l.example.com\n | 5269/tcp 20 0 alt4.xmpp-server.l.example.com\n | 5269/tcp 20 0 alt3.xmpp-server.l.example.com\n |_ 5269/tcp 20 0 alt1.xmpp-server.l.example.com\n \n\n## Requires \n\n * [coroutine](<>)\n * [dns](<../lib/dns.html>)\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [tab](<../lib/tab.html>)\n * [table](<>)\n * [target](<../lib/target.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-01-19T00:49:48", "type": "nmap", "title": "dns-srv-enum NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:DNS-SRV-ENUM.NSE", "href": "https://nmap.org/nsedoc/scripts/dns-srv-enum.html", "sourceData": "local coroutine = require \"coroutine\"\nlocal dns = require \"dns\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal tab = require \"tab\"\nlocal table = require \"table\"\nlocal target = require \"target\"\n\ndescription = [[\nEnumerates various common service (SRV) records for a given domain name.\nThe service records contain the hostname, port and priority of servers for a given service.\nThe following services are enumerated by the script:\n - Active Directory Global Catalog\n - Exchange Autodiscovery\n - Kerberos KDC Service\n - Kerberos Passwd Change Service\n - LDAP Servers\n - SIP Servers\n - XMPP S2S\n - XMPP C2S\n]]\n\n---\n-- @usage\n-- nmap --script dns-srv-enum --script-args \"dns-srv-enum.domain='example.com'\"\n--\n-- @output\n-- | dns-srv-enum:\n-- | Active Directory Global Catalog\n-- | service prio weight host\n-- | 3268/tcp 0 100 stodc01.example.com\n-- | Kerberos KDC Service\n-- | service prio weight host\n-- | 88/tcp 0 100 stodc01.example.com\n-- | 88/udp 0 100 stodc01.example.com\n-- | Kerberos Password Change Service\n-- | service prio weight host\n-- | 464/tcp 0 100 stodc01.example.com\n-- | 464/udp 0 100 stodc01.example.com\n-- | LDAP\n-- | service prio weight host\n-- | 389/tcp 0 100 stodc01.example.com\n-- | SIP\n-- | service prio weight host\n-- | 5060/udp 10 50 vclux2.example.com\n-- | 5070/udp 10 50 vcbxl2.example.com\n-- | 5060/tcp 10 50 vclux2.example.com\n-- | 5060/tcp 10 50 vcbxl2.example.com\n-- | XMPP server-to-server\n-- | service prio weight host\n-- | 5269/tcp 5 0 xmpp-server.l.example.com\n-- | 5269/tcp 20 0 alt2.xmpp-server.l.example.com\n-- | 5269/tcp 20 0 alt4.xmpp-server.l.example.com\n-- | 5269/tcp 20 0 alt3.xmpp-server.l.example.com\n-- |_ 5269/tcp 20 0 alt1.xmpp-server.l.example.com\n--\n-- @args dns-srv-enum.domain string containing the domain to query\n-- @args dns-srv-enum.filter string containing the service to query\n-- (default: all)\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\nlocal arg_domain = stdnse.get_script_args(SCRIPT_NAME .. \".domain\")\nlocal arg_filter = stdnse.get_script_args(SCRIPT_NAME .. \".filter\")\n\nprerule = function() return not(not(arg_domain)) end\n\nlocal function parseSvcList(services)\n local i = 1\n return function()\n local svc = services[i]\n if ( svc ) then\n i=i + 1\n else\n return\n end\n return svc.name, svc.query\n end\nend\n\nlocal function parseSrvResponse(resp)\n local i = 1\n if ( resp.answers ) then\n table.sort(resp.answers,\n function(a, b)\n if ( a.SRV and b.SRV and a.SRV.prio and b.SRV.prio ) then\n return a.SRV.prio < b.SRV.prio\n end\n end\n )\n end\n return function()\n if ( not(resp.answers) or 0 == #resp.answers ) then return end\n if ( not(resp.answers[i]) ) then\n return\n elseif ( resp.answers[i].SRV ) then\n local srv = resp.answers[i].SRV\n i = i + 1\n return srv.target, srv.port, srv.prio, srv.weight\n end\n end\nend\n\nlocal function checkFilter(services)\n if ( not(arg_filter) or \"\" == arg_filter or \"all\" == arg_filter ) then\n return true\n end\n for name, queries in parseSvcList(services) do\n if ( name == arg_filter ) then\n return true\n end\n end\n return false\nend\n\nlocal function doQuery(name, queries, result)\n local condvar = nmap.condvar(result)\n local svc_result = tab.new(4)\n tab.addrow(svc_result, \"service\", \"prio\", \"weight\", \"host\")\n for _, query in ipairs(queries) do\n local fqdn = (\"%s.%s\"):format(query, arg_domain)\n local status, resp = dns.query(fqdn, { dtype=\"SRV\", retAll=true, retPkt=true } )\n for host, port, prio, weight in parseSrvResponse(resp) do\n if target.ALLOW_NEW_TARGETS then\n target.add(host)\n end\n local proto = query:sub(-3)\n tab.addrow(svc_result, (\"%d/%s\"):format(port, proto), prio, weight, host)\n end\n end\n if ( #svc_result ~= 1 ) then\n table.insert(result, { name = name, tab.dump(svc_result) })\n end\n condvar \"signal\"\nend\n\naction = function(host)\n\n local services = {\n { name = \"Active Directory Global Catalog\", query = {\"_gc._tcp\"} },\n { name = \"Exchange Autodiscovery\", query = {\"_autodiscover._tcp\"} },\n { name = \"Kerberos KDC Service\", query = {\"_kerberos._tcp\", \"_kerberos._udp\"} },\n { name = \"Kerberos Password Change Service\", query = {\"_kpasswd._tcp\", \"_kpasswd._udp\"} },\n { name = \"LDAP\", query = {\"_ldap._tcp\"} },\n { name = \"SIP\", query = {\"_sip._udp\", \"_sip._tcp\"} },\n { name = \"XMPP server-to-server\", query = {\"_xmpp-server._tcp\"} },\n { name = \"XMPP client-to-server\", query = {\"_xmpp-client._tcp\"} },\n }\n\n if ( not(checkFilter(services)) ) then\n return stdnse.format_output(false, (\"Invalid filter (%s) was supplied\"):format(arg_filter))\n end\n\n local threads, result = {}, {}\n for name, queries in parseSvcList(services) do\n if ( not(arg_filter) or 0 == #arg_filter or\n \"all\" == arg_filter or arg_filter == name ) then\n local co = stdnse.new_thread(doQuery, name, queries, result)\n threads[co] = true\n end\n end\n\n local condvar = nmap.condvar(result)\n repeat\n for t in pairs(threads) do\n if ( coroutine.status(t) == \"dead\" ) then threads[t] = nil end\n end\n if ( next(threads) ) then\n condvar \"wait\"\n end\n until( next(threads) == nil )\n\n table.sort(result, function(a,b) return a.name < b.name end)\n\n return stdnse.format_output(true, result)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:39", "description": "Extracts a list of Citrix servers from the ICA Browser service.\n\n## Example Usage \n \n \n sudo ./nmap -sU --script=citrix-enum-servers -p 1604\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 1604/udp open unknown\n | citrix-enum-servers:\n | CITRIXSRV01\n |_ CITRIXSRV02\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2009-12-14T07:30:38", "type": "nmap", "title": "citrix-enum-servers NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-05T21:57:41", "id": "NMAP:CITRIX-ENUM-SERVERS.NSE", "href": "https://nmap.org/nsedoc/scripts/citrix-enum-servers.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nExtracts a list of Citrix servers from the ICA Browser service.\n]]\n\n---\n-- @usage sudo ./nmap -sU --script=citrix-enum-servers -p 1604\n--\n-- @output\n-- PORT STATE SERVICE\n-- 1604/udp open unknown\n-- | citrix-enum-servers:\n-- | CITRIXSRV01\n-- |_ CITRIXSRV02\n--\n\n-- Version 0.2\n\n-- Created 11/26/2009 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n-- Revised 11/26/2009 - v0.2 - minor packet documentation\n\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = shortport.portnumber(1604, \"udp\")\n\n--\n-- process the response from the server\n-- @param response string, complete server response\n-- @return string row delimited with \\n containing all published applications\n--\nfunction process_server_response(response)\n\n local packet_len, pos = string.unpack(\"<I2\", response)\n local server_name\n local server_list = {}\n\n if packet_len < 40 then\n return\n end\n\n -- the list of published applications starts at offset 40\n local offset = 41\n\n while offset < packet_len do\n server_name, pos = string.unpack(\"z\", response:sub(offset))\n offset = offset + pos - 1\n table.insert(server_list, server_name)\n end\n\n return server_list\n\nend\n\n\naction = function(host, port)\n\n local packet, counter, socket\n local query = {}\n local server_list = {}\n\n --\n -- Packets were intercepted from the Citrix Program Neighborhood client\n -- They are used to query a server for its list of published applications\n --\n -- We're really not interested in the responses to the first two packets\n -- The third response contains the list of published applications\n -- I couldn't find any documentation on this protocol so I'm providing\n -- some brief information for the bits and bytes this script uses.\n --\n -- Spec. of response to query[2] that contains a list of published apps\n --\n -- offset size content\n -- -------------------------\n -- 0 16-bit Length\n -- 12 32-bit Server IP (not used here)\n -- 30 8-bit Last packet(1), More packets(0)\n -- 40 - null-separated list of applications\n --\n query[0] = string.char(\n 0x1e, 0x00, -- Length: 30\n 0x01, 0x30, 0x02, 0xfd, 0xa8, 0xe3, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00\n )\n\n query[1] = string.char(\n 0x2a, 0x00, -- Length: 42\n 0x01, 0x32, 0x02, 0xfd, 0xa8, 0xe3, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00\n )\n\n counter = 0\n\n socket = nmap.new_socket()\n socket:set_timeout(5000)\n\n local try = nmap.new_try(function() socket:close() end)\n try(socket:connect(host, port))\n\n -- send the two first packets and never look back\n repeat\n try(socket:send(query[counter]))\n packet = try(socket:receive())\n counter = counter + 1\n until (counter>#query)\n\n -- process the first response\n server_list = process_server_response( packet )\n\n --\n -- the byte at offset 31 in the response has a really magic function\n -- if it is set to zero (0) we have more response packets to process\n -- if it is set to one (1) we have arrived at the last packet of our journey\n --\n while packet:sub(31,31) ~= \"\\x01\" do\n packet = try( socket:receive() )\n local tmp_table = process_server_response( packet )\n\n for _, v in ipairs(tmp_table) do\n table.insert(server_list, v)\n end\n end\n\n if #server_list>0 then\n nmap.set_port_state(host, port, \"open\")\n end\n\n socket:close()\n\n return stdnse.format_output(true, server_list)\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:56", "description": "Attempts to use the Service Location Protocol to discover Novell NetWare Core Protocol (NCP) servers.\n\n## Example Usage \n \n \n nmap -sV --script=broadcast-novell-locate <target>\n\n## Script Output \n \n \n Pre-scan script results:\n | broadcast-novell-locate:\n | Tree name: CQURE-LABTREE\n | Server name: linux-l84t\n | Addresses\n |_ 192.168.56.33\n \n \n\n## Requires \n\n * [ipOps](<../lib/ipOps.html>)\n * [srvloc](<../lib/srvloc.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [stringaux](<../lib/stringaux.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-06-15T06:23:30", "type": "nmap", "title": "broadcast-novell-locate NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:BROADCAST-NOVELL-LOCATE.NSE", "href": "https://nmap.org/nsedoc/scripts/broadcast-novell-locate.html", "sourceData": "local ipOps = require \"ipOps\"\nlocal srvloc = require \"srvloc\"\nlocal stdnse = require \"stdnse\"\nlocal stringaux = require \"stringaux\"\nlocal table = require \"table\"\n\ndescription = [[\nAttempts to use the Service Location Protocol to discover Novell NetWare Core Protocol (NCP) servers.\n]]\n\n---\n--\n--@output\n-- Pre-scan script results:\n-- | broadcast-novell-locate:\n-- | Tree name: CQURE-LABTREE\n-- | Server name: linux-l84t\n-- | Addresses\n-- |_ 192.168.56.33\n--\n--\n\n-- Version 0.1\n-- Created 04/26/2011 - v0.1 - created by Patrik Karlsson\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"broadcast\", \"safe\"}\n\n\nprerule = function() return true end\n\nfunction action()\n\n local helper = srvloc.Helper:new()\n\n local status, bindery = helper:ServiceRequest(\"bindery.novell\", \"DEFAULT\")\n if ( not(status) or not(bindery) ) then\n helper:close()\n return\n end\n bindery = bindery[1]\n local srvname = bindery:match(\"%/%/%/(.*)$\")\n\n local status, attrib = helper:AttributeRequest(bindery, \"DEFAULT\", \"svcaddr-ws\")\n helper:close()\n attrib = attrib:match(\"^%(svcaddr%-ws=(.*)%)$\")\n if ( not(attrib) ) then return end\n\n local attribs = stringaux.strsplit(\",\", attrib)\n if ( not(attribs) ) then return end\n\n local addrs = { name = \"Addresses\"}\n local ips = {}\n for _, attr in ipairs(attribs) do\n local addr = attr:match(\"^%d*%-%d*%-%d*%-(........)\")\n if ( addr ) then\n local ip = ipOps.str_to_ip(stdnse.fromhex(addr))\n\n if ( not(ips[ip]) ) then\n table.insert(addrs, ip)\n ips[ip] = ip\n end\n end\n end\n\n local output = {}\n local status, treename = helper:ServiceRequest(\"ndap.novell\", \"DEFAULT\")\n if ( status ) then\n treename = treename[1]\n treename = treename:match(\"%/%/%/(.*)%.$\")\n table.insert(output, (\"Tree name: %s\"):format(treename))\n end\n table.insert(output, (\"Server name: %s\"):format(srvname))\n table.insert(output, addrs)\n\n return stdnse.format_output(true, output)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:43:02", "description": "Crawls webservers in search of RFI (remote file inclusion) vulnerabilities. It tests every form field it finds and every parameter of a URL containing a query.\n\n## Script Arguments \n\n#### http-rfi-spider.withinhost \n\nonly spider URLs within the same host. (default: true)\n\n#### http-rfi-spider.url \n\nthe url to start spidering. This is a URL relative to the scanned host eg. /default.html (default: /)\n\n#### http-rfi-spider.withindomain \n\nonly spider URLs within the same domain. This widens the scope from `withinhost` and can not be used in combination. (default: false)\n\n#### http-rfi-spider.inclusionurl \n\nthe url we will try to include, defaults to `http://tools.ietf.org/html/rfc13?`\n\n#### http-rfi-spider.maxdepth \n\nthe maximum amount of directories beneath the initial url to spider. A negative value disables the limit. (default: 3)\n\n#### http-rfi-spider.maxpagecount \n\nthe maximum amount of pages to visit. A negative value disables the limit (default: 20)\n\n#### http-rfi-spider.pattern \n\nthe pattern to search for in `response.body` to determine if the inclusion was successful, defaults to `'20 August 1969'`\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost \n\nSee the documentation for the [httpspider](<../lib/httpspider.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script http-rfi-spider -p80 <host>\n \n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 80/tcp open http\n | http-rfi-spider:\n | Possible RFI in form fields\n | Form \"(form 1)\" at /experiments/rfihome.html (action rfi.pl) with fields:\n | inc\n | Form \"someform\" at /experiments/rfihome.html (action rfi.pl) with fields:\n | inc2\n | Possible RFI in query parameters\n | Path /experiments/rfi.pl with queries:\n |_ inc=http%3a%2f%2ftools%2eietf%2eorg%2fhtml%2frfc13%3f\n \n\n## Requires \n\n * [shortport](<../lib/shortport.html>)\n * [http](<../lib/http.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [url](<../lib/url.html>)\n * [httpspider](<../lib/httpspider.html>)\n * [string](<>)\n * [table](<>)\n * [tableaux](<../lib/tableaux.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-06-15T22:37:33", "type": "nmap", "title": "http-rfi-spider NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-17T15:34:30", "id": "NMAP:HTTP-RFI-SPIDER.NSE", "href": "https://nmap.org/nsedoc/scripts/http-rfi-spider.html", "sourceData": "description = [[\nCrawls webservers in search of RFI (remote file inclusion) vulnerabilities. It\ntests every form field it finds and every parameter of a URL containing a\nquery.\n]]\n\n---\n-- @usage\n-- nmap --script http-rfi-spider -p80 <host>\n--\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 80/tcp open http\n-- | http-rfi-spider:\n-- | Possible RFI in form fields\n-- | Form \"(form 1)\" at /experiments/rfihome.html (action rfi.pl) with fields:\n-- | inc\n-- | Form \"someform\" at /experiments/rfihome.html (action rfi.pl) with fields:\n-- | inc2\n-- | Possible RFI in query parameters\n-- | Path /experiments/rfi.pl with queries:\n-- |_ inc=http%3a%2f%2ftools%2eietf%2eorg%2fhtml%2frfc13%3f\n--\n-- @xmloutput\n-- <table key=\"Forms\">\n-- <table key=\"/experiments/rfihome.html\">\n-- <table key=\"(form 1)\">\n-- <table key=\"Vulnerable fields\">\n-- <elem>inc</elem>\n-- </table>\n-- <elem key=\"Action\">rfi.pl</elem>\n-- </table>\n-- <table key=\"someform\">\n-- <table key=\"Vulnerable fields\">\n-- <elem>inc2</elem>\n-- </table>\n-- <elem key=\"Action\">rfi.pl</elem>\n-- </table>\n-- </table>\n-- </table>\n-- <table key=\"Queries\">\n-- <table key=\"/experiments/rfi.pl\">\n-- <elem>inc=http%3a%2f%2ftools%2eietf%2eorg%2fhtml%2frfc13%3f</elem>\n-- </table>\n-- </table>\n--\n-- @args http-rfi-spider.inclusionurl the url we will try to include, defaults\n-- to <code>http://tools.ietf.org/html/rfc13?</code>\n-- @args http-rfi-spider.pattern the pattern to search for in <code>response.body</code>\n-- to determine if the inclusion was successful, defaults to\n-- <code>'20 August 1969'</code>\n-- @args http-rfi-spider.maxdepth the maximum amount of directories beneath\n-- the initial url to spider. A negative value disables the limit.\n-- (default: 3)\n-- @args http-rfi-spider.maxpagecount the maximum amount of pages to visit.\n-- A negative value disables the limit (default: 20)\n-- @args http-rfi-spider.url the url to start spidering. This is a URL\n-- relative to the scanned host eg. /default.html (default: /)\n-- @args http-rfi-spider.withinhost only spider URLs within the same host.\n-- (default: true)\n-- @args http-rfi-spider.withindomain only spider URLs within the same\n-- domain. This widens the scope from <code>withinhost</code> and can\n-- not be used in combination. (default: false)\n--\n\nauthor = \"Piotr Olma\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\"}\n\nlocal shortport = require 'shortport'\nlocal http = require 'http'\nlocal stdnse = require 'stdnse'\nlocal url = require 'url'\nlocal httpspider = require 'httpspider'\nlocal string = require 'string'\nlocal table = require 'table'\nlocal tableaux = require 'tableaux'\n\n-- this is a variable that will hold the function that checks if a pattern we are searching for is in\n-- response's body\nlocal check_response\n\n-- this variable will hold the injection url\nlocal inclusion_url\n\n-- checks if a field is of type we want to check for rfi\nlocal function rfi_field(field_type)\n return field_type==\"text\" or field_type==\"radio\" or field_type==\"checkbox\" or field_type==\"textarea\"\nend\n\n-- generates postdata with value of \"sampleString\" for every field (that satisfies rfi_field()) of a form\nlocal function generate_safe_postdata(form)\n local postdata = {}\n for _,field in ipairs(form[\"fields\"]) do\n if rfi_field(field[\"type\"]) then\n postdata[field[\"name\"]] = \"sampleString\"\n end\n end\n return postdata\nend\n\n-- checks each field of a form to see if it's vulnerable to rfi\nlocal function check_form(form, host, port, path)\n local vulnerable_fields = {}\n local postdata = generate_safe_postdata(form)\n local sending_function, response\n\n local form_submission_path = url.absolute(path, form.action)\n if form[\"method\"]==\"post\" then\n sending_function = function(data) return http.post(host, port, form_submission_path, nil, nil, data) end\n else\n sending_function = function(data) return http.get(host, port, form_submission_path..\"?\"..url.build_query(data), nil) end\n end\n\n for _,field in ipairs(form[\"fields\"]) do\n if rfi_field(field[\"type\"]) then\n stdnse.debug2(\"checking field %s\", field[\"name\"])\n postdata[field[\"name\"]] = inclusion_url\n response = sending_function(postdata)\n if response and response.body and response.status==200 then\n if check_response(response.body) then\n vulnerable_fields[#vulnerable_fields+1] = field[\"name\"]\n end\n end\n postdata[field[\"name\"]] = \"sampleString\"\n end\n end\n return vulnerable_fields\nend\n\n-- builds urls with a query that would let us decide if a parameter is rfi vulnerable\nlocal function build_urls(injectable)\n local new_urls = {}\n for _,u in ipairs(injectable) do\n if type(u) == \"string\" then\n local parsed_url = url.parse(u)\n local old_query = url.parse_query(parsed_url.query)\n for f,v in pairs(old_query) do\n old_query[f] = inclusion_url\n parsed_url.query = url.build_query(old_query)\n table.insert(new_urls, url.build(parsed_url))\n old_query[f] = v\n end\n end\n end\n return new_urls\nend\n\n-- as in sql-injection.nse\nlocal function inject(host, port, injectable)\n local all = nil\n for k, v in pairs(injectable) do\n all = http.pipeline_add(v, nil, all, 'GET')\n end\n return http.pipeline_go(host, port, all)\nend\n\nlocal function check_responses(urls, responses)\n if responses == nil or #responses==0 then\n return {}\n end\n local suspects = {}\n for i,r in ipairs(responses) do\n if r.body then\n if check_response(r.body) then\n local parsed = url.parse(urls[i])\n if suspects[parsed.path] then\n table.insert(suspects[parsed.path], parsed.query)\n else\n suspects[parsed.path] = {}\n table.insert(suspects[parsed.path], parsed.query)\n end\n end\n end\n end\n return suspects\nend\n\nportrule = shortport.port_or_service( {80, 443}, {\"http\", \"https\"}, \"tcp\", \"open\")\n\nfunction action(host, port)\n inclusion_url = stdnse.get_script_args('http-rfi-spider.inclusionurl') or 'http://tools.ietf.org/html/rfc13?'\n local pattern_to_search = stdnse.get_script_args('http-rfi-spider.pattern') or '20 August 1969'\n\n -- once we know the pattern we'll be searching for, we can set up the function\n check_response = function(body) return string.find(body, pattern_to_search) end\n\n -- create a new crawler instance\n local crawler = httpspider.Crawler:new( host, port, nil, { scriptname = SCRIPT_NAME} )\n\n if ( not(crawler) ) then\n return\n end\n\n local output = stdnse.output_table()\n output.Forms = stdnse.output_table()\n output.Queries = stdnse.output_table()\n\n while(true) do\n local status, r = crawler:crawl()\n\n if ( not(status) ) then\n if ( r.err ) then\n return stdnse.format_output(false, r.reason)\n else\n break\n end\n end\n\n -- first we try rfi on forms\n if r.response and r.response.body and r.response.status==200 then\n local path = r.url.path\n local all_forms = http.grab_forms(r.response.body)\n for seq, form_plain in ipairs(all_forms) do\n local form = http.parse_form(form_plain)\n if form and form.action then\n local vulnerable_fields = check_form(form, host, port, path)\n if #vulnerable_fields > 0 then\n local out_form = stdnse.output_table()\n out_form[\"Action\"] = form.action\n out_form[\"Vulnerable fields\"] = vulnerable_fields\n if not output.Forms[path] then output.Forms[path] = stdnse.output_table() end\n output.Forms[path][form.id or string.format(\"(form %d)\", seq)] = out_form\n end\n end\n end --for\n end --if\n\n -- now try inclusion by query parameters\n local injectable = {}\n -- search for injectable links (as in sql-injection.nse)\n if r.response.status and r.response.body then\n local links = httpspider.LinkExtractor:new(r.url, r.response.body, crawler.options):getLinks()\n for _,u in ipairs(links) do\n local url_parsed = url.parse(u)\n if url_parsed.query then\n table.insert(injectable, u)\n end\n end\n end\n if #injectable > 0 then\n local new_urls = build_urls(injectable)\n local responses = inject(host, port, new_urls)\n local suspects = check_responses(new_urls, responses)\n for p, q in pairs(suspects) do\n local queries_out = output.Queries[p] or {}\n for _, query in ipairs(q) do\n queries_out[#queries_out+1] = query\n end\n output.Queries[p] = queries_out\n end\n end\n end\n\n local text_output = {}\n if #output.Forms > 0 then\n local rfi = { name = \"Possible RFI in form fields\" }\n for path, forms in pairs(output.Forms) do\n for fid, fobj in pairs(forms) do\n local out = tableaux.shallow_tcopy(fobj[\"Vulnerable fields\"])\n out.name = string.format('Form \"%s\" at %s (action %s) with fields:',\n fid, path, fobj[\"Action\"])\n table.insert(rfi, out)\n end\n end\n table.insert(text_output, rfi)\n end\n if #output.Queries > 0 then\n local rfi = { name = \"Possible RFI in query parameters\" }\n for path, queries in pairs(output.Queries) do\n local out = tableaux.shallow_tcopy(queries)\n out.name = string.format('Path %s with queries:', path)\n table.insert(rfi, out)\n end\n table.insert(text_output, rfi)\n end\n\n if #text_output > 0 then\n return output, stdnse.format_output(true, text_output)\n end\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:42:40", "description": "Checks for MySQL servers with an empty password for `root` or `anonymous`.\n\n### See also:\n\n * [ mysql-brute.nse ](<../scripts/mysql-brute.html>)\n\n## Example Usage \n \n \n nmap -sV --script=mysql-empty-password <target>\n\n## Script Output \n \n \n 3306/tcp open mysql\n | mysql-empty-password:\n | anonymous account has empty password\n |_ root account has empty password\n\n## Requires \n\n * [mysql](<../lib/mysql.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-01-26T09:40:38", "type": "nmap", "title": "mysql-empty-password NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-01-23T20:37:22", "id": "NMAP:MYSQL-EMPTY-PASSWORD.NSE", "href": "https://nmap.org/nsedoc/scripts/mysql-empty-password.html", "sourceData": "local mysql = require \"mysql\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nChecks for MySQL servers with an empty password for <code>root</code> or\n<code>anonymous</code>.\n]]\n\n---\n-- @see mysql-brute.nse\n--\n-- @output\n-- 3306/tcp open mysql\n-- | mysql-empty-password:\n-- | anonymous account has empty password\n-- |_ root account has empty password\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"auth\"}\n\n\n-- Version 0.3\n-- Created 01/15/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n-- Revised 01/23/2010 - v0.2 - revised by Patrik Karlsson, added anonymous account check\n-- Revised 01/23/2010 - v0.3 - revised by Patrik Karlsson, fixed abort bug due to try of loginrequest\n\nportrule = shortport.port_or_service(3306, \"mysql\")\n\naction = function( host, port )\n\n local socket = nmap.new_socket()\n local result = {}\n local users = {\"\", \"root\"}\n\n -- set a reasonable timeout value\n socket:set_timeout(5000)\n\n for _, v in ipairs( users ) do\n local status, response = socket:connect(host, port)\n if( not(status) ) then return stdnse.format_output(false, \"Failed to connect to mysql server\") end\n\n status, response = mysql.receiveGreeting( socket )\n if ( not(status) ) then\n stdnse.debug3(\"%s\", SCRIPT_NAME)\n socket:close()\n return response\n end\n\n status, response = mysql.loginRequest( socket, { authversion = \"post41\", charset = response.charset }, v, nil, response.salt )\n if response.errorcode == 0 then\n table.insert(result, string.format(\"%s account has empty password\", ( v==\"\" and \"anonymous\" or v ) ) )\n if nmap.registry.mysqlusers == nil then\n nmap.registry.mysqlusers = {}\n end\n nmap.registry.mysqlusers[v==\"\" and \"anonymous\" or v] = \"\"\n end\n socket:close()\n end\n\n return stdnse.format_output(true, result)\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:17", "description": "Lists currently queued print jobs of the remote CUPS service grouped by printer.\n\n## Script Arguments \n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 631 <ip> --script cups-queue-info\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 631/tcp open ipp\n | cups-queue-info:\n | HP Laserjet\n | id time state size (kb) owner jobname\n | 14 2012-04-26 22:01:19 Held 2071k Patrik Karlsson Print - CUPS Implementation of IPP - Documentation - CUPS\n | Generic-PostScript-Printer\n | id time state size (kb) owner jobname\n | 3 2012-04-16 23:25:47 Pending 11k Unknown Unknown\n | 4 2012-04-16 23:33:21 Pending 11k Unknown Unknown\n |_ 11 2012-04-24 08:15:14 Pending 13k Unknown Unknown\n \n\n## Requires \n\n * [ipp](<../lib/ipp.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-05-01T14:23:40", "type": "nmap", "title": "cups-queue-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:CUPS-QUEUE-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/cups-queue-info.html", "sourceData": "local ipp = require \"ipp\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nLists currently queued print jobs of the remote CUPS service grouped by\nprinter.\n]]\n\n---\n-- @usage\n-- nmap -p 631 <ip> --script cups-queue-info\n--\n-- @output\n-- PORT STATE SERVICE\n-- 631/tcp open ipp\n-- | cups-queue-info:\n-- | HP Laserjet\n-- | id time state size (kb) owner jobname\n-- | 14 2012-04-26 22:01:19 Held 2071k Patrik Karlsson Print - CUPS Implementation of IPP - Documentation - CUPS\n-- | Generic-PostScript-Printer\n-- | id time state size (kb) owner jobname\n-- | 3 2012-04-16 23:25:47 Pending 11k Unknown Unknown\n-- | 4 2012-04-16 23:33:21 Pending 11k Unknown Unknown\n-- |_ 11 2012-04-24 08:15:14 Pending 13k Unknown Unknown\n--\n\ncategories = {\"safe\", \"discovery\"}\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\", \"discovery\"}\n\n\nportrule = shortport.port_or_service(631, \"ipp\", \"tcp\", \"open\")\n\naction = function(host, port)\n local helper = ipp.Helper:new(host, port)\n if ( not(helper:connect()) ) then\n return stdnse.format_output(false, \"Failed to connect to server\")\n end\n\n local output = helper:getQueueInfo()\n if ( output ) then\n return stdnse.format_output(true, output)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:41", "description": "This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and renders a Bing Map of markers representing the targets. \n\nThe Bing Maps REST API has a limit of 100 markers, so if more coordinates are found, only the top 100 markers by number of IPs will be shown. \n\nAdditional information for the Bing Maps REST Services API can be found at: \\- <https://msdn.microsoft.com/en-us/library/ff701724.aspx>\n\n### See also:\n\n * [ ip-geolocation-geoplugin.nse ](<../scripts/ip-geolocation-geoplugin.html>)\n * [ ip-geolocation-ipinfodb.nse ](<../scripts/ip-geolocation-ipinfodb.html>)\n * [ ip-geolocation-map-google.nse ](<../scripts/ip-geolocation-map-google.html>)\n * [ ip-geolocation-map-kml.nse ](<../scripts/ip-geolocation-map-kml.html>)\n * [ ip-geolocation-maxmind.nse ](<../scripts/ip-geolocation-maxmind.html>)\n\n## Script Arguments \n\n#### ip-geolocation-map-bing.format \n\nThe default value is 'jpeg', 'png', and 'gif' are also allowed.\n\n#### ip-geolocation-map-bing.size \n\nThe default value is '640x640' pixels, but can be changed so long as the width is between 80 and 2000 pixels and the height is between 80 and 1500 pixels.\n\n#### ip-geolocation-map-bing.marker_style \n\nThis argument can apply styling to the markers. <https://msdn.microsoft.com/en-us/library/ff701719.aspx>\n\n#### ip-geolocation-map-bing.map_path \n\nThe path at which the rendered Bing Map will be saved to the local filesystem.\n\n#### ip-geolocation-map-bing.language \n\nThe default value is 'en', but other two-letter language codes are accepted.\n\n#### ip-geolocation-map-bing.layer \n\nThe default value is 'Road', 'Aerial', and 'AerialWithLabels' are also allowed.\n\n#### ip-geolocation-map-bing.api_key \n\nThe required Bing Maps API key for your account. An API key can be generated at <https://www.bingmapsportal.com/>\n\n#### ip-geolocation-map-bing.center \n\nGPS coordinates defining the center of the image. If omitted, Bing Maps will choose a center that shows all the markers.\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sn -Pn --script ip-geolocation-geoplugin,ip-geolocation-map-bing --script-args ip-geolocation-map-bing.api_key=[redacted],ip-geolocation-map-bing.map_path=map.png <target>\n \n\n## Script Output \n \n \n | ip-geolocation-map-bing:\n |_ The map has been saved at 'map.png'.\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [geoip](<../lib/geoip.html>)\n * [io](<>)\n * [oops](<../lib/oops.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n * [url](<../lib/url.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-12-17T14:37:35", "type": "nmap", "title": "ip-geolocation-map-bing NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-09-20T04:40:20", "id": "NMAP:IP-GEOLOCATION-MAP-BING.NSE", "href": "https://nmap.org/nsedoc/scripts/ip-geolocation-map-bing.html", "sourceData": "local http = require \"http\"\nlocal geoip = require \"geoip\"\nlocal io = require \"io\"\nlocal oops = require \"oops\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal url = require \"url\"\n\ndescription = [[\nThis script queries the Nmap registry for the GPS coordinates of targets stored\nby previous geolocation scripts and renders a Bing Map of markers representing\nthe targets.\n\nThe Bing Maps REST API has a limit of 100 markers, so if more coordinates are\nfound, only the top 100 markers by number of IPs will be shown.\n\nAdditional information for the Bing Maps REST Services API can be found at:\n- https://msdn.microsoft.com/en-us/library/ff701724.aspx\n]]\n\n---\n-- @usage\n-- nmap -sn -Pn --script ip-geolocation-geoplugin,ip-geolocation-map-bing --script-args ip-geolocation-map-bing.api_key=[redacted],ip-geolocation-map-bing.map_path=map.png <target>\n--\n-- @output\n-- | ip-geolocation-map-bing:\n-- |_ The map has been saved at 'map.png'.\n--\n-- @args ip-geolocation-map-bing.api_key The required Bing Maps API key for your\n-- account. An API key can be generated at https://www.bingmapsportal.com/\n--\n-- @args ip-geolocation-map-bing.center GPS coordinates defining the center of the\n-- image. If omitted, Bing Maps will choose a center that shows all the\n-- markers.\n--\n-- @args ip-geolocation-map-bing.format The default value is 'jpeg', 'png', and\n-- 'gif' are also allowed.\n--\n-- @args ip-geolocation-map-bing.language The default value is 'en', but other\n-- two-letter language codes are accepted.\n--\n-- @args ip-geolocation-map-bing.layer The default value is 'Road',\n-- 'Aerial', and 'AerialWithLabels' are also allowed.\n--\n-- @args ip-geolocation-map-bing.map_path The path at which the rendered\n-- Bing Map will be saved to the local filesystem.\n--\n-- @args ip-geolocation-map-bing.marker_style This argument can apply styling\n-- to the markers.\n-- https://msdn.microsoft.com/en-us/library/ff701719.aspx\n--\n-- @args ip-geolocation-map-bing.size The default value is '640x640' pixels, but\n-- can be changed so long as the width is between 80 and 2000 pixels and the\n-- height is between 80 and 1500 pixels.\n--\n-- @see ip-geolocation-geoplugin.nse\n-- @see ip-geolocation-ipinfodb.nse\n-- @see ip-geolocation-map-google.nse\n-- @see ip-geolocation-map-kml.nse\n-- @see ip-geolocation-maxmind.nse\n\nauthor = \"Mak Kolybabi <mak@kolybabi.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"external\", \"safe\"}\n\nlocal render = function(params, options)\n -- Format marker style for inclusion in parameters.\n local style = \"\"\n if options[\"marker_style\"] then\n style = \";\" .. options[\"marker_style\"]\n end\n\n -- Add in a marker for each host.\n local markers = {}\n for coords, ip in pairs(geoip.get_all_by_gps()) do\n table.insert(markers, {#ip, \"pp=\" .. coords .. style})\n end\n if #markers > 100 then\n -- API is limited to 100 markers\n stdnse.verbose1(\"Bing Maps API limits render to 100 markers. Some results not mapped.\")\n -- sort by number of IPs so we map the biggest groups\n table.sort(markers, function (a, b) return a[1] < b[1] end)\n end\n local out_markers = {}\n for i=1, #markers do\n if i > 100 then break end\n out_markers[#out_markers+1] = markers[i][2]\n end\n local body = table.concat(out_markers, \"&\")\n\n -- Format the parameters into a properly encoded URL.\n local query = \"/REST/v1/Imagery/Map/\" .. options[\"layer\"] .. \"?\" .. url.build_query(params)\n stdnse.debug1(\"The query URL is: %s\", query)\n stdnse.debug1(\"The query body is: %s\", body)\n\n local headers = {\n [\"header\"] = {\n [\"Content-Type\"] = \"text/plain; charset=utf-8\"\n }\n }\n\n local res = http.post(\"dev.virtualearth.net\", 80, query, headers, nil, body)\n if not res or res.status ~= 200 then\n stdnse.debug1(\"Error %d from API: %s\", res.status, res.body)\n return false, (\"Failed to receive map using query '%s'.\"):format(query)\n end\n\n local f = io.open(options[\"map_path\"], \"w\")\n if not f then\n return false, (\"Failed to open file '%s'.\"):format(options[\"map_path\"])\n end\n\n if not f:write(res.body) then\n return false, (\"Failed to write file '%s'.\"):format(options[\"map_path\"])\n end\n\n f:close()\n\n local msg\n\n return true, (\"The map has been saved at '%s'.\"):format(options[\"map_path\"])\nend\n\nlocal parse_args = function()\n local options = {}\n local params = {}\n\n local api_key = stdnse.get_script_args(SCRIPT_NAME .. '.api_key')\n if not api_key then\n return false, \"Need to specify an API key, get one at https://www.bingmapsportal.com/.\"\n end\n params[\"key\"] = api_key\n\n local center = stdnse.get_script_args(SCRIPT_NAME .. \".center\")\n if center then\n params[\"centerPoint\"] = center\n end\n\n local format = stdnse.get_script_args(SCRIPT_NAME .. \".format\")\n if format then\n params[\"format\"] = format\n end\n\n local language = stdnse.get_script_args(SCRIPT_NAME .. \".language\")\n if language then\n params[\"language\"] = language\n end\n\n local layer = stdnse.get_script_args(SCRIPT_NAME .. \".layer\")\n if not layer then\n layer = \"Road\"\n end\n options[\"layer\"] = layer\n\n local map_path = stdnse.get_script_args(SCRIPT_NAME .. '.map_path')\n if map_path then\n options[\"map_path\"] = map_path\n else\n return false, \"Need to specify a path for the map.\"\n end\n\n local size = stdnse.get_script_args(SCRIPT_NAME .. \".size\")\n if not size then\n -- This size is arbitrary, and is chosen to match the default that Google\n -- Maps will produce.\n size = \"640x640\"\n end\n size = string.gsub(size, \"x\", \",\")\n params[\"mapSize\"] = size\n\n return true, params, options\nend\n\npostrule = function()\n -- Only run if a previous script has registered geolocation data.\n return not geoip.empty()\nend\n\naction = function()\n -- Parse and sanity check the command line arguments.\n local status, params, options = oops.raise(\n \"Script argument problem\",\n parse_args())\n if not status then\n return params\n end\n\n -- Render the map.\n return oops.output(render(params, options))\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:56", "description": "Detects the UDP IAX2 service. \n\nThe script sends an Inter-Asterisk eXchange (IAX) Revision 2 Control Frame POKE request and checks for a proper response. This protocol is used to enable VoIP connections between servers as well as client-server communication.\n\n## Example Usage \n \n \n nmap -sU -sV -p 4569 <target>\n\n## Script Output \n \n \n PORT STATE SERVICE VERSION\n 4569/udp closed iax2\n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [string](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2008-11-06T02:52:59", "type": "nmap", "title": "iax2-version NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:IAX2-VERSION.NSE", "href": "https://nmap.org/nsedoc/scripts/iax2-version.html", "sourceData": "local comm = require \"comm\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal string = require \"string\"\n\ndescription = [[\nDetects the UDP IAX2 service.\n\nThe script sends an Inter-Asterisk eXchange (IAX) Revision 2 Control Frame POKE\nrequest and checks for a proper response. This protocol is used to enable VoIP\nconnections between servers as well as client-server communication.\n]]\n\n---\n-- @usage\n-- nmap -sU -sV -p 4569 <target>\n-- @output\n-- PORT STATE SERVICE VERSION\n-- 4569/udp closed iax2\n\nauthor = \"Ferdy Riphagen\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"version\"}\n\n\nportrule = shortport.version_port_or_service(4569, nil, \"udp\")\n\naction = function(host, port)\n -- see http://www.cornfed.com/iax.pdf for all options.\n local poke = \"\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x1e\"\n\n local status, recv = comm.exchange(host, port, poke, {timeout=10000})\n\n if not status then\n return\n end\n\n if (#recv) == 12 then\n local byte11 = string.byte(recv, 11)\n local byte12 = string.byte(recv, 12)\n\n -- byte11 must be \\x06 IAX Control Frame\n -- and byte12 must be \\x03 or \\x04\n if ((byte11 == 6) and\n (byte12 == 3 or byte12 == 4))\n then\n nmap.set_port_state(host, port, \"open\")\n port.version.name = \"iax2\"\n nmap.set_port_version(host, port)\n end\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:32:59", "description": "Extracts information, including file paths, version and database names from a Versant object database.\n\n## Example Usage \n \n \n nmap -p 5019 <ip> --script versant-info\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 5019/tcp open versant syn-ack\n | versant-info:\n | Hostname: WIN-S6HA7RJFAAR\n | Root path: C:\\Versant\\8\n | Database path: C:\\Versant\\db\n | Library path: C:\\Versant\\8\n | Version: 8.0.2\n | Databases\n | FirstDB@WIN-S6HA7RJFAAR:5019\n | Created: Sat Mar 03 12:00:02 2012\n | Owner: Administrator\n | Version: 8.0.2\n | SecondDB@WIN-S6HA7RJFAAR:5019\n | Created: Sat Mar 03 03:44:10 2012\n | Owner: Administrator\n | Version: 8.0.2\n | ThirdDB@WIN-S6HA7RJFAAR:5019\n | Created: Sun Mar 04 02:20:21 2012\n | Owner: Administrator\n |_ Version: 8.0.2\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n * [versant](<../lib/versant.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-03-08T17:51:48", "type": "nmap", "title": "versant-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:VERSANT-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/versant-info.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\nlocal versant = require \"versant\"\n\ndescription = [[\nExtracts information, including file paths, version and database names from\na Versant object database.\n]]\n\n---\n-- @usage\n-- nmap -p 5019 <ip> --script versant-info\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 5019/tcp open versant syn-ack\n-- | versant-info:\n-- | Hostname: WIN-S6HA7RJFAAR\n-- | Root path: C:\\Versant\\8\n-- | Database path: C:\\Versant\\db\n-- | Library path: C:\\Versant\\8\n-- | Version: 8.0.2\n-- | Databases\n-- | FirstDB@WIN-S6HA7RJFAAR:5019\n-- | Created: Sat Mar 03 12:00:02 2012\n-- | Owner: Administrator\n-- | Version: 8.0.2\n-- | SecondDB@WIN-S6HA7RJFAAR:5019\n-- | Created: Sat Mar 03 03:44:10 2012\n-- | Owner: Administrator\n-- | Version: 8.0.2\n-- | ThirdDB@WIN-S6HA7RJFAAR:5019\n-- | Created: Sun Mar 04 02:20:21 2012\n-- | Owner: Administrator\n-- |_ Version: 8.0.2\n--\n\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\nportrule = shortport.port_or_service(5019, \"versant\", \"tcp\")\n\nlocal function fail(err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n\n local v = versant.Versant:new(host, port)\n local status = v:connect()\n if ( not(status) ) then\n return fail(\"Failed to connect to server\")\n end\n\n local status, newport = v:getObePort()\n if ( not(status) ) then\n return fail(\"Failed to retrieve OBE port\")\n end\n v:close()\n\n v = versant.Versant.OBE:new(host, newport)\n status = v:connect()\n if ( not(status) ) then\n return fail(\"Failed to connect to server\")\n end\n\n local result\n status, result = v:getVODInfo()\n if ( not(status) ) then\n return fail(\"Failed to get VOD information\")\n end\n v:close()\n\n local output = {}\n\n table.insert(output, (\"Hostname: %s\"):format(result.hostname))\n table.insert(output, (\"Root path: %s\"):format(result.root_path))\n table.insert(output, (\"Database path: %s\"):format(result.db_path))\n table.insert(output, (\"Library path: %s\"):format(result.lib_path))\n table.insert(output, (\"Version: %s\"):format(result.version))\n\n port.version.product = \"Versant Database\"\n port.version.name = \"versant\"\n nmap.set_port_version(host, port)\n\n -- the script may fail after this part, but we want to report at least\n -- the above information if that's the case.\n\n v = versant.Versant:new(host, port)\n status = v:connect()\n if ( not(status) ) then\n return stdnse.format_output(true, output)\n end\n\n status, result = v:getNodeInfo()\n if ( not(status) ) then\n return stdnse.format_output(true, output)\n end\n v:close()\n\n local databases = { name = \"Databases\" }\n\n for _, db in ipairs(result) do\n local db_tbl = { name = db.name }\n table.insert(db_tbl, (\"Created: %s\"):format(db.created))\n table.insert(db_tbl, (\"Owner: %s\"):format(db.owner))\n table.insert(db_tbl, (\"Version: %s\"):format(db.version))\n table.insert(databases, db_tbl)\n end\n\n table.insert(output, databases)\n return stdnse.format_output(true, output)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:55", "description": "Discover IPv4 networks using Open Shortest Path First version 2(OSPFv2) protocol. \n\nThe script works by listening for OSPF Hello packets from the 224.0.0.5 multicast address. The script then replies and attempts to create a neighbor relationship, in order to discover network database. \n\nIf no interface was provided as a script argument or through the -e option, the script will fail unless a single interface is present on the system.\n\n## Script Arguments \n\n#### broadcast-ospf2-discover.md5_key \n\nMD5 digest key to use if message digest authentication is disclosed.\n\n#### broadcast-ospf2-discover.router_id \n\nRouter ID to use. Defaults to 0.0.0.1\n\n#### broadcast-ospf2-discover.timeout \n\nTime in seconds that the script waits for hello from other routers. Defaults to 10 seconds, matching OSPFv2 default value for hello interval.\n\n#### broadcast-ospf2-discover.interface \n\nInterface to send on (overrides -e). Mandatory if not using -e and multiple interfaces are present.\n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script=broadcast-ospf2-discover\n nmap --script=broadcast-ospf2-discover -e wlan0\n \n\n## Script Output \n \n \n Pre-scan script results:\n | broadcast-ospf2-discover:\n | Area ID: 0.0.0.0\n | External Routes\n | 192.168.24.0/24\n |_ Use the newtargets script-arg to add the results as targets\n \n\n## Requires \n\n * [ipOps](<../lib/ipOps.html>)\n * [nmap](<../lib/nmap.html>)\n * [ospf](<../lib/ospf.html>)\n * [packet](<../lib/packet.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [target](<../lib/target.html>)\n * [os](<>)\n * [string](<>)\n * [table](<>)\n * [openssl](<../lib/openssl.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-14T00:15:22", "type": "nmap", "title": "broadcast-ospf2-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-09T17:06:03", "id": "NMAP:BROADCAST-OSPF2-DISCOVER.NSE", "href": "https://nmap.org/nsedoc/scripts/broadcast-ospf2-discover.html", "sourceData": "local ipOps = require \"ipOps\"\nlocal nmap = require \"nmap\"\nlocal ospf = require \"ospf\"\nlocal packet = require \"packet\"\nlocal stdnse = require \"stdnse\"\nlocal target = require \"target\"\nlocal os = require \"os\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\nlocal have_ssl, openssl = pcall(require,'openssl')\n\ndescription = [[\nDiscover IPv4 networks using Open Shortest Path First version 2(OSPFv2) protocol.\n\nThe script works by listening for OSPF Hello packets from the 224.0.0.5\nmulticast address. The script then replies and attempts to create a neighbor\nrelationship, in order to discover network database.\n\nIf no interface was provided as a script argument or through the -e option,\nthe script will fail unless a single interface is present on the system.\n]]\n\n---\n-- @usage\n-- nmap --script=broadcast-ospf2-discover\n-- nmap --script=broadcast-ospf2-discover -e wlan0\n--\n-- @args broadcast-ospf2-discover.md5_key MD5 digest key to use if message digest\n-- authentication is disclosed.\n--\n-- @args broadcast-ospf2-discover.router_id Router ID to use. Defaults to 0.0.0.1\n--\n-- @args broadcast-ospf2-discover.timeout Time in seconds that the script waits for\n-- hello from other routers. Defaults to 10 seconds, matching OSPFv2 default\n-- value for hello interval.\n--\n-- @args broadcast-ospf2-discover.interface Interface to send on (overrides -e). Mandatory\n-- if not using -e and multiple interfaces are present.\n--\n-- @output\n-- Pre-scan script results:\n-- | broadcast-ospf2-discover:\n-- | Area ID: 0.0.0.0\n-- | External Routes\n-- | 192.168.24.0/24\n-- |_ Use the newtargets script-arg to add the results as targets\n--\n\nauthor = \"Emiliano Ticci\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"broadcast\", \"discovery\", \"safe\"}\n\nprerule = function()\n if nmap.address_family() ~= \"inet\" then\n stdnse.print_verbose(\"is IPv4 only.\")\n return false\n end\n if not nmap.is_privileged() then\n stdnse.print_verbose(\"not running for lack of privileges.\")\n return false\n end\n return true\nend\n\n-- Script constants\nOSPF_ALL_ROUTERS = \"224.0.0.5\"\nOSPF_MSG_HELLO = 0x01\nOSPF_MSG_DBDESC = 0x02\nOSPF_MSG_LSREQ = 0x03\nOSPF_MSG_LSUPD = 0x04\nlocal md5_key, router_id\n\n-- Convenience functions\nlocal function fail(err) return stdnse.format_output(false, err) end\n\n-- Print OSPFv2 LSA Header packet details to debug output.\n-- @param hello OSPFv2 LSA Header packet\nlocal ospfDumpLSAHeader = function(lsa_h)\n if 2 > nmap.debugging() then\n return\n end\n stdnse.print_debug(2, \"| LS Age: %s\", lsa_h.age)\n stdnse.print_debug(2, \"| Options: %s\", lsa_h.options)\n stdnse.print_debug(2, \"| LS Type: %s\", lsa_h.type)\n stdnse.print_debug(2, \"| Link State ID: %s\", lsa_h.id)\n stdnse.print_debug(2, \"| Advertising Router: %s\", lsa_h.adv_router)\n stdnse.print_debug(2, \"| Sequence: 0x%s\", lsa_h.sequence)\n stdnse.print_debug(2, \"| Checksum: 0x%s\", lsa_h.checksum)\n stdnse.print_debug(2, \"| Length: %s\", lsa_h.length)\nend\n\n-- Print OSPFv2 Database Description packet details to debug output.\n-- @param hello OSPFv2 Database Description packet\nlocal ospfDumpDBDesc = function(db_desc)\n if 2 > nmap.debugging() then\n return\n end\n stdnse.print_debug(2, \"| MTU: %s\", db_desc.mtu)\n stdnse.print_debug(2, \"| Options: %s\", db_desc.options)\n stdnse.print_debug(2, \"| Init: %s\", db_desc.init)\n stdnse.print_debug(2, \"| More: %s\", db_desc.more)\n stdnse.print_debug(2, \"| Master: %s\", db_desc.master)\n stdnse.print_debug(2, \"| Sequence: %s\", db_desc.sequence)\n if #db_desc.lsa_headers > 0 then\n stdnse.print_debug(2, \"| LSA Headers:\")\n for i, lsa_h in ipairs(db_desc.lsa_headers) do\n ospfDumpLSAHeader(lsa_h)\n if i < #db_desc.lsa_headers then\n stdnse.print_debug(2, \"|\")\n end\n end\n end\nend\n\n-- Print OSPFv2 Hello packet details to debug output.\n-- @param hello OSPFv2 Hello packet\nlocal ospfDumpHello = function(hello)\n if 2 > nmap.debugging() then\n return\n end\n stdnse.print_debug(2, \"| Router ID: %s\", hello.header.router_id)\n stdnse.print_debug(2, \"| Area ID: %s\", ipOps.fromdword(hello.header.area_id))\n stdnse.print_debug(2, \"| Checksum: %s\", hello.header.chksum)\n stdnse.print_debug(2, \"| Auth Type: %s\", hello.header.auth_type)\n if hello.header.auth_type == 0x01 then\n stdnse.print_debug(2, \"| Auth Password: %s\", hello.header.auth_data.password)\n elseif hello.header.auth_type == 0x02 then\n stdnse.print_debug(2, \"| Auth Crypt Key ID: %s\", hello.header.auth_data.keyid)\n stdnse.print_debug(2, \"| Auth Data Length: %s\", hello.header.auth_data.length)\n stdnse.print_debug(2, \"| Auth Crypt Seq: %s\", hello.header.auth_data.seq)\n end\n stdnse.print_debug(2, \"| Netmask: %s\", hello.netmask)\n stdnse.print_debug(2, \"| Hello interval: %s\", hello.interval)\n stdnse.print_debug(2, \"| Options: %s\", hello.options)\n stdnse.print_debug(2, \"| Priority: %s\", hello.prio)\n stdnse.print_debug(2, \"| Dead interval: %s\", hello.router_dead_interval)\n stdnse.print_debug(2, \"| Designated Router: %s\", hello.DR)\n stdnse.print_debug(2, \"| Backup Router: %s\", hello.BDR)\n stdnse.print_debug(2, \"| Neighbors: %s\", table.concat(hello.neighbors, \",\"))\nend\n\n-- Print OSPFv2 LS Request packet details to debug output.\n-- @param ls_req OSPFv2 LS Request packet\nlocal ospfDumpLSRequest = function(ls_req)\n if 2 > nmap.debugging() then\n return\n end\n for i, req in ipairs(ls_req.ls_requests) do\n stdnse.print_debug(2, \"| LS Type: %s\", req.type)\n stdnse.print_debug(2, \"| Link State ID: %s\", req.id)\n stdnse.print_debug(2, \"| Avertising Router: %s\", req.adv_router)\n if i < #ls_req.ls_requests then\n stdnse.print_debug(2, \"|\")\n end\n end\nend\n\n-- Print OSPFv2 LS Update packet details to debug output.\n-- @param ls_upd OSPFv2 LS Update packet\nlocal ospfDumpLSUpdate = function(ls_upd)\n stdnse.print_debug(2, \"| Number of LSAs: %s\", ls_upd.num_lsas)\n for i, lsa in ipairs(ls_upd.lsas) do\n -- Only Type 1 (Router-LSA) and Type 5 (AS-External-LSA) are supported at the moment\n ospfDumpLSAHeader(lsa.header)\n if lsa.header.type == 1 then\n stdnse.print_debug(2, \"| Flags: %s\", lsa.flags)\n stdnse.print_debug(2, \"| Number of links: %s\", lsa.num_links)\n for j, link in ipairs(lsa.links) do\n stdnse.print_debug(2, \"| Link ID: %s\", link.id)\n stdnse.print_debug(2, \"| Link Data: %s\", link.data)\n stdnse.print_debug(2, \"| Link Type: %s\", link.type)\n stdnse.print_debug(2, \"| Number of Metrics: %s\", link.num_metrics)\n stdnse.print_debug(2, \"| 0 Metric: %s\", link.metric)\n if j < #lsa.links then\n stdnse.print_debug(2, \"|\")\n end\n end\n if i < #ls_upd.lsas then\n stdnse.print_debug(2, \"|\")\n end\n elseif lsa.header.type == 5 then\n stdnse.print_debug(2, \"| Netmask: %s\", lsa.netmask)\n stdnse.print_debug(2, \"| External Type: %s\", lsa.ext_type)\n stdnse.print_debug(2, \"| Metric: %s\", lsa.metric)\n stdnse.print_debug(2, \"| Forwarding Address: %s\", lsa.fw_address)\n stdnse.print_debug(2, \"| External Route Tag: %s\", lsa.ext_tag)\n end\n end\nend\n\n-- Send OSPFv2 packet to specified destination.\n-- @param interface Source interface to use\n-- @param ip_dst Destination IP address\n-- @param mac_dst Destination MAC address\n-- @param ospf_packet Raw OSPF packet\nlocal ospfSend = function(interface, ip_dst, mac_dst, ospf_packet)\n local dnet = nmap.new_dnet()\n local probe = packet.Frame:new()\n\n probe.mac_src = interface.mac\n probe.mac_dst = mac_dst\n probe.ip_bin_src = ipOps.ip_to_str(interface.address)\n probe.ip_bin_dst = ipOps.ip_to_str(ip_dst)\n probe.l3_packet = ospf_packet\n probe.ip_dsf = 0xc0\n probe.ip_p = 89\n probe.ip_ttl = 1\n\n probe:build_ip_packet()\n probe:build_ether_frame()\n\n dnet:ethernet_open(interface.device)\n dnet:ethernet_send(probe.frame_buf)\n dnet:ethernet_close()\nend\n\n-- Prepare OSPFv2 packet header for reply.\n-- @param packet_in Source packet\n-- @param packet_out Destination packet\nlocal ospfSetHeader = function(packet_in, packet_out)\n packet_out.header:setRouterId(router_id)\n packet_out.header:setAreaID(packet_in.header.area_id)\n if packet_in.header.auth_type == 0x01 then\n packet_out.header.auth_type = 0x01\n packet_out.header.auth_data.password = packet_in.header.auth_data.password\n elseif packet_in.header.auth_type == 0x02 then\n packet_out.header.auth_type = 0x02\n packet_out.header.auth_data.key = md5_key\n packet_out.header.auth_data.keyid = packet_in.header.auth_data.keyid\n packet_out.header.auth_data.length = 16\n packet_out.header.auth_data.seq = os.time()\n end\n\n return packet_out\nend\n\n-- Reply to OSPFv2 Database Description with an LS Request.\n-- @param interface Source interface\n-- @param mac_dst Destination MAC address\n-- @param db_desc_in OSPFv2 Database Description packet to reply for\nlocal ospfSendLSRequest = function(interface, mac_dst, db_desc_in)\n local ls_req_out = ospf.OSPF.LSRequest:new()\n ls_req_out = ospfSetHeader(db_desc_in, ls_req_out)\n\n for i, lsa_h in ipairs(db_desc_in.lsa_headers) do\n ls_req_out:addRequest(lsa_h.type, lsa_h.id, lsa_h.adv_router)\n end\n\n stdnse.print_debug(2, \"Crafted OSPFv2 LS Request packet with the following parameters:\")\n ospfDumpLSRequest(ls_req_out)\n ospfSend(interface, db_desc_in.header.router_id, mac_dst, tostring(ls_req_out))\nend\n\n-- Reply to given OSPFv2 Database Description packet.\n-- @param interface Source interface\n-- @param mac_dst Destination MAC address\n-- @param db_desc_in OSPFv2 Database Description packet to reply for\nlocal ospfReplyDBDesc = function(interface, mac_dst, db_desc_in)\n local reply = false\n local db_desc_out = ospf.OSPF.DBDescription:new()\n db_desc_out = ospfSetHeader(db_desc_in, db_desc_out)\n\n if db_desc_in.init == true then\n db_desc_out.init = false\n db_desc_out.more = db_desc_in.more\n db_desc_out.master = false\n db_desc_out.sequence = db_desc_in.sequence\n reply = true\n elseif #db_desc_in.lsa_headers > 0 then\n ospfSendLSRequest(interface, mac_dst, db_desc_in)\n return true\n end\n\n if reply then\n stdnse.print_debug(2, \"Crafted OSPFv2 Database Description packet with the following parameters:\")\n ospfDumpDBDesc(db_desc_out)\n ospfSend(interface, db_desc_in.header.router_id, mac_dst, tostring(db_desc_out))\n end\n\n return reply\nend\n\n-- Reply to given OSPFv2 Hello packet sending another Hello to\n-- \"All OSPF Routers\" multicast address (224.0.0.5).\n-- @param interface Source interface\n-- @param hello_in OSPFv2 Hello packet to reply for\nlocal ospfReplyHello = function(interface, hello_in)\n local hello_out = ospf.OSPF.Hello:new()\n hello_out = ospfSetHeader(hello_in, hello_out)\n hello_out.interval = hello_in.interval\n hello_out.router_dead_interval = hello_in.router_dead_interval\n hello_out:setDesignatedRouter(hello_in.header.router_id)\n hello_out:setNetmask(hello_in.netmask)\n hello_out:addNeighbor(hello_in.header.router_id)\n\n stdnse.print_debug(2, \"Crafted OSPFv2 Hello packet with the following parameters:\")\n ospfDumpHello(hello_out)\n\n ospfSend(interface, OSPF_ALL_ROUTERS, \"\\x01\\x00\\x5e\\x00\\x00\\x05\", tostring(hello_out))\nend\n\n-- Listen for OSPF packets on a specified interface.\n-- @param interface Interface to use\n-- @param timeout Amount of time to listen in seconds\nlocal ospfListen = function(interface, timeout)\n local status, l2_data, l3_data, ospf_raw, _\n local start = nmap.clock_ms()\n\n stdnse.print_debug(\"Start listening on interface %s...\", interface.shortname)\n local listener = nmap.new_socket()\n listener:set_timeout(1000)\n listener:pcap_open(interface.device, 1500, true, \"ip proto 89 and not (ip src host \" .. interface.address .. \")\")\n while (nmap.clock_ms() - start) < (timeout * 1000) do\n status, _, l2_data, l3_data = listener:pcap_receive()\n if status then\n stdnse.print_debug(2, \"Packet received on interface %s.\", interface.shortname)\n local p = packet.Packet:new(l3_data, #l3_data)\n local ospf_raw = string.sub(l3_data, p.ip_hl * 4 + 1)\n if ospf_raw:byte(1) == 0x02 and ospf_raw:byte(2) == OSPF_MSG_HELLO then\n stdnse.print_debug(2, \"OSPFv2 Hello packet detected.\")\n\n local ospf_hello = ospf.OSPF.Hello.parse(ospf_raw)\n stdnse.print_debug(2, \"Captured OSPFv2 Hello packet with the following parameters:\")\n ospfDumpHello(ospf_hello)\n\n -- Additional checks required for message digest authentication\n if ospf_hello.header.auth_type == 0x02 then\n if not md5_key then\n return fail(\"Argument md5_key must be present when message digest authentication is disclosed.\")\n elseif not have_ssl then\n return fail(\"Cannot handle message digest authentication unless openssl is compiled in.\")\n end\n end\n\n ospfReplyHello(interface, ospf_hello)\n start = nmap.clock_ms()\n elseif ospf_raw:byte(1) == 0x02 and ospf_raw:byte(2) == OSPF_MSG_DBDESC then\n stdnse.print_debug(2, \"OSPFv2 Database Description packet detected.\")\n\n local ospf_db_desc = ospf.OSPF.DBDescription.parse(ospf_raw)\n stdnse.print_debug(2, \"Captured OSPFv2 Database Description packet with the following parameters:\")\n ospfDumpDBDesc(ospf_db_desc)\n\n if not ospfReplyDBDesc(interface, string.sub(l2_data, 7, 12), ospf_db_desc) then\n return\n end\n elseif ospf_raw:byte(1) == 0x02 and ospf_raw:byte(2) == OSPF_MSG_LSUPD then\n stdnse.print_debug(2, \"OSPFv2 LS Update packet detected.\")\n\n local ospf_ls_upd = ospf.OSPF.LSUpdate.parse(ospf_raw)\n stdnse.print_debug(2, \"Captured OSPFv2 LS Update packet with the following parameters:\")\n ospfDumpLSUpdate(ospf_ls_upd)\n\n local targets = {}\n for i, lsa in ipairs(ospf_ls_upd.lsas) do\n -- Only Type 1 (Router-LSA) and Type 5 (AS-External-LSA) are supported at the moment\n if lsa.header.type == 1 then\n for j, link in ipairs(lsa.links) do\n if link.type == 3 then\n local target = link.id .. ipOps.subnet_to_cidr(link.data)\n targets[target] = 1\n end\n end\n elseif lsa.header.type == 5 then\n local target = lsa.header.id .. ipOps.subnet_to_cidr(lsa.netmask)\n targets[target] = 1\n end\n end\n local output = stdnse.output_table()\n if next(targets) then\n local out_links = {}\n output[\"Area ID\"] = ipOps.fromdword(ospf_ls_upd.header.area_id)\n output[\"External Routes\"] = out_links\n for t, _ in pairs(targets) do\n table.insert(out_links, t)\n if target.ALLOW_NEW_TARGETS then\n target.add(t)\n end\n end\n if not target.ALLOW_NEW_TARGETS then\n stdnse.verbose(\"Use the newtargets script-arg to add the results as targets\")\n end\n end\n return output\n end\n end\n end\n listener:pcap_close()\nend\n\naction = function()\n -- Get script arguments\n md5_key = stdnse.get_script_args(SCRIPT_NAME .. \".md5_key\") or false\n router_id = stdnse.get_script_args(SCRIPT_NAME .. \".router_id\") or \"0.0.0.1\"\n local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. \".timeout\")) or 10\n local interface = stdnse.get_script_args(SCRIPT_NAME .. \".interface\")\n stdnse.print_debug(\"Value for router ID argument: %s.\", router_id)\n stdnse.print_debug(\"Value for timeout argument: %s.\", timeout)\n\n -- Determine interface to use\n interface = interface or nmap.get_interface()\n if interface then\n interface = nmap.get_interface_info(interface)\n if not interface then\n return fail((\"Failed to retrieve %s interface information.\"):format(interface))\n end\n stdnse.print_debug(\"Will use %s interface.\", interface.shortname)\n else\n local interface_list = nmap.list_interfaces()\n local interface_good = {}\n for _, os_interface in ipairs(interface_list) do\n if os_interface.address and os_interface.link == \"ethernet\" and\n os_interface.address:match(\"%d+%.%d+%.%d+%.%d+\") then\n\n stdnse.print_debug(2, \"Found usable interface: %s.\", os_interface.shortname)\n table.insert(interface_good, os_interface)\n end\n end\n if #interface_good == 1 then\n interface = interface_good[1]\n stdnse.print_debug(\"Will use %s interface.\", interface.shortname)\n elseif #interface_good == 0 then\n return fail(\"Source interface not found.\")\n else\n return fail(\"Ambiguous source interface, please specify it with -e or interface parameter.\")\n end\n end\n\n return ospfListen(interface, timeout)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:42:49", "description": "Unfiltered '&gt;' (greater than sign). An indication of potential XSS vulnerability.\n\n### See also:\n\n * [ http-dombased-xss.nse ](<../scripts/http-dombased-xss.html>)\n * [ http-phpself-xss.nse ](<../scripts/http-phpself-xss.html>)\n * [ http-xssed.nse ](<../scripts/http-xssed.html>)\n * [ http-unsafe-output-escaping.nse ](<../scripts/http-unsafe-output-escaping.html>)\n\n## Script Arguments \n\n#### http-stored-xss.formpaths \n\nThe pages that contain the forms to exploit. For example, {/upload.php, /login.php}. Default: nil (crawler mode on)\n\n#### http-stored-xss.uploadspaths \n\nThe pages that reflect back POSTed data. For example, {/comments.php, /guestbook.php}. Default: nil (Crawler mode on)\n\n#### http-stored-xss.fieldvalues \n\nThe script will try to fill every field found in the form but that may fail due to fields' restrictions. You can manually fill those fields using this table. For example, {gender = \"male\", email = \"foo@bar.com\"}. Default: {}\n\n#### http-stored-xss.dbfile \n\nThe path of a plain text file that contains one XSS vector per line. Default: nil\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost \n\nSee the documentation for the [httpspider](<../lib/httpspider.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p80 --script http-stored-xss.nse <target>\n \n This script works in two phases.\n 1) Posts specially crafted strings to every form it encounters.\n 2) Crawls through the page searching for these strings.\n \n If any string is reflected on some page without any proper\n HTML escaping, it's a sign for potential XSS vulnerability.\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 80/tcp open http syn-ack\n | http-stored-xss:\n | Found the following stored XSS vulnerabilities:\n |\n | Payload: ghz>hzx\n | Uploaded on: /guestbook.php\n | Description: Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability.\n | Payload: zxc'xcv\n | Uploaded on: /guestbook.php\n | Description: Unfiltered ' (apostrophe). An indication of potential XSS vulnerability.\n |\n | Payload: ghz>hzx\n | Uploaded on: /posts.php\n | Description: Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability.\n | Payload: hzx\"zxc\n | Uploaded on: /posts.php\n |_ Description: Unfiltered \" (double quotation mark). An indication of potential XSS vulnerability.\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [io](<>)\n * [string](<>)\n * [httpspider](<../lib/httpspider.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2013-07-06T14:39:47", "type": "nmap", "title": "http-stored-xss NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-06-14T21:37:25", "id": "NMAP:HTTP-STORED-XSS.NSE", "href": "https://nmap.org/nsedoc/scripts/http-stored-xss.html", "sourceData": "description = [[\nPosts specially crafted strings to every form it\nencounters and then searches through the website for those\nstrings to determine whether the payloads were successful.\n]]\n\n---\n-- @usage nmap -p80 --script http-stored-xss.nse <target>\n--\n-- This script works in two phases.\n-- 1) Posts specially crafted strings to every form it encounters.\n-- 2) Crawls through the page searching for these strings.\n--\n-- If any string is reflected on some page without any proper\n-- HTML escaping, it's a sign for potential XSS vulnerability.\n--\n-- @args http-stored-xss.formpaths The pages that contain\n-- the forms to exploit. For example, {/upload.php, /login.php}.\n-- Default: nil (crawler mode on)\n-- @args http-stored-xss.uploadspaths The pages that reflect\n-- back POSTed data. For example, {/comments.php, /guestbook.php}.\n-- Default: nil (Crawler mode on)\n-- @args http-stored-xss.fieldvalues The script will try to\n-- fill every field found in the form but that may fail due to\n-- fields' restrictions. You can manually fill those fields using\n-- this table. For example, {gender = \"male\", email = \"foo@bar.com\"}.\n-- Default: {}\n-- @args http-stored-xss.dbfile The path of a plain text file\n-- that contains one XSS vector per line. Default: nil\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 80/tcp open http syn-ack\n-- | http-stored-xss:\n-- | Found the following stored XSS vulnerabilities:\n-- |\n-- | Payload: ghz>hzx\n-- | Uploaded on: /guestbook.php\n-- | Description: Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability.\n-- | Payload: zxc'xcv\n-- | Uploaded on: /guestbook.php\n-- | Description: Unfiltered ' (apostrophe). An indication of potential XSS vulnerability.\n-- |\n-- | Payload: ghz>hzx\n-- | Uploaded on: /posts.php\n-- | Description: Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability.\n-- | Payload: hzx\"zxc\n-- | Uploaded on: /posts.php\n-- |_ Description: Unfiltered \" (double quotation mark). An indication of potential XSS vulnerability.\n--\n-- @see http-dombased-xss.nse\n-- @see http-phpself-xss.nse\n-- @see http-xssed.nse\n-- @see http-unsafe-output-escaping.nse\n\ncategories = {\"intrusive\", \"exploit\", \"vuln\"}\nauthor = \"George Chatzisofroniou\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\nlocal http = require \"http\"\nlocal io = require \"io\"\nlocal string = require \"string\"\nlocal httpspider = require \"httpspider\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\nportrule = shortport.port_or_service( {80, 443}, {\"http\", \"https\"}, \"tcp\", \"open\")\n\n\n-- A list of payloads.\n--\n-- You can manually add / remove your own payloads but make sure you\n-- don't mess up, otherwise the script may succeed when it actually\n-- hasn't.\n--\n-- Note, that more payloads will slow down your scan.\npayloads = {\n\n -- Basic vectors. Each one is an indication of potential XSS vulnerability.\n { vector = 'ghz>hzx', description = \"Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability.\" },\n { vector = 'hzx\"zxc', description = \"Unfiltered \\\" (double quotation mark). An indication of potential XSS vulnerability.\" },\n { vector = 'zxc\\'xcv', description = \"Unfiltered ' (apostrophe). An indication of potential XSS vulnerability.\" },\n}\n\n\n-- Create customized requests for all of our payloads.\nlocal makeRequests = function(host, port, submission, fields, fieldvalues)\n\n local postdata = {}\n for _, p in ipairs(payloads) do\n for __, field in ipairs(fields) do\n if field[\"type\"] == \"text\" or field[\"type\"] == \"textarea\" or field[\"type\"] == \"radio\" or field[\"type\"] == \"checkbox\" then\n\n local value = fieldvalues[field[\"name\"]]\n if value == nil then\n value = p.vector\n end\n\n postdata[field[\"name\"]] = value\n\n end\n end\n\n stdnse.debug2(\"Making a POST request to \" .. submission .. \": \")\n for i, content in pairs(postdata) do\n stdnse.debug2(i .. \": \" .. content)\n end\n local response = http.post(host, port, submission, { no_cache = true }, nil, postdata)\n end\n\nend\n\nlocal checkPayload = function(body, p)\n\n if (body:match(p)) then\n return true\n end\n\nend\n\n-- Check if the payloads were successful by checking the content of pages in the uploadspaths array.\nlocal checkRequests = function(body, target)\n\n local output = {}\n for _, p in ipairs(payloads) do\n if checkPayload(body, p.vector) then\n local report = \" Payload: \" .. p.vector .. \"\\n\\t Uploaded on: \" .. target\n if p.description then\n report = report .. \"\\n\\t Description: \" .. p.description\n end\n table.insert(output, report)\n end\n end\n return output\nend\n\nlocal readFromFile = function(filename)\n local database = { }\n for l in io.lines(filename) do\n table.insert(payloads, { vector = l })\n end\nend\n\naction = function(host, port)\n\n local formpaths = stdnse.get_script_args(\"http-stored-xss.formpaths\")\n local uploadspaths = stdnse.get_script_args(\"http-stored-xss.uploadspaths\")\n local fieldvalues = stdnse.get_script_args(\"http-stored-xss.fieldvalues\") or {}\n local dbfile = stdnse.get_script_args(\"http-stored-xss.dbfile\")\n\n if dbfile then\n readFromFile(dbfile)\n end\n\n local returntable = {}\n local result\n\n local crawler = httpspider.Crawler:new( host, port, '/', { scriptname = SCRIPT_NAME, no_cache = true } )\n\n if (not(crawler)) then\n return\n end\n\n crawler:set_timeout(10000)\n\n local index, k, target, response\n\n -- Phase 1. Crawls through the website and POSTs malicious payloads.\n while (true) do\n\n if formpaths then\n\n k, target = next(formpaths, index)\n if (k == nil) then\n break\n end\n response = http.get(host, port, target, { no_cache = true })\n target = host.name .. target\n else\n\n local status, r = crawler:crawl()\n -- if the crawler fails it can be due to a number of different reasons\n -- most of them are \"legitimate\" and should not be reason to abort\n if ( not(status) ) then\n if ( r.err ) then\n return stdnse.format_output(false, r.reason)\n else\n break\n end\n end\n\n target = tostring(r.url)\n response = r.response\n\n end\n\n if response.body then\n\n local forms = http.grab_forms(response.body)\n\n for i, form in ipairs(forms) do\n\n form = http.parse_form(form)\n\n if form and form.action then\n\n local action_absolute = string.find(form[\"action\"], \"https*://\")\n\n -- Determine the path where the form needs to be submitted.\n local submission\n if action_absolute then\n submission = form[\"action\"]\n else\n local path_cropped = string.match(target, \"(.*/).*\")\n path_cropped = path_cropped and path_cropped or \"\"\n submission = path_cropped..form[\"action\"]\n end\n\n makeRequests(host, port, submission, form[\"fields\"], fieldvalues)\n\n end\n end\n end\n if (index) then\n index = index + 1\n else\n index = 1\n end\n\n end\n\n local crawler = httpspider.Crawler:new( host, port, '/', { scriptname = SCRIPT_NAME } )\n local index\n\n -- Phase 2. Crawls through the website and searches for the special crafted strings that were POSTed before.\n while true do\n if uploadspaths then\n k, target = next(uploadspaths, index)\n if (k == nil) then\n break\n end\n response = http.get(host, port, target)\n else\n\n local status, r = crawler:crawl()\n -- if the crawler fails it can be due to a number of different reasons\n -- most of them are \"legitimate\" and should not be reason to abort\n if ( not(status) ) then\n if ( r.err ) then\n return stdnse.format_output(false, r.reason)\n else\n break\n end\n end\n\n target = tostring(r.url)\n response = r.response\n\n end\n\n if response.body then\n\n result = checkRequests(response.body, target)\n\n if next(result) then\n table.insert(returntable, result)\n end\n end\n if (index) then\n index = index + 1\n else\n index = 1\n end\n end\n\n if next(returntable) then\n table.insert(returntable, 1, \"Found the following stored XSS vulnerabilities: \")\n return returntable\n else\n return \"Couldn't find any stored XSS vulnerabilities.\"\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:13", "description": "Discovers KNX gateways by sending a KNX Search Request to the multicast address 224.0.23.12 including a UDP payload with destination port 3671. KNX gateways will respond with a KNX Search Response including various information about the gateway, such as KNX address and supported services. \n\nFurther information: * DIN EN 13321-2 * <http://www.knx.org/>\n\n## Script Arguments \n\n#### timeout \n\nMax time to wait for a response. (default 3s)\n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script knx-gateway-discover -e eth0\n \n\n## Script Output \n \n \n Pre-scan script results:\n | knx-gateway-discover:\n | 192.168.178.11:\n | Body:\n | HPAI:\n | Port: 3671\n | DIB_DEV_INFO:\n | KNX address: 15.15.255\n | Decive serial: 00ef2650065c\n | Multicast address: 0.0.0.0\n | Device MAC address: 00:05:26:50:06:5c\n | Device friendly name: IP-Viewer\n | DIB_SUPP_SVC_FAMILIES:\n | KNXnet/IP Core version 1\n | KNXnet/IP Device Management version 1\n | KNXnet/IP Tunnelling version 1\n |_ KNXnet/IP Object Server version 1\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [coroutine](<>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n * [packet](<../lib/packet.html>)\n * [ipOps](<../lib/ipOps.html>)\n * [string](<>)\n * [target](<../lib/target.html>)\n * [knx](<../lib/knx.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2015-09-15T15:10:37", "type": "nmap", "title": "knx-gateway-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-03T19:38:01", "id": "NMAP:KNX-GATEWAY-DISCOVER.NSE", "href": "https://nmap.org/nsedoc/scripts/knx-gateway-discover.html", "sourceData": "local nmap = require \"nmap\"\nlocal coroutine = require \"coroutine\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\nlocal packet = require \"packet\"\nlocal ipOps = require \"ipOps\"\nlocal string = require \"string\"\nlocal target = require \"target\"\nlocal knx = require \"knx\"\n\ndescription = [[\nDiscovers KNX gateways by sending a KNX Search Request to the multicast address\n224.0.23.12 including a UDP payload with destination port 3671. KNX gateways\nwill respond with a KNX Search Response including various information about the\ngateway, such as KNX address and supported services.\n\nFurther information:\n * DIN EN 13321-2\n * http://www.knx.org/\n]]\n\nauthor = {\"Niklaus Schiess <nschiess@ernw.de>\", \"Dominik Schneider <dschneider@ernw.de>\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\", \"broadcast\"}\n\n---\n--@args timeout Max time to wait for a response. (default 3s)\n--\n--@usage\n-- nmap --script knx-gateway-discover -e eth0\n--\n--@output\n-- Pre-scan script results:\n-- | knx-gateway-discover:\n-- | 192.168.178.11:\n-- | Body:\n-- | HPAI:\n-- | Port: 3671\n-- | DIB_DEV_INFO:\n-- | KNX address: 15.15.255\n-- | Decive serial: 00ef2650065c\n-- | Multicast address: 0.0.0.0\n-- | Device MAC address: 00:05:26:50:06:5c\n-- | Device friendly name: IP-Viewer\n-- | DIB_SUPP_SVC_FAMILIES:\n-- | KNXnet/IP Core version 1\n-- | KNXnet/IP Device Management version 1\n-- | KNXnet/IP Tunnelling version 1\n-- |_ KNXnet/IP Object Server version 1\n--\n\nprerule = function()\n if not nmap.is_privileged() then\n stdnse.verbose1(\"Not running due to lack of privileges.\")\n return false\n end\n return true\nend\n\n--- Sends a knx search request\n-- @param query KNX search request message\n-- @param mcat Multicast destination address\n-- @param port Port to sent to\nlocal knxSend = function(query, mcast, mport)\n -- Multicast IP and UDP port\n local sock = nmap.new_socket()\n local status, err = sock:connect(mcast, mport, \"udp\")\n if not status then\n stdnse.debug1(\"%s\", err)\n return\n end\n sock:send(query)\n sock:close()\nend\n\nlocal fam_meta = {\n __tostring = function (self)\n return (\"%s version %d\"):format(\n knx.knxServiceFamilies[self.service_id] or self.service_id,\n self.Version\n )\n end\n}\n\n--- Parse a Search Response\n-- @param knxMessage Payload of captures UDP packet\nlocal knxParseSearchResponse = function(ips, results, knxMessage)\n local knx_header_length, knx_protocol_version, knx_service_type, knx_total_length, pos = knx.parseHeader(knxMessage)\n\n if not knx_header_length then\n stdnse.debug1(\"KNX header error: %s\", knx_protocol_version)\n return\n end\n\n local message_format = '>B c1 c4 I2 BBB c1 I2 c2 c6 c4 c6 c30 BB'\n if #knxMessage - pos + 1 < string.packlen(message_format) then\n stdnse.debug1(\"Message too short for KNX message\")\n return\n end\n\n local knx_hpai_structure_length,\n knx_hpai_protocol_code,\n knx_hpai_ip_address,\n knx_hpai_port,\n knx_dib_structure_length,\n knx_dib_description_type,\n knx_dib_knx_medium,\n knx_dib_device_status,\n knx_dib_knx_address,\n knx_dib_project_install_ident,\n knx_dib_dev_serial,\n knx_dib_dev_multicast_addr,\n knx_dib_dev_mac,\n knx_dib_dev_friendly_name,\n knx_supp_svc_families_structure_length,\n knx_supp_svc_families_description, pos = string.unpack(message_format, knxMessage, pos)\n\n knx_hpai_ip_address = ipOps.str_to_ip(knx_hpai_ip_address)\n\n knx_dib_description_type = knx.knxDibDescriptionTypes[knx_dib_description_type]\n knx_dib_knx_medium = knx.knxMediumTypes[knx_dib_knx_medium]\n knx_dib_dev_multicast_addr = ipOps.str_to_ip(knx_dib_dev_multicast_addr)\n knx_dib_dev_mac = stdnse.format_mac(knx_dib_dev_mac)\n\n local knx_supp_svc_families = {}\n knx_supp_svc_families_description = knx.knxDibDescriptionTypes[knx_supp_svc_families_description] or knx_supp_svc_families_description\n\n for i=0,(knx_total_length - pos),2 do\n local family = {}\n family.service_id, family.Version, pos = string.unpack('BB', knxMessage, pos)\n setmetatable(family, fam_meta)\n knx_supp_svc_families[#knx_supp_svc_families+1] = family\n end\n\n local search_response = stdnse.output_table()\n if nmap.debugging() > 0 then\n search_response.Header = stdnse.output_table()\n search_response.Header[\"Header length\"] = knx_header_length\n search_response.Header[\"Protocol version\"] = knx_protocol_version\n search_response.Header[\"Service type\"] = \"SEARCH_RESPONSE (0x0202)\"\n search_response.Header[\"Total length\"] = knx_total_length\n\n search_response.Body = stdnse.output_table()\n search_response.Body.HPAI = stdnse.output_table()\n search_response.Body.HPAI[\"Protocol code\"] = stdnse.tohex(knx_hpai_protocol_code)\n search_response.Body.HPAI[\"IP address\"] = knx_hpai_ip_address\n search_response.Body.HPAI[\"Port\"] = knx_hpai_port\n\n search_response.Body.DIB_DEV_INFO = stdnse.output_table()\n search_response.Body.DIB_DEV_INFO[\"Description type\"] = knx_dib_description_type\n search_response.Body.DIB_DEV_INFO[\"KNX medium\"] = knx_dib_knx_medium\n search_response.Body.DIB_DEV_INFO[\"Device status\"] = stdnse.tohex(knx_dib_device_status)\n search_response.Body.DIB_DEV_INFO[\"KNX address\"] = knx.parseKnxAddress(knx_dib_knx_address)\n search_response.Body.DIB_DEV_INFO[\"Project installation identifier\"] = stdnse.tohex(knx_dib_project_install_ident)\n search_response.Body.DIB_DEV_INFO[\"Decive serial\"] = stdnse.tohex(knx_dib_dev_serial)\n search_response.Body.DIB_DEV_INFO[\"Multicast address\"] = knx_dib_dev_multicast_addr\n search_response.Body.DIB_DEV_INFO[\"Device MAC address\"] = knx_dib_dev_mac\n search_response.Body.DIB_DEV_INFO[\"Device friendly name\"] = knx_dib_dev_friendly_name\n search_response.Body.DIB_SUPP_SVC_FAMILIES = knx_supp_svc_families\n else\n search_response.Body = stdnse.output_table()\n search_response.Body.HPAI = stdnse.output_table()\n search_response.Body.HPAI[\"Port\"] = knx_hpai_port\n\n search_response.Body.DIB_DEV_INFO = stdnse.output_table()\n search_response.Body.DIB_DEV_INFO[\"KNX address\"] = knx.parseKnxAddress(knx_dib_knx_address)\n search_response.Body.DIB_DEV_INFO[\"Decive serial\"] = stdnse.tohex(knx_dib_dev_serial)\n search_response.Body.DIB_DEV_INFO[\"Multicast address\"] = knx_dib_dev_multicast_addr\n search_response.Body.DIB_DEV_INFO[\"Device MAC address\"] = knx_dib_dev_mac\n search_response.Body.DIB_DEV_INFO[\"Device friendly name\"] = knx_dib_dev_friendly_name\n search_response.Body.DIB_SUPP_SVC_FAMILIES = knx_supp_svc_families\n end\n\n ips[#ips+1] = knx_hpai_ip_address\n results[knx_hpai_ip_address] = search_response\nend\n\n--- Listens for knx search responses\n-- @param interface Network interface to listen on.\n-- @param timeout Maximum time to listen.\n-- @param ips Table to put IP addresses into.\n-- @param result Table to put responses into.\nlocal knxListen = function(interface, timeout, ips, results)\n local condvar = nmap.condvar(results)\n local start = nmap.clock_ms()\n local listener = nmap.new_socket()\n local threads = {}\n local status, l3data, _\n local filter = 'dst host ' .. interface.address .. ' and udp src port 3671'\n listener:set_timeout(100)\n listener:pcap_open(interface.device, 1024, true, filter)\n\n while (nmap.clock_ms() - start) < timeout do\n status, _, _, l3data = listener:pcap_receive()\n if status then\n local p = packet.Packet:new(l3data, #l3data)\n -- Skip IP and UDP headers\n local knxMessage = string.sub(l3data, p.ip_hl*4 + 8 + 1)\n local co = stdnse.new_thread(knxParseSearchResponse, ips, results, knxMessage)\n threads[co] = true;\n end\n end\n\n repeat\n for thread in pairs(threads) do\n if coroutine.status(thread) == \"dead\" then threads[thread] = nil end\n end\n if ( next(threads) ) then\n condvar \"wait\"\n end\n until next(threads) == nil;\n condvar(\"signal\")\nend\n\n--- Returns the network interface used to send packets to a target host.\n-- @param target host to which the interface is used.\n-- @return interface Network interface used for target host.\nlocal getInterface = function(target)\n -- First, create dummy UDP connection to get interface\n local sock = nmap.new_socket()\n local status, err = sock:connect(target, \"12345\", \"udp\")\n if not status then\n stdnse.verbose1(\"%s\", err)\n return\n end\n local status, address, _, _, _ = sock:get_info()\n if not status then\n stdnse.verbose1(\"%s\", err)\n return\n end\n for _, interface in pairs(nmap.list_interfaces()) do\n if interface.address == address then\n return interface\n end\n end\nend\n\n--- Make a dummy connection and return a free source port\n-- @param target host to which the interface is used.\n-- @return lport Local port which can be used in KNX messages.\nlocal getSourcePort = function(target)\n local socket = nmap.new_socket()\n local _, _ = socket:connect(target, \"12345\", \"udp\")\n local _, _, lport, _, _ = socket:get_info()\n return lport\nend\n\naction = function()\n local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. \".timeout\"))\n timeout = (timeout or 3) * 1000\n local ips, results = {}, {}\n local mcast = \"224.0.23.12\"\n local mport = 3671\n local lport = getSourcePort(mcast)\n\n -- Check if a valid interface was provided\n local interface = nmap.get_interface()\n if interface then\n interface = nmap.get_interface_info(interface)\n else\n interface = getInterface(mcast)\n end\n if not interface then\n return (\"\\n ERROR: Couldn't get interface for %s\"):format(mcast)\n end\n\n -- Launch listener thread\n stdnse.new_thread(knxListen, interface, timeout, ips, results)\n -- Craft raw query\n local query = knx.query(0x0201, interface.address, lport)\n -- Small sleep so the listener doesn't miss the response\n stdnse.sleep(0.5)\n -- Send query\n knxSend(query, mcast, mport)\n -- Wait for listener thread to finish\n local condvar = nmap.condvar(results)\n condvar(\"wait\")\n\n -- Check responses\n if #ips > 0 then\n local sort_by_ip = function(a, b)\n return ipOps.compare_ip(a, \"lt\", b)\n end\n table.sort(ips, sort_by_ip)\n local output = stdnse.output_table()\n\n for i=1, #ips do\n local ip = ips[i]\n output[ip] = results[ip]\n\n if target.ALLOW_NEW_TARGETS then\n target.add(ip)\n end\n end\n\n return output\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:47", "description": "Discovers hosts and routing information from devices running RIPv2 on the LAN. It does so by sending a RIPv2 Request command and collects the responses from all devices responding to the request.\n\n## Script Arguments \n\n#### broadcast-rip-discover.timeout \n\ntimespec defining how long to wait for a response. (default 5s)\n\n## Example Usage \n \n \n nmap --script broadcast-rip-discover\n \n\n## Script Output \n \n \n Pre-scan script results:\n | broadcast-rip-discover:\n | Discovered RIPv2 devices\n | 10.0.200.107\n | ip netmask nexthop metric\n | 10.46.100.0 255.255.255.0 0.0.0.0 1\n | 10.46.110.0 255.255.255.0 0.0.0.0 1\n | 10.46.120.0 255.255.255.0 0.0.0.0 1\n | 10.46.123.0 255.255.255.0 10.0.200.123 1\n | 10.46.124.0 255.255.255.0 10.0.200.124 1\n | 10.46.125.0 255.255.255.0 10.0.200.125 1\n | 10.0.200.101\n | ip netmask nexthop metric\n |_ 0.0.0.0 0.0.0.0 10.0.200.1 1\n \n\n## Requires \n\n * [ipOps](<../lib/ipOps.html>)\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [tab](<../lib/tab.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-11-02T10:23:50", "type": "nmap", "title": "broadcast-rip-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-06T14:20:32", "id": "NMAP:BROADCAST-RIP-DISCOVER.NSE", "href": "https://nmap.org/nsedoc/scripts/broadcast-rip-discover.html", "sourceData": "local ipOps = require \"ipOps\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal tab = require \"tab\"\nlocal table = require \"table\"\n\ndescription=[[\nDiscovers hosts and routing information from devices running RIPv2 on the\nLAN. It does so by sending a RIPv2 Request command and collects the responses\nfrom all devices responding to the request.\n]]\n\n---\n-- @usage\n-- nmap --script broadcast-rip-discover\n--\n-- @output\n-- Pre-scan script results:\n-- | broadcast-rip-discover:\n-- | Discovered RIPv2 devices\n-- | 10.0.200.107\n-- | ip netmask nexthop metric\n-- | 10.46.100.0 255.255.255.0 0.0.0.0 1\n-- | 10.46.110.0 255.255.255.0 0.0.0.0 1\n-- | 10.46.120.0 255.255.255.0 0.0.0.0 1\n-- | 10.46.123.0 255.255.255.0 10.0.200.123 1\n-- | 10.46.124.0 255.255.255.0 10.0.200.124 1\n-- | 10.46.125.0 255.255.255.0 10.0.200.125 1\n-- | 10.0.200.101\n-- | ip netmask nexthop metric\n-- |_ 0.0.0.0 0.0.0.0 10.0.200.1 1\n--\n-- @args broadcast-rip-discover.timeout timespec defining how long to wait for\n-- a response. (default 5s)\n\n--\n-- Version 0.1\n-- Created 29/10/2011 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"broadcast\", \"safe\"}\n\n\nprerule = function() return not( nmap.address_family() == \"inet6\") end\n\nRIPv2 = {\n\n Command = {\n Request = 1,\n Response = 2,\n },\n\n AddressFamily = {\n IP = 2,\n },\n\n -- The Request class contains functions to build a RIPv2 Request\n Request = {\n\n -- Creates a new Request instance\n --\n -- @param command number containing the RIPv2 Command to use\n -- @return o instance of request\n new = function(self, command)\n local o = {\n version = 2,\n command = command,\n domain = 0,\n family = 0,\n tag = 0,\n address = 0,\n subnet = 0,\n nexthop = 0,\n metric = 16\n }\n setmetatable(o, self)\n self.__index = self\n return o\n end,\n\n -- Converts the whole request to a string\n __tostring = function(self)\n assert(self.command, \"No command was supplied\")\n assert(self.metric, \"No metric was supplied\")\n assert(self.address, \"No address was supplied\")\n local RESERVED = 0\n -- RIPv2 stuff, should be 0 for RIPv1\n local tag, subnet, nexthop = 0, 0, 0\n\n local data = string.pack(\">BB I2 I2 I2 I4 I4 I4 I4\",\n self.command, self.version, self.domain, self.family, self.tag,\n self.address, self.subnet, self.nexthop, self.metric)\n\n return data\n end,\n\n },\n\n -- The Response class contains code needed to parse a RIPv2 response\n Response = {\n\n -- Creates a new Response instance based on raw socket data\n --\n -- @param data string containing the raw socket response\n -- @return o Response instance\n new = function(self, data)\n local o = { data = data }\n\n if ( not(data) or #data < 3 ) then\n return\n end\n local pos, _\n o.command, o.version, _, pos = string.unpack(\">BBI2\", data)\n if ( o.command ~= RIPv2.Command.Response or o.version ~= 2 ) then\n return\n end\n\n local routes = tab.new(2)\n tab.addrow(routes, \"ip\", \"netmask\", \"nexthop\", \"metric\")\n\n while( #data - pos >= 20 ) do\n local family, address, metric, netmask, nexthop\n family, _, address, netmask, nexthop,\n metric, pos = string.unpack(\">I2 I2 I4 I4 I4 I4\", data, pos)\n\n if ( family == RIPv2.AddressFamily.IP ) then\n local ip = ipOps.fromdword(address)\n netmask = ipOps.fromdword(netmask)\n nexthop = ipOps.fromdword(nexthop)\n tab.addrow(routes, ip, netmask, nexthop, metric)\n end\n end\n\n if ( #routes > 1 ) then o.routes = routes end\n\n setmetatable(o, self)\n self.__index = self\n return o\n end,\n\n }\n\n}\n\n\naction = function()\n local timeout = stdnse.parse_timespec(stdnse.get_script_args('broadcast-rip-discover.timeout'))\n timeout = (timeout or 5) * 1000\n\n local socket = nmap.new_socket(\"udp\")\n socket:set_timeout(timeout)\n\n local rip = RIPv2.Request:new(RIPv2.Command.Request)\n local status, err = socket:sendto(\"224.0.0.9\",\n { number = 520, protocol = \"udp\" },\n tostring(rip))\n local result = {}\n repeat\n local data\n status, data = socket:receive()\n if ( status ) then\n local status, _, _, rhost, _ = socket:get_info()\n local response = RIPv2.Response:new(data)\n table.insert(result, rhost)\n\n if ( response and response.routes and #response.routes > 0 ) then\n --response.routes.name = \"Routes\"\n table.insert(result, { tab.dump(response.routes) } )\n end\n\n end\n until( not(status) )\n\n if ( #result > 0 ) then\n result.name = \"Discovered RIPv2 devices\"\n end\n return stdnse.format_output(true, result)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:24", "description": "Extracts the name of the server farm and member servers from Citrix XML service.\n\n## Script Arguments \n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script=citrix-enum-servers-xml -p 80,443,8080 <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 8080/tcp open http-proxy syn-ack\n | citrix-enum-servers-xml:\n | CITRIX-SRV01\n |_ CITRIX-SRV01\n\n## Requires \n\n * [citrixxml](<../lib/citrixxml.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2009-12-14T07:30:38", "type": "nmap", "title": "citrix-enum-servers-xml NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:CITRIX-ENUM-SERVERS-XML.NSE", "href": "https://nmap.org/nsedoc/scripts/citrix-enum-servers-xml.html", "sourceData": "local citrixxml = require \"citrixxml\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nExtracts the name of the server farm and member servers from Citrix XML\nservice.\n]]\n\n---\n-- @usage\n-- nmap --script=citrix-enum-servers-xml -p 80,443,8080 <host>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 8080/tcp open http-proxy syn-ack\n-- | citrix-enum-servers-xml:\n-- | CITRIX-SRV01\n-- |_ CITRIX-SRV01\n\n-- Version 0.2\n\n-- Created 11/26/2009 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n-- Revised 12/02/2009 - v0.2 - Use stdnse.format_ouput for output\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = shortport.portnumber({8080,80,443}, \"tcp\")\n\n\naction = function(host, port)\n\n local xmldata = citrixxml.request_server_data(host, port)\n local servers = citrixxml.parse_server_data_response(xmldata)\n local response = {}\n\n for _, srv in ipairs(servers) do\n table.insert(response, srv)\n end\n\n return stdnse.format_output(true, response)\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:33:47", "description": "Performs IPv6 host discovery by triggering stateless address auto-configuration (SLAAC). \n\nThis script works by sending an ICMPv6 Router Advertisement with a random address prefix, which causes hosts to begin SLAAC and send a solicitation for their newly configured address, as part of duplicate address detection. The script then guesses the remote addresses by combining the link-local prefix of the interface with the interface identifier in each of the received solicitations. This should be followed up with ordinary ND host discovery to verify that the guessed addresses are correct. \n\nThe router advertisement has a router lifetime of zero and a short prefix lifetime (a few seconds) \n\nSee also: \n\n * RFC 4862, IPv6 Stateless Address Autoconfiguration, especially section 5.5.3. \n * <https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb>\n\n## Script Arguments \n\n#### targets-ipv6-multicast-slaac.interface \n\nThe interface to use for host discovery.\n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -6 --script targets-ipv6-multicast-slaac --script-args 'newtargets,interface=eth0' -sP\n\n## Script Output \n \n \n Pre-scan script results:\n | targets-ipv6-multicast-slaac:\n | IP: fe80:0000:0000:0000:1322:33ff:fe44:5566 MAC: 11:22:33:44:55:66 IFACE: eth0\n |_ Use --script-args=newtargets to add the results as targets\n\n## Requires \n\n * [coroutine](<>)\n * [ipOps](<../lib/ipOps.html>)\n * [nmap](<../lib/nmap.html>)\n * [packet](<../lib/packet.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [tab](<../lib/tab.html>)\n * [table](<>)\n * [target](<../lib/target.html>)\n * [rand](<../lib/rand.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-09-02T04:11:00", "type": "nmap", "title": "targets-ipv6-multicast-slaac NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-08T17:07:06", "id": "NMAP:TARGETS-IPV6-MULTICAST-SLAAC.NSE", "href": "https://nmap.org/nsedoc/scripts/targets-ipv6-multicast-slaac.html", "sourceData": "local coroutine = require \"coroutine\"\nlocal ipOps = require \"ipOps\"\nlocal nmap = require \"nmap\"\nlocal packet = require \"packet\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal tab = require \"tab\"\nlocal table = require \"table\"\nlocal target = require \"target\"\nlocal rand = require \"rand\"\n\ndescription = [[\nPerforms IPv6 host discovery by triggering stateless address auto-configuration\n(SLAAC).\n\nThis script works by sending an ICMPv6 Router Advertisement with a random\naddress prefix, which causes hosts to begin SLAAC and send a solicitation for\ntheir newly configured address, as part of duplicate address detection. The\nscript then guesses the remote addresses by combining the link-local prefix of\nthe interface with the interface identifier in each of the received\nsolicitations. This should be followed up with ordinary ND host discovery to\nverify that the guessed addresses are correct.\n\nThe router advertisement has a router lifetime of zero and a short prefix\nlifetime (a few seconds)\n\nSee also:\n* RFC 4862, IPv6 Stateless Address Autoconfiguration, especially section 5.5.3.\n* https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb\n]]\n\n---\n-- @usage\n-- nmap -6 --script targets-ipv6-multicast-slaac --script-args 'newtargets,interface=eth0' -sP\n-- @output\n-- Pre-scan script results:\n-- | targets-ipv6-multicast-slaac:\n-- | IP: fe80:0000:0000:0000:1322:33ff:fe44:5566 MAC: 11:22:33:44:55:66 IFACE: eth0\n-- |_ Use --script-args=newtargets to add the results as targets\n-- @args targets-ipv6-multicast-slaac.interface The interface to use for host discovery.\n\nauthor = {\"David Fifield\", \"Xu Weilin\"}\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"discovery\",\"broadcast\"}\n\n\nprerule = function()\n return nmap.is_privileged()\nend\n\nlocal function get_identifier(ip6_addr)\n return string.sub(ip6_addr, 9, 16)\nend\n\n--- Get a Unique-local Address with random global ID.\n-- @param local_scope The scope of the address, local or reserved.\n-- @return A 16-byte string of IPv6 address, and the length of the prefix.\nlocal function get_random_ula_prefix(local_scope)\n local ula_prefix\n local global_id = rand.random_string(5)\n\n if local_scope then\n ula_prefix = ipOps.ip_to_str(\"fd00::\")\n else\n ula_prefix = ipOps.ip_to_str(\"fc00::\")\n end\n ula_prefix = string.sub(ula_prefix,1,1) .. global_id .. string.sub(ula_prefix,7,-1)\n return ula_prefix,64\nend\n\n--- Build an ICMPv6 payload of Router Advertisement.\n-- @param mac_src six-byte string of the source MAC address.\n-- @param prefix 16-byte string of IPv6 address.\n-- @param prefix_len integer that represents the length of the prefix.\n-- @param valid_time integer that represents the valid time of the prefix.\n-- @param preferred_time integer that represents the preferred time of the prefix.\nlocal function build_router_advert(mac_src,prefix,prefix_len,valid_time,preferred_time)\n local ra_msg = string.char(0x0, --cur hop limit\n 0x08, --flags\n 0x00,0x00, --router lifetime\n 0x00,0x00,0x00,0x00, --reachable time\n 0x00,0x00,0x00,0x00) --retrans timer\n local prefix_option_msg = string.char(prefix_len, 0xc0) .. --flags: Onlink, Auto\n packet.set_u32(\"....\",0,valid_time) ..\n packet.set_u32(\"....\",0,preferred_time) ..\n \"\\0\\0\\0\\0\" .. --unknown\n prefix\n local icmpv6_prefix_option = packet.Packet:set_icmpv6_option(packet.ND_OPT_PREFIX_INFORMATION,prefix_option_msg)\n local icmpv6_src_link_option = packet.Packet:set_icmpv6_option(packet.ND_OPT_SOURCE_LINKADDR,mac_src)\n local icmpv6_payload = ra_msg .. icmpv6_prefix_option .. icmpv6_src_link_option\n return icmpv6_payload\nend\n\nlocal function get_interfaces()\n local interface_name = stdnse.get_script_args(SCRIPT_NAME .. \".interface\")\n or nmap.get_interface()\n\n -- interfaces list (decide which interfaces to broadcast on)\n local interfaces = {}\n if interface_name then\n -- single interface defined\n local if_table = nmap.get_interface_info(interface_name)\n if if_table and ipOps.ip_to_str(if_table.address) and if_table.link == \"ethernet\" then\n interfaces[#interfaces + 1] = if_table\n else\n stdnse.debug1(\"Interface not supported or not properly configured.\")\n end\n else\n for _, if_table in ipairs(nmap.list_interfaces()) do\n if ipOps.ip_to_str(if_table.address) and if_table.link == \"ethernet\" then\n table.insert(interfaces, if_table)\n end\n end\n end\n\n return interfaces\nend\n\nlocal function single_interface_broadcast(if_nfo, results)\n stdnse.debug1(\"Starting \" .. SCRIPT_NAME .. \" on \" .. if_nfo.device)\n\n local condvar = nmap.condvar(results)\n local src_mac = if_nfo.mac\n local src_ip6 = ipOps.ip_to_str(if_nfo.address)\n local dst_mac = packet.mactobin(\"33:33:00:00:00:01\")\n local dst_ip6 = ipOps.ip_to_str(\"ff02::1\")\n\n ----------------------------------------------------------------------------\n --SLAAC-based host discovery probe\n\n local dnet = nmap.new_dnet()\n local pcap = nmap.new_socket()\n\n local function catch ()\n dnet:ethernet_close()\n pcap:pcap_close()\n end\n local try = nmap.new_try(catch)\n\n try(dnet:ethernet_open(if_nfo.device))\n pcap:pcap_open(if_nfo.device, 128, true, \"src ::0/128 and dst net ff02::1:0:0/96 and icmp6 and ip6[6:1] = 58 and ip6[40:1] = 135\")\n\n local actual_prefix = string.sub(src_ip6,1,8)\n local ula_prefix, prefix_len = get_random_ula_prefix()\n\n -- preferred_lifetime <= valid_lifetime.\n -- Nmap will get the whole IPv6 addresses of each host if the two parameters are both longer than 5 seconds.\n -- Sometimes it makes sense to regard the several addresses of a host as\n -- different hosts, as the host's administrator may apply different firewall\n -- configurations on them.\n local valid_lifetime = 6\n local preferred_lifetime = 6\n\n local probe = packet.Frame:new()\n\n probe.ip_bin_src = packet.mac_to_lladdr(src_mac)\n probe.ip_bin_dst = dst_ip6\n probe.mac_src = src_mac\n probe.mac_dst = packet.mactobin(\"33:33:00:00:00:01\")\n\n local icmpv6_payload = build_router_advert(src_mac,ula_prefix,prefix_len,valid_lifetime,preferred_lifetime)\n probe:build_icmpv6_header(packet.ND_ROUTER_ADVERT, 0, icmpv6_payload)\n probe:build_ipv6_packet()\n probe:build_ether_frame()\n\n try(dnet:ethernet_send(probe.frame_buf))\n\n local expected_mac_dst_prefix = packet.mactobin(\"33:33:ff:00:00:00\")\n local expected_ip6_src = ipOps.ip_to_str(\"::\")\n local expected_ip6_dst_prefix = ipOps.ip_to_str(\"ff02::1:0:0\")\n\n pcap:set_timeout(1000)\n local pcap_timeout_count = 0\n local nse_timeout = 5\n local start_time = nmap:clock()\n local cur_time = nmap:clock()\n\n repeat\n local status, length, layer2, layer3 = pcap:pcap_receive()\n cur_time = nmap:clock()\n if not status then\n pcap_timeout_count = pcap_timeout_count + 1\n else\n local l2reply = packet.Frame:new(layer2)\n if string.sub(l2reply.mac_dst, 1, 3) == string.sub(expected_mac_dst_prefix, 1, 3) then\n local reply = packet.Packet:new(layer3)\n if reply.ip_bin_src == expected_ip6_src and\n string.sub(expected_ip6_dst_prefix,1,12) == string.sub(reply.ip_bin_dst,1,12) then\n local ula_target_addr_str = ipOps.str_to_ip(reply.ns_target)\n local identifier = get_identifier(reply.ns_target)\n --Filter out the reduplicative identifiers.\n --A host will send several NS packets with the same interface\n --identifier if it receives several RA packets with different prefix\n --during the discovery phase.\n local actual_addr_str = ipOps.str_to_ip(actual_prefix .. identifier)\n if not results[actual_addr_str] then\n if target.ALLOW_NEW_TARGETS then\n target.add(actual_addr_str)\n end\n results[#results + 1] = { address = actual_addr_str, mac = stdnse.format_mac(l2reply.mac_src), iface = if_nfo.device }\n results[actual_addr_str] = true\n end\n end\n end\n end\n until pcap_timeout_count >= 2 or cur_time - start_time >= nse_timeout\n\n dnet:ethernet_close()\n pcap:pcap_close()\n\n condvar(\"signal\")\nend\n\nlocal function format_output(results)\n local output = tab.new()\n\n for _, record in ipairs(results) do\n tab.addrow(output, \"IP: \" .. record.address, \"MAC: \" .. record.mac, \"IFACE: \" .. record.iface)\n end\n if #results > 0 then\n output = { tab.dump(output) }\n if not target.ALLOW_NEW_TARGETS then\n output[#output + 1] = \"Use --script-args=newtargets to add the results as targets\"\n end\n return stdnse.format_output(true, output)\n end\nend\n\naction = function()\n local threads = {}\n local results = {}\n local condvar = nmap.condvar(results)\n\n for _, if_nfo in ipairs(get_interfaces()) do\n -- create a thread for each interface\n if ipOps.ip_in_range(if_nfo.address, \"fe80::/10\") then\n local co = stdnse.new_thread(single_interface_broadcast, if_nfo, results)\n threads[co] = true\n end\n end\n\n repeat\n for thread in pairs(threads) do\n if coroutine.status(thread) == \"dead\" then threads[thread] = nil end\n end\n if ( next(threads) ) then\n condvar \"wait\"\n end\n until next(threads) == nil\n\n return format_output(results)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:16", "description": "Retrieves printer or scanner information from a remote device supporting the BJNP protocol. The protocol is known to be supported by network based Canon devices.\n\n## Example Usage \n \n \n sudo nmap -sU -p 8611,8612 --script bjnp-discover <ip>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 8611/udp open canon-bjnp1\n | bjnp-discover:\n | Manufacturer: Canon\n | Model: MG5200 series\n | Description: Canon MG5200 series\n | Firmware version: 1.050\n |_ Command: BJL,BJRaster3,BSCCe,NCCe,IVEC,IVECPLI\n 8612/udp open canon-bjnp2\n | bjnp-discover:\n | Manufacturer: Canon\n | Model: MG5200 series\n | Description: Canon MG5200 series\n |_ Command: MultiPass 2.1,IVEC\n \n\n## Requires \n\n * [bjnp](<../lib/bjnp.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-08-05T18:55:40", "type": "nmap", "title": "bjnp-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-08-27T20:43:55", "id": "NMAP:BJNP-DISCOVER.NSE", "href": "https://nmap.org/nsedoc/scripts/bjnp-discover.html", "sourceData": "description = [[\nRetrieves printer or scanner information from a remote device supporting the\nBJNP protocol. The protocol is known to be supported by network based Canon\ndevices.\n]]\n\n---\n-- @usage\n-- sudo nmap -sU -p 8611,8612 --script bjnp-discover <ip>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 8611/udp open canon-bjnp1\n-- | bjnp-discover:\n-- | Manufacturer: Canon\n-- | Model: MG5200 series\n-- | Description: Canon MG5200 series\n-- | Firmware version: 1.050\n-- |_ Command: BJL,BJRaster3,BSCCe,NCCe,IVEC,IVECPLI\n-- 8612/udp open canon-bjnp2\n-- | bjnp-discover:\n-- | Manufacturer: Canon\n-- | Model: MG5200 series\n-- | Description: Canon MG5200 series\n-- |_ Command: MultiPass 2.1,IVEC\n--\n\ncategories = {\"safe\", \"discovery\"}\nauthor = \"Patrik Karlsson\"\n\nlocal bjnp = require(\"bjnp\")\nlocal shortport = require(\"shortport\")\nlocal stdnse = require(\"stdnse\")\n\nportrule = shortport.portnumber({8611, 8612}, \"udp\")\n\naction = function(host, port)\n local helper = bjnp.Helper:new(host, port)\n if ( not(helper:connect()) ) then\n return stdnse.format_output(false, \"Failed to connect to server\")\n end\n local status, attrs\n if ( port.number == 8611 ) then\n status, attrs = helper:getPrinterIdentity()\n else\n status, attrs = helper:getScannerIdentity()\n end\n helper:close()\n return stdnse.format_output(true, attrs)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:34:27", "description": "Attempts to extract system information from an SNMP service.\n\n## Script Arguments \n\n#### snmp.version \n\nSee the documentation for the [snmp](<../lib/snmp.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sU -p 161 --script snmp-sysdescr <target>\n \n\n## Script Output \n \n \n | snmp-sysdescr: HP ETHERNET MULTI-ENVIRONMENT,ROM A.25.80,JETDIRECT,JD117,EEPROM V.28.22,CIDATE 08/09/2006\n |_ System uptime: 28 days, 17:18:59 (248153900 timeticks)\n\n## Requires \n\n * [datetime](<../lib/datetime.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [snmp](<../lib/snmp.html>)\n * [string](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2008-11-06T02:52:59", "type": "nmap", "title": "snmp-sysdescr NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-10-09T02:43:26", "id": "NMAP:SNMP-SYSDESCR.NSE", "href": "https://nmap.org/nsedoc/scripts/snmp-sysdescr.html", "sourceData": "local datetime = require \"datetime\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal snmp = require \"snmp\"\nlocal string = require \"string\"\n\ndescription = [[\nAttempts to extract system information from an SNMP service.\n]]\n\n---\n-- @usage\n-- nmap -sU -p 161 --script snmp-sysdescr <target>\n--\n-- @output\n-- | snmp-sysdescr: HP ETHERNET MULTI-ENVIRONMENT,ROM A.25.80,JETDIRECT,JD117,EEPROM V.28.22,CIDATE 08/09/2006\n-- |_ System uptime: 28 days, 17:18:59 (248153900 timeticks)\n\nauthor = \"Thomas Buchanan\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"default\", \"discovery\", \"safe\"}\n\ndependencies = {\"snmp-brute\"}\n\n\nportrule = shortport.port_or_service(161, \"snmp\", \"udp\", {\"open\", \"open|filtered\"})\n\n---\n-- Sends SNMP packets to host and reads responses\naction = function(host, port)\n\n local snmpHelper = snmp.Helper:new(host, port)\n snmpHelper:connect()\n\n -- build a SNMP v1 packet\n -- copied from packet capture of snmpget exchange\n -- get value: 1.3.6.1.2.1.1.1.0 (SNMPv2-MIB::sysDescr.0)\n local status, response = snmpHelper:get({reqId=28428}, \"1.3.6.1.2.1.1.1.0\")\n\n if not status then\n return\n end\n\n -- since we got something back, the port is definitely open\n nmap.set_port_state(host, port, \"open\")\n\n local result = response and response[1] and response[1][1]\n\n -- build a SNMP v1 packet\n -- copied from packet capture of snmpget exchange\n -- get value: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)\n status, response = snmpHelper:get({reqId=28428}, \"1.3.6.1.2.1.1.3.0\")\n\n if not status then\n return result\n end\n\n local uptime = response and response[1] and response[1][1]\n if not uptime then\n return\n end\n\n result = result .. \"\\n\" .. string.format(\" System uptime: %s (%s timeticks)\", datetime.format_time(uptime, 100), tostring(uptime))\n\n return result\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:31:35", "description": "This script enumerates information from remote IMAP services with NTLM authentication enabled. \n\nSending an IMAP NTLM authentication request with null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version.\n\n## Script Arguments \n\n#### mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username \n\nSee the documentation for the [mssql](<../lib/mssql.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### smtp.domain \n\nSee the documentation for the [smtp](<../lib/smtp.html#script-args>) library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### tls.servername \n\nSee the documentation for the [tls](<../lib/tls.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 143,993 --script imap-ntlm-info <target>\n \n\n## Script Output \n \n \n 143/tcp open imap\n | imap-ntlm-info:\n | Target_Name: ACTIVEIMAP\n | NetBIOS_Domain_Name: ACTIVEIMAP\n | NetBIOS_Computer_Name: IMAP-TEST2\n | DNS_Domain_Name: somedomain.com\n | DNS_Computer_Name: imap-test2.somedomain.com\n | DNS_Tree_Name: somedomain.com\n |_ Product_Version: 6.1.7601\n \n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [os](<>)\n * [datetime](<../lib/datetime.html>)\n * [shortport](<../lib/shortport.html>)\n * [sslcert](<../lib/sslcert.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [base64](<../lib/base64.html>)\n * [smbauth](<../lib/smbauth.html>)\n * [string](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-01-08T03:08:26", "type": "nmap", "title": "imap-ntlm-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-08-15T07:26:00", "id": "NMAP:IMAP-NTLM-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/imap-ntlm-info.html", "sourceData": "local comm = require \"comm\"\nlocal os = require \"os\"\nlocal datetime = require \"datetime\"\nlocal shortport = require \"shortport\"\nlocal sslcert = require \"sslcert\"\nlocal stdnse = require \"stdnse\"\nlocal base64 = require \"base64\"\nlocal smbauth = require \"smbauth\"\nlocal string = require \"string\"\n\n\ndescription = [[\nThis script enumerates information from remote IMAP services with NTLM\nauthentication enabled.\n\nSending an IMAP NTLM authentication request with null credentials will\ncause the remote service to respond with a NTLMSSP message disclosing\ninformation to include NetBIOS, DNS, and OS build version.\n]]\n\n\n---\n-- @usage\n-- nmap -p 143,993 --script imap-ntlm-info <target>\n--\n-- @output\n-- 143/tcp open imap\n-- | imap-ntlm-info:\n-- | Target_Name: ACTIVEIMAP\n-- | NetBIOS_Domain_Name: ACTIVEIMAP\n-- | NetBIOS_Computer_Name: IMAP-TEST2\n-- | DNS_Domain_Name: somedomain.com\n-- | DNS_Computer_Name: imap-test2.somedomain.com\n-- | DNS_Tree_Name: somedomain.com\n-- |_ Product_Version: 6.1.7601\n--\n--@xmloutput\n-- <elem key=\"Target_Name\">ACTIVEIMAP</elem>\n-- <elem key=\"NetBIOS_Domain_Name\">ACTIVEIMAP</elem>\n-- <elem key=\"NetBIOS_Computer_Name\">IMAP-TEST2</elem>\n-- <elem key=\"DNS_Domain_Name\">somedomain.com</elem>\n-- <elem key=\"DNS_Computer_Name\">imap-test2.somedomain.com</elem>\n-- <elem key=\"DNS_Tree_Name\">somedomain.com</elem>\n-- <elem key=\"Product_Version\">6.1.7601</elem>\n\n\nauthor = \"Justin Cacak\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\n\n\nlocal ntlm_auth_blob = base64.enc( select(2,\n smbauth.get_security_blob(nil, nil, nil, nil, nil, nil, nil,\n 0x00000001 + -- Negotiate Unicode\n 0x00000002 + -- Negotiate OEM strings\n 0x00000004 + -- Request Target\n 0x00000200 + -- Negotiate NTLM\n 0x00008000 + -- Negotiate Always Sign\n 0x00080000 + -- Negotiate NTLM2 Key\n 0x20000000 + -- Negotiate 128\n 0x80000000 -- Negotiate 56\n ))\n )\n\nportrule = shortport.port_or_service({ 143, 993 }, { \"imap\", \"imaps\" })\n\naction = function(host, port)\n\n local output = stdnse.output_table()\n\n local starttls = sslcert.isPortSupported(port)\n local socket\n if starttls then\n local status\n status, socket = starttls(host, port)\n if not status then\n -- could be socket problems, but more likely STARTTLS not supported.\n stdnse.debug1(\"starttls error: %s\", socket)\n socket = nil\n end\n end\n if not socket then\n local line, bopt, first_line\n socket, line, bopt, first_line = comm.tryssl(host, port, \"\" , {recv_before=true})\n if not socket then\n stdnse.debug1(\"connection error: %s\", line)\n return nil\n end\n end\n\n socket:send(\"000b AUTHENTICATE NTLM\\r\\n\")\n local status, response = socket:receive()\n if not status then\n stdnse.debug1(\"Socket receive failed: %s\", response)\n return nil\n end\n if not response then\n stdnse.debug1(\"No response to AUTHENTICATE NTLM\")\n return nil\n end\n\n socket:send(ntlm_auth_blob .. \"\\r\\n\")\n status, response = socket:receive()\n if not status then\n stdnse.debug1(\"Socket receive failed: %s\", response)\n return nil\n end\n if not response then\n stdnse.debug1(\"No response to NTLM challenge\")\n return nil\n end\n\n local recvtime = os.time()\n socket:close()\n\n if string.match(response, \"^A%d%d%d%d \") then\n stdnse.debug2(\"NTLM auth not supported.\")\n return nil\n end\n\n -- Continue only if a + response is returned\n local response_decoded = string.match(response, \"+ (.*)\")\n if not response_decoded then\n stdnse.debug1(\"Unexpected response to NTLM challenge: %s\", response)\n return nil\n end\n\n local response_decoded = base64.dec(response_decoded)\n\n -- Continue only if NTLMSSP response is returned\n if not string.match(response_decoded, \"^NTLMSSP\") then\n stdnse.debug1(\"Unexpected response to NTLM challenge: %s\", response)\n return nil\n end\n\n -- Leverage smbauth.get_host_info_from_security_blob() for decoding\n local ntlm_decoded = smbauth.get_host_info_from_security_blob(response_decoded)\n\n if ntlm_decoded.timestamp then\n -- 64-bit number of 100ns clicks since 1/1/1601\n local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600\n datetime.record_skew(host, unixstamp, recvtime)\n end\n\n -- Target Name will always be returned under any implementation\n output.Target_Name = ntlm_decoded.target_realm\n\n -- Display information returned & ignore responses with null values\n if ntlm_decoded.netbios_domain_name and #ntlm_decoded.netbios_domain_name > 0 then\n output.NetBIOS_Domain_Name = ntlm_decoded.netbios_domain_name\n end\n\n if ntlm_decoded.netbios_computer_name and #ntlm_decoded.netbios_computer_name > 0 then\n output.NetBIOS_Computer_Name = ntlm_decoded.netbios_computer_name\n end\n\n if ntlm_decoded.dns_domain_name and #ntlm_decoded.dns_domain_name > 0 then\n output.DNS_Domain_Name = ntlm_decoded.dns_domain_name\n end\n\n if ntlm_decoded.fqdn and #ntlm_decoded.fqdn > 0 then\n output.DNS_Computer_Name = ntlm_decoded.fqdn\n end\n\n if ntlm_decoded.dns_forest_name and #ntlm_decoded.dns_forest_name > 0 then\n output.DNS_Tree_Name = ntlm_decoded.dns_forest_name\n end\n\n if ntlm_decoded.os_major_version then\n output.Product_Version = string.format(\"%d.%d.%d\",\n ntlm_decoded.os_major_version, ntlm_decoded.os_minor_version, ntlm_decoded.os_build)\n end\n\n return output\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:30", "description": "Connects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers.\n\n## Example Usage \n \n \n nmap -p 4369 --script epmd-info <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 4369/tcp open epmd\n | epmd-info.nse:\n | epmd_port: 4369\n | nodes:\n | rabbit: 36804\n |_ ejabberd: 46540\n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-04-04T18:28:33", "type": "nmap", "title": "epmd-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-03-25T13:29:52", "id": "NMAP:EPMD-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/epmd-info.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\n\ndescription = [[\nConnects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers.\n]]\n\n---\n-- @usage\n-- nmap -p 4369 --script epmd-info <target>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 4369/tcp open epmd\n-- | epmd-info.nse:\n-- | epmd_port: 4369\n-- | nodes:\n-- | rabbit: 36804\n-- |_ ejabberd: 46540\n-- @xmloutput\n-- <elem key=\"epmd_port\">4369</elem>\n-- <table key=\"nodes\">\n-- <elem key=\"rabbit\">36804</elem>\n-- <elem key=\"ejabberd\">46540</elem>\n-- </table>\n\nauthor = \"Toni Ruottu\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\n\nportrule = shortport.port_or_service (4369, \"epmd\")\n\naction = function(host, port)\n local socket = nmap.new_socket()\n socket:set_timeout(stdnse.get_timeout(host))\n local try = nmap.new_try(function () socket:close() end)\n try(socket:connect(host, port))\n\n try(socket:send(\"\\x00\\x01n\")) -- NAMESREQ = 110\n\n local getline = stdnse.make_buffer(socket, \"\\n\")\n\n local data, err = getline()\n if data == nil then\n stdnse.debug2(\"Error on receive: %s\", err)\n socket:close()\n return nil\n end\n\n local realport, pos = string.unpack(\">I4\", data)\n data = string.sub(data, pos)\n\n local nodes = stdnse.output_table()\n local name, port\n while data and data ~= \"\" do\n name, port = data:match(\"^name (.*) at port (%d+)\")\n if name then\n nodes[name] = port\n end\n data = getline()\n end\n\n local response = stdnse.output_table()\n response.epmd_port = realport\n response.nodes = nodes\n return response\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:32:34", "description": "Retrieves some basic information, including protocol version from a Vuze filesharing node. \n\nAs Vuze doesn't have a default port for its DHT service, this script has some difficulties in determining when to run. Most scripts are triggered by either a default port or a fingerprinted service. To get around this, there are two options: 1\\. Always run a version scan, to identify the vuze-dht service in order to trigger the script. 2\\. Force the script to run against each port by setting the argument vuze-dht-info.allports\n\n## Script Arguments \n\n#### vuze-dht-info.allports \n\nif set runs this script against every open port\n\n## Example Usage \n \n \n nmap -sU -p <port> <ip> --script vuze-dht-info -sV\n \n\n## Script Output \n \n \n PORT STATE SERVICE VERSION\n 17555/udp open vuze-dht Vuze\n | vuze-dht-info:\n | Transaction id: 9438865\n | Connection id: 0xFF79A77B4592BDB0\n | Protocol version: 50\n | Vendor id: Azureus (0)\n | Network id: Stable (0)\n |_ Instance id: 2260473691\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [vuzedht](<../lib/vuzedht.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-12-03T09:18:58", "type": "nmap", "title": "vuze-dht-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-11T04:37:48", "id": "NMAP:VUZE-DHT-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/vuze-dht-info.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\nlocal vuzedht = stdnse.silent_require \"vuzedht\"\n\ndescription = [[\nRetrieves some basic information, including protocol version from a Vuze filesharing node.\n\nAs Vuze doesn't have a default port for its DHT service, this script has\nsome difficulties in determining when to run. Most scripts are triggered by\neither a default port or a fingerprinted service. To get around this, there\nare two options:\n1. Always run a version scan, to identify the vuze-dht service in order to\n trigger the script.\n2. Force the script to run against each port by setting the argument\n vuze-dht-info.allports\n]]\n\n---\n-- @usage\n-- nmap -sU -p <port> <ip> --script vuze-dht-info -sV\n--\n-- @output\n-- PORT STATE SERVICE VERSION\n-- 17555/udp open vuze-dht Vuze\n-- | vuze-dht-info:\n-- | Transaction id: 9438865\n-- | Connection id: 0xFF79A77B4592BDB0\n-- | Protocol version: 50\n-- | Vendor id: Azureus (0)\n-- | Network id: Stable (0)\n-- |_ Instance id: 2260473691\n--\n-- @args vuze-dht-info.allports if set runs this script against every open port\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = function(host, port)\n local allports = stdnse.get_script_args('vuze-dht-info.allports')\n if ( tonumber(allports) == 1 or allports == 'true' ) then\n return true\n else\n local f = shortport.port_or_service({17555, 49160, 49161, 49162}, \"vuze-dht\", \"udp\", {\"open\", \"open|filtered\"})\n return f(host, port)\n end\nend\n\nlocal function getDHTInfo(host, port, lhost)\n\n local helper = vuzedht.Helper:new(host, port, lhost)\n local status = helper:connect()\n\n if ( not(status) ) then\n return false, \"Failed to connect to server\"\n end\n\n local response\n status, response = helper:ping()\n if ( not(status) ) then\n return false, \"Failed to ping vuze node\"\n end\n helper:close()\n\n return true, response\nend\n\naction = function(host, port)\n\n local status, response = getDHTInfo(host, port)\n if not status then\n return stdnse.format_output(false, response)\n end\n\n -- check whether we have an error due to an incorrect address\n -- ie. we're on a NAT:ed network and we're announcing our private ip\n if ( status and response.header.action == vuzedht.Response.Actions.ERROR ) then\n status, response = getDHTInfo(host, port, response.addr.ip)\n end\n\n if ( status ) then\n nmap.set_port_state(host, port, \"open\")\n return tostring(response)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:34:01", "description": "Detects whether a host is infected with the Stuxnet worm (<http://en.wikipedia.org/wiki/Stuxnet>). \n\nAn executable version of the Stuxnet infection will be downloaded if a format for the filename is given on the command line.\n\n### See also:\n\n * [ smb-vuln-ms10-061.nse ](<../scripts/smb-vuln-ms10-061.html>)\n\n## Script Arguments \n\n#### stuxnet-detect.save \n\nPath to save Stuxnet executable under, with `%h` replaced by the host's IP address, and `%v` replaced by the version of Stuxnet.\n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script stuxnet-detect -p 445 <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 445/tcp open microsoft-ds syn-ack\n \n Host script results:\n |_stuxnet-detect: INFECTED (version 4c:04:00:00:01:00:00:00)\n \n\n## Requires \n\n * [io](<>)\n * [msrpc](<../lib/msrpc.html>)\n * [smb](<../lib/smb.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [stringaux](<../lib/stringaux.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-12-12T22:40:42", "type": "nmap", "title": "stuxnet-detect NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:STUXNET-DETECT.NSE", "href": "https://nmap.org/nsedoc/scripts/stuxnet-detect.html", "sourceData": "local io = require \"io\"\nlocal msrpc = require \"msrpc\"\nlocal smb = require \"smb\"\nlocal stdnse = require \"stdnse\"\nlocal stringaux = require \"stringaux\"\n\n-- -*- mode: lua -*-\n-- vim: set filetype=lua :\n\ndescription = [[\nDetects whether a host is infected with the Stuxnet worm (http://en.wikipedia.org/wiki/Stuxnet).\n\nAn executable version of the Stuxnet infection will be downloaded if a format\nfor the filename is given on the command line.\n]]\n\n---\n-- @usage\n-- nmap --script stuxnet-detect -p 445 <host>\n--\n-- @args stuxnet-detect.save Path to save Stuxnet executable under, with\n-- <code>%h</code> replaced by the host's IP address, and <code>%v</code>\n-- replaced by the version of Stuxnet.\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 445/tcp open microsoft-ds syn-ack\n--\n-- Host script results:\n-- |_stuxnet-detect: INFECTED (version 4c:04:00:00:01:00:00:00)\n--\n-- @see smb-vuln-ms10-061.nse\n\nauthor = \"Mak Kolybabi\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"intrusive\"}\n\n\nlocal STUXNET_PATHS = {\"\\\\\\\\browser\", \"\\\\\\\\ntsvcs\", \"\\\\\\\\pipe\\\\browser\", \"\\\\\\\\pipe\\\\ntsvcs\"}\nlocal STUXNET_UUID = \"\\xe1\\x04\\x02\\x00\\x00\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x46\"\nlocal STUXNET_VERSION = 0x01\n\nlocal RPC_GET_VERSION = 0x00\nlocal RPC_GET_EXECUTABLE = 0x04\n\nlocal function check_infected(host, path, save)\n local file, result, session, status, version\n\n -- Create an SMB session.\n status, session = msrpc.start_smb(host, path)\n if not status then\n stdnse.debug1(\"Failed to establish session on %s.\", path)\n return false, nil\n end\n\n -- Bind to the Stuxnet service.\n status, result = msrpc.bind(session, STUXNET_UUID, STUXNET_VERSION, nil)\n if not status or result[\"ack_result\"] ~= 0 then\n stdnse.debug1(\"Failed to bind to Stuxnet service.\")\n msrpc.stop_smb(session)\n return false, nil\n end\n\n -- Request version of Stuxnet infection.\n status, result = msrpc.call_function(session, RPC_GET_VERSION, \"\")\n if not status then\n stdnse.debug1(\"Failed to retrieve Stuxnet version: %s\", result)\n msrpc.stop_smb(session)\n return false, nil\n end\n version = stdnse.tohex(result.arguments, {separator = \":\"})\n\n -- Request executable of Stuxnet infection.\n if save then\n local file, fmt\n\n status, result = msrpc.call_function(session, RPC_GET_EXECUTABLE, \"\")\n if not status then\n stdnse.debug1(\"Failed to retrieve Stuxnet executable: %s\", result)\n msrpc.stop_smb(session)\n return true, version\n end\n\n fmt = save:gsub(\"%%h\", host.ip)\n fmt = fmt:gsub(\"%%v\", version)\n file = io.open(stringaux.filename_escape(fmt), \"w\")\n if file then\n stdnse.debug1(\"Wrote %d bytes to file %s.\", #result.arguments, fmt)\n file:write(result.arguments)\n file:close()\n else\n stdnse.debug1(\"Failed to open file: %s\", fmt)\n end\n end\n\n -- Destroy the SMB session\n msrpc.stop_smb(session)\n\n return true, version\nend\n\nhostrule = function(host)\n return (smb.get_port(host) ~= nil)\nend\n\naction = function(host, port)\n local _, path, result, save, status\n\n -- Get script arguments.\n save = stdnse.get_script_args(\"stuxnet-detect.save\")\n\n -- Try to find Stuxnet on this host.\n for _, path in pairs(STUXNET_PATHS) do\n status, result = check_infected(host, path, save)\n if status then\n return \"INFECTED (version \" .. result .. \")\"\n end\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:50", "description": "Retrieves IMAP email server capabilities. \n\nIMAP4rev1 capabilities are defined in RFC 3501. The CAPABILITY command allows a client to ask a server what commands it supports and possibly any site-specific policy.\n\n## Script Arguments \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sV -sC <target>\n\n## Script Output \n \n \n 143/tcp open imap\n |_ imap-capabilities: LOGINDISABLED IDLE IMAP4 LITERAL+ STARTTLS NAMESPACE IMAP4rev1\n\n## Requires \n\n * [imap](<../lib/imap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2009-06-08T23:21:56", "type": "nmap", "title": "imap-capabilities NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:IMAP-CAPABILITIES.NSE", "href": "https://nmap.org/nsedoc/scripts/imap-capabilities.html", "sourceData": "local imap = require \"imap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nRetrieves IMAP email server capabilities.\n\nIMAP4rev1 capabilities are defined in RFC 3501. The CAPABILITY command\nallows a client to ask a server what commands it supports and possibly\nany site-specific policy.\n]]\n\n---\n-- @output\n-- 143/tcp open imap\n-- |_ imap-capabilities: LOGINDISABLED IDLE IMAP4 LITERAL+ STARTTLS NAMESPACE IMAP4rev1\n\n\nauthor = \"Brandon Enright\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"default\", \"safe\"}\n\n\nportrule = shortport.port_or_service({143, 993}, {\"imap\", \"imaps\"})\n\nlocal function fail (err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n local helper = imap.Helper:new(host, port)\n local status = helper:connect()\n if ( not(status) ) then return fail(\"Failed to connect to server\") end\n\n local status, capa = helper:capabilities(host, port)\n if( not(status) ) then return fail(\"Failed to retrieve capabilities\") end\n helper:close()\n\n if type(capa) == \"table\" then\n -- Convert the capabilities table into an array of strings.\n local capstrings = {}\n local cap, args\n for cap, args in pairs(capa) do\n table.insert(capstrings, cap)\n end\n return table.concat(capstrings, \" \")\n elseif type(capa) == \"string\" then\n stdnse.debug1(\"'%s' for %s\", capa, host.ip)\n return\n else\n return \"server doesn't support CAPABILITIES\"\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:38:51", "description": "Detects the version of an Oracle Virtual Server Agent by fingerprinting responses to an HTTP GET request and an XML-RPC method call. \n\nVersion 2.2 of Virtual Server Agent returns a distinctive string in response to an HTTP GET request. However versions 3.0 and 3.0.1 return a generic response that looks like any other BaseHTTP/SimpleXMLRPCServer. Versions 2.2 and 3.0 return a distinctive error message in response to a `system.listMethods` XML-RPC call, which however does not distinguish the two versions. Version 3.0.1 returns a response to `system.listMethods` that is different from that of both version 2.2 and 3.0. Therefore we use this strategy: (1.) Send a GET request. If the version 2.2 string is returned, return \"2.2\". (2.) Send a `system.listMethods` method call. If an error is returned, return \"3.0\" or \"3.0.1\", depending on the specific format of the error.\n\n## Script Arguments \n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sV <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON VERSION\n 8899/tcp open ssl/ovs-agent syn-ack Oracle Virtual Server Agent 3.0 (BaseHTTP 0.3; Python SimpleXMLRPCServer; Python 2.5.2)\n\n## Requires \n\n * [http](<../lib/http.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [string](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-03-02T07:39:31", "type": "nmap", "title": "ovs-agent-version NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:OVS-AGENT-VERSION.NSE", "href": "https://nmap.org/nsedoc/scripts/ovs-agent-version.html", "sourceData": "local http = require \"http\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal string = require \"string\"\n\ndescription = [[\nDetects the version of an Oracle Virtual Server Agent by fingerprinting\nresponses to an HTTP GET request and an XML-RPC method call.\n\nVersion 2.2 of Virtual Server Agent returns a distinctive string in response to an\nHTTP GET request. However versions 3.0 and 3.0.1 return a generic response that\nlooks like any other BaseHTTP/SimpleXMLRPCServer. Versions 2.2 and 3.0 return a\ndistinctive error message in response to a <code>system.listMethods</code>\nXML-RPC call, which however does not distinguish the two versions. Version 3.0.1\nreturns a response to <code>system.listMethods</code> that is different from\nthat of both version 2.2 and 3.0. Therefore we use this strategy: (1.) Send a\nGET request. If the version 2.2 string is returned, return \"2.2\". (2.) Send a\n<code>system.listMethods</code> method call. If an error is\nreturned, return \"3.0\" or \"3.0.1\", depending on the specific format of the\nerror.\n]]\n\ncategories = {\"version\"}\n\n---\n-- @output\n-- PORT STATE SERVICE REASON VERSION\n-- 8899/tcp open ssl/ovs-agent syn-ack Oracle Virtual Server Agent 3.0 (BaseHTTP 0.3; Python SimpleXMLRPCServer; Python 2.5.2)\n\nauthor = \"David Fifield\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\n\nportrule = shortport.version_port_or_service({8899})\n\nlocal function set_port_version(host, port, version, server)\n port.version.name = \"ovs-agent\"\n port.version.product = \"Oracle Virtual Server Agent\"\n port.version.version = version\n if server then\n local basehttp, python = string.match(server, \"^BaseHTTP/([%d.]+) Python/([%d.]+)\")\n if basehttp and python then\n port.version.extrainfo = string.format(\"BaseHTTP %s; Python SimpleXMLRPCServer; Python %s\", basehttp, python)\n end\n end\n nmap.set_port_version(host, port)\nend\n\nfunction action(host, port)\n local response\n local version = {}\n\n response = http.get(host, port, \"/\")\n if response.status == 200 and string.match(response.body,\n \"<title>Python: OVSAgentServer Document</title>\") then\n set_port_version(host, port, \"2.2\", response.header[\"server\"])\n return\n end\n\n -- So much for version 2.2. If the response to GET was 501, then we may\n -- have a version 3.0 or 3.0.1.\n if not (response.status == 501) then\n return\n end\n\n response = http.post(host, port, \"/\",\n {header = {[\"Content-Type\"] = \"text/xml\"}}, nil,\n \"<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>\")\n if response.status == 403 and string.match(response.body,\n \"Message: Unauthorized HTTP Access Attempt from %('[%d.]+', %d+%)!%.\") then\n set_port_version(host, port, \"3.0\", response.header[\"server\"])\n return\n elseif response.status == 403 and string.match(response.body,\n \"Message: Unauthorized access attempt from %('[%d.]+', %d+%)!%.\") then\n set_port_version(host, port, \"3.0.1\", response.header[\"server\"])\n return\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:08", "description": "Retrieves system information (OS version, available memory, etc.) from a listening Ganglia Monitoring Daemon or Ganglia Meta Daemon. \n\nGanglia is a scalable distributed monitoring system for high-performance computing systems such as clusters and Grids. The information retrieved includes HDD size, available memory, OS version, architecture (and more) from each of the systems in each of the clusters in the grid. \n\nFor more information about Ganglia, see: \n\n * <http://ganglia.sourceforge.net/>\n * <http://en.wikipedia.org/wiki/Ganglia_(software)#Ganglia_Monitoring_Daemon_.28gmond.29>\n * <http://en.wikipedia.org/wiki/Ganglia_(software)#Ganglia_Meta_Daemon_.28gmetad.29>\n\n## Script Arguments \n\n#### ganglia-info.bytes \n\nSet the number of bytes to retrieve. The default value is 1000000. This should be enough for a grid of more than 100 hosts. About 5KB-10KB of data is returned for each host in the cluster.\n\n#### ganglia-info.timeout \n\nSet the timeout in seconds. The default value is 30.\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script ganglia-info --script-args ganglia-info.timeout=60,ganglia-info.bytes=1000000 -p <port> <target>\n \n\n## Script Output \n \n \n 8649/tcp open unknown syn-ack\n | ganglia-info:\n | Ganglia Version: 3.1.7\n | Cluster 1:\n | Name: unspecified\n | Owner: unspecified\n | Host 1:\n | Name: sled9735.sd.dreamhost.com\n | IP: 10.208.42.221\n | load_one: 0.53\n | mem_total: 24685564KB\n | os_release: 3.1.9-vs2.3.2.5\n | proc_run: 0\n | load_five: 0.52\n | gexec: OFF\n | disk_free: 305.765GB\n | mem_cached: 18857264KB\n | pkts_in: 821.73packets/sec\n | bytes_in: 72686.10bytes/sec\n | bytes_out: 5612221.50bytes/sec\n | swap_total: 1998844KB\n | mem_free: 187964KB\n | load_fifteen: 0.57\n | os_name: Linux\n | boottime: 1429708366s\n | cpu_idle: 96.3%\n | cpu_user: 2.7%\n | cpu_nice: 0.0%\n | cpu_aidle: 94.7%\n | mem_buffers: 169588KB\n | cpu_system: 0.8%\n | part_max_used: 31.5%\n | disk_total: 435.962GB\n | mem_shared: 0KB\n | cpu_wio: 0.2%\n | machine_type: x86_64\n | proc_total: 1027\n | cpu_num: 8CPUs\n | cpu_speed: 2400MHz\n | pkts_out: 3977.13packets/sec\n | swap_free: 1393392KB\n \n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [shortport](<../lib/shortport.html>)\n * [slaxml](<../lib/slaxml.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-10-04T05:45:54", "type": "nmap", "title": "ganglia-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-06-27T19:13:41", "id": "NMAP:GANGLIA-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/ganglia-info.html", "sourceData": "local comm = require \"comm\"\nlocal shortport = require \"shortport\"\nlocal slaxml = require \"slaxml\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nRetrieves system information (OS version, available memory, etc.) from\na listening Ganglia Monitoring Daemon or Ganglia Meta Daemon.\n\nGanglia is a scalable distributed monitoring system for high-performance\ncomputing systems such as clusters and Grids. The information retrieved\nincludes HDD size, available memory, OS version, architecture (and more) from\neach of the systems in each of the clusters in the grid.\n\nFor more information about Ganglia, see:\n* http://ganglia.sourceforge.net/\n* http://en.wikipedia.org/wiki/Ganglia_(software)#Ganglia_Monitoring_Daemon_.28gmond.29\n* http://en.wikipedia.org/wiki/Ganglia_(software)#Ganglia_Meta_Daemon_.28gmetad.29\n]]\n\n---\n-- @usage\n-- nmap --script ganglia-info --script-args ganglia-info.timeout=60,ganglia-info.bytes=1000000 -p <port> <target>\n--\n-- @args ganglia-info.timeout\n-- Set the timeout in seconds. The default value is 30.\n-- @args ganglia-info.bytes\n-- Set the number of bytes to retrieve. The default value is 1000000.\n-- This should be enough for a grid of more than 100 hosts.\n-- About 5KB-10KB of data is returned for each host in the cluster.\n--\n-- @output\n-- 8649/tcp open unknown syn-ack\n-- | ganglia-info:\n-- | Ganglia Version: 3.1.7\n-- | Cluster 1:\n-- | Name: unspecified\n-- | Owner: unspecified\n-- | Host 1:\n-- | Name: sled9735.sd.dreamhost.com\n-- | IP: 10.208.42.221\n-- | load_one: 0.53\n-- | mem_total: 24685564KB\n-- | os_release: 3.1.9-vs2.3.2.5\n-- | proc_run: 0\n-- | load_five: 0.52\n-- | gexec: OFF\n-- | disk_free: 305.765GB\n-- | mem_cached: 18857264KB\n-- | pkts_in: 821.73packets/sec\n-- | bytes_in: 72686.10bytes/sec\n-- | bytes_out: 5612221.50bytes/sec\n-- | swap_total: 1998844KB\n-- | mem_free: 187964KB\n-- | load_fifteen: 0.57\n-- | os_name: Linux\n-- | boottime: 1429708366s\n-- | cpu_idle: 96.3%\n-- | cpu_user: 2.7%\n-- | cpu_nice: 0.0%\n-- | cpu_aidle: 94.7%\n-- | mem_buffers: 169588KB\n-- | cpu_system: 0.8%\n-- | part_max_used: 31.5%\n-- | disk_total: 435.962GB\n-- | mem_shared: 0KB\n-- | cpu_wio: 0.2%\n-- | machine_type: x86_64\n-- | proc_total: 1027\n-- | cpu_num: 8CPUs\n-- | cpu_speed: 2400MHz\n-- | pkts_out: 3977.13packets/sec\n-- | swap_free: 1393392KB\n--\n-- @xmloutput\n-- <elem key=\"Ganglia Version\">3.1.7</elem>\n-- <table key=\"Cluster 1\">\n-- <elem key=\"Name\">unspecified</elem>\n-- <elem key=\"Owner\">unspecified</elem>\n-- <table key=\"Host 1\">\n-- <elem key=\"Name\">sled9735.sd.dreamhost.com</elem>\n-- <elem key=\"IP\">10.208.42.221</elem>\n-- <elem key=\"load_one\">0.53</elem>\n-- <elem key=\"mem_total\">24685564KB</elem>\n-- <elem key=\"os_release\">3.1.9-vs2.3.2.5</elem>\n-- <elem key=\"proc_run\">0</elem>\n-- <elem key=\"load_five\">0.52</elem>\n-- <elem key=\"gexec\">OFF</elem>\n-- <elem key=\"disk_free\">305.765GB</elem>\n-- <elem key=\"mem_cached\">18857264KB</elem>\n-- <elem key=\"pkts_in\">821.73packets/sec</elem>\n-- <elem key=\"bytes_in\">72686.10bytes/sec</elem>\n-- <elem key=\"bytes_out\">5612221.50bytes/sec</elem>\n-- <elem key=\"swap_total\">1998844KB</elem>\n-- <elem key=\"mem_free\">187964KB</elem>\n-- <elem key=\"load_fifteen\">0.57</elem>\n-- <elem key=\"os_name\">Linux</elem>\n-- <elem key=\"boottime\">1429708366s</elem>\n-- <elem key=\"cpu_idle\">96.3%</elem>\n-- <elem key=\"cpu_user\">2.7%</elem>\n-- <elem key=\"cpu_nice\">0.0%</elem>\n-- <elem key=\"cpu_aidle\">94.7%</elem>\n-- <elem key=\"mem_buffers\">169588KB</elem>\n-- <elem key=\"cpu_system\">0.8%</elem>\n-- <elem key=\"part_max_used\">31.5%</elem>\n-- <elem key=\"disk_total\">435.962GB</elem>\n-- <elem key=\"mem_shared\">0KB</elem>\n-- <elem key=\"cpu_wio\">0.2%</elem>\n-- <elem key=\"machine_type\">x86_64</elem>\n-- <elem key=\"proc_total\">1027</elem>\n-- <elem key=\"cpu_num\">8CPUs</elem>\n-- <elem key=\"cpu_speed\">2400MHz</elem>\n-- <elem key=\"pkts_out\">3977.13packets/sec</elem>\n-- <elem key=\"swap_free\">1393392KB</elem>\n-- </table>\n-- </table>\n--\n-- Version 0.2\n-- Created 2011-06-28 - v0.1 - created by Brendan Coles - itsecuritysolutions.org\n-- Created 2015-07-30 - v0.2 - Added Support for SLAXML by Gyanendra Mishra\n\nauthor = {\"Brendan Coles\", \"Gyanendra Mishra\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\n\nportrule = shortport.port_or_service ({8649,8651}, \"ganglia\", {\"tcp\"})\n\nlocal function set_name_value(name)\n return function(value, state)\n state.result[name] = value\n end\nend\n\nlocal function set_cluster(name)\n return function(value, state)\n local current = state[#state]\n if not current.out then\n state.cc = state.cc + 1\n current.out = stdnse.output_table()\n current.hc = 0\n state.result[\"Cluster \" .. state.cc] = current.out\n end\n state.result[\"Cluster \" .. state.cc][name] = value\n end\nend\n\nlocal function get_current_cluster(state)\n for i=#state, 1, -1 do\n if state[i][1] == \"CLUSTER\" then\n return state[i]\n end\n end\nend\n\nlocal function set_host(name)\n return function(value, state)\n local current = state[#state]\n local current_cluster = get_current_cluster(state)\n if not current.out then\n current_cluster.hc = current_cluster.hc + 1\n current.out = stdnse.output_table()\n state.result[\"Cluster \" .. state.cc][\"Host \" .. current_cluster.hc] = current.out\n end\n state.result[\"Cluster \" .. state.cc][\"Host \" .. current_cluster.hc][name] = value\n end\nend\n\nlocal function set_metric(name)\n return function(value, state)\n local current = state[#state]\n local current_cluster = get_current_cluster(state)\n current[name] = value\n if current[\"name\"] and current[\"value\"] and current[\"unit\"] then\n state.result[\"Cluster \" .. state.cc][\"Host \" .. current_cluster.hc][current[\"name\"]] = current[\"value\"] .. current[\"unit\"]\n end\n end\nend\n\nlocal P = {\n GANGLIA_XML = {\n VERSION = set_name_value(\"Ganglia Version\"),\n },\n GRID = {\n NAME = set_name_value(\"Grid Name\"),\n },\n CLUSTER = {\n NAME = set_cluster(\"Name\"),\n OWNER = set_cluster(\"Owner\"),\n },\n HOST = {\n NAME = set_host(\"Name\"),\n IP = set_host(\"IP\"),\n },\n METRIC = {\n NAME = set_metric(\"name\"),\n UNITS = set_metric(\"unit\"),\n VAL = set_metric(\"value\"),\n }\n}\n\naction = function( host, port )\n\n local result = stdnse.output_table()\n\n -- Set timeout\n local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. '.timeout'))\n timeout = timeout or 30\n\n -- Set bytes\n local bytes = stdnse.get_script_args(SCRIPT_NAME .. '.bytes')\n bytes = tonumber(bytes) or 1000000\n\n -- Retrieve grid data in XML format over TCP\n stdnse.debug1(\"Connecting to %s:%s\", host.targetname or host.ip, port.number)\n local status, data = comm.get_banner(host, port, {request_timeout=timeout*1000,bytes=bytes})\n if not status then\n stdnse.debug1(\"Timeout exceeded for %s:%s (Timeout: %ss).\", host.targetname or host.ip, port.number, timeout)\n return\n end\n\n local state = {\n cc = 0,\n result=stdnse.output_table()\n }\n\n local parser = slaxml.parser:new()\n parser._call = {\n startElement = function(name) table.insert(state, {name}) end,\n closeElement = function(name) assert(state[#state][1] == name) state[#state] = nil end,\n attribute = function(name, value)\n local p_elem = P[state[#state][1]]\n if not (p_elem and p_elem[name]) then return end\n local p_attr = p_elem[name]\n if not p_attr then return end\n p_attr(value, state)\n end,\n }\n\n parser:parseSAX(data, {stripWhitespace=true})\n\n if #state.result then return state.result end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:31:31", "description": "Checks if the IP over HTTPS (IP-HTTPS) Tunneling Protocol [1] is supported. \n\nIP-HTTPS sends Teredo related IPv6 packets over an IPv4-based HTTPS session. This indicates that Microsoft DirectAccess [2], which allows remote clients to access intranet resources on a domain basis, is supported. Windows clients need Windows 7 Enterprise/Ultime or Windows 8.1 Enterprise/Ultimate. Servers need Windows Server 2008 (R2) or Windows Server 2012 (R2). Older versions of Windows and Windows Server are not supported. \n\n[1] <http://msdn.microsoft.com/en-us/library/dd358571.aspx> [2] <http://technet.microsoft.com/en-us/network/dd420463.aspx>\n\n## Script Arguments \n\n#### mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username \n\nSee the documentation for the [mssql](<../lib/mssql.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### smtp.domain \n\nSee the documentation for the [smtp](<../lib/smtp.html#script-args>) library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### tls.servername \n\nSee the documentation for the [tls](<../lib/tls.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script ip-https-discover\n \n\n## Script Output \n \n \n 443/tcp open https\n |_ip-https-discover: IP-HTTPS is supported. This indicates that this host supports Microsoft DirectAccess.\n \n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [string](<>)\n * [stdnse](<../lib/stdnse.html>)\n * [shortport](<../lib/shortport.html>)\n * [sslcert](<../lib/sslcert.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2015-11-03T13:53:20", "type": "nmap", "title": "ip-https-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2016-09-21T03:55:11", "id": "NMAP:IP-HTTPS-DISCOVER.NSE", "href": "https://nmap.org/nsedoc/scripts/ip-https-discover.html", "sourceData": "local comm = require 'comm'\nlocal string = require 'string'\nlocal stdnse = require 'stdnse'\nlocal shortport = require 'shortport'\nlocal sslcert = require 'sslcert'\n\ndescription = [[\nChecks if the IP over HTTPS (IP-HTTPS) Tunneling Protocol [1] is supported.\n\nIP-HTTPS sends Teredo related IPv6 packets over an IPv4-based HTTPS session. This\nindicates that Microsoft DirectAccess [2], which allows remote clients to access\nintranet resources on a domain basis, is supported. Windows clients need\nWindows 7 Enterprise/Ultime or Windows 8.1 Enterprise/Ultimate. Servers need\nWindows Server 2008 (R2) or Windows Server 2012 (R2). Older versions\nof Windows and Windows Server are not supported.\n\n[1] http://msdn.microsoft.com/en-us/library/dd358571.aspx\n[2] http://technet.microsoft.com/en-us/network/dd420463.aspx\n]]\n\nauthor = \"Niklaus Schiess <nschiess@adversec.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {'discovery', 'safe', 'default'}\n\n---\n--@usage\n-- nmap --script ip-https-discover\n--\n--@output\n-- 443/tcp open https\n-- |_ip-https-discover: IP-HTTPS is supported. This indicates that this host supports Microsoft DirectAccess.\n--\n\nportrule = function(host, port)\n return shortport.http(host, port) and shortport.ssl(host, port)\nend\n\n-- Tested on a Windows Server 2012 R2 DirectAccess deployment. The URI\n-- /IPTLS from the specification (see description) doesn't seem to work\n-- on recent versions. They may be related to Windows Server 2008 (R2).\nlocal request =\n'POST /IPHTTPS HTTP/1.1\\r\\n' ..\n'Host: %s\\r\\n' ..\n'Content-Length: 18446744073709551615\\r\\n\\r\\n'\n\naction = function(host, port)\n local target\n if host.targetname then\n target = host.targetname\n else\n -- Try to get the hostname from the SSL certificate.\n local status, cert = sslcert.getCertificate(host,port)\n if not status then\n -- fall back to reverse DNS\n target = host.name\n else\n target = cert.subject['commonName']\n end\n end\n\n if not target or target == \"\" then\n return\n end\n\n local socket, response = comm.tryssl(host, port,\n string.format(request, target), { lines=4 })\n if not socket then\n stdnse.debug1('Problem establishing connection: %s', response)\n return\n end\n socket:close()\n\n if string.match(response, 'HTTP/1.1 200%s.+HTTPAPI/2.0') then\n return true, 'IP-HTTPS is supported. This indicates that this host supports Microsoft DirectAccess.'\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:43:46", "description": "Retrieves a list of Git projects, owners and descriptions from a gitweb (web interface to the Git revision control system).\n\n## Script Arguments \n\n#### http-gitweb-projects-enum.path \n\nspecifies the location of gitweb (default: /)\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p80 www.example.com --script http-gitweb-projects-enum\n \n\n## Script Output \n \n \n 80/tcp open http\n | http-gitweb-projects-enum:\n | Projects from gitweb.samba.org:\n | PROJECT AUTHOR DESCRIPTION\n | sando.git authornum1 no description\n | camui/san.git devteam no description\n | albert/tdx.git/.git blueteam no description\n |\n | Number of projects: 172\n |_ Number of owners: 42\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [tab](<../lib/tab.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-04-20T12:46:49", "type": "nmap", "title": "http-gitweb-projects-enum NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-03-24T22:05:51", "id": "NMAP:HTTP-GITWEB-PROJECTS-ENUM.NSE", "href": "https://nmap.org/nsedoc/scripts/http-gitweb-projects-enum.html", "sourceData": "local http = require \"http\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal tab = require \"tab\"\nlocal table = require \"table\"\n\ndescription=[[\nRetrieves a list of Git projects, owners and descriptions from a gitweb (web interface to the Git revision control system).\n]]\n\n---\n-- @usage\n-- nmap -p80 www.example.com --script http-gitweb-projects-enum\n--\n-- @output\n-- 80/tcp open http\n-- | http-gitweb-projects-enum:\n-- | Projects from gitweb.samba.org:\n-- | PROJECT AUTHOR DESCRIPTION\n-- | sando.git authornum1 no description\n-- | camui/san.git devteam no description\n-- | albert/tdx.git/.git blueteam no description\n-- |\n-- | Number of projects: 172\n-- |_ Number of owners: 42\n--\n-- @args http-gitweb-projects-enum.path specifies the location of gitweb\n-- (default: /)\n\nauthor = \"riemann\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = shortport.http\n\n---\n-- @param author bloc (if author name are too long we have a span bloc)\n-- @return author name filtred from html entities\n---\nget_owner = function(res)\n local result=res\n local _\n if ( res:match('<span') ) then\n _,_,result=string.find(res,'title=\"(.-)\"')\n end\n return result\nend\n\naction = function(host, port)\n\n local path = stdnse.get_script_args(SCRIPT_NAME .. '.path') or '/'\n local response = http.get(host,port,path)\n local result, result_stats = {}, {}\n\n if not response or not response.status or response.status ~= 200 or\n not response.body then\n stdnse.debug1(\"Failed to retrieve file: %s\", path)\n return\n end\n\n local html = response.body\n local repo=tab.new()\n tab.addrow(repo,'PROJECT','AUTHOR','DESCRIPTION')\n\n -- verif generator\n if (html:match('meta name=\"generator\" content=\"gitweb(.-)\"')) then\n result['name'] = string.format(\"Projects from %s:\", host.targetname or host.ip)\n\n local owners, projects_counter, owners_counter = {}, 0, 0\n\n for tr_code in html:gmatch('(%<tr[^<>]*%>(.-)%</tr%>)') do\n local regx='<a[^<>]*href=\"(.-)\">(.-)</a>(.-)title=\"(.-)\"(.-)<i>(.-)</i>'\n for _, project, _, desc, _, owner in tr_code:gmatch(regx) do\n\n --if desc result return default text of gitweb replace it by no description\n if(string.find(desc,'Unnamed repository')) then\n desc='no description'\n end\n\n tab.addrow(repo, project, get_owner(owner), desc)\n\n -- Protect from parsing errors or long owners\n -- just an arbitrary value\n if owner:len() < 128 and not owners[owner] then\n owners[owner] = true\n owners_counter = owners_counter + 1\n end\n\n projects_counter = projects_counter + 1\n end\n end\n\n table.insert(result,tab.dump(repo))\n table.insert(result, \"\")\n table.insert(result,\n string.format(\"Number of projects: %d\", projects_counter))\n if (owners_counter > 0 ) then\n table.insert(result,\n string.format(\"Number of owners: %d\", owners_counter))\n end\n\n end\n return stdnse.format_output(true,result)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:48", "description": "Tests for the presence of the LibreOffice Impress Remote server. Checks if a PIN is valid if provided and will bruteforce the PIN if requested. \n\nWhen a remote first contacts Impress and sends a client name and PIN, the user must open the \"Slide Show -&gt; Impress Remote\" menu and enter the matching PIN at the prompt, which shows the client name. Subsequent connections with the same client name may then use the same PIN without user interaction. If no PIN has been set for the session, each PIN attempt will result in a new prompt in the \"Impress Remote\" menu. Brute-forcing the PIN, therefore, requires that the user has entered a PIN for the same client name, and will result in lots of extra prompts in the \"Impress Remote\" menu.\n\n## Script Arguments \n\n#### impress-remote-discover.client \n\nString value of the client name (default is `Firefox OS`).\n\n#### impress-remote-discover.bruteforce \n\nNo value needed (default is `false`).\n\n#### impress-remote-discover.pin \n\nPIN number for the remote (default is `0000`).\n\n## Example Usage \n \n \n nmap -p 1599 --script impress-remote-discover <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE Version\n 1599/tcp open impress-remote LibreOffice Impress remote 4.3.3.2\n | impress-remote-discover:\n | Impress Version: 4.3.3.2\n | Remote PIN: 0000\n |_ Client Name used: Firefox OS\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-04T19:54:56", "type": "nmap", "title": "impress-remote-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-03-04T19:54:56", "id": "NMAP:IMPRESS-REMOTE-DISCOVER.NSE", "href": "https://nmap.org/nsedoc/scripts/impress-remote-discover.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nTests for the presence of the LibreOffice Impress Remote server.\nChecks if a PIN is valid if provided and will bruteforce the PIN\nif requested.\n\nWhen a remote first contacts Impress and sends a client name and PIN, the user\nmust open the \"Slide Show -> Impress Remote\" menu and enter the matching PIN at\nthe prompt, which shows the client name. Subsequent connections with the same\nclient name may then use the same PIN without user interaction. If no PIN has\nbeen set for the session, each PIN attempt will result in a new prompt in the\n\"Impress Remote\" menu. Brute-forcing the PIN, therefore, requires that the user\nhas entered a PIN for the same client name, and will result in lots of extra\nprompts in the \"Impress Remote\" menu.\n]]\n\n---\n-- @usage nmap -p 1599 --script impress-remote-discover <host>\n--\n-- @output\n-- PORT STATE SERVICE Version\n-- 1599/tcp open impress-remote LibreOffice Impress remote 4.3.3.2\n-- | impress-remote-discover:\n-- | Impress Version: 4.3.3.2\n-- | Remote PIN: 0000\n-- |_ Client Name used: Firefox OS\n--\n-- @args impress-remote-discover.bruteforce No value needed (default is\n-- <code>false</code>).\n--\n-- @args impress-remote-discover.client String value of the client name\n-- (default is <code>Firefox OS</code>).\n--\n-- @args impress-remote-discover.pin PIN number for the remote (default is\n-- <code>0000</code>).\n\nauthor = \"Jer Hiebert\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"brute\"}\n\nportrule = shortport.port_or_service(1599, \"impress-remote\", \"tcp\")\n\nlocal function parse_args()\n local args = {}\n\n local client_name = stdnse.get_script_args(SCRIPT_NAME .. \".client\")\n if client_name then\n stdnse.debug(\"Client name provided: %s\", client_name)\n -- Sanity check the value from the user.\n if type(client_name) ~= \"string\" then\n return false, \"Client argument must be a string.\"\n end\n end\n args.client_name = client_name or \"Firefox OS\"\n\n local bruteforce = stdnse.get_script_args(SCRIPT_NAME .. \".bruteforce\")\n if bruteforce and bruteforce ~= \"false\" then\n -- accept any value but false.\n bruteforce = true\n else\n bruteforce = false\n end\n args.bruteforce = bruteforce or false\n\n local pin = stdnse.get_script_args(SCRIPT_NAME .. \".pin\")\n if pin then\n -- Sanity check the value from the user.\n pin = tonumber(pin)\n if type(pin) ~= \"number\" then\n return false, \"PIN argument must be a number.\"\n elseif pin < 0 or pin > 9999 then\n return false, \"PIN argument must be in range between 0000 and 9999 inclusive.\"\n elseif bruteforce then\n return false, \"When bruteforcing is enabled, a PIN cannot be set.\"\n end\n end\n args.pin = pin or 0\n\n return true, args\nend\n\nlocal remote_connect = function(host, port, client_name, pin)\n local socket = nmap.new_socket()\n local status, err = socket:connect(host, port)\n if not status then\n stdnse.debug(\"Can't connect: %s\", err)\n return\n end\n socket:set_timeout(5000)\n\n local buffer, err = stdnse.make_buffer(socket, \"\\n\")\n if err then\n socket:close()\n stdnse.debug1(\"Failed to create buffer from socket: %s\", err)\n return\n end\n socket:send(\"LO_SERVER_CLIENT_PAIR\\n\" .. client_name .. \"\\n\" .. pin .. \"\\n\\n\")\n\n return buffer, socket\nend\n\n-- Returns the Client Name, PIN, and Remote Server version if the PIN and Client Name are correct\nlocal remote_version = function(buffer, socket, client_name, pin)\n local line, err\n -- The line we are looking for is 4 down in the response\n -- so we loop through lines until we get to that one\n for j=0,3 do\n line, err = buffer()\n if not line then\n socket:close()\n stdnse.debug1(\"Failed to receive line from socket: %s\", err)\n return\n end\n\n if string.match(line, \"^LO_SERVER_INFO$\") then\n line, err = buffer()\n socket:close()\n local output = stdnse.output_table()\n output[\"Impress Version\"] = line\n output[\"Remote PIN\"] = pin\n output[\"Client Name used\"] = client_name\n return output\n end\n end\n\n socket:close()\n stdnse.debug1(\"Failed to parse version from socket.\")\n return\nend\n\nlocal check_pin = function(host, port, client_name, pin)\n local buffer, socket = remote_connect(host, port, client_name, pin)\n if not buffer then\n return\n end\n\n local line, err = buffer()\n if not line then\n socket:close()\n stdnse.debug1(\"Failed to receive line from socket: %s\", err)\n return\n end\n\n if string.match(line, \"^LO_SERVER_SERVER_PAIRED$\") then\n return remote_version(buffer, socket, client_name, pin)\n end\n\n socket:close()\n stdnse.debug1(\"Remote Server present but PIN and/or Client Name was not accepted.\")\n return\nend\n\nlocal bruteforce = function(host, port, client_name)\n -- There are 10000 possible PINs which we loop through\n for i=0,9999 do\n -- Pad the pin with leading zeros if required\n local pin = string.format(\"%04d\", i)\n if i % 100 == 0 then\n stdnse.debug1(\"Bruteforce attempt %d with PIN %s...\", i + 1, pin)\n end\n\n local buffer, socket = remote_connect(host, port, client_name, pin)\n if not buffer then\n return\n end\n\n local line, err = buffer()\n if not line then\n socket:close()\n stdnse.debug1(\"Failed to receive line from socket: %s\", err)\n return\n end\n\n if string.match(line, \"^LO_SERVER_SERVER_PAIRED$\") then\n return remote_version(buffer, socket, client_name, pin)\n end\n\n socket:close()\n end\n\n stdnse.debug1(\"Failed to bruteforce PIN.\")\n return\nend\n\naction = function(host, port)\n -- Parse and sanity check the command line arguments.\n local status, options = parse_args()\n if not status then\n stdnse.verbose1(\"ERROR: %s\", options)\n return stdnse.format_output(false, options)\n end\n\n local result\n if options.bruteforce then\n result = bruteforce(host, port, options.client_name)\n else\n result = check_pin(host, port, options.client_name, options.pin)\n end\n\n if result and result[\"Impress Version\"] then\n port.version.product = port.version.product or \"LibreOffice Impress remote\"\n port.version.version = result[\"Impress Version\"]\n table.insert(port.version.cpe, (\"cpe:/a:libreoffice:libreoffice:%s\"):format(result[\"Impress Version\"]))\n nmap.set_port_version(host, port, \"hardmatched\")\n end\n\n return result\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:36:15", "description": "Lists modules available for rsync (remote file sync) synchronization.\n\n## Example Usage \n \n \n nmap -p 873 --script rsync-list-modules <ip>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 873/tcp open rsync\n | rsync-list-modules:\n | www \twww directory\n | log \tlog directory\n |_ etc \tetc directory\n \n\n## Requires \n\n * [rsync](<../lib/rsync.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-02-05T10:10:59", "type": "nmap", "title": "rsync-list-modules NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:RSYNC-LIST-MODULES.NSE", "href": "https://nmap.org/nsedoc/scripts/rsync-list-modules.html", "sourceData": "local rsync = require \"rsync\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nLists modules available for rsync (remote file sync) synchronization.\n]]\n\n---\n-- @usage\n-- nmap -p 873 --script rsync-list-modules <ip>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 873/tcp open rsync\n-- | rsync-list-modules:\n-- | www \twww directory\n-- | log \tlog directory\n-- |_ etc \tetc directory\n--\n\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\nportrule = shortport.port_or_service(873, \"rsync\", \"tcp\")\n\nlocal function fail (err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n local helper = rsync.Helper:new(host, port, { module = \"\" })\n if ( not(helper) ) then\n return fail(\"Failed to create rsync.Helper\")\n end\n\n local status, err = helper:connect()\n if ( not(status) ) then\n return fail(\"Failed to connect to rsync server\")\n end\n\n local modules = {}\n status, modules = helper:listModules()\n if ( not(status) ) then\n return fail(\"Failed to retrieve a list of modules\")\n end\n return stdnse.format_output(true, modules)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:33:15", "description": "Runs unit tests on all NSE libraries.\n\n## Script Arguments \n\n#### unittest.run \n\nRun tests. Causes `unittest.testing()` to return true.\n\n#### unittest.tests \n\nRun tests from only these libraries (defaults to all)\n\n## Example Usage \n \n \n nmap --script unittest --script-args unittest.run\n \n\n## Script Output \n \n \n Pre-scan script results:\n | unittest:\n |_ All tests passed\n\n## Requires \n\n * [stdnse](<../lib/stdnse.html>)\n * [unittest](<../lib/unittest.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2014-01-03T21:10:01", "type": "nmap", "title": "unittest NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:UNITTEST.NSE", "href": "https://nmap.org/nsedoc/scripts/unittest.html", "sourceData": "local stdnse = require \"stdnse\"\nlocal unittest = require \"unittest\"\n\ndescription = [[\nRuns unit tests on all NSE libraries.\n]]\n\n---\n-- @args unittest.run Run tests. Causes <code>unittest.testing()</code> to\n-- return true.\n--\n-- @args unittest.tests Run tests from only these libraries (defaults to all)\n--\n-- @usage\n-- nmap --script unittest --script-args unittest.run\n--\n-- @output\n-- Pre-scan script results:\n-- | unittest:\n-- |_ All tests passed\n\nauthor = \"Daniel Miller\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"safe\"}\n\n\nprerule = unittest.testing\n\naction = function()\n local libs = stdnse.get_script_args(\"unittest.tests\")\n local result\n if libs then\n result = unittest.run_tests(libs)\n else\n result = unittest.run_tests()\n end\n if #result == 0 then\n return \"All tests passed\"\n else\n return result\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:11", "description": "Retrieves the day and time from the Daytime service.\n\n## Example Usage \n \n \n nmap -sV --script=daytime <target>\n\n## Script Output \n \n \n PORT STATE SERVICE\n 13/tcp open daytime\n |_daytime: Wed Mar 31 14:48:58 MDT 2010\n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [shortport](<../lib/shortport.html>)\n * [oops](<../lib/oops.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2008-11-06T02:52:59", "type": "nmap", "title": "daytime NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-06-28T20:44:19", "id": "NMAP:DAYTIME.NSE", "href": "https://nmap.org/nsedoc/scripts/daytime.html", "sourceData": "local comm = require \"comm\"\nlocal shortport = require \"shortport\"\nlocal oops = require \"oops\"\n\ndescription = [[\nRetrieves the day and time from the Daytime service.\n]]\n\n---\n-- @output\n-- PORT STATE SERVICE\n-- 13/tcp open daytime\n-- |_daytime: Wed Mar 31 14:48:58 MDT 2010\n\nauthor = \"Diman Todorov\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = shortport.port_or_service(13, \"daytime\", {\"tcp\", \"udp\"})\n\naction = function(host, port)\n return oops.output(comm.exchange(host, port, \"dummy\", {lines=1}))\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:35:43", "description": "Detects the Skype version 2 service.\n\n## Example Usage \n \n \n nmap -sV <target>\n\n## Script Output \n \n \n PORT STATE SERVICE VERSION\n 80/tcp open skype2 Skype\n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [string](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2008-11-06T02:52:59", "type": "nmap", "title": "skypev2-version NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-03-15T02:23:09", "id": "NMAP:SKYPEV2-VERSION.NSE", "href": "https://nmap.org/nsedoc/scripts/skypev2-version.html", "sourceData": "local comm = require \"comm\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal string = require \"string\"\nlocal U = require \"lpeg-utility\"\n\ndescription = [[\nDetects the Skype version 2 service.\n]]\n\n---\n-- @output\n-- PORT STATE SERVICE VERSION\n-- 80/tcp open skype2 Skype\n\nauthor = \"Brandon Enright\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"version\"}\n\n\nportrule = function(host, port)\n return (port.number == 80 or port.number == 443 or\n port.service == nil or port.service == \"\" or\n port.service == \"unknown\")\n and port.protocol == \"tcp\" and port.state == \"open\"\n and port.version.name_confidence < 10\n and not(shortport.port_is_excluded(port.number,port.protocol))\n and nmap.version_intensity() >= 7\nend\n\naction = function(host, port)\n local result, rand\n -- Did the service engine already do the hard work?\n if port.version and port.version.service_fp then\n -- Probes sent, replies received, but no match.\n result = U.get_response(port.version.service_fp, \"GetRequest\")\n -- Loop through the ASCII probes most likely to receive random response\n -- from Skype. Others will also receive this response, but are harder to\n -- distinguish from an echo service.\n for _, p in ipairs({\"HTTPOptions\", \"RTSPRequest\"}) do\n rand = U.get_response(port.version.service_fp, p)\n if rand then\n break\n end\n end\n end\n local status\n if not result then\n -- Have to send the probe ourselves.\n status, result = comm.exchange(host, port,\n \"GET / HTTP/1.0\\r\\n\\r\\n\", {bytes=26})\n\n if (not status) then\n return nil\n end\n end\n\n if (result ~= \"HTTP/1.0 404 Not Found\\r\\n\\r\\n\") then\n return\n end\n\n -- So far so good, now see if we get random data for another request\n if not rand then\n status, rand = comm.exchange(host, port,\n \"random data\\r\\n\\r\\n\", {bytes=15})\n\n if (not status) then\n return\n end\n end\n\n if string.match(rand, \"[^%s!-~].*[^%s!-~].*[^%s!-~]\") then\n -- Detected\n port.version.name = \"skype2\"\n port.version.product = \"Skype\"\n nmap.set_port_version(host, port)\n return\n end\n return\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:35:16", "description": "Implements remote process execution similar to the Sysinternals' psexec tool, allowing a user to run a series of programs on a remote machine and read the output. This is great for gathering information about servers, running the same tool on a range of system, or even installing a backdoor on a collection of computers. \n\nThis script can run commands present on the remote machine, such as ping or tracert, or it can upload a program and run it, such as pwdump6 or a backdoor. Additionally, it can read the program's stdout/stderr and return it to the user (works well with ping, pwdump6, etc), or it can read a file that the process generated (fgdump, for example, generates a file), or it can just start the process and let it run headless (a backdoor might run like this). \n\nTo use this, a configuration file should be created and edited. Several configuration files are included that you can customize, or you can write your own. This config file is placed in `nselib/data/psexec` (if you aren't sure where that is, search your system for `default.lua`), then is passed to Nmap as a script argument (for example, myconfig.lua would be passed as `--script-args=config=myconfig`. \n\nThe configuration file consists mainly of a module list. Each module is defined by a lua table, and contains fields for the name of the program, the executable and arguments for the program, and a score of other options. Modules also have an 'upload' field, which determines whether or not the module is to be uploaded. Here is a simple example of how to run \n \n \n net\n localgroup administrators\n\n, which returns a list of users in the \"administrators\" group (take a look at the `examples.lua` configuration file for these examples): \n \n \n mod = {}\n mod.upload = false\n mod.name = \"Example 1: Membership of 'administrators'\"\n mod.program = \"net.exe\"\n mod.args = \"localgroup administrators\"\n table.insert(modules, mod)\n\n`mod.upload` is `false`, meaning the program should already be present on the remote system (since 'net.exe' is on every version of Windows, this should be the case). `mod.name` defines the name that the program will have in the output. `mod.program` and `mod.args` obviously define which program is going to be run. The output for this script is this: \n \n \n | Example 1: Membership of 'administrators'\n | | Alias name administrators\n | | Comment Administrators have complete and unrestricted access to the computer/domain\n | |\n | | Members\n | |\n | | -------------------------------------------------------------------------------\n | | Administrator\n | | ron\n | | test\n | | The command completed successfully.\n | |\n | |_\n\nThat works, but it's really ugly. In general, we can use `mod.find`, `mod.replace`, `mod.remove`, and `mod.noblank` to clean up the output. For this example, we're going to use `mod.remove` to remove a lot of the useless lines, and `mod.noblank` to get rid of the blank lines that we don't want: \n \n \n mod = {}\n mod.upload = false\n mod.name = \"Example 2: Membership of 'administrators', cleaned\"\n mod.program = \"net.exe\"\n mod.args = \"localgroup administrators\"\n mod.remove = {\"The command completed\", \"%-%-%-%-%-%-%-%-%-%-%-\", \"Members\", \"Alias name\", \"Comment\"}\n mod.noblank = true\n table.insert(modules, mod)\n\nWe can see that the output is now much cleaner: \n \n \n | Example 2: Membership of 'administrators', cleaned\n | | Administrator\n | | ron\n | |_test\n\nFor our next command, we're going to run Windows' ipconfig.exe, which outputs a significant amount of unnecessary information, and what we do want isn't formatted very nicely. All we want is the IP address and MAC address, and we get it using `mod.find` and `mod.replace`: \n \n \n mod = {}\n mod.upload = false\n mod.name = \"Example 3: IP Address and MAC Address\"\n mod.program = \"ipconfig.exe\"\n mod.args = \"/all\"\n mod.maxtime = 1\n mod.find = {\"IP Address\", \"Physical Address\", \"Ethernet adapter\"}\n mod.replace = {{\"%. \", \"\"}, {\"-\", \":\"}, {\"Physical Address\", \"MAC Address\"}}\n table.insert(modules, mod)\n\nThis module searches for lines that contain \"IP Address\", \"Physical Address\", or \"Ethernet adapter\". In these lines, a \". \" is replaced with nothing, a \"-\" is replaced with a colon, and the term \"Physical Address\" is replaced with \"MAC Address\" (arguably unnecessary). Run ipconfig /all yourself to see what we start with, but here's the final output: \n \n \n | Example 3: IP Address and MAC Address\n | | Ethernet adapter Local Area Connection:\n | | MAC Address: 00:0C:29:12:E6:DB\n | |_ IP Address: 192.168.1.21| Example 3: IP Address and MAC Address\n\nAnother interesting part of this script is that variables can be used in any script fields. There are two types of variables: built-in and user-supplied. Built-in variables can be anything found in the `config` table, most of which are listed below. The more interesting ones are: \n\n * `$lhost`: The address of the scanner \n * `$rhost`: The address being scanned \n * `$path`: The path where the scripts are uploaded \n * `$share`: The share where the script was uploaded \n\nUser-supplied arguments are given on the commandline, and can be controlled by `mod.req_args` in the configuration file. Arguments are given by the user in --script-args; for example, to set $host to '1.2.3.4', the user would pass in --script-args=host=1.2.3.4. To ensure the user passes in the host variable, `mod.req_args` would be set to `{'host'}`. \n\nHere is a module that pings the local ip address: \n \n \n mod = {}\n mod.upload = false\n mod.name = \"Example 4: Can the host ping our address?\"\n mod.program = \"ping.exe\"\n mod.args = \"$lhost\"\n mod.remove = {\"statistics\", \"Packet\", \"Approximate\", \"Minimum\"}\n mod.noblank = true\n mod.env = \"SystemRoot=c:\\\\WINDOWS\"\n table.insert(modules, mod)\n\nAnd the output: \n \n \n | Example 4: Can the host ping our address?\n | | Pinging 192.168.1.100 with 32 bytes of data:\n | | Reply from 192.168.1.100: bytes=32 time<1ms TTL=64\n | | Reply from 192.168.1.100: bytes=32 time<1ms TTL=64\n | | Reply from 192.168.1.100: bytes=32 time<1ms TTL=64\n | |_Reply from 192.168.1.100: bytes=32 time<1ms TTL=64\n\nAnd this module pings an arbitrary address that the user is expected to give: \n \n \n mod = {}\n mod.upload = false\n mod.name = \"Example 5: Can the host ping $host?\"\n mod.program = \"ping.exe\"\n mod.args = \"$host\"\n mod.remove = {\"statistics\", \"Packet\", \"Approximate\", \"Minimum\"}\n mod.noblank = true\n mod.env = \"SystemRoot=c:\\\\WINDOWS\"\n mod.req_args = {'host'}\n table.insert(modules, mod)\n\nAnd the output (note that we had to up the timeout so this would complete; we'll talk about override values later): \n \n \n $ ./nmap -n -d -p445 --script=smb-psexec --script-args=smbuser=test,smbpass=test,config=examples,host=1.2.3.4 192.168.1.21\n [...]\n | Example 5: Can the host ping 1.2.3.4?\n | | Pinging 1.2.3.4 with 32 bytes of data:\n | | Request timed out.\n | | Request timed out.\n | | Request timed out.\n | |_Request timed out.\n\nFor the final example, we'll use the `upload` command to upload `fgdump.exe`, run it, download its output file, and clean up its logfile. You'll have to put `fgdump.exe` in the same folder as the script for this to work: \n \n \n mod = {}\n mod.upload = true\n mod.name = \"Example 6: FgDump\"\n mod.program = \"fgdump.exe\"\n mod.args = \"-c -l fgdump.log\"\n mod.url = \"http://www.foofus.net/fizzgig/fgdump/\"\n mod.tempfiles = {\"fgdump.log\"}\n mod.outfile = \"127.0.0.1.pwdump\"\n table.insert(modules, mod)\n\nThe `-l` argument for fgdump supplies the name of the logfile. That file is listed in the `mod.tempfiles` field. What, exactly, does `mod.tempfiles` do? It simply gives the service a list of files to delete while cleaning up. The cleanup process will be discussed later. \n\n`mod.url` is displayed to the user if `mod.program` isn't found in `nselib/data/psexec/`. And finally, `mod.outfile` is the file that is downloaded from the system. This is required because fgdump writes to an output file instead of to stdout (pwdump6, for example, doesn't require `mod.outfile`. \n\nNow that we've seen a few possible combinations of fields, I present a complete list of all fields available and what each of them do. Many of them will be familiar, but there are a few that aren't discussed in the examples: \n\n * `upload` (boolean) true if it's a local file to upload, false if it's already on the host machine. If `upload` is true, `program` has to be in `nselib/data/psexec`. \n * `name` (string) The name to display above the output. If this isn't given, `program` .. `args` are used. \n * `program` (string) If `upload` is false, the name (fully qualified or relative) of the program on the remote system; if `upload` is true, the name of the local file that will be uploaded (stored in `nselib/data/psexec`). \n * `args` (string) Arguments to pass to the process. \n * `env` (string) Environmental variables to pass to the process, as name=value pairs, delimited, per Microsoft's spec, by NULL characters (`string.char(0)`). \n * `maxtime` (integer) The approximate amount of time to wait for this process to complete. The total timeout for the script before it gives up waiting for a response is the total of all `maxtime` fields. \n * `extrafiles` (string[]) Extra file(s) to upload before running the program. These will not be renamed (because, presumably, if they are then the program won't be able to find them), but they will be marked as hidden/system/etc. This may cause a race condition if multiple people are doing this at once, but there isn't much we can do. The files are also deleted afterwards as tempfiles would be. The files have to be in the same directory as programs (`nselib/data/psexec`), but the program doesn't necessarily need to be an uploaded one. \n * `tempfiles` (string[]) A list of temporary files that the process is known to create (if the process does create files, using this field is recommended because it helps avoid making a mess on the remote system). \n * `find` (string[]) Only display lines that contain the given string(s) (for example, if you're searching for a line that contains \"IP Address\", set this to \n \n {'IP\n Address'}\n\n. This allows Lua-style patterns, see: <http://lua-users.org/wiki/PatternsTutorial> (don't forget to escape special characters with a `%`). Note that this is client-side only; the full output is still returned, the rest is removed while displaying. The line of output only needs to match one of the strings given here. \n * `remove` (string[]) Opposite of `find`; this removes lines containing the given string(s) instead of displaying them. Like `find`, this is client-side only and uses Lua-style patterns. If `remove` and `find` are in conflict, then `remove` takes priority. \n * `noblank` (boolean) Setting this to true removes all blank lines from the output. \n * `replace` (table) A table of values to replace in the strings returned. Like `find` and `replace`, this is client-side only and uses Lua-style patterns. \n * `headless` (boolean) If `headless` is set to true, the program doesn't return any output; rather, it runs detached from the service so that, when the service ends, the program keeps going. This can be useful for, say, a monitoring program. Or a backdoor, if that's what you're into (a Metasploit payload should work nicely). Not compatible with: `find`, `remove`, `noblank`, `replace`, `maxtime`, `outfile`. \n * `enabled` (boolean) Set to false, and optionally set `disabled_message`, if you don't want a module to run. Alternatively, you can comment out the process. \n * `disabled_message` (string) Displayed if the module is disabled. \n * `url` (string) A module where the user can download the uploadable file. Displayed if the uploadable file is missing. \n * `outfile` (string) If set, the specified file will be returned instead of stdout. \n * `req_args` (string[]) An array of arguments that the user must set in `--script-args`. \n\nAny field in the configuration file can contain variables, as discussed. Here are some of the available built-in variables: \n\n * `$lhost`: local IP address as a string. \n * `$lport`: local port (meaningless; it'll change by the time the module is uploaded since multiple connections are made). \n * `$rhost`: remote IP address as a string. \n * `$rport`: remote port. \n * `$lmac`: local MAC address as a string in the xx:xx:xx:xx:xx:xx format (note: requires root). \n * `$path`: the path where the file will be uploaded to. \n * `$service_name`: the name of the service that will be running this program \n * `$service_file`: the name of the executable file for the service \n * `$temp_output_file`: The (ciphered) file where the programs' output will be written before being renamed to $output_file \n * `$output_file`: The final name of the (ciphered) output file. When this file appears, the script downloads it and stops the service \n * `$timeout`: The total amount of time the script is going to run before it gives up and stops the process \n * `$share`: The share that everything was uploaded to \n * (script args): Any value passed as a script argument will be replaced (for example, if Nmap is run with `--script-args=var3=10`, then `$var3` in any field will be replaced with `10`. See the `req_args` field above. Script argument values take priority over config values. \n\nIn addition to modules, the configuration file can also contain overrides. Most of these aren't useful, so I'm not going to go into great detail. Search `smb-psexec.nse` for any reference to the `config` table; any value in the `config` table can be overridden with the `overrides` table in the module. The most useful value to override is probably `timeout`. \n\nBefore and after scripts are run, and when there's an error, a cleanup is performed. in the cleanup, we attempt to stop the remote processes, delete all programs, output files, temporary files, extra files, etc. A lot of effort was put into proper cleanup, since making a mess on remote systems is a bad idea. \n\nNow that I've talked at length about how to use this script, I'd like to spend some time talking about how it works. \n\nRunning a script happens in several stages: \n\n 1. An open fileshare is found that we can write to. Finding an open fileshare basically consists of enumerating all shares and seeing which one(s) we have access to. \n 2. A \"service wrapper\", and all of the uploadable/extra files, are uploaded. Before they're uploaded, the name of each file is obfuscated. The obfuscation completely renames the file, is unique for each source system, and doesn't change between multiple runs. This obfuscation has the benefit of preventing filenames from overlapping if multiple people are running this against the same computer, and also makes it more difficult to determine their purposes. The reason for keeping them consistent for every run is to make cleanup possible: a random filename, if the script somehow fails, will be left on the system. \n 3. A new service is created and started. The new service has a random name for the same reason the files do, and points at the 'service wrapper' program that was uploaded. \n 4. The service runs the processes. One by one, the processes are run and their output is captured. The output is obfuscated using a simple (and highly insecure) xor algorithm, which is designed to prevent casual sniffing (but won't deter intelligent attackers). This data is put into a temporary output file. When all the programs have finished, the file is renamed to the final output file \n 5. The output file is downloaded, and the cleanup is performced. The file being renamed triggers the final stage of the program, where the data is downloaded and all relevant files are deleted. \n 6. Output file, now decrypted, is formatted and displayed to the user. \n\nAnd that's how it works! \n\nPlease post any questions, or suggestions for better modules, to dev@nmap.org. \n\nAnd, as usual, since this tool can be dangerous and can easily be viewed as a malicious tool -- use this responsibly, and don't break any laws with it. \n\nSome ideas for later versions (TODO): \n\n * Set up a better environment for scripts (`PATH`, `SystemRoot`, etc). Without this, a lot of programs (especially ones that deal with network traffic) behave oddly. \n * Abstract the code required to run remote processes so other scripts can use it more easily (difficult, but will ultimately be well worth it later). (May actually not be possible. There is a lot of overhead and specialized code in this module. We'll see, though.) \n * Let user specify an output file (per-script) so they can, for example, download binary files (don't think it's worthwhile). \n * Consider running the external programs in parallel (not sure if the benefits outweigh the drawbacks). \n * Let the config request the return code from the process instead of the output (not sure if doing this would be worth the effort). \n * Check multiple shares in a single session to save packets (and see where else we can tighten up the amount of traffic).\n\n## Script Arguments \n\n#### nohide \n\nDon't set the uploaded files to hidden/system/etc.\n\n#### cleanup \n\nSet to only clean up any mess we made (leftover files, processes, etc. on the host OS) on a previous run of the script. This will attempt to delete the files from every share, not just the first one. This is done to prevent leftover files if the OS changes the ordering of the shares (there's no guarantee of shares coming back in any particular order) Note that cleaning up is still fairly invasive, since it has to re-discover the proper share, connect to it, delete files, open the services manager, etc.\n\n#### nocipher \n\nSet to disable the ciphering of the returned text (useful for debugging).\n\n#### sharepath \n\nThe full path to the share (eg, `\"c:\\windows\"`). This is required when creating a service.\n\n#### config \n\nThe config file to use (eg, default). Config files require a .lua extension, and are located in `nselib/data/psexec`.\n\n#### time \n\nThe minimum amount of time, in seconds, to wait for the external module to finish (default: `15`)\n\n#### nocleanup \n\nSet to not clean up at all; this leaves the files on the remote system and the wrapper service installed. This is bad in practice, but significantly reduces the network traffic and makes analysis easier.\n\n#### key \n\nScript uses this value instead of a random encryption key (useful for debugging the crypto).\n\n#### share \n\nSet to override the share used for uploading. This also stops shares from being enumerated, and all other shares will be ignored. No checks are done to determine whether or not this is a valid share before using it. Reqires `sharepath` to be set.\n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <host>\n sudo nmap -sU -sS --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p U:137,T:139 <host>\n \n\n## Script Output \n \n \n Host script results:\n | smb-psexec:\n | | Windows version\n | | |_ Microsoft Windows 2000 [Version 5.00.2195]\n | | IP Address and MAC Address from 'ipconfig.exe'\n | | | Ethernet adapter Local Area Connection 2:\n | | | MAC Address: 00:50:56:A1:24:C2\n | | | IP Address: 10.0.0.30\n | | | Ethernet adapter Local Area Connection:\n | | |_ MAC Address: 00:50:56:A1:00:65\n | | User list from 'net user'\n | | | Administrator TestUser3 Guest\n | | | IUSR_RON-WIN2K-TEST IWAM_RON-WIN2K-TEST nmap\n | | | rontest123 sshd SvcCOPSSH\n | | |_ test1234 Testing TsInternetUser\n | | Membership of 'administrators' from 'net localgroup administrators'\n | | | Administrator\n | | | SvcCOPSSH\n | | | test1234\n | | |_ Testing\n | | Can the host ping our address?\n | | | Pinging 10.0.0.138 with 32 bytes of data:\n | | |_ Reply from 10.0.0.138: bytes=32 time<10ms TTL=64\n | | Traceroute back to the scanner\n | | |_ 1 <10 ms <10 ms <10 ms 10.0.0.138\n | | ARP Cache from arp.exe\n | | | Internet Address Physical Address Type\n | | |_ 10.0.0.138 00-50-56-a1-27-4b dynamic\n | | List of listening and established connections (netstat -an)\n | | | Proto Local Address Foreign Address State\n | | | TCP 0.0.0.0:22 0.0.0.0:0 LISTENING\n | | | TCP 0.0.0.0:25 0.0.0.0:0 LISTENING\n | | | TCP 0.0.0.0:80 0.0.0.0:0 LISTENING\n | | | TCP 0.0.0.0:135 0.0.0.0:0 LISTENING\n | | | TCP 0.0.0.0:443 0.0.0.0:0 LISTENING\n | | | TCP 0.0.0.0:445 0.0.0.0:0 LISTENING\n | | | TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING\n | | | TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING\n | | | TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING\n | | | TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING\n | | | TCP 0.0.0.0:4933 0.0.0.0:0 LISTENING\n | | | TCP 10.0.0.30:139 0.0.0.0:0 LISTENING\n | | | TCP 127.0.0.1:2528 127.0.0.1:2529 ESTABLISHED\n | | | TCP 127.0.0.1:2529 127.0.0.1:2528 ESTABLISHED\n | | | TCP 127.0.0.1:2531 127.0.0.1:2532 ESTABLISHED\n | | | TCP 127.0.0.1:2532 127.0.0.1:2531 ESTABLISHED\n | | | TCP 127.0.0.1:5152 0.0.0.0:0 LISTENING\n | | | TCP 127.0.0.1:5152 127.0.0.1:2530 CLOSE_WAIT\n | | | UDP 0.0.0.0:135 *:*\n | | | UDP 0.0.0.0:445 *:*\n | | | UDP 0.0.0.0:1030 *:*\n | | | UDP 0.0.0.0:3456 *:*\n | | | UDP 10.0.0.30:137 *:*\n | | | UDP 10.0.0.30:138 *:*\n | | | UDP 10.0.0.30:500 *:*\n | | | UDP 10.0.0.30:4500 *:*\n | | |_ UDP 127.0.0.1:1026 *:*\n | | Full routing table from 'netstat -nr'\n | | | ===========================================================================\n | | | Interface List\n | | | 0x1 ........................... MS TCP Loopback interface\n | | | 0x2 ...00 50 56 a1 00 65 ...... VMware Accelerated AMD PCNet Adapter\n | | | 0x1000004 ...00 50 56 a1 24 c2 ...... VMware Accelerated AMD PCNet Adapter\n | | | ===========================================================================\n | | | ===========================================================================\n | | | Active Routes:\n | | | Network Destination Netmask Gateway Interface Metric\n | | | 10.0.0.0 255.255.255.0 10.0.0.30 10.0.0.30 1\n | | | 10.0.0.30 255.255.255.255 127.0.0.1 127.0.0.1 1\n | | | 10.255.255.255 255.255.255.255 10.0.0.30 10.0.0.30 1\n | | | 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1\n | | | 224.0.0.0 224.0.0.0 10.0.0.30 10.0.0.30 1\n | | | 255.255.255.255 255.255.255.255 10.0.0.30 2 1\n | | | ===========================================================================\n | | | Persistent Routes:\n | | | None\n |_ |_ |_ Route Table\n \n\n## Requires \n\n * [io](<>)\n * [math](<>)\n * [msrpc](<../lib/msrpc.html>)\n * [nmap](<../lib/nmap.html>)\n * [smb](<../lib/smb.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [stringaux](<../lib/stringaux.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2009-11-20T16:19:40", "type": "nmap", "title": "smb-psexec NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:SMB-PSEXEC.NSE", "href": "https://nmap.org/nsedoc/scripts/smb-psexec.html", "sourceData": "local _G = require \"_G\"\nlocal io = require \"io\"\nlocal math = require \"math\"\nlocal msrpc = require \"msrpc\"\nlocal nmap = require \"nmap\"\nlocal smb = require \"smb\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal stringaux = require \"stringaux\"\nlocal table = require \"table\"\n\ndescription = [[\nImplements remote process execution similar to the Sysinternals' psexec\ntool, allowing a user to run a series of programs on a remote machine and\nread the output. This is great for gathering information about servers,\nrunning the same tool on a range of system, or even installing a backdoor on\na collection of computers.\n\nThis script can run commands present on the remote machine, such as ping or\ntracert, or it can upload a program and run it, such as pwdump6 or a\nbackdoor. Additionally, it can read the program's stdout/stderr and return\nit to the user (works well with ping, pwdump6, etc), or it can read a file\nthat the process generated (fgdump, for example, generates a file), or it\ncan just start the process and let it run headless (a backdoor might run\nlike this).\n\nTo use this, a configuration file should be created and edited. Several\nconfiguration files are included that you can customize, or you can write\nyour own. This config file is placed in <code>nselib/data/psexec</code> (if\nyou aren't sure where that is, search your system for\n<code>default.lua</code>), then is passed to Nmap as a script argument (for\nexample, myconfig.lua would be passed as\n<code>--script-args=config=myconfig</code>.\n\nThe configuration file consists mainly of a module list. Each module is\ndefined by a lua table, and contains fields for the name of the program, the\nexecutable and arguments for the program, and a score of other options.\nModules also have an 'upload' field, which determines whether or not the\nmodule is to be uploaded. Here is a simple example of how to run <code>net\nlocalgroup administrators</code>, which returns a list of users in the\n\"administrators\" group (take a look at the <code>examples.lua</code>\nconfiguration file for these examples):\n\n<code>\n mod = {}\n mod.upload = false\n mod.name = \"Example 1: Membership of 'administrators'\"\n mod.program = \"net.exe\"\n mod.args = \"localgroup administrators\"\n table.insert(modules, mod)\n</code>\n\n<code>mod.upload</code> is <code>false</code>, meaning the program should\nalready be present on the remote system (since 'net.exe' is on every version\nof Windows, this should be the case). <code>mod.name</code> defines the name\nthat the program will have in the output. <code>mod.program</code> and\n<code>mod.args</code> obviously define which program is going to be run. The\noutput for this script is this:\n\n<code>\n | Example 1: Membership of 'administrators'\n | | Alias name administrators\n | | Comment Administrators have complete and unrestricted access to the computer/domain\n | |\n | | Members\n | |\n | | -------------------------------------------------------------------------------\n | | Administrator\n | | ron\n | | test\n | | The command completed successfully.\n | |\n | |_\n</code>\n\nThat works, but it's really ugly. In general, we can use\n<code>mod.find</code>, <code>mod.replace</code>, <code>mod.remove</code>,\nand <code>mod.noblank</code> to clean up the output. For this example, we're\ngoing to use <code>mod.remove</code> to remove a lot of the useless lines,\nand <code>mod.noblank</code> to get rid of the blank lines that we don't\nwant:\n\n<code>\n mod = {}\n mod.upload = false\n mod.name = \"Example 2: Membership of 'administrators', cleaned\"\n mod.program = \"net.exe\"\n mod.args = \"localgroup administrators\"\n mod.remove = {\"The command completed\", \"%-%-%-%-%-%-%-%-%-%-%-\", \"Members\", \"Alias name\", \"Comment\"}\n mod.noblank = true\n table.insert(modules, mod)\n</code>\n\nWe can see that the output is now much cleaner:\n\n<code>\n| Example 2: Membership of 'administrators', cleaned\n| | Administrator\n| | ron\n| |_test\n</code>\n\nFor our next command, we're going to run Windows' ipconfig.exe, which\noutputs a significant amount of unnecessary information, and what we do want\nisn't formatted very nicely. All we want is the IP address and MAC address,\nand we get it using <code>mod.find</code> and <code>mod.replace</code>:\n\n<code>\n mod = {}\n mod.upload = false\n mod.name = \"Example 3: IP Address and MAC Address\"\n mod.program = \"ipconfig.exe\"\n mod.args = \"/all\"\n mod.maxtime = 1\n mod.find = {\"IP Address\", \"Physical Address\", \"Ethernet adapter\"}\n mod.replace = {{\"%. \", \"\"}, {\"-\", \":\"}, {\"Physical Address\", \"MAC Address\"}}\n table.insert(modules, mod)\n</code>\n\nThis module searches for lines that contain \"IP Address\", \"Physical\nAddress\", or \"Ethernet adapter\". In these lines, a \". \" is replaced with\nnothing, a \"-\" is replaced with a colon, and the term \"Physical Address\" is\nreplaced with \"MAC Address\" (arguably unnecessary). Run ipconfig /all\nyourself to see what we start with, but here's the final output:\n\n<code>\n| Example 3: IP Address and MAC Address\n| | Ethernet adapter Local Area Connection:\n| | MAC Address: 00:0C:29:12:E6:DB\n| |_ IP Address: 192.168.1.21| Example 3: IP Address and MAC Address\n</code>\n\nAnother interesting part of this script is that variables can be used in any\nscript fields. There are two types of variables: built-in and user-supplied.\nBuilt-in variables can be anything found in the <code>config</code> table,\nmost of which are listed below. The more interesting ones are:\n\n* <code>$lhost</code>: The address of the scanner\n* <code>$rhost</code>: The address being scanned\n* <code>$path</code>: The path where the scripts are uploaded\n* <code>$share</code>: The share where the script was uploaded\n\nUser-supplied arguments are given on the commandline, and can be controlled\nby <code>mod.req_args</code> in the configuration file. Arguments are given\nby the user in --script-args; for example, to set $host to '1.2.3.4', the\nuser would pass in --script-args=host=1.2.3.4. To ensure the user passes in\nthe host variable, <code>mod.req_args</code> would be set to\n<code>{'host'}</code>.\n\nHere is a module that pings the local ip address:\n\n<code>\n mod = {}\n mod.upload = false\n mod.name = \"Example 4: Can the host ping our address?\"\n mod.program = \"ping.exe\"\n mod.args = \"$lhost\"\n mod.remove = {\"statistics\", \"Packet\", \"Approximate\", \"Minimum\"}\n mod.noblank = true\n mod.env = \"SystemRoot=c:\\\\WINDOWS\"\n table.insert(modules, mod)\n</code>\n\nAnd the output:\n<code>\n| Example 4: Can the host ping our address?\n| | Pinging 192.168.1.100 with 32 bytes of data:\n| | Reply from 192.168.1.100: bytes=32 time<1ms TTL=64\n| | Reply from 192.168.1.100: bytes=32 time<1ms TTL=64\n| | Reply from 192.168.1.100: bytes=32 time<1ms TTL=64\n| |_Reply from 192.168.1.100: bytes=32 time<1ms TTL=64\n</code>\n\nAnd this module pings an arbitrary address that the user is expected to\ngive:\n\n<code>\n mod = {}\n mod.upload = false\n mod.name = \"Example 5: Can the host ping $host?\"\n mod.program = \"ping.exe\"\n mod.args = \"$host\"\n mod.remove = {\"statistics\", \"Packet\", \"Approximate\", \"Minimum\"}\n mod.noblank = true\n mod.env = \"SystemRoot=c:\\\\WINDOWS\"\n mod.req_args = {'host'}\n table.insert(modules, mod)\n</code>\n\nAnd the output (note that we had to up the timeout so this would complete;\nwe'll talk about override values later):\n\n<code>\n$ ./nmap -n -d -p445 --script=smb-psexec --script-args=smbuser=test,smbpass=test,config=examples,host=1.2.3.4 192.168.1.21\n[...]\n| Example 5: Can the host ping 1.2.3.4?\n| | Pinging 1.2.3.4 with 32 bytes of data:\n| | Request timed out.\n| | Request timed out.\n| | Request timed out.\n| |_Request timed out.\n</code>\n\nFor the final example, we'll use the <code>upload</code> command to upload\n<code>fgdump.exe</code>, run it, download its output file, and clean up its\nlogfile. You'll have to put <code>fgdump.exe</code> in the same folder as\nthe script for this to work:\n\n<code>\n mod = {}\n mod.upload = true\n mod.name = \"Example 6: FgDump\"\n mod.program = \"fgdump.exe\"\n mod.args = \"-c -l fgdump.log\"\n mod.url = \"http://www.foofus.net/fizzgig/fgdump/\"\n mod.tempfiles = {\"fgdump.log\"}\n mod.outfile = \"127.0.0.1.pwdump\"\n table.insert(modules, mod)\n</code>\n\nThe <code>-l</code> argument for fgdump supplies the name of the logfile.\nThat file is listed in the <code>mod.tempfiles</code> field. What, exactly,\ndoes <code>mod.tempfiles</code> do? It simply gives the service a list of\nfiles to delete while cleaning up. The cleanup process will be discussed\nlater.\n\n<code>mod.url</code> is displayed to the user if <code>mod.program</code>\nisn't found in <code>nselib/data/psexec/</code>. And finally,\n<code>mod.outfile</code> is the file that is downloaded from the system.\nThis is required because fgdump writes to an output file instead of to\nstdout (pwdump6, for example, doesn't require <code>mod.outfile</code>.\n\nNow that we've seen a few possible combinations of fields, I present a\ncomplete list of all fields available and what each of them do. Many of them\nwill be familiar, but there are a few that aren't discussed in the examples:\n\n* <code>upload</code> (boolean) true if it's a local file to upload, false\n if it's already on the host machine. If\n <code>upload</code> is true, <code>program</code> has\n to be in <code>nselib/data/psexec</code>.\n* <code>name</code> (string) The name to display above the output. If this\n isn't given, <code>program</code> .. <code>args</code>\n are used.\n* <code>program</code> (string) If <code>upload</code> is false, the name\n (fully qualified or relative) of the program on the\n remote system; if <code>upload</code> is true, the\n name of the local file that will be uploaded (stored\n in <code>nselib/data/psexec</code>).\n* <code>args</code> (string) Arguments to pass to the process.\n* <code>env</code> (string) Environmental variables to pass to the process,\n as name=value pairs, delimited, per Microsoft's spec, by\n NULL characters (<code>string.char(0)</code>).\n* <code>maxtime</code> (integer) The approximate amount of time to wait for\n this process to complete. The total timeout for the\n script before it gives up waiting for a response is\n the total of all <code>maxtime</code> fields.\n* <code>extrafiles</code> (string[]) Extra file(s) to upload before running\n the program. These will not be renamed (because,\n presumably, if they are then the program won't be\n able to find them), but they will be marked as\n hidden/system/etc. This may cause a race condition\n if multiple people are doing this at once, but\n there isn't much we can do. The files are also\n deleted afterwards as tempfiles would be. The\n files have to be in the same directory as programs\n (<code>nselib/data/psexec</code>), but the program\n doesn't necessarily need to be an uploaded one.\n* <code>tempfiles</code> (string[]) A list of temporary files that the\n process is known to create (if the process does\n create files, using this field is recommended\n because it helps avoid making a mess on the remote\n system).\n* <code>find</code> (string[]) Only display lines that contain the given\n string(s) (for example, if you're searching for a line\n that contains \"IP Address\", set this to <code>{'IP\n Address'}</code>. This allows Lua-style patterns, see:\n http://lua-users.org/wiki/PatternsTutorial (don't forget\n to escape special characters with a <code>%</code>).\n Note that this is client-side only; the full output is\n still returned, the rest is removed while displaying.\n The line of output only needs to match one of the\n strings given here.\n* <code>remove</code> (string[]) Opposite of <code>find</code>; this removes\n lines containing the given string(s) instead of\n displaying them. Like <code>find</code>, this is\n client-side only and uses Lua-style patterns. If\n <code>remove</code> and <code>find</code> are in\n conflict, then <code>remove</code> takes priority.\n* <code>noblank</code> (boolean) Setting this to true removes all blank\n lines from the output.\n* <code>replace</code> (table) A table of values to replace in the strings\n returned. Like <code>find</code> and\n <code>replace</code>, this is client-side only and\n uses Lua-style patterns.\n* <code>headless</code> (boolean) If <code>headless</code> is set to true,\n the program doesn't return any output; rather, it\n runs detached from the service so that, when the\n service ends, the program keeps going. This can be\n useful for, say, a monitoring program. Or a\n backdoor, if that's what you're into (a Metasploit\n payload should work nicely). Not compatible with:\n <code>find</code>, <code>remove</code>,\n <code>noblank</code>, <code>replace</code>,\n <code>maxtime</code>, <code>outfile</code>.\n* <code>enabled</code> (boolean) Set to false, and optionally set\n <code>disabled_message</code>, if you don't want a\n module to run. Alternatively, you can comment out\n the process.\n* <code>disabled_message</code> (string) Displayed if the module is disabled.\n* <code>url</code> (string) A module where the user can download the\n uploadable file. Displayed if the uploadable file is\n missing.\n* <code>outfile</code> (string) If set, the specified file will be returned\n instead of stdout.\n* <code>req_args</code> (string[]) An array of arguments that the user must\n set in <code>--script-args</code>.\n\n\nAny field in the configuration file can contain variables, as discussed.\nHere are some of the available built-in variables:\n\n* <code>$lhost</code>: local IP address as a string.\n* <code>$lport</code>: local port (meaningless; it'll change by the time the\n module is uploaded since multiple connections are\n made).\n* <code>$rhost</code>: remote IP address as a string.\n* <code>$rport</code>: remote port.\n* <code>$lmac</code>: local MAC address as a string in the\n xx:xx:xx:xx:xx:xx format (note: requires root).\n* <code>$path</code>: the path where the file will be uploaded to.\n* <code>$service_name</code>: the name of the service that will be running\n this program\n* <code>$service_file</code>: the name of the executable file for the\n service\n* <code>$temp_output_file</code>: The (ciphered) file where the programs'\n output will be written before being\n renamed to $output_file\n* <code>$output_file</code>: The final name of the (ciphered) output file.\n When this file appears, the script downloads it\n and stops the service\n* <code>$timeout</code>: The total amount of time the script is going to run\n before it gives up and stops the process\n* <code>$share</code>: The share that everything was uploaded to\n* (script args): Any value passed as a script argument will be replaced (for\n example, if Nmap is run with\n <code>--script-args=var3=10</code>, then <code>$var3</code>\n in any field will be replaced with <code>10</code>. See the\n <code>req_args</code> field above. Script argument values\n take priority over config values.\n\nIn addition to modules, the configuration file can also contain overrides.\nMost of these aren't useful, so I'm not going to go into great detail.\nSearch <code>smb-psexec.nse</code> for any reference to the\n<code>config</code> table; any value in the <code>config</code> table can be\noverridden with the <code>overrides</code> table in the module. The most\nuseful value to override is probably <code>timeout</code>.\n\nBefore and after scripts are run, and when there's an error, a cleanup is\nperformed. in the cleanup, we attempt to stop the remote processes, delete\nall programs, output files, temporary files, extra files, etc. A lot of\neffort was put into proper cleanup, since making a mess on remote systems is\na bad idea.\n\n\nNow that I've talked at length about how to use this script, I'd like to\nspend some time talking about how it works.\n\nRunning a script happens in several stages:\n\n1. An open fileshare is found that we can write to. Finding an open\n fileshare basically consists of enumerating all shares and seeing which\n one(s) we have access to.\n2. A \"service wrapper\", and all of the uploadable/extra files, are uploaded.\n Before they're uploaded, the name of each file is obfuscated. The\n obfuscation completely renames the file, is unique for each source system,\n and doesn't change between multiple runs. This obfuscation has the benefit\n of preventing filenames from overlapping if multiple people are running this\n against the same computer, and also makes it more difficult to determine\n their purposes. The reason for keeping them consistent for every run is to\n make cleanup possible: a random filename, if the script somehow fails, will\n be left on the system.\n3. A new service is created and started. The new service has a random name\n for the same reason the files do, and points at the 'service wrapper'\n program that was uploaded.\n4. The service runs the processes. One by one, the processes are run and\n their output is captured. The output is obfuscated using a simple (and\n highly insecure) xor algorithm, which is designed to prevent casual sniffing\n (but won't deter intelligent attackers). This data is put into a temporary\n output file. When all the programs have finished, the file is renamed to the\n final output file\n5. The output file is downloaded, and the cleanup is performced. The file\n being renamed triggers the final stage of the program, where the data is\n downloaded and all relevant files are deleted.\n6. Output file, now decrypted, is formatted and displayed to the user.\n\nAnd that's how it works!\n\nPlease post any questions, or suggestions for better modules, to\ndev@nmap.org.\n\nAnd, as usual, since this tool can be dangerous and can easily be viewed as\na malicious tool -- use this responsibly, and don't break any laws with it.\n\nSome ideas for later versions (TODO):\n\n* Set up a better environment for scripts (<code>PATH</code>,\n <code>SystemRoot</code>, etc). Without this, a lot of programs (especially\n ones that deal with network traffic) behave oddly.\n* Abstract the code required to run remote processes so other scripts can\n use it more easily (difficult, but will ultimately be well worth it\n later). (May actually not be possible. There is a lot of overhead and\n specialized code in this module. We'll see, though.)\n* Let user specify an output file (per-script) so they can, for example,\n download binary files (don't think it's worthwhile).\n* Consider running the external programs in parallel (not sure if the\n benefits outweigh the drawbacks).\n* Let the config request the return code from the process instead of the\n output (not sure if doing this would be worth the effort).\n* Check multiple shares in a single session to save packets (and see where\n else we can tighten up the amount of traffic).\n]]\n\n---\n-- @usage\n-- nmap --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <host>\n-- sudo nmap -sU -sS --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p U:137,T:139 <host>\n--\n-- @output\n-- Host script results:\n-- | smb-psexec:\n-- | | Windows version\n-- | | |_ Microsoft Windows 2000 [Version 5.00.2195]\n-- | | IP Address and MAC Address from 'ipconfig.exe'\n-- | | | Ethernet adapter Local Area Connection 2:\n-- | | | MAC Address: 00:50:56:A1:24:C2\n-- | | | IP Address: 10.0.0.30\n-- | | | Ethernet adapter Local Area Connection:\n-- | | |_ MAC Address: 00:50:56:A1:00:65\n-- | | User list from 'net user'\n-- | | | Administrator TestUser3 Guest\n-- | | | IUSR_RON-WIN2K-TEST IWAM_RON-WIN2K-TEST nmap\n-- | | | rontest123 sshd SvcCOPSSH\n-- | | |_ test1234 Testing TsInternetUser\n-- | | Membership of 'administrators' from 'net localgroup administrators'\n-- | | | Administrator\n-- | | | SvcCOPSSH\n-- | | | test1234\n-- | | |_ Testing\n-- | | Can the host ping our address?\n-- | | | Pinging 10.0.0.138 with 32 bytes of data:\n-- | | |_ Reply from 10.0.0.138: bytes=32 time<10ms TTL=64\n-- | | Traceroute back to the scanner\n-- | | |_ 1 <10 ms <10 ms <10 ms 10.0.0.138\n-- | | ARP Cache from arp.exe\n-- | | | Internet Address Physical Address Type\n-- | | |_ 10.0.0.138 00-50-56-a1-27-4b dynamic\n-- | | List of listening and established connections (netstat -an)\n-- | | | Proto Local Address Foreign Address State\n-- | | | TCP 0.0.0.0:22 0.0.0.0:0 LISTENING\n-- | | | TCP 0.0.0.0:25 0.0.0.0:0 LISTENING\n-- | | | TCP 0.0.0.0:80 0.0.0.0:0 LISTENING\n-- | | | TCP 0.0.0.0:135 0.0.0.0:0 LISTENING\n-- | | | TCP 0.0.0.0:443 0.0.0.0:0 LISTENING\n-- | | | TCP 0.0.0.0:445 0.0.0.0:0 LISTENING\n-- | | | TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING\n-- | | | TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING\n-- | | | TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING\n-- | | | TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING\n-- | | | TCP 0.0.0.0:4933 0.0.0.0:0 LISTENING\n-- | | | TCP 10.0.0.30:139 0.0.0.0:0 LISTENING\n-- | | | TCP 127.0.0.1:2528 127.0.0.1:2529 ESTABLISHED\n-- | | | TCP 127.0.0.1:2529 127.0.0.1:2528 ESTABLISHED\n-- | | | TCP 127.0.0.1:2531 127.0.0.1:2532 ESTABLISHED\n-- | | | TCP 127.0.0.1:2532 127.0.0.1:2531 ESTABLISHED\n-- | | | TCP 127.0.0.1:5152 0.0.0.0:0 LISTENING\n-- | | | TCP 127.0.0.1:5152 127.0.0.1:2530 CLOSE_WAIT\n-- | | | UDP 0.0.0.0:135 *:*\n-- | | | UDP 0.0.0.0:445 *:*\n-- | | | UDP 0.0.0.0:1030 *:*\n-- | | | UDP 0.0.0.0:3456 *:*\n-- | | | UDP 10.0.0.30:137 *:*\n-- | | | UDP 10.0.0.30:138 *:*\n-- | | | UDP 10.0.0.30:500 *:*\n-- | | | UDP 10.0.0.30:4500 *:*\n-- | | |_ UDP 127.0.0.1:1026 *:*\n-- | | Full routing table from 'netstat -nr'\n-- | | | ===========================================================================\n-- | | | Interface List\n-- | | | 0x1 ........................... MS TCP Loopback interface\n-- | | | 0x2 ...00 50 56 a1 00 65 ...... VMware Accelerated AMD PCNet Adapter\n-- | | | 0x1000004 ...00 50 56 a1 24 c2 ...... VMware Accelerated AMD PCNet Adapter\n-- | | | ===========================================================================\n-- | | | ===========================================================================\n-- | | | Active Routes:\n-- | | | Network Destination Netmask Gateway Interface Metric\n-- | | | 10.0.0.0 255.255.255.0 10.0.0.30 10.0.0.30 1\n-- | | | 10.0.0.30 255.255.255.255 127.0.0.1 127.0.0.1 1\n-- | | | 10.255.255.255 255.255.255.255 10.0.0.30 10.0.0.30 1\n-- | | | 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1\n-- | | | 224.0.0.0 224.0.0.0 10.0.0.30 10.0.0.30 1\n-- | | | 255.255.255.255 255.255.255.255 10.0.0.30 2 1\n-- | | | ===========================================================================\n-- | | | Persistent Routes:\n-- | | | None\n-- |_ |_ |_ Route Table\n--\n--@args config The config file to use (eg, default). Config files require a .lua extension, and are located in <code>nselib/data/psexec</code>.\n--@args nohide Don't set the uploaded files to hidden/system/etc.\n--@args cleanup Set to only clean up any mess we made (leftover files, processes, etc. on the host OS) on a previous run of the script.\n-- This will attempt to delete the files from every share, not just the first one. This is done to prevent leftover\n-- files if the OS changes the ordering of the shares (there's no guarantee of shares coming back in any particular\n-- order)\n-- Note that cleaning up is still fairly invasive, since it has to re-discover the proper share, connect to it,\n-- delete files, open the services manager, etc.\n--@args share Set to override the share used for uploading. This also stops shares from being enumerated, and all other shares\n-- will be ignored. No checks are done to determine whether or not this is a valid share before using it. Reqires\n-- <code>sharepath</code> to be set.\n--@args sharepath The full path to the share (eg, <code>\"c:\\windows\"</code>). This is required when creating a service.\n--@args time The minimum amount of time, in seconds, to wait for the external module to finish (default: <code>15</code>)\n--\n--@args nocleanup Set to not clean up at all; this leaves the files on the remote system and the wrapper\n-- service installed. This is bad in practice, but significantly reduces the network traffic and makes analysis\n-- easier.\n--@args nocipher Set to disable the ciphering of the returned text (useful for debugging).\n--@args key Script uses this value instead of a random encryption key (useful for debugging the crypto).\n-----------------------------------------------------------------------\n\nauthor = \"Ron Bowes\"\ncopyright = \"Ron Bowes\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\"}\ndependencies = {\"smb-brute\"}\n\n\n\n-- Where we tell the user to get nmap_service.exe if it's not installed.\nlocal NMAP_SERVICE_EXE_DOWNLOAD = \"https://nmap.org/psexec/nmap_service.exe\"\n\n\nhostrule = function(host)\n return smb.get_port(host) ~= nil\nend\n\n---Get the random-ish filenames used by the service.\n--\n--@param host The host table, which the names are based on.\n--@return Status: true or false.\n--@return Name of the remote service, or an error message if status is false.\n--@return Name of the executable file that's run by the service.\n--@return Name of the temporary output file.\n--@return Name of the final output file.\nlocal function get_service_files(host)\n local status, service_name, service_file, temp_output_file, output_file\n\n -- Get the name of the service\n status, service_name = smb.get_uniqueish_name(host)\n if(status == false) then\n return false, string.format(\"Error generating service name: %s\", service_name)\n end\n stdnse.debug1(\"Generated static service name: %s\", service_name)\n\n -- Get the name and service's executable file (with a .txt extension for fun)\n status, service_file = smb.get_uniqueish_name(host, \"txt\")\n if(status == false) then\n return false, string.format(\"Error generating remote filename: %s\", service_file)\n end\n stdnse.debug1(\"Generated static service name: %s\", service_name)\n\n -- Get the temporary output file\n status, temp_output_file = smb.get_uniqueish_name(host, \"out.tmp\")\n if(status == false) then\n return false, string.format(\"Error generating remote filename: %s\", temp_output_file)\n end\n stdnse.debug1(\"Generated static service filename: %s\", temp_output_file)\n\n -- Get the actual output file\n status, output_file = smb.get_uniqueish_name(host, \"out\")\n if(status == false) then\n return false, string.format(\"Error generating remote output file: %s\", output_file)\n end\n stdnse.debug1(\"Generated static output filename: %s\", output_file)\n\n -- Return everything\n return true, service_name, service_file, temp_output_file, output_file\nend\n\n---Stop/delete the service and delete the service file.\n--\n--@param host The host object.\n--@param config The table of configuration values.\nfunction cleanup(host, config)\n local status, err\n\n -- Add a delay here. For some reason, calling this function too quickly causes SMB to close the connection,\n -- but even a tiny delay makes that issue go away.\n stdnse.sleep(.01)\n\n -- If the user doesn't want to clean up, don't\n if(stdnse.get_script_args( \"nocleanup\" )) then\n return\n end\n\n stdnse.debug1(\"Entering cleanup() -- errors here can generally be ignored\")\n -- Try stopping the service\n status, err = msrpc.service_stop(host, config.service_name)\n if(status == false) then\n stdnse.debug1(\"[cleanup] Couldn't stop service: %s\", err)\n end\n\n -- Try deleting the service\n status, err = msrpc.service_delete(host, config.service_name)\n if(status == false) then\n stdnse.debug1(\"[cleanup] Couldn't delete service: %s\", err)\n end\n\n -- Delete the files\n for _, share in ipairs(config.all_shares) do\n status, err = smb.file_delete(host, share, config.all_files)\n end\n\n stdnse.debug1(\"Leaving cleanup()\")\n\n return true\nend\n\n---Find the file on the system (checks both Nmap's directories and the current\n-- directory).\n--\n--@param filename The name of the file.\n--@param extension The extension of the file (filename without the extension is tried first).\n--@return The full filename, or nil if it couldn't be found.\nlocal function locate_file(filename, extension)\n stdnse.debug1(\"Attempting to find file: %s\", filename)\n\n extension = extension or \"\"\n\n local filename_full = nmap.fetchfile(filename) or nmap.fetchfile(filename .. \".\" .. extension)\n\n if(filename_full == nil) then\n local psexecfile = \"nselib/data/psexec/\" .. filename\n filename_full = nmap.fetchfile(psexecfile) or nmap.fetchfile(psexecfile .. \".\" .. extension)\n end\n\n -- check for absolute path or relative to current directory\n if(filename_full == nil) then\n local f, err = io.open(filename, \"rb\")\n if f == nil then\n stdnse.debug1(\"Error opening %s: %s\", filename, err)\n f, err = io.open(filename .. \".\" .. extension, \"rb\")\n if f == nil then\n stdnse.debug1(\"Error opening %s.%s: %s\", filename, extension, err)\n return nil -- unnecessary, but explicit\n else\n f:close()\n return filename .. \".\" .. extension\n end\n else\n f:close()\n return filename\n end\n end\n\n return filename_full\nend\n\n---Generate an array of all files that will be uploaded/created, including\n-- the temporary file and the output file. This is done so the files can\n-- all be deleted during the cleanup phase.\n--\n--@param config The config table.\n--@return The array of files.\nlocal function get_all_files(config)\n local files = {config.service_file, config.output_file, config.temp_output_file}\n for _, mod in ipairs(config.enabled_modules) do\n -- We're going to delete the module itself\n table.insert(files, mod.upload_name)\n\n -- We're also going to delete any temp files...\n if(mod.tempfiles) then\n for _, file in ipairs(mod.tempfiles) do\n table.insert(files, file)\n end\n end\n\n -- ... and any extra files we uploaded ,,,\n if(mod.extrafiles) then\n for _, file in ipairs(mod.extrafiles) do\n table.insert(files, file)\n end\n end\n\n -- ... not to mention the output file\n if(mod.outfile and mod.outfile ~= \"\") then\n table.insert(files, mod.outfile)\n end\n end\n\n return files\nend\n\n---Decide which share to use. Unless the user overrides it with the 'share' and 'sharepath'\n-- arguments, a the first writable share is used.\n--\n--@param host The host object.\n--@return status true for success, false for failure\n--@return share The share we're going to use, or an error message.\n--@return path The path on the remote system that points to the share.\n--@return shares A list of all shares on the system (used for cleaning up).\nlocal function find_share(host)\n local status, share, path, shares\n\n -- Determine which share to use\n if(nmap.registry.args.share ~= nil) then\n share = nmap.registry.args.share\n shares = {share}\n path = nmap.registry.args.sharepath\n if(path == nil) then\n return false, \"Setting the 'share' script-arg requires the 'sharepath' to be set as well.\"\n end\n\n stdnse.debug1(\"Using share chosen by the user: %s (%s)\", share, path)\n else\n -- Try and find a share to use.\n status, share, path, shares = smb.share_find_writable(host)\n if(status == false) then\n return false, share .. \" (May not have an administrator account)\"\n end\n if(path == nil) then\n return false, string.format(\"Couldn't find path to writable share (we probably don't have admin access): '%s'\", share)\n end\n stdnse.debug1(\"Found usable share %s (%s) (all writable shares: %s)\", share, path, table.concat(shares, \", \"))\n end\n\n return true, share, path, shares\nend\n\n---Recursively replace all variables in the 'setting' field with string variables\n-- found in the 'config' field and in the script-args passed by the user.\n--\n--@param config The configuration table (used as a source of variables to replace).\n--@param setting The current setting field (generally a string or a table).\n--@return setting The setting with all values replaced.\nlocal function replace_variables(config, setting)\n if(type(setting) == \"string\") then\n -- Replace module fields with variables in the script-args argument\n for k, v in pairs(nmap.registry.args) do\n setting = string.gsub(setting, \"$\"..k, v)\n end\n\n -- Replace module fields with variables in the config file\n for k, v in pairs(config) do\n if((type(v) == \"string\" or type(v) == \"boolean\" or type(v) == \"number\") and k ~= \"key\") then\n setting = string.gsub(setting, \"$\"..k, v)\n end\n end\n elseif(type(setting) == \"table\") then\n for k, v in pairs(setting) do\n setting[k] = replace_variables(config, v)\n end\n end\n\n return setting\nend\n\n---Takes the 'overrides' field from a module and replace any configuration variables.\n--\n--@param config The config table.\n--@param overrides The overrides we're replacing values with.\n--@return config The new config table.\nlocal function do_overrides(config, overrides)\n if(overrides) then\n if(type(overrides) == 'string') then\n overrides = {overrides}\n end\n\n for i, v in pairs(overrides) do\n config[i] = v\n end\n end\n\n return config\nend\n\n---Reads, prepares, parses, sanity checks, and pre-processes the configuration file (either the\n-- default, or the file passed as a parameter).\n--\n--@param host The host table.\n--@param config A table to fill with configuration values.\n--@return status true or false\n--@return config The configuration table or an error message.\nlocal function get_config(host, config)\n local status\n local filename = nmap.registry.args.config\n config.enabled_modules = {}\n config.disabled_modules = {}\n\n -- Find the config file\n filename = locate_file(filename or 'default', 'lua')\n if(filename == nil) then\n return false, \"Couldn't locate config file: file not found (make sure it has a .lua extension and is in nselib/data/psexec/)\"\n end\n\n -- Load the config file\n local env = setmetatable({modules = {}; overrides = {}; module = function() stdnse.debug1(\"WARNING: Selected config file contains an unnecessary call to module()\") end}, {__index = _G})\n stdnse.debug1(\"Attempting to load config file: %s\", filename)\n local file = loadfile(filename, \"t\", env)\n if(not(file)) then\n return false, \"Couldn't load module file:\\n\" .. filename\n end\n\n -- Run the config file\n file()\n local modules = env.modules\n local overrides = env.overrides\n\n -- Generate a cipher key\n if(stdnse.get_script_args( \"nocipher\" )) then\n config.key = \"\"\n elseif(nmap.registry.args.key) then\n config.key = nmap.registry.args.key\n else\n local tmp = {}\n for i = 1, 127, 1 do\n tmp[i] = string.char(math.random(0x20, 0x7F))\n end\n config.key = table.concat(tmp)\n config.key_index = 0\n end\n\n -- Initialize the timeout\n config.timeout = 0\n\n -- Figure out which share we're using (this is the first place in the script where a lot of traffic is generated --\n -- any possible sanity checking should be done before this)\n status, config.share, config.path, config.all_shares = find_share(host)\n if(not(status)) then\n return false, config.share\n end\n\n -- Get information about the socket; it's a bit out of place here, but it should go before the mod loop\n status, config.lhost, config.lport, config.rhost, config.rport, config.lmac = smb.get_socket_info(host)\n if(status == false) then\n return false, \"Couldn't get socket information: \" .. config.lhost\n end\n\n -- Get the names of the files we're going to need\n status, config.service_name, config.service_file, config.temp_output_file, config.output_file = get_service_files(host)\n if(not(status)) then\n return false, config.service_name\n end\n\n -- Make sure the modules loaded properly\n -- NOTE: If you're here because of an error that 'modules' is undefined, it's likely because your configuration file doesn't have a\n -- proper modules table, or your configuration file has a module() declaration at the top.\n if(not(modules) or #modules == 0) then\n return false, string.format(\"Configuration file (%s) doesn't have a proper 'modules' table.\", filename)\n end\n\n -- Make sure we got a proper modules array\n if(type(modules) ~= \"table\") then\n return false, string.format(\"The chosen configuration file, %s.lua, \\z\n doesn't have a proper 'modules' table. If possible, it should be \\z\n modified to have a public array called 'modules' that contains a \\z\n list of all modules that will be run.\", filename)\n end\n\n -- Loop through the modules for some pre-processing\n stdnse.debug1(\"Verifying uploadable executables exist\")\n for i, mod in ipairs(modules) do\n local enabled = true\n -- Do some sanity checking\n if(mod.program == nil) then\n enabled = false\n if(mod.name) then\n mod.disabled_message = string.format(\"Configuration error: '%s': module doesn't have a program\", mod.name)\n else\n mod.disabled_message = string.format(\"Configuration error: Module #%d doesn't have a program\", i)\n end\n end\n\n -- Set some defaults, if the user didn't specify\n mod.name = mod.name or (string.format(\"%s %s\", mod.program, mod.args or \"\"))\n mod.maxtime = mod.maxtime or 1\n\n -- Check if they forgot the uploadibility\n if(mod.upload == nil) then\n enabled = false\n mod.disabled_message = string.format(\"Configuration error: '%s': 'upload' field is required\", mod.name)\n end\n\n -- Check if the upload field is set wrong\n if(mod.upload ~= true and mod.upload ~= false) then\n enabled = false\n mod.disabled_message = string.format(\"Configuration error: '%s': 'upload' field has to be true or false\", mod.name)\n end\n\n -- Check for incompatible fields with 'headless'\n if(mod.headless) then\n if(mod.find or mod.remove or mod.noblank or mod.replace or (mod.maxtime > 1) or mod.outfile) then\n enabled = false\n mod.disabled_message = string.format(\"Configuration error: '%s': 'headless' is incompatible with find, remove, noblank, replace, and maxtime\", mod.name)\n end\n end\n\n -- Check for improperly formatted 'replace'\n if(mod.replace) then\n if(type(mod.replace) ~= \"table\") then\n enabled = false\n mod.disabled_message = string.format(\"Configuration error: '%s': 'replace' has to be a table of one-element tables (eg. replace = {{'a'='b'}, {'c'='d'}})\", mod.name)\n end\n\n for _, v in ipairs(mod.replace) do\n if(type(v) ~= 'table') then\n enabled = false\n mod.disabled_message = string.format(\"Configuration error: '%s': 'replace' has to be a table of one-element tables (eg. replace = {{'a'='b'}, {'c'='d'}})\", mod.name)\n end\n end\n end\n\n -- Set some default values\n if(mod.headless == nil) then\n mod.headless = false\n end\n if(mod.include_stderr == nil) then\n mod.include_stderr = true\n end\n\n -- Make sure required arguments are given\n if(mod.req_args) then\n if(type(mod.req_args) == 'string') then\n mod.req_args = {mod.req_args}\n end\n\n -- Keep a table of missing args so we can tell the user all the args they're missing at once\n local missing_args = {}\n for _, arg in ipairs(mod.req_args) do\n if(nmap.registry.args[arg] == nil) then\n table.insert(missing_args, arg)\n end\n end\n\n if(#missing_args > 0) then\n enabled = false\n mod.disabled_message = {}\n table.insert(mod.disabled_message, string.format(\"Configuration error: Required argument(s) ('%s') weren't given.\", table.concat('\", missing_args, \"')))\n table.insert(mod.disabled_message, \"Please add --script-args=[arg]=[value] to your commandline to run this module\")\n if(#missing_args == 1) then\n table.insert(mod.disabled_message, string.format(\"For example: --script-args=%s=123\", missing_args[1]))\n else\n table.insert(mod.disabled_message, string.format(\"For example: --script-args=%s=123,%s=456...\", missing_args[1], missing_args[2]))\n end\n end\n end\n\n -- Checks for the uploadable modules\n if(mod.upload) then\n -- Check if the module actually exists\n stdnse.debug1(\"Looking for uploadable module: %s or %s.exe\", mod.program, mod.program)\n mod.filename = locate_file(mod.program, \"exe\")\n if(mod.filename == nil) then\n enabled = false\n stdnse.debug1(\"Couldn't find uploadable module %s, disabling\", mod.program)\n mod.disabled_message = {string.format(\"Couldn't find uploadable module %s, disabling\", mod.program)}\n if(mod.url) then\n stdnse.debug1(\"You can try getting it from: %s\", mod.url)\n table.insert(mod.disabled_message, string.format(\"You can try getting it from: %s\", mod.url))\n table.insert(mod.disabled_message, \"And placing it in Nmap's nselib/data/psexec/ directory\")\n end\n else\n -- We found it\n stdnse.debug1(\"Found: %s\", mod.filename)\n\n -- Generate a name to upload them as (we don't upload with the original names)\n status, mod.upload_name = smb.get_uniqueish_name(host, \"txt\", mod.filename)\n if(not(status)) then\n return false, \"Couldn't generate name for uploaded file: \" .. mod.upload_name\n end\n stdnse.debug1(\"Will upload %s as %s\", mod.filename, mod.upload_name)\n end\n end\n\n\n -- Prepare extra files\n if(enabled and mod.extrafiles) then\n -- Make sure we have an array to help save on duplicate code\n if(type(mod.extrafiles) == \"string\") then\n mod.extrafiles = {mod.extrafiles}\n end\n\n -- Loop through all of the extra files\n mod.extrafiles_paths = {}\n for i, extrafile in ipairs(mod.extrafiles) do\n stdnse.debug1(\"Looking for extra module: %s\", extrafile)\n mod.extrafiles_paths[i] = locate_file(extrafile)\n if(mod.extrafiles_paths[i] == nil) then\n return false, string.format(\"Couldn't find required file to upload: %s\", extrafile)\n end\n stdnse.debug1(\"Found: %s\", mod.extrafiles_paths[i])\n end\n end\n\n -- Add the timeout to the total\n config.timeout = config.timeout + mod.maxtime\n\n -- Add the module to the appropriate list\n if(enabled) then\n table.insert(config.enabled_modules, mod)\n else\n table.insert(config.disabled_modules, mod)\n end\n end\n\n -- Make a list of *all* files (used for cleaning up)\n config.all_files = get_all_files(config)\n\n -- Finalize the timeout\n local max_timeout = nmap.registry.args.timeout or 15\n config.timeout = math.max(config.timeout, max_timeout)\n stdnse.debug1(\"Timeout waiting for a response is %d seconds\", config.timeout)\n\n -- Do config overrides\n if(overrides) then\n config = do_overrides(config, overrides)\n end\n\n -- Replace variable values in the configuration (this has to go last)\n stdnse.debug1(\"Replacing variables in the modules' fields\")\n for i, mod in ipairs(config.enabled_modules) do\n for k, v in pairs(mod) do\n mod[k] = replace_variables(config, v)\n end\n end\n\n return true, config\nend\n\n---Cipher (or uncipher) a string with a weak xor-based encryption.\n--\n--@args str The string go cipher/uncipher.\n--@args config The config file for this host (stores the encryption key).\n--@return The decrypted string.\nlocal function cipher(str, config)\n local result = {}\n if(config.key == \"\") then\n return str\n end\n\n for i = 1, #str, 1 do\n local c = string.byte(str, i)\n c = string.char(c ~ string.byte(config.key, config.key_index + 1))\n\n config.key_index = config.key_index + 1\n config.key_index = config.key_index % #config.key\n\n result[i] = c\n end\n\n return table.concat(result)\nend\n\nlocal function get_overrides()\n -- Create some overrides:\n -- 0x00004000 = Encrypted\n -- 0x00002000 = Don't index this file\n -- 0x00000100 = Temporary file\n -- 0x00000800 = Compressed file\n -- 0x00000002 = Hidden file\n -- 0x00000004 = System file\n local attr = 0x00000004 | 0x00000002 | 0x00000800 | 0x00000100 | 0x00002000 | 0x00004000\n\n -- Let the user override this behaviour\n if(stdnse.get_script_args( \"nohide\" )) then\n attr = 0\n end\n\n -- Create the overrides\n return {file_create_attributes=attr}\nend\n\n--- Check if an nmap_service.exe file is the XOR-encoded version from the 5.21\n-- release. It works by checking the first few bytes against a known pattern.\n-- Returns <code>true</code> or <code>false</code>, or else <code>nil</code> and\n-- an error message.\n-- @param filename the name of the file to check.\n-- @return status\n-- @return error message\nlocal function service_file_is_xor_encoded(filename)\n local f, bytes, msg\n\n f, msg = io.open(filename)\n if not f then\n return nil, msg\n end\n bytes = f:read(2)\n f:close()\n if not bytes or #bytes < 2 then\n return nil, \"Can't read from service file\"\n end\n -- This is the XOR-inverse of \"MZ\".\n return bytes == \"\\xb2\\xa5\"\nend\n\n---Upload all of the uploadable files to the remote system.\n--\n--@param host The host table.\n--@param config The configuration table.\n--@return status true or false\n--@return err An error message if status is false.\nlocal function upload_everything(host, config)\n local is_xor_encoded, msg\n local overrides = get_overrides()\n\n -- In Nmap 5.20, it was discovered that nmap_service.exe file was\n -- causing false positives in antivirus software. In an effort to avoid\n -- this, in version 5.21 the file was obfuscated by XORing all its bytes\n -- with 0xFF. That didn't work, so now the file is not included in the\n -- distribution. But it means we must check if we are dealing with the\n -- original or XOR-encoded version of the file.\n is_xor_encoded, msg = service_file_is_xor_encoded(config.local_service_file)\n if is_xor_encoded == nil then\n return nil, msg\n elseif is_xor_encoded then\n stdnse.debug2(\"%s is the XOR-encoded version from the 5.21 release.\", config.local_service_file)\n end\n\n -- Upload the service file\n stdnse.debug1(\"Uploading: %s => \\\\\\\\%s\\\\%s\", config.local_service_file, config.share, config.service_file)\n local status, err\n status, err = smb.file_upload(host, config.local_service_file, config.share, \"\\\\\" .. config.service_file, overrides, is_xor_encoded)\n if(status == false) then\n cleanup(host, config)\n return false, string.format(\"Couldn't upload the service file: %s\\n\", err)\n end\n stdnse.debug1(\"Service file successfully uploaded!\")\n\n -- Upload the modules and all their extras\n stdnse.debug1(\"Attempting to upload the modules\")\n for _, mod in ipairs(config.enabled_modules) do\n -- If it's an uploadable module, upload it\n if(mod.upload) then\n stdnse.debug1(\"Uploading: %s => \\\\\\\\%s\\\\%s\", mod.filename, config.share, mod.upload_name)\n status, err = smb.file_upload(host, mod.filename, config.share, \"\\\\\" .. mod.upload_name, overrides)\n if(status == false) then\n cleanup(host, config)\n return false, string.format(\"Couldn't upload module %s: %s\\n\", mod.program, err)\n end\n end\n\n -- If it requires extra files, upload them, too\n if(mod.extrafiles) then\n -- Convert to a table, if it's a string\n if(type(mod.extrafiles) == \"string\") then\n mod.extrafiles = {mod.extrafiles}\n end\n\n -- Loop over the files and upload them\n for i, extrafile in ipairs(mod.extrafiles) do\n local extrafile_local = mod.extrafiles_paths[i]\n\n stdnse.debug1(\"Uploading extra file: %s => \\\\\\\\%s\\\\%s\", extrafile_local, config.share, extrafile)\n status, err = smb.file_upload(host, extrafile_local, config.share, extrafile, overrides)\n if(status == false) then\n cleanup(host, config)\n return false, string.format(\"Couldn't upload extra file %s: %s\\n\", extrafile_local, err)\n end\n end\n end\n end\n stdnse.debug1(\"Modules successfully uploaded!\")\n\n return true\nend\n\n---Create the service on the remote system.\n--@param host The host object.\n--@param config The configuration table.\n--@return status true or false\n--@return err An error message if status is false.\nlocal function create_service(host, config)\n local status, err = msrpc.service_create(host, config.service_name, config.path .. \"\\\\\" .. config.service_file)\n if(status == false) then\n stdnse.debug1(\"Couldn't create the service: %s\", err)\n cleanup(host, config)\n\n if(string.find(err, \"MARKED_FOR_DELETE\")) then\n return false, \"Service is stuck in 'being deleted' phase on remote machine; try setting script-args=randomseed=abc for now\"\n else\n return false, string.format(\"Couldn't create the service on the remote machine: %s\", err)\n end\n end\n\n return true\nend\n\n---Create the list of parameters we're using to start the service. This consists\n-- of a few global params, then a group of parameters with options for each process\n-- that's going to be started.\n--\n--@param config The configuration table.\n--@return status true or false\n--@return params A table of parameters if status is true, or an error message if status is false.\nlocal function get_params(config)\n local count = 0\n\n -- Build the table of parameters to pass to the service\n local params = {}\n table.insert(params, config.path .. \"\\\\\" .. config.output_file)\n table.insert(params, config.path .. \"\\\\\" .. config.temp_output_file)\n table.insert(params, tostring(#config.enabled_modules))\n table.insert(params, \"0\")\n table.insert(params, config.key)\n table.insert(params, config.path)\n for _, mod in ipairs(config.enabled_modules) do\n if(mod.upload) then\n table.insert(params, config.path .. \"\\\\\" .. mod.upload_name .. \" \" .. (mod.args or \"\"))\n else\n table.insert(params, mod.program .. \" \" .. (mod.args or \"\"))\n end\n\n table.insert(params, (mod.env or \"\"))\n table.insert(params, tostring(mod.headless))\n table.insert(params, tostring(mod.include_stderr))\n table.insert(params, mod.outfile or \"\")\n end\n\n return true, params\nend\n\n---Start the service on the remote machine.\n--\n--@param host The host object.\n--@param config The configuration table.\n--@param params The parameters to pass to the service, likely from the <code>get_params</code> function.\n--@return status true or false\n--@return err An error message if status is false.\nlocal function start_service(host, config, params)\n local status, err = msrpc.service_start(host, config.service_name, params)\n if(status == false) then\n stdnse.debug1(\"Couldn't start the service: %s\", err)\n return false, string.format(\"Couldn't start the service on the remote machine: %s\", err)\n end\n\n return true\nend\n\n---Poll for the output file on the remote machine until either the file is created, or the timeout\n-- expires.\n--\n--@param host The host object.\n--@param config The configuration table.\n--@return status true or false\n--@return result The file if status is true, or an error message if status is false.\n\nlocal function get_output_file(host, config)\n stdnse.debug1(\"Waiting for output file to be created (timeout = %d seconds)\", config.timeout)\n local status, result\n\n local i = config.timeout\n while true do\n status, result = smb.file_read(host, config.share, \"\\\\\" .. config.output_file, nil, {file_create_disposition=1})\n\n if(not(status) and result ~= \"NT_STATUS_OBJECT_NAME_NOT_FOUND\") then\n -- An unexpected error occurred\n stdnse.debug1(\"Couldn't read the file: %s\", result)\n cleanup(host, config)\n\n return false, string.format(\"Couldn't read the file from the remote machine: %s\", result)\n end\n\n if(not(status) and result == \"NT_STATUS_OBJECT_NAME_NOT_FOUND\") then\n -- An expected error occurred; if this happens, we just wait\n if(i == 0) then\n stdnse.debug1(\"Error in remote service: output file was never created!\")\n cleanup(host, config)\n\n return false, \"Error in remote service: output file was never created\"\n end\n\n stdnse.debug1(\"Output file %s doesn't exist yet, waiting for %d more seconds\", config.output_file, i)\n stdnse.sleep(1)\n i = i - 1\n end\n\n if(status) then\n break\n end\n end\n\n return true, result\nend\n\n---Decide whether or not a line should be included in the output file, based on the module's\n-- find, remove, and noblank settings.\nlocal function should_be_included(mod, line)\n local removed, found\n\n -- Remove lines from the output, if the module requested it\n removed = false\n if(mod.remove and #mod.remove > 0) then\n -- Make a single string into a table to save code\n if(type(mod.remove) ~= 'table') then\n mod.remove = {mod.remove}\n end\n\n -- Loop through the module's find table to see if any of the lines match\n for _, remove in ipairs(mod.remove) do\n if(string.match(line, remove)) then\n removed = true\n break\n end\n end\n end\n\n -- Remove blank lines if we're supposed to\n if(mod.noblank and line == \"\") then\n removed = true\n end\n\n -- If the line wasn't removed, and we are searching for specific text, do the search\n found = false\n if(mod.find and #mod.find > 0 and not(removed)) then\n -- Make a single string a table to save duplicate code\n if(type(mod.find) ~= 'table') then\n mod.find = {mod.find}\n end\n\n -- Loop through the module's find table to see if any of the lines match\n for _, find in ipairs(mod.find) do\n if(string.match(line, find)) then\n found = true\n break\n end\n end\n else\n found = true\n end\n\n -- Only display the line if it's found and not removed\n return (found and not(removed))\nend\n\n---Alter a line based on the module's 'replace' setting.\nlocal function do_replacements(mod, line)\n if(mod.replace) then\n for _, v in pairs(mod.replace) do\n line = string.gsub(line, v[1], v[2])\n end\n end\n\n return line\nend\n\n---Parse the output file into a neat array.\nlocal function parse_output(config, data)\n -- Allow 'data' to be nil. This lets us skip most of the effort when all mods are disabled\n data = data or \"\"\n\n -- Split the result at newlines\n local lines = stringaux.strsplit(\"\\n\", data)\n\n local module_num = -1\n local mod = nil\n local result = nil\n\n -- Loop through the lines and parse them into the results table\n local results = {}\n for _, line in ipairs(lines) do\n if(line ~= \"\") then\n local this_module_num = tonumber(string.sub(line, 1, 1))\n\n -- Get the important part of the line\n line = string.sub(line, 2)\n\n -- Remove the Windows endline (0x0a) from the string (these are left in up to this point to maintain\n -- the ability to download binary files, if that ever comes up\n line = string.gsub(line, \"\\r\", \"\")\n\n -- If the module_number has changed, increment to the next module\n if(this_module_num ~= (module_num % 10)) then\n -- Increment our module number\n if(module_num < 0) then\n module_num = 0\n else\n module_num = module_num + 1\n end\n\n\n -- Go to the next module, and make sure it exists\n mod = config.enabled_modules[module_num + 1]\n if(mod == nil) then\n stdnse.debug1(\"Server's response wasn't formatted properly (mod %d); if you can reproduce, place report to dev@nmap.org\", module_num)\n stdnse.debug1(\"--\\n\" .. string.gsub(\"%%\", \"%%\", data) .. \"\\n--\")\n return false, \"Server's response wasn't formatted properly; if you can reproduce, place report to dev@nmap.org\"\n end\n\n -- Save this result\n if(result ~= nil) then\n table.insert(results, result)\n end\n result = {}\n result['name'] = \"<no name>\"\n result['lines'] = {}\n\n if(mod.name) then\n result['name'] = mod.name\n else\n result['name'] = string.format(\"'%s %s;\", mod.program, (mod.args or \"\"))\n end\n end\n\n\n local include = should_be_included(mod, line)\n\n -- If we're including it, do the replacements\n if(include) then\n line = do_replacements(mod, line)\n table.insert(result, line)\n end\n end\n end\n\n table.insert(results, result)\n\n -- Loop through the disabled modules and print them out\n for _, mod in ipairs(config.disabled_modules) do\n local result = {}\n result['name'] = mod.name\n if(mod.disabled_message == nil) then\n mod.disabled_message = {\"No reason for disabling the module was found\"}\n end\n\n if(type(mod.disabled_message) == 'string') then\n mod.disabled_message = {mod.disabled_message}\n end\n\n for _, message in ipairs(mod.disabled_message) do\n table.insert(result, \"WARNING: \" .. message)\n end\n\n table.insert(results, result)\n end\n\n return true, results\nend\n\naction = function(host)\n local status, result, err\n local key\n\n local i\n\n local params\n\n local config = {}\n local files\n\n -- First check for nmap_service.exe; we can't do anything without it.\n stdnse.debug1(\"Looking for the service file: nmap_service or nmap_service.exe\")\n config.local_service_file = locate_file(\"nmap_service\", \"exe\")\n if (config.local_service_file == nil) then\n if nmap.verbosity() > 0 then\n return string.format([[\nCan't find the service file: nmap_service.exe (or nmap_service).\nDue to false positives in antivirus software, this module is no\nlonger included by default. Please download it from\n%s\nand place it in nselib/data/psexec/ under the Nmap DATADIR.\n]], NMAP_SERVICE_EXE_DOWNLOAD)\n else\n return\n end\n end\n\n -- Parse the configuration file\n status, config = get_config(host, config)\n if(not(status)) then\n return stdnse.format_output(false, config)\n end\n\n if(#config.enabled_modules > 0) then\n -- Start by cleaning up, just in case.\n cleanup(host, config)\n\n -- If the user just wanted a cleanup, do it\n if(stdnse.get_script_args( \"cleanup\" )) then\n return stdnse.format_output(true, \"Cleanup complete.\")\n end\n\n -- Check if any of the files exist\n status, result, files = smb.files_exist(host, config.share, config.all_files, {})\n if(not(status)) then\n return stdnse.format_output(false, \"Couldn't log in to check for remote files: \" .. result)\n end\n if(result > 0) then\n local response = {}\n table.insert(response, \"One or more output files already exist on the host, and couldn't be removed. Try:\")\n table.insert(response, \"* Running the script with --script-args=cleanup=1 to force a cleanup (passing -d and looking for error messages might help),\")\n table.insert(response, \"* Running the script with --script-args=randomseed=ABCD (or something) to change the name of the uploaded files,\")\n table.insert(response, \"* Changing the share and path using, for example, --script-args=share=C$,sharepath=C:, or\")\n table.insert(response, \"* Deleting the affected file(s) off the server manually (\\\\\\\\\" .. config.share .. \"\\\\\" .. table.concat(files, \", \\\\\\\\\" .. config.share .. \"\\\\\") .. \")\")\n return stdnse.format_output(false, response)\n end\n\n -- Upload the modules\n status, err = upload_everything(host, config)\n if(not(status)) then\n cleanup(host, config)\n return stdnse.format_output(false, err)\n end\n\n -- Create the service\n status, err = create_service(host, config)\n if(not(status)) then\n cleanup(host, config)\n return stdnse.format_output(false, err)\n end\n\n -- Get the table of parameters to pass to the service when we start it\n status, params = get_params(config)\n if(not(status)) then\n cleanup(host, config)\n return stdnse.format_output(false, params)\n end\n\n -- Start the service\n status, params = start_service(host, config, params)\n if(not(status)) then\n cleanup(host, config)\n return stdnse.format_output(false, params)\n end\n\n -- Get the result\n status, result = get_output_file(host, config, config.share)\n if(not(status)) then\n cleanup(host, config)\n return stdnse.format_output(false, result)\n end\n\n -- Do a final cleanup\n cleanup(host, config)\n\n -- Uncipher the file\n result = cipher(result, config)\n end\n\n -- Build the output into a nice table\n local response\n status, response = parse_output(config, result)\n if(status == false) then\n return stdnse.format_output(false, \"Couldn't parse output: \" .. response)\n end\n\n -- Add a warning if nothing was enabled\n if(#config.enabled_modules == 0) then\n if(#response == 0) then\n response = {\"No modules were enabled! Please check your configuration file.\"}\n else\n table.insert(response, \"No modules were enabled! Please fix any errors displayed above, or check your configuration file.\")\n end\n end\n\n -- Return the string\n return stdnse.format_output(true, response)\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:37:22", "description": "Extracts information from a Quake3 game server and other games which use the same protocol.\n\n## Example Usage \n \n \n nmap -sU -sV -Pn --script quake3-info.nse -p <port> <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE VERSION\n 27960/udp open quake3 Quake 3 dedicated server\n | quake3-info:\n | PLAYERS:\n | 1. cyberix (frags: 0/20, ping: 4)\n | BASIC OPTIONS:\n | capturelimit: 8\n | dmflags: 0\n | elimflags: 0\n | fraglimit: 20\n | gamename: baseoa\n | mapname: oa_dm1\n | protocol: 71\n | timelimit: 0\n | version: ioq3 1.36+svn1933-1/Ubuntu linux-x86_64 Apr 4 2011\n | videoflags: 7\n | voteflags: 767\n | OTHER OPTIONS:\n | bot_minplayers: 0\n | elimination_roundtime: 120\n | g_allowVote: 1\n | g_altExcellent: 0\n | g_delagHitscan: 0\n | g_doWarmup: 0\n | g_enableBreath: 0\n | g_enableDust: 0\n | g_gametype: 0\n | g_instantgib: 0\n | g_lms_mode: 0\n | g_maxGameClients: 0\n | g_needpass: 0\n | g_obeliskRespawnDelay: 10\n | g_rockets: 0\n | g_voteGametypes: /0/1/3/4/5/6/7/8/9/10/11/12/\n | g_voteMaxFraglimit: 0\n | g_voteMaxTimelimit: 0\n | g_voteMinFraglimit: 0\n | g_voteMinTimelimit: 0\n | sv_allowDownload: 0\n | sv_floodProtect: 1\n | sv_hostname: noname\n | sv_maxPing: 0\n | sv_maxRate: 0\n | sv_maxclients: 8\n | sv_minPing: 0\n | sv_minRate: 0\n |_ sv_privateClients: 0\n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [stringaux](<../lib/stringaux.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-09-21T22:49:59", "type": "nmap", "title": "quake3-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:QUAKE3-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/quake3-info.html", "sourceData": "local comm = require \"comm\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal stringaux = require \"stringaux\"\nlocal table = require \"table\"\n\ndescription = [[\nExtracts information from a Quake3 game server and other games which use the same protocol.\n]]\n\n---\n-- @usage\n-- nmap -sU -sV -Pn --script quake3-info.nse -p <port> <target>\n--\n-- @output\n-- PORT STATE SERVICE VERSION\n-- 27960/udp open quake3 Quake 3 dedicated server\n-- | quake3-info:\n-- | PLAYERS:\n-- | 1. cyberix (frags: 0/20, ping: 4)\n-- | BASIC OPTIONS:\n-- | capturelimit: 8\n-- | dmflags: 0\n-- | elimflags: 0\n-- | fraglimit: 20\n-- | gamename: baseoa\n-- | mapname: oa_dm1\n-- | protocol: 71\n-- | timelimit: 0\n-- | version: ioq3 1.36+svn1933-1/Ubuntu linux-x86_64 Apr 4 2011\n-- | videoflags: 7\n-- | voteflags: 767\n-- | OTHER OPTIONS:\n-- | bot_minplayers: 0\n-- | elimination_roundtime: 120\n-- | g_allowVote: 1\n-- | g_altExcellent: 0\n-- | g_delagHitscan: 0\n-- | g_doWarmup: 0\n-- | g_enableBreath: 0\n-- | g_enableDust: 0\n-- | g_gametype: 0\n-- | g_instantgib: 0\n-- | g_lms_mode: 0\n-- | g_maxGameClients: 0\n-- | g_needpass: 0\n-- | g_obeliskRespawnDelay: 10\n-- | g_rockets: 0\n-- | g_voteGametypes: /0/1/3/4/5/6/7/8/9/10/11/12/\n-- | g_voteMaxFraglimit: 0\n-- | g_voteMaxTimelimit: 0\n-- | g_voteMinFraglimit: 0\n-- | g_voteMinTimelimit: 0\n-- | sv_allowDownload: 0\n-- | sv_floodProtect: 1\n-- | sv_hostname: noname\n-- | sv_maxPing: 0\n-- | sv_maxRate: 0\n-- | sv_maxclients: 8\n-- | sv_minPing: 0\n-- | sv_minRate: 0\n-- |_ sv_privateClients: 0\n\nauthor = \"Toni Ruottu\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\", \"version\"}\n\n\nlocal function range(first, last)\n local list = {}\n for i = first, last do\n table.insert(list, i)\n end\n return list\nend\n\nportrule = shortport.version_port_or_service(range(27960, 27970), {'quake3'}, 'udp')\n\nlocal function parsefields(data)\n local fields = {}\n local parts = stringaux.strsplit(\"\\\\\", data)\n local nullprefix = table.remove(parts, 1)\n if nullprefix ~= \"\" then\n stdnse.debug2(\"unrecognized field format, skipping options\")\n return {}\n end\n for i = 1, #parts, 2 do\n local key = parts[i]\n local value = parts[i + 1]\n fields[key] = value\n end\n return fields\nend\n\nlocal function parsename(data)\n local parts = stringaux.strsplit('\"', data)\n if #parts ~= 3 then\n return nil\n end\n local e1 = parts[1]\n local name = parts[2]\n local e2 = parts[3]\n local extra = e1 .. e2\n if extra ~= \"\" then\n return nil\n end\n return name\nend\n\nlocal function parseplayer(data)\n local parts = stringaux.strsplit(\" \", data)\n if #parts < 3 then\n stdnse.debug2(\"player info line is missing elements, skipping a player\")\n return nil\n end\n if #parts > 3 then\n stdnse.debug2(\"player info line has unknown elements, skipping a player\")\n return nil\n end\n local player = {}\n player.frags = parts[1]\n player.ping = parts[2]\n player.name = parsename(parts[3])\n if player.name == nil then\n stdnse.debug2(\"invalid player name serialization, skipping a player\")\n return nil\n end\n return player\nend\n\nlocal function parseplayers(data)\n local players = {}\n for _, p in ipairs(data) do\n local player = parseplayer(p)\n if player then\n table.insert(players, player)\n end\n end\n return players\nend\n\nlocal function is_leader(a, b)\n local collide = a.name == b.name\n local even = a.frags == b.frags\n local leads = a.frags > b.frags\n local alphab = a.name > b.name\n local faster = a.ping > b.ping\n return leads or (even and alphab) or (even and collide and faster)\nend\n\nlocal function formatplayers(players, fraglimit)\n table.sort(players, is_leader)\n local printable = {}\n for i, player in ipairs(players) do\n local name = player.name\n local ping = player.ping\n local frags = player.frags\n if fraglimit then\n frags = string.format(\"%s/%s\", frags, fraglimit)\n end\n table.insert(printable, string.format(\"%d. %s (frags: %s, ping: %s)\", i, name, frags, ping))\n end\n printable[\"name\"] = \"PLAYERS:\"\n return printable\nend\n\nlocal function formatfields(fields, title)\n local printable = {}\n for key, value in pairs(fields) do\n local kv = string.format(\"%s: %s\", key, value)\n table.insert(printable, kv)\n end\n table.sort(printable)\n printable[\"name\"] = title\n return printable\nend\n\nlocal function assorted(fields)\n local basic = {}\n local other = {}\n for key, value in pairs(fields) do\n if string.find(key, \"_\") == nil then\n basic[key] = value\n else\n other[key] = value\n end\n end\n return basic, other\nend\n\naction = function(host, port)\n local GETSTATUS = \"\\xff\\xff\\xff\\xffgetstatus\\n\"\n local STATUSRESP = \"\\xff\\xff\\xff\\xffstatusResponse\"\n\n local status, data = comm.exchange(host, port, GETSTATUS, {[\"proto\"] = \"udp\"})\n if not status then\n return\n end\n local parts = stringaux.strsplit(\"\\n\", data)\n local header = table.remove(parts, 1)\n if header ~= STATUSRESP then\n return\n end\n if #parts < 2 then\n stdnse.debug2(\"incomplete status response, script abort\")\n return\n end\n local nullend = table.remove(parts)\n if nullend ~= \"\" then\n stdnse.debug2(\"missing terminating endline, script abort\")\n return\n end\n local field_data = table.remove(parts, 1)\n local player_data = parts\n\n local fields = parsefields(field_data)\n local players = parseplayers(player_data)\n\n local basic, other = assorted(fields)\n\n -- Previously observed version strings:\n -- \"tremulous 1.1.0 linux-x86_64 Aug \u00a05 2010\"\n -- \"ioq3 1.36+svn1933-1/Ubuntu linux-x86_64 Apr \u00a04 2011\"\n local versionline = basic[\"version\"]\n if versionline then\n local fields = stringaux.strsplit(\" \", versionline)\n local product = fields[1]\n local version = fields[2]\n local osline = fields[3]\n port.version.name = \"quake3\"\n port.version.product = product\n port.version.version = version\n if string.find(osline, \"linux\") then\n port.version.ostype = \"Linux\"\n end\n if string.find(osline, \"win\") then\n port.version.ostype = \"Windows\"\n end\n nmap.set_port_version(host, port)\n end\n\n local fraglimit = fields[\"fraglimit\"]\n if not fraglimit then\n fraglimit = \"?\"\n end\n\n local response = {}\n table.insert(response, formatplayers(players, fraglimit))\n table.insert(response, formatfields(basic, \"BASIC OPTIONS:\"))\n if nmap.verbosity() > 0 then\n table.insert(response, formatfields(other, \"OTHER OPTIONS:\"))\n end\n return stdnse.format_output(true, response)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:18", "description": "Lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan.\n\n## Script Arguments \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sV -sC <target>\n\n## Script Output \n \n \n | creds-summary:\n | 10.10.10.10\n | 22/ssh\n | lisbon:jane - Account is valid\n | 10.10.10.20\n | 21/ftp\n | jane:redjohn - Account is locked\n | 22/ssh\n | cho:secret11 - Account is valid\n | 23/telnet\n | rigsby:pelt - Account is valid\n | pelt:rigsby - Password needs to be changed at next logon\n | 80/http\n | lisbon:jane - Account is valid\n | jane:redjohn - Account is locked\n |_ cho:secret11 - Account is valid\n\n## Requires \n\n * [creds](<../lib/creds.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-06-27T21:21:15", "type": "nmap", "title": "creds-summary NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:CREDS-SUMMARY.NSE", "href": "https://nmap.org/nsedoc/scripts/creds-summary.html", "sourceData": "local creds = require \"creds\"\n\ndescription = [[\nLists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan.\n]]\n\n---\n--@output\n-- | creds-summary:\n-- | 10.10.10.10\n-- | 22/ssh\n-- | lisbon:jane - Account is valid\n-- | 10.10.10.20\n-- | 21/ftp\n-- | jane:redjohn - Account is locked\n-- | 22/ssh\n-- | cho:secret11 - Account is valid\n-- | 23/telnet\n-- | rigsby:pelt - Account is valid\n-- | pelt:rigsby - Password needs to be changed at next logon\n-- | 80/http\n-- | lisbon:jane - Account is valid\n-- | jane:redjohn - Account is locked\n-- |_ cho:secret11 - Account is valid\n\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"auth\", \"default\", \"safe\"}\n\n\npostrule = function()\n local all = creds.Credentials:new(creds.ALL_DATA)\n local tab = all:getTable()\n if ( tab and next(tab) ) then return true end\nend\n\naction = function()\n local all = creds.Credentials:new(creds.ALL_DATA)\n return all:getTable()\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:25", "description": "Gathers information from an IRC server. \n\nIt uses STATS, LUSERS, and other queries to obtain this information.\n\n## Example Usage \n \n \n nmap -sV -sC <target>\n\n## Script Output \n \n \n 6665/tcp open irc\n | irc-info:\n | server: asimov.freenode.net\n | version: ircd-seven-1.1.3(20111112-b71671d1e846,charybdis-3.4-dev). asimov.freenode.net\n | servers: 31\n | ops: 36\n | chans: 48636\n | users: 84883\n | lservers: 1\n | lusers: 4350\n | uptime: 511 days, 23:02:29\n | source host: source.example.com\n |_ source ident: NONE or BLOCKED\n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [nmap](<../lib/nmap.html>)\n * [math](<>)\n * [irc](<../lib/irc.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [rand](<../lib/rand.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2008-11-06T02:52:59", "type": "nmap", "title": "irc-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-08T17:07:06", "id": "NMAP:IRC-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/irc-info.html", "sourceData": "local comm = require \"comm\"\nlocal nmap = require \"nmap\"\nlocal math = require \"math\"\nlocal irc = require \"irc\"\nlocal stdnse = require \"stdnse\"\nlocal rand = require \"rand\"\n\ndescription = [[\nGathers information from an IRC server.\n\nIt uses STATS, LUSERS, and other queries to obtain this information.\n]]\n\n---\n-- @output\n-- 6665/tcp open irc\n-- | irc-info:\n-- | server: asimov.freenode.net\n-- | version: ircd-seven-1.1.3(20111112-b71671d1e846,charybdis-3.4-dev). asimov.freenode.net\n-- | servers: 31\n-- | ops: 36\n-- | chans: 48636\n-- | users: 84883\n-- | lservers: 1\n-- | lusers: 4350\n-- | uptime: 511 days, 23:02:29\n-- | source host: source.example.com\n-- |_ source ident: NONE or BLOCKED\n--@xmloutput\n-- <elem key=\"server\">asimov.freenode.net</elem>\n-- <elem key=\"version\">ircd-seven-1.1.3(20111112-b71671d1e846,charybdis-3.4-dev). asimov.freenode.net </elem>\n-- <elem key=\"servers\">31</elem>\n-- <elem key=\"ops\">36</elem>\n-- <elem key=\"chans\">48636</elem>\n-- <elem key=\"users\">84883</elem>\n-- <elem key=\"lservers\">1</elem>\n-- <elem key=\"lusers\">4350</elem>\n-- <elem key=\"uptime\">511 days, 23:02:29</elem>\n-- <elem key=\"source host\">source.example.com</elem>\n-- <elem key=\"source ident\">NONE or BLOCKED</elem>\n\nauthor = {\"Doug Hoyte\", \"Patrick Donnelly\"}\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"default\", \"discovery\", \"safe\"}\n\nportrule = irc.portrule\n\nlocal banner_timeout = 60\n\nfunction action (host, port)\n local nick = rand.random_alpha(9)\n\n local output = stdnse.output_table()\n\n local sd, line = comm.tryssl(host, port,\n (\"USER nmap +iw nmap :Nmap Wuz Here\\nNICK %s\\n\"):format(nick),\n {request_timeout=6000})\n if not sd then return \"Unable to open connection\" end\n\n local buf = stdnse.make_buffer(sd, \"\\r?\\n\")\n\n while line do\n stdnse.debug2(\"%s\", line)\n\n -- This one lets us know we've connected, pre-PONGed, and got a NICK\n -- Start of MOTD, we'll take the server name from here\n local info = line:match \"^:([%w-_.]+) 375\"\n if info then\n output.server = info\n sd:send(\"LUSERS\\nVERSION\\nSTATS u\\nWHO \" .. nick .. \"\\nQUIT\\n\")\n end\n\n -- MOTD could be missing, we want to handle that scenario as well\n info = line:match \"^:([%w-_.]+) 422\"\n if info then\n output.server = info\n sd:send(\"LUSERS\\nVERSION\\nSTATS u\\nWHO \" .. nick .. \"\\nQUIT\\n\")\n end\n\n -- NICK already in use\n info = line:match \"^:([%w-_.]+) 433\"\n if info then\n nick = rand.random_alpha(9)\n sd:send(\"NICK \" .. nick .. \"\\n\")\n end\n\n -- PING/PONG\n local dummy = line:match \"^PING :(.*)\"\n if dummy then\n sd:send(\"PONG :\" .. dummy .. \"\\n\")\n end\n\n -- Server version info\n info = line:match \"^:[%w-_.]+ 351 %w+ ([^:]+)\"\n if info then\n output.version = info\n end\n\n -- Various bits of info\n local users, invisible, servers = line:match \"^:[%w-_.]+ 251 %w+ :There are (%d+) users and (%d+) invisible on (%d+) servers\"\n if users then\n output.users = math.tointeger(users + invisible)\n output.servers = servers\n end\n\n local users, servers = line:match \"^:[%w-_.]+ 251 %w+ :There are (%d+) users and %d+ services on (%d+) servers\"\n if users then\n output.users = users\n output.servers = servers\n end\n\n info = line:match \"^:[%w-_.]+ 252 %w+ (%d+) :\"\n if info then\n output.ops = info\n end\n\n info = line:match \"^:[%w-_.]+ 254 %w+ (%d+) :\"\n if info then\n output.chans = info\n end\n\n -- efnet\n local clients, servers = line:match \"^:[%w-_.]+ 255 %w+ :I have (%d+) clients and (%d+) server\"\n if clients then\n output.lusers = clients\n output.lservers = servers\n end\n\n -- ircnet\n local clients, servers = line:match \"^:[%w-_.]+ 255 %w+ :I have (%d+) users, %d+ services and (%d+) server\"\n if clients then\n output.lusers = clients\n output.lservers = servers\n end\n\n local uptime = line:match \"^:[%w-_.]+ 242 %w+ :Server Up (%d+ days, [%d:]+)\"\n if uptime then\n output.uptime = uptime\n end\n\n local ident, host = line:match \"^:[%w-_.]+ 352 %w+ %S+ (%S+) ([%w-_.]+)\"\n if ident then\n if ident:find \"^~\" then\n output[\"source ident\"] = \"NONE or BLOCKED\"\n else\n output[\"source ident\"] = ident\n end\n output[\"source host\"] = host\n end\n\n local err = line:match \"^ERROR :(.*)\"\n if err then\n output.error = err\n end\n\n line = buf()\n end\n\n if output.server then\n return output\n else\n return nil\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:15", "description": "Lists printers managed by the CUPS printing service.\n\n## Script Arguments \n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 631 <ip> --script cups-info\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 631/tcp open ipp\n | cups-info:\n | Generic-PostScript-Printer\n | DNS-SD Name: Lexmark S300-S400 Series @ ubu1110\n | Location:\n | Model: Local Raw Printer\n | State: Processing\n | Queue: 0 print jobs\n | Lexmark-S300-S400-Series\n | DNS-SD Name: Lexmark S300-S400 Series @ ubu1110\n | Location:\n | Model: Local Raw Printer\n | State: Stopped\n | Queue: 0 print jobs\n | PDF\n | DNS-SD Name: PDF @ ubu1110\n | Location:\n | Model: Generic CUPS-PDF Printer\n | State: Idle\n |_ Queue: 0 print jobs\n \n\n## Requires \n\n * [ipp](<../lib/ipp.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-04-17T19:37:22", "type": "nmap", "title": "cups-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-06-13T22:54:24", "id": "NMAP:CUPS-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/cups-info.html", "sourceData": "local ipp = require \"ipp\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nLists printers managed by the CUPS printing service.\n]]\n\n---\n-- @usage\n-- nmap -p 631 <ip> --script cups-info\n--\n-- @output\n-- PORT STATE SERVICE\n-- 631/tcp open ipp\n-- | cups-info:\n-- | Generic-PostScript-Printer\n-- | DNS-SD Name: Lexmark S300-S400 Series @ ubu1110\n-- | Location:\n-- | Model: Local Raw Printer\n-- | State: Processing\n-- | Queue: 0 print jobs\n-- | Lexmark-S300-S400-Series\n-- | DNS-SD Name: Lexmark S300-S400 Series @ ubu1110\n-- | Location:\n-- | Model: Local Raw Printer\n-- | State: Stopped\n-- | Queue: 0 print jobs\n-- | PDF\n-- | DNS-SD Name: PDF @ ubu1110\n-- | Location:\n-- | Model: Generic CUPS-PDF Printer\n-- | State: Idle\n-- |_ Queue: 0 print jobs\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\", \"discovery\"}\n\n\nportrule = shortport.port_or_service(631, \"ipp\", \"tcp\", \"open\")\n\nlocal verbose_states = {\n [ipp.IPP.PrinterState.IPP_PRINTER_IDLE] = \"Idle\",\n [ipp.IPP.PrinterState.IPP_PRINTER_PROCESSING] = \"Processing\",\n [ipp.IPP.PrinterState.IPP_PRINTER_STOPPED] = \"Stopped\",\n }\n\naction = function(host, port)\n\n local helper = ipp.Helper:new(host, port)\n if ( not(helper:connect()) ) then\n return stdnse.format_output(false, \"Failed to connect to server\")\n end\n\n local status, printers = helper:getPrinters()\n if ( not(status) ) then\n return\n end\n\n local output = {}\n for _, printer in ipairs(printers) do\n table.insert(output, {\n name = printer.name,\n (\"DNS-SD Name: %s\"):format(printer.dns_sd_name or \"\"),\n (\"Location: %s\"):format(printer.location or \"\"),\n (\"Model: %s\"):format(printer.model or \"\"),\n (\"State: %s\"):format(verbose_states[printer.state] or \"\"),\n (\"Queue: %s print jobs\"):format(tonumber(printer.queue_count) or 0),\n } )\n end\n\n if ( 0 ~= #output ) then\n return stdnse.format_output(true, output)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:42:43", "description": "Exploits the Max-Forwards HTTP header to detect the presence of reverse proxies. \n\nThe script works by sending HTTP requests with values of the Max-Forwards HTTP header varying from 0 to 2 and checking for any anomalies in certain response values such as the status code, Server, Content-Type and Content-Length HTTP headers and body values such as the HTML title. \n\nBased on the work of: \n\n * Nicolas Gregoire (nicolas.gregoire@agarri.fr) \n * Julien Cayssol (tools@aqwz.com) \n\nFor more information, see: \n\n * <http://www.agarri.fr/kom/archives/2011/11/12/traceroute-like_http_scanner/index.html>\n\n## Script Arguments \n\n#### http-traceroute.path \n\nThe path to send requests to. Defaults to `/`.\n\n#### http-traceroute.method \n\nHTTP request method to use. Defaults to `GET`. Among other values, TRACE is probably the most interesting.\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script=http-traceroute <targets>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 80/tcp open http syn-ack\n | http-traceroute:\n | HTML title\n | Hop #1: Twitter / Over capacity\n | Hop #2: t.co / Twitter\n | Hop #3: t.co / Twitter\n | Status Code\n | Hop #1: 502\n | Hop #2: 200\n | Hop #3: 200\n | server\n | Hop #1: Apache\n | Hop #2: hi\n | Hop #3: hi\n | content-type\n | Hop #1: text/html; charset=UTF-8\n | Hop #2: text/html; charset=utf-8\n | Hop #3: text/html; charset=utf-8\n | content-length\n | Hop #1: 4833\n | Hop #2: 3280\n | Hop #3: 3280\n | last-modified\n | Hop #1: Thu, 05 Apr 2012 00:19:40 GMT\n | Hop #2\n |_ Hop #3\n\n## Requires \n\n * [http](<../lib/http.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-05-20T15:42:33", "type": "nmap", "title": "http-traceroute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:HTTP-TRACEROUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/http-traceroute.html", "sourceData": "local http = require \"http\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nExploits the Max-Forwards HTTP header to detect the presence of reverse proxies.\n\nThe script works by sending HTTP requests with values of the Max-Forwards HTTP\nheader varying from 0 to 2 and checking for any anomalies in certain response\nvalues such as the status code, Server, Content-Type and Content-Length HTTP\nheaders and body values such as the HTML title.\n\nBased on the work of:\n* Nicolas Gregoire (nicolas.gregoire@agarri.fr)\n* Julien Cayssol (tools@aqwz.com)\n\nFor more information, see:\n* http://www.agarri.fr/kom/archives/2011/11/12/traceroute-like_http_scanner/index.html\n]]\n\n---\n-- @args http-traceroute.path The path to send requests to. Defaults to <code>/</code>.\n-- @args http-traceroute.method HTTP request method to use. Defaults to <code>GET</code>.\n-- Among other values, TRACE is probably the most interesting.\n--\n-- @usage\n-- nmap --script=http-traceroute <targets>\n--\n--@output\n-- PORT STATE SERVICE REASON\n-- 80/tcp open http syn-ack\n-- | http-traceroute:\n-- | HTML title\n-- | Hop #1: Twitter / Over capacity\n-- | Hop #2: t.co / Twitter\n-- | Hop #3: t.co / Twitter\n-- | Status Code\n-- | Hop #1: 502\n-- | Hop #2: 200\n-- | Hop #3: 200\n-- | server\n-- | Hop #1: Apache\n-- | Hop #2: hi\n-- | Hop #3: hi\n-- | content-type\n-- | Hop #1: text/html; charset=UTF-8\n-- | Hop #2: text/html; charset=utf-8\n-- | Hop #3: text/html; charset=utf-8\n-- | content-length\n-- | Hop #1: 4833\n-- | Hop #2: 3280\n-- | Hop #3: 3280\n-- | last-modified\n-- | Hop #1: Thu, 05 Apr 2012 00:19:40 GMT\n-- | Hop #2\n-- |_ Hop #3\n\nauthor = \"Hani Benhabiles\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = shortport.service(\"http\")\n\n--- Attempts to extract the html title\n-- from an HTTP response body.\n--@param responsebody Response's body.\nlocal function extract_title (responsebody)\n return responsebody:match \"<title>(.-)</title>\"\nend\n\n--- Attempts to extract the X-Forwarded-For header\n-- from an HTTP response body in case of TRACE requests.\n--@param responsebody Response's body.\nlocal function extract_xfwd (responsebody)\n return responsebody:match \"X-Forwarded-For: [^\\r\\n]*\"\nend\n\n--- Check for differences in response headers, status code\n-- and html title between responses.\n--@param responses Responses to compare.\n--@param method Used HTTP method.\nlocal compare_responses = function(responses, method)\n local response, key\n local results = {}\n local result = {}\n local titles = {}\n local interesting_headers = {\n 'server',\n 'via',\n 'x-via',\n 'x-forwarded-for',\n 'content-type',\n 'content-length',\n 'last-modified',\n 'location',\n }\n\n -- Check page title\n for key,response in pairs(responses) do\n titles[key] = extract_title(response.body)\n end\n if titles[1] ~= titles[2] or\n titles[1] ~= titles[3] then\n\n table.insert(results, 'HTML title')\n for key,response in pairs(responses) do\n table.insert(result, \"Hop #\" .. key .. \": \" .. titles[key])\n end\n table.insert(results, result)\n end\n\n -- Check status code\n if responses[1].status == 502 or\n responses[1].status == 483 or\n responses[1].status ~= responses[2].status or\n responses[1].status ~= responses[3].status then\n\n result = {}\n table.insert(results, 'Status Code')\n for key,response in pairs(responses) do\n table.insert(result, \"Hop #\" .. key .. \": \" .. tostring(response.status))\n end\n table.insert(results, result)\n end\n\n -- Check headers\n for _,header in pairs(interesting_headers) do\n -- Compare header of different responses\n if responses[1].header[header] ~= responses[2].header[header] or\n responses[1].header[header] ~= responses[3].header[header] then\n\n result = {}\n table.insert(results, header)\n for key,response in pairs(responses) do\n if response.header[header] ~= nil then\n table.insert(result, \"Hop #\" .. key .. \": \" .. tostring(response.header[header]))\n else\n table.insert(result, \"Hop #\" .. key)\n end\n end\n table.insert(results, result)\n end\n end\n\n -- Check for X-Forwarded-For in the response body\n -- when using TRACE method\n if method == \"TRACE\" then\n local xfwd = extract_xfwd(responses[1].body)\n if xfwd ~= nil then\n table.insert(results, xfwd)\n end\n end\n\n return results\nend\n\naction = function(host, port)\n local path = stdnse.get_script_args(SCRIPT_NAME .. '.path') or \"/\"\n local method = stdnse.get_script_args(SCRIPT_NAME .. '.method') or \"GET\"\n local responses = {}\n local detected = \"Possible reverse proxy detected.\"\n\n for i = 0,2 do\n local response = http.generic_request(host, port, method, path, { ['header'] = { ['Max-Forwards'] = i }, ['no_cache'] = true})\n table.insert(responses, response)\n end\n\n -- Check results\n local results = compare_responses(responses, method)\n if results ~= nil and nmap.verbosity() == 1 then\n return stdnse.format_output(true,detected)\n else\n return stdnse.format_output(true,results)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:40:54", "description": "Lists remote file systems by querying the remote device using the Network Data Management Protocol (ndmp). NDMP is a protocol intended to transport data between a NAS device and the backup device, removing the need for the data to pass through the backup server. The following products are known to support the protocol: \n\n * Amanda \n * Bacula \n * CA Arcserve \n * CommVault Simpana \n * EMC Networker \n * Hitachi Data Systems \n * IBM Tivoli \n * Quest Software Netvault Backup \n * Symantec Netbackup \n * Symantec Backup Exec\n\n## Example Usage \n \n \n nmap -p 10000 --script ndmp-fs-info <ip>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON VERSION\n 10000/tcp open ndmp syn-ack Symantec/Veritas Backup Exec ndmp\n | ndmp-fs-info:\n | FS Logical device Physical device\n | NTFS C: Device0000\n | NTFS E: Device0000\n | UNKNOWN Shadow Copy Components Device0000\n |_UNKNOWN System State Device0000\n \n \n\n## Requires \n\n * [ndmp](<../lib/ndmp.html>)\n * [shortport](<../lib/shortport.html>)\n * [tab](<../lib/tab.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-02-19T14:56:17", "type": "nmap", "title": "ndmp-fs-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-07-28T16:06:18", "id": "NMAP:NDMP-FS-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/ndmp-fs-info.html", "sourceData": "local ndmp = require \"ndmp\"\nlocal shortport = require \"shortport\"\nlocal tab = require \"tab\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nLists remote file systems by querying the remote device using the Network\nData Management Protocol (ndmp). NDMP is a protocol intended to transport\ndata between a NAS device and the backup device, removing the need for the\ndata to pass through the backup server. The following products are known\nto support the protocol:\n* Amanda\n* Bacula\n* CA Arcserve\n* CommVault Simpana\n* EMC Networker\n* Hitachi Data Systems\n* IBM Tivoli\n* Quest Software Netvault Backup\n* Symantec Netbackup\n* Symantec Backup Exec\n]]\n\n---\n-- @usage\n-- nmap -p 10000 --script ndmp-fs-info <ip>\n--\n-- @output\n-- PORT STATE SERVICE REASON VERSION\n-- 10000/tcp open ndmp syn-ack Symantec/Veritas Backup Exec ndmp\n-- | ndmp-fs-info:\n-- | FS Logical device Physical device\n-- | NTFS C: Device0000\n-- | NTFS E: Device0000\n-- | UNKNOWN Shadow Copy Components Device0000\n-- |_UNKNOWN System State Device0000\n--\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = shortport.port_or_service(10000, \"ndmp\", \"tcp\")\n\nlocal function fail(err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n\n local helper = ndmp.Helper:new(host, port)\n local status, msg = helper:connect()\n if ( not(status) ) then return fail(\"Failed to connect to server\") end\n\n status, msg = helper:getFsInfo()\n if ( not(status) ) then return fail(\"Failed to get filesystem information from server\") end\n if ( msg.header.error == ndmp.NDMP.ErrorType.NOT_AUTHORIZED_ERROR ) then return fail(\"Not authorized to get filesystem information from server\") end\n helper:close()\n\n local result = tab.new(3)\n tab.addrow(result, \"FS\", \"Logical device\", \"Physical device\")\n\n for _, item in ipairs(msg.fsinfo) do\n if ( item.fs_logical_device and #item.fs_logical_device ~= 0 ) then\n if ( item and item.fs_type and item.fs_logical_device and item.fs_physical_device ) then\n tab.addrow(result, item.fs_type, item.fs_logical_device:gsub(\"?\", \" \"), item.fs_physical_device)\n end\n end\n end\n\n return \"\\n\" .. tab.dump(result)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:34:21", "description": "Attempts to enumerate Windows user accounts through SNMP\n\n## Script Arguments \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### snmp.version \n\nSee the documentation for the [snmp](<../lib/snmp.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sU -p 161 --script=snmp-win32-users <target>\n\n## Script Output \n \n \n | snmp-win32-users:\n | Administrator\n | Guest\n | IUSR_EDUSRV011\n | IWAM_EDUSRV011\n | SUPPORT_388945a0\n | Tomcat\n | db2admin\n | ldaptest\n |_ patrik\n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [snmp](<../lib/snmp.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-02-16T09:15:38", "type": "nmap", "title": "snmp-win32-users NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-07-27T03:32:27", "id": "NMAP:SNMP-WIN32-USERS.NSE", "href": "https://nmap.org/nsedoc/scripts/snmp-win32-users.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal snmp = require \"snmp\"\nlocal table = require \"table\"\n\ndescription = [[\nAttempts to enumerate Windows user accounts through SNMP\n]]\n\n---\n-- @usage\n-- nmap -sU -p 161 --script=snmp-win32-users <target>\n-- @output\n-- | snmp-win32-users:\n-- | Administrator\n-- | Guest\n-- | IUSR_EDUSRV011\n-- | IWAM_EDUSRV011\n-- | SUPPORT_388945a0\n-- | Tomcat\n-- | db2admin\n-- | ldaptest\n-- |_ patrik\n-- @xmloutput\n-- <elem>Administrator</elem>\n-- <elem>Guest</elem>\n-- <elem>IUSR_EDUSRV011</elem>\n-- <elem>IWAM_EDUSRV011</elem>\n-- <elem>SUPPORT_388945a0</elem>\n-- <elem>Tomcat</elem>\n-- <elem>db2admin</elem>\n-- <elem>ldaptest</elem>\n-- <elem>patrik</elem>\n\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"auth\", \"safe\"}\ndependencies = {\"snmp-brute\"}\n\n-- Version 0.3\n-- Created 01/15/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n-- Revised 01/19/2010 - v0.2 - fixed loop that would occur if a mib did not exist\n-- Revised 04/11/2010 - v0.3 - moved snmp_walk to snmp library <patrik@cqure.net>\n\n\nportrule = shortport.port_or_service(161, \"snmp\", \"udp\", {\"open\", \"open|filtered\"})\n\n--- Processes the table and creates the script output\n--\n-- @param tbl table containing <code>oid</code> and <code>value</code>\n-- @return table with just the values\nlocal function process_answer( tbl )\n\n local new_tab = {}\n\n for _, v in ipairs( tbl ) do\n table.insert( new_tab, v.value )\n end\n\n table.sort( new_tab )\n\n return new_tab\n\nend\n\naction = function(host, port)\n\n local snmpoid = \"1.3.6.1.4.1.77.1.2.25\"\n local users = {}\n local status\n\n local snmpHelper = snmp.Helper:new(host, port)\n snmpHelper:connect()\n\n status, users = snmpHelper:walk( snmpoid )\n\n if( not(status) ) then\n return\n end\n\n users = process_answer( users )\n\n if ( users == nil ) or ( #users == 0 ) then\n return\n end\n\n nmap.set_port_state(host, port, \"open\")\n\n return users\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:03", "description": "Discovers Jenkins servers on a LAN by sending a discovery broadcast probe. \n\nFor more information about Jenkins auto discovery, see: \n\n * <https://wiki.jenkins.io/display/JENKINS/Auto-discovering+Jenkins+on+the+network>\n\n## Script Arguments \n\n#### broadcast-jenkins.address \n\naddress to which the probe packet is sent. (default: 255.255.255.255)\n\n#### broadcast-jenkins.timeout \n\nsocket timeout (default: 5s)\n\n## Example Usage \n\n * nmap --script broadcast-jenkins-discover\n\n * nmap --script broadcast-jenkins-discover --script-args timeout=15s\n \n\n## Script Output \n \n \n Pre-scan script results:\n | broadcast-jenkins:\n | Version: 2.60.2; Server ID: d5e31b7a9d69cf3c89cc799c23199760; Slave Port: 35928\n |_ Version: 2.60.2; Server ID: b98e8e1b862c3eecb14e8be0028cf4ee; Slave Port: 45435\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [os](<>)\n * [table](<>)\n * [rand](<../lib/rand.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-23T19:46:51", "type": "nmap", "title": "broadcast-jenkins-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-08T17:07:06", "id": "NMAP:BROADCAST-JENKINS-DISCOVER.NSE", "href": "https://nmap.org/nsedoc/scripts/broadcast-jenkins-discover.html", "sourceData": "local nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal os = require \"os\"\nlocal table = require \"table\"\nlocal rand = require \"rand\"\n\ndescription = [[\nDiscovers Jenkins servers on a LAN by sending a discovery broadcast probe.\n\nFor more information about Jenkins auto discovery, see:\n* https://wiki.jenkins.io/display/JENKINS/Auto-discovering+Jenkins+on+the+network\n]]\n\n---\n-- @usage nmap --script broadcast-jenkins-discover\n-- @usage nmap --script broadcast-jenkins-discover --script-args timeout=15s\n--\n-- @output\n-- Pre-scan script results:\n-- | broadcast-jenkins:\n-- | Version: 2.60.2; Server ID: d5e31b7a9d69cf3c89cc799c23199760; Slave Port: 35928\n-- |_ Version: 2.60.2; Server ID: b98e8e1b862c3eecb14e8be0028cf4ee; Slave Port: 45435\n--\n-- @args broadcast-jenkins.address\n-- address to which the probe packet is sent. (default: 255.255.255.255)\n-- @args broadcast-jenkins.timeout\n-- socket timeout (default: 5s)\n---\n\nauthor = \"Brendan Coles\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"broadcast\", \"safe\"}\n\nprerule = function() return ( nmap.address_family() == \"inet\") end\n\nlocal arg_address = stdnse.get_script_args(SCRIPT_NAME .. \".address\")\nlocal arg_timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. \".timeout\"))\n\naction = function()\n\n local host = { ip = arg_address or \"255.255.255.255\" } -- broadcast\n -- local host = { ip = arg_address or \"239.77.124.213\" } -- multicast\n local port = { number = 33848, protocol = \"udp\" }\n local socket = nmap.new_socket(\"udp\")\n\n socket:set_timeout(500)\n\n -- send two packets, just in case\n local probe = rand.random_string(10)\n for i=1,2 do\n local status = socket:sendto(host, port, probe)\n if ( not(status) ) then\n return stdnse.format_output(false, \"Failed to send broadcast probe\")\n end\n end\n\n local timeout = tonumber(arg_timeout) or ( 20 / ( nmap.timing_level() + 1 ) )\n local results = {}\n local stime = os.time()\n\n -- listen until timeout\n repeat\n local status, data = socket:receive()\n if ( status ) then\n local jenkins_pkt = data:match(\"^<hudson>(.+)</hudson>\")\n if ( jenkins_pkt ) then\n local status, _, _, rhost, _ = socket:get_info()\n local version = jenkins_pkt:match(\"<version>(.*)</version>\")\n local server_id = jenkins_pkt:match(\"<server%-id>(.*)</server%-id>\")\n local slave_port = jenkins_pkt:match(\"<slave%-port>(.*)</slave%-port>\")\n if version and server_id and slave_port then\n stdnse.print_debug(2, \"Received Jenkins discovery response from %s (%s bytes)\", rhost, string.len(jenkins_pkt))\n local str = (\"Version: %s; Server ID: %s; Slave Port: %s\"):format(version, server_id, slave_port)\n table.insert( results, str )\n end\n end\n end\n until( os.time() - stime > timeout )\n socket:close()\n\n local response = stdnse.output_table()\n if #results > 0 then\n -- remove duplicates\n local hash = {}\n for _,v in ipairs(results) do\n if (not hash[v]) then\n table.insert( response, v )\n hash[v] = true\n end\n end\n return response\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:31:03", "description": "Detects RSA keys vulnerable to Return Of Coppersmith Attack (ROCA) factorization. \n\nSSH hostkeys and SSL/TLS certificates are checked. The checks require recent updates to the openssl NSE library. \n\nReferences: \n\n * <https://crocs.fi.muni.cz/public/papers/rsa_ccs17>\n\n### See also:\n\n * [ ssl-cert.nse ](<../scripts/ssl-cert.html>)\n * [ ssh-hostkey.nse ](<../scripts/ssh-hostkey.html>)\n\n## Script Arguments \n\n#### mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username \n\nSee the documentation for the [mssql](<../lib/mssql.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### tls.servername \n\nSee the documentation for the [tls](<../lib/tls.html#script-args>) library. \n\n#### smtp.domain \n\nSee the documentation for the [smtp](<../lib/smtp.html#script-args>) library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the [vulns](<../lib/vulns.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 22,443 --script rsa-vuln-roca <target>\n \n\n## Script Output \n\n\n## Requires \n\n * [stdnse](<../lib/stdnse.html>)\n * [openssl](<../lib/openssl.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [ssh2](<../lib/ssh2.html>)\n * [sslcert](<../lib/sslcert.html>)\n * [math](<>)\n * [string](<>)\n * [vulns](<../lib/vulns.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-10-18T20:26:42", "type": "nmap", "title": "rsa-vuln-roca NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-24T19:36:04", "id": "NMAP:RSA-VULN-ROCA.NSE", "href": "https://nmap.org/nsedoc/scripts/rsa-vuln-roca.html", "sourceData": "local stdnse = require \"stdnse\"\nlocal openssl = stdnse.silent_require \"openssl\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal ssh2 = require \"ssh2\"\nlocal sslcert = require \"sslcert\"\nlocal math = require \"math\"\nlocal string = require \"string\"\nlocal vulns = require \"vulns\"\n\ndescription = [[\nDetects RSA keys vulnerable to Return Of Coppersmith Attack (ROCA) factorization.\n\nSSH hostkeys and SSL/TLS certificates are checked. The checks require recent updates to the openssl NSE library.\n\nReferences:\n* https://crocs.fi.muni.cz/public/papers/rsa_ccs17\n]]\n\n---\n-- @usage\n-- nmap -p 22,443 --script rsa-vuln-roca <target>\n--\n-- @output\n--\n--@xmloutput\n--\n-- @see ssl-cert.nse\n-- @see ssh-hostkey.nse\n\nauthor = \"Daniel Miller\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\", \"safe\"}\n\n-- only run this script if the target host is NOT a private (RFC1918) IP address)\n-- and the port is an open SSL service\nportrule = function(host, port)\n if not openssl.bignum_div then\n stdnse.verbose1(\"This script requires the latest update to NSE's openssl library bindings.\")\n return false\n end\n -- SSH key check\n return shortport.port_or_service(22, \"ssh\")\n -- same criteria as ssl-cert.nse\n or shortport.ssl(host, port) or sslcert.isPortSupported(port) or sslcert.getPrepareTLSWithoutReconnect(port)\nend\n\nlocal function is_vulnerable (modulus)\n local dec2bn = openssl.bignum_dec2bn\n -- Prime tests used under MIT license from https://github.com/crocs-muni/roca\n local prime_tests = nmap.registry.roca_prime_tests or {\n {dec2bn(\"3\"), dec2bn(\"6\")},\n {dec2bn(\"5\"), dec2bn(\"30\")},\n {dec2bn(\"7\"), dec2bn(\"126\")},\n {dec2bn(\"11\"), dec2bn(\"1026\")},\n {dec2bn(\"13\"), dec2bn(\"5658\")},\n {dec2bn(\"17\"), dec2bn(\"107286\")},\n {dec2bn(\"19\"), dec2bn(\"199410\")},\n {dec2bn(\"23\"), dec2bn(\"8388606\")},\n {dec2bn(\"29\"), dec2bn(\"536870910\")},\n {dec2bn(\"31\"), dec2bn(\"2147483646\")},\n {dec2bn(\"37\"), dec2bn(\"67109890\")},\n {dec2bn(\"41\"), dec2bn(\"2199023255550\")},\n {dec2bn(\"43\"), dec2bn(\"8796093022206\")},\n {dec2bn(\"47\"), dec2bn(\"140737488355326\")},\n {dec2bn(\"53\"), dec2bn(\"5310023542746834\")},\n {dec2bn(\"59\"), dec2bn(\"576460752303423486\")},\n {dec2bn(\"61\"), dec2bn(\"1455791217086302986\")},\n {dec2bn(\"67\"), dec2bn(\"147573952589676412926\")},\n {dec2bn(\"71\"), dec2bn(\"20052041432995567486\")},\n {dec2bn(\"73\"), dec2bn(\"6041388139249378920330\")},\n {dec2bn(\"79\"), dec2bn(\"207530445072488465666\")},\n {dec2bn(\"83\"), dec2bn(\"9671406556917033397649406\")},\n {dec2bn(\"89\"), dec2bn(\"618970019642690137449562110\")},\n {dec2bn(\"97\"), dec2bn(\"79228162521181866724264247298\")},\n {dec2bn(\"101\"), dec2bn(\"2535301200456458802993406410750\")},\n {dec2bn(\"103\"), dec2bn(\"1760368345969468176824550810518\")},\n {dec2bn(\"107\"), dec2bn(\"50079290986288516948354744811034\")},\n {dec2bn(\"109\"), dec2bn(\"473022961816146413042658758988474\")},\n {dec2bn(\"113\"), dec2bn(\"10384593717069655257060992658440190\")},\n {dec2bn(\"127\"), dec2bn(\"144390480366845522447407333004847678774\")},\n {dec2bn(\"131\"), dec2bn(\"2722258935367507707706996859454145691646\")},\n {dec2bn(\"137\"), dec2bn(\"174224571863520493293247799005065324265470\")},\n {dec2bn(\"139\"), dec2bn(\"696898287454081973172991196020261297061886\")},\n {dec2bn(\"149\"), dec2bn(\"713623846352979940529142984724747568191373310\")},\n {dec2bn(\"151\"), dec2bn(\"1800793591454480341970779146165214289059119882\")},\n {dec2bn(\"157\"), dec2bn(\"126304807362733370595828809000324029340048915994\")},\n {dec2bn(\"163\"), dec2bn(\"11692013098647223345629478661730264157247460343806\")},\n {dec2bn(\"167\"), dec2bn(\"187072209578355573530071658587684226515959365500926\")},\n }\n nmap.registry.roca_prime_tests = prime_tests\n\n --stdnse.debug1(\"Testing %s\", openssl.bignum_bn2dec(modulus))\n for _, test in ipairs(prime_tests) do\n local prime, fingerprint = test[1], test[2]\n local _, bnshift = openssl.bignum_div(modulus, prime)\n -- prime is small, so bnshift is small. Safe to convert to Lua integer\n local string_shift = openssl.bignum_bn2dec(bnshift)\n local shift = math.tointeger(string_shift)\n if not shift then\n stdnse.debug1(\"Unable to convert %s to integer\", string_shift)\n return nil\n end\n --stdnse.debug1(\"Testing mod %s, shift is %s\", openssl.bignum_bn2dec(prime), shift)\n if not openssl.bignum_is_bit_set(fingerprint, shift) then\n stdnse.debug1(\"Not vulnerable\")\n return nil\n end\n end\n stdnse.debug1(\"VULNERABLE!!!!!!\")\n\n return \"Vulnerable to ROCA\"\nend\n\nlocal function ssl_get_modulus(host, port)\n local ok, cert = sslcert.getCertificate(host, port)\n if not ok then\n stdnse.debug1(\"failed to obtain SSL certificate\")\n return nil\n end\n\n if cert.pubkey.type ~= \"rsa\" then\n stdnse.debug1(\"Non-RSA certificate, not vulnerable to ROCA\")\n return nil\n end\n\n local modulus = cert.pubkey.modulus\n if not modulus then\n stdnse.debug1(\"No modulus available; upgrade Nmap?\")\n return nil\n end\n return modulus\nend\n\nlocal function ssh_get_modulus(host, port)\n local key = ssh2.fetch_host_key( host, port, \"ssh-rsa\" )\n if not key then\n stdnse.debug1(\"No RSA hostkey, not vulnerable to ROCA\")\n return nil\n end\n local _, e, n = string.unpack(\">s4s4s4\", key.fp_input)\n return openssl.bignum_bin2bn(n)\nend\n\naction = function(host, port)\n local vuln_table = {\n title = \"ROCA: Vulnerable RSA generation\",\n state = vulns.STATE.NOT_VULN,\n -- TODO: Update when CVE is scored\n --risk_factor = \"High\",\n description = [[\n The Infineon RSA library 1.02.013 in Infineon Trusted Platform Module (TPM)\n firmware, such as versions before 0000000000000422 - 4.34, before\n 000000000000062b - 6.43, and before 0000000000008521 - 133.33, mishandles\n RSA key generation, which makes it easier for attackers to defeat various\n cryptographic protection mechanisms via targeted attacks, aka ROCA.\n ]],\n IDS = {CVE = \"CVE-2017-15361\"},\n references = {\n \"https://crocs.fi.muni.cz/public/papers/rsa_ccs17\",\n }\n }\n\n local report = vulns.Report:new(SCRIPT_NAME, host, port)\n local modulus\n if shortport.ssl(host, port) or sslcert.isPortSupported(port) or sslcert.getPrepareTLSWithoutReconnect(port) then\n modulus = ssl_get_modulus(host, port)\n elseif shortport.port_or_service(22, \"ssh\")(host, port) then\n modulus = ssh_get_modulus(host, port)\n end\n\n if modulus and is_vulnerable(modulus) then\n vuln_table.state = vulns.STATE.VULN\n end\n return report:make_output(vuln_table)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:49", "description": "Retrieves information from a listening acarsd daemon. Acarsd decodes ACARS (Aircraft Communication Addressing and Reporting System) data in real time. The information retrieved by this script includes the daemon version, API version, administrator e-mail address and listening frequency. \n\nFor more information about acarsd, see: \n\n * <http://www.acarsd.org/>\n\n## Script Arguments \n\n#### acarsd-info.timeout \n\nSet the timeout in seconds. The default value is 10.\n\n#### acarsd-info.bytes \n\nSet the number of bytes to retrieve. The default value is 512.\n\n## Example Usage \n \n \n nmap --script acarsd-info --script-args \"acarsd-info.timeout=10,acarsd-info.bytes=512\" -p <port> <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 2202/tcp open unknown\n | acarsd-info:\n | Version: 1.65\n | API Version: API-2005-Oct-18\n | Authorization Required: 0\n | Admin E-mail: admin@acarsd\n | Clients Connected: 1\n |_ Frequency: 131.7250 & 131.45\n \n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-03-08T18:22:00", "type": "nmap", "title": "acarsd-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:ACARSD-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/acarsd-info.html", "sourceData": "local comm = require \"comm\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nRetrieves information from a listening acarsd daemon. Acarsd decodes\nACARS (Aircraft Communication Addressing and Reporting System) data in\nreal time. The information retrieved by this script includes the\ndaemon version, API version, administrator e-mail address and\nlistening frequency.\n\nFor more information about acarsd, see:\n* http://www.acarsd.org/\n]]\n\n---\n-- @usage\n-- nmap --script acarsd-info --script-args \"acarsd-info.timeout=10,acarsd-info.bytes=512\" -p <port> <host>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 2202/tcp open unknown\n-- | acarsd-info:\n-- | Version: 1.65\n-- | API Version: API-2005-Oct-18\n-- | Authorization Required: 0\n-- | Admin E-mail: admin@acarsd\n-- | Clients Connected: 1\n-- |_ Frequency: 131.7250 & 131.45\n--\n-- @args acarsd-info.timeout\n-- Set the timeout in seconds. The default value is 10.\n-- @args acarsd-info.bytes\n-- Set the number of bytes to retrieve. The default value is 512.\n--\n-- @changelog\n-- 2012-02-23 - v0.1 - created by Brendan Coles - itsecuritysolutions.org\n--\n\nauthor = \"Brendan Coles\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\",\"discovery\"}\n\n\nportrule = shortport.port_or_service (2202, \"acarsd\", {\"tcp\"})\n\naction = function(host, port)\n\n local result = {}\n\n -- Set timeout\n local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. \".timeout\"))\n if not timeout or timeout < 0 then timeout = 10 end\n\n -- Set bytes\n local bytes = tonumber(nmap.registry.args[SCRIPT_NAME .. '.bytes']) or 512\n\n -- Connect and retrieve acarsd info in XML format over TCP\n stdnse.debug1(\"Connecting to %s:%s [Timeout: %ss]\", host.targetname or host.ip, port.number, timeout)\n local status, data = comm.get_banner(host, port, {timeout=timeout*1000,bytes=bytes})\n if not status or not data then\n stdnse.debug1(\"Retrieving data from %s:%s failed [Timeout expired]\", host.targetname or host.ip, port.number)\n return\n end\n\n -- Check if retrieved data is valid acarsd data\n if not string.match(data, \"acarsd\") then\n stdnse.debug1(\"%s:%s is not an acarsd Daemon.\", host.targetname or host.ip, port.number)\n return\n end\n\n -- Check for restricted access -- Parse daemon info\n if string.match(data, \"Authorization needed%. If your client doesnt support this\") then\n\n local version_match = string.match(data, \"acarsd\\t(.+)\\t\")\n if version_match then table.insert(result, string.format(\"Version: %s\", version_match)) end\n local api_version_match = string.match(data, \"acarsd\\t.+\\t(API.+[0-9][0-9]?)\")\n if api_version_match then table.insert(result, string.format(\"API Version: %s\", api_version_match)) end\n table.insert(result, \"Authorization Required: 1\")\n\n -- Check for unrestricted access -- Parse daemon info\n else\n\n stdnse.debug1(\"Parsing data from %s:%s\", host.targetname or host.ip, port.number)\n local vars = {\n {\"Version\",\"Version\"},\n {\"API Version\",\"APIVersion\"},\n --{\"Hostname\",\"Hostname\"},\n --{\"Port\",\"Port\"},\n --{\"Server UUID\",\"ServerUUID\"},\n {\"Authorization Required\",\"NeedAuth\"},\n {\"Admin E-mail\",\"AdminMail\"},\n {\"Clients Connected\",\"ClientsConnected\"},\n {\"Frequency\",\"Frequency\"},\n {\"License\",\"License\"},\n }\n for _, var in ipairs(vars) do\n local tag = var[2]\n local var_match = string.match(data, string.format('<%s>(.+)</%s>', tag, tag))\n if var_match then table.insert(result, string.format(\"%s: %s\", var[1], string.gsub(var_match, \"&amp;\", \"&\"))) end\n end\n\n end\n port.version.name = \"acarsd\"\n port.version.product = \"ACARS Decoder\"\n nmap.set_port_version(host, port)\n\n -- Return results\n return stdnse.format_output(true, result)\n\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:32:31", "description": "Detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents. \n\nWind DeBug is a SunRPC-type service that is enabled by default on many devices that use the popular VxWorks real-time embedded operating system. H.D. Moore of Metasploit has identified several security vulnerabilities and design flaws with the service, including weakly-hashed passwords and raw memory dumping. \n\nSee also: <http://www.kb.cert.org/vuls/id/362332>\n\n## Script Arguments \n\n#### mount.version, nfs.version, rpc.protocol \n\nSee the documentation for the [rpc](<../lib/rpc.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sU -p 17185 --script wdb-version <target>\n\n## Script Output \n \n \n 17185/udp open wdb Wind DeBug Agent 2.0\n | wdb-version:\n | VULNERABLE: Wind River Systems VxWorks debug service enabled. See http://www.kb.cert.org/vuls/id/362332\n | Agent version: 2.0\n | VxWorks version: VxWorks5.4.2\n | Board Support Package: PCD ARM940T REV 1\n | Boot line: host:vxWorks.z\n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [rpc](<../lib/rpc.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-08-16T14:39:13", "type": "nmap", "title": "wdb-version NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-08-15T07:26:00", "id": "NMAP:WDB-VERSION.NSE", "href": "https://nmap.org/nsedoc/scripts/wdb-version.html", "sourceData": "local nmap = require \"nmap\"\nlocal rpc = require \"rpc\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nDetects vulnerabilities and gathers information (such as version\nnumbers and hardware support) from VxWorks Wind DeBug agents.\n\nWind DeBug is a SunRPC-type service that is enabled by default on many devices\nthat use the popular VxWorks real-time embedded operating system. H.D. Moore\nof Metasploit has identified several security vulnerabilities and design flaws\nwith the service, including weakly-hashed passwords and raw memory dumping.\n\nSee also:\nhttp://www.kb.cert.org/vuls/id/362332\n]]\n\n---\n-- @usage\n-- nmap -sU -p 17185 --script wdb-version <target>\n-- @output\n-- 17185/udp open wdb Wind DeBug Agent 2.0\n-- | wdb-version:\n-- | VULNERABLE: Wind River Systems VxWorks debug service enabled. See http://www.kb.cert.org/vuls/id/362332\n-- | Agent version: 2.0\n-- | VxWorks version: VxWorks5.4.2\n-- | Board Support Package: PCD ARM940T REV 1\n-- | Boot line: host:vxWorks.z\n--@xmloutput\n-- <elem>VULNERABLE: Wind River Systems VxWorks debug service enabled. See http://www.kb.cert.org/vuls/id/362332</elem>\n-- <elem key=\"Agent version\">2.0</elem>\n-- <elem key=\"VxWorks version\">5.4</elem>\n-- <elem key=\"Board Support Package\">Alcatel CMM MPC8245/100</elem>\n-- <elem key=\"Boot line\">lanswitchCmm:</elem>\n\nauthor = \"Daniel Miller\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"safe\", \"version\", \"discovery\", \"vuln\"}\n\n\n-- WDB protocol information\n-- http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html\n-- http://www.verysource.com/code/2817990_1/wdb.h.html\n-- Metasploit scanner module\n-- https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/wdbrpc.rb\n\nportrule = shortport.version_port_or_service(17185, \"wdbrpc\", {\"udp\"} )\n\nrpc.RPC_version[\"wdb\"] = { min=1, max=1 }\n\nlocal WDB_Procedure = {\n [\"WDB_TARGET_PING\"] = 0,\n [\"WDB_TARGET_CONNECT\"] = 1,\n [\"WDB_TARGET_DISCONNECT\"] = 2,\n [\"WDB_TARGET_MODE_SET\"] = 3,\n [\"WDB_TARGET_MODE_GET\"] = 4,\n}\n\nlocal function checksum(data)\n local sum = 0\n local p = 5 -- skip first 4 bytes\n while p < #data do\n local c\n c, p = (\">I2\"):unpack(data, p)\n sum = sum + c\n end\n sum = (sum & 0xffff) + (sum >> 16)\n return ~sum & 0xffff\nend\n\nlocal seqnum = 0\nlocal function seqno()\n seqnum = seqnum + 1\n return seqnum\nend\n\nlocal function request(comm, procedure, data)\n local packet = comm:EncodePacket( nil, procedure, {type = rpc.Portmap.AuthType.NULL}, nil )\n local wdbwrapper = (\">I4I4\"):pack(#data + #packet + 8, seqno())\n local sum = checksum(packet .. \"\\0\\0\\0\\0\" .. wdbwrapper .. data)\n return packet .. (\">I2I2\"):pack(0xffff, sum) .. wdbwrapper .. data\nend\n\nlocal function stripnull(str)\n return (str:gsub(\"\\0*$\",\"\"))\nend\n\nlocal function decode_reply(data, pos)\n local wdberr, len\n local done = data:len()\n local info = {}\n local _\n pos, _ = rpc.Util.unmarshall_uint32(data, pos)\n pos, _ = rpc.Util.unmarshall_uint32(data, pos)\n pos, wdberr = rpc.Util.unmarshall_uint32(data, pos)\n info[\"error\"] = wdberr & 0xc0000000\n if info[\"error\"] ~= 0x00000000 then\n stdnse.debug1(\"Error from decode_reply: %x\", info[\"error\"])\n return nil, info\n end\n pos, len = rpc.Util.unmarshall_uint32(data, pos)\n if len ~= 0 then\n pos, info[\"agent_ver\"] = rpc.Util.unmarshall_vopaque(len, data, pos)\n end\n pos, info[\"agent_mtu\"] = rpc.Util.unmarshall_uint32(data, pos)\n pos, info[\"agent_mod\"] = rpc.Util.unmarshall_uint32(data, pos)\n pos, info[\"rt_type\"] = rpc.Util.unmarshall_uint32(data, pos)\n pos, len = rpc.Util.unmarshall_uint32(data, pos)\n if pos == done then return pos, info end\n if len ~= 0 then\n pos, info[\"rt_vers\"] = rpc.Util.unmarshall_vopaque(len, data, pos)\n end\n pos, info[\"rt_cpu_type\"] = rpc.Util.unmarshall_uint32(data, pos)\n pos, len = rpc.Util.unmarshall_uint32(data, pos)\n info[\"rt_has_fpp\"] = ( len ~= 0 )\n pos, len = rpc.Util.unmarshall_uint32(data, pos)\n info[\"rt_has_wp\"] = ( len ~= 0 )\n pos, info[\"rt_page_size\"] = rpc.Util.unmarshall_uint32(data, pos)\n pos, info[\"rt_endian\"] = rpc.Util.unmarshall_uint32(data, pos)\n pos, len = rpc.Util.unmarshall_uint32(data, pos)\n if len ~= 0 then\n pos, info[\"rt_bsp_name\"] = rpc.Util.unmarshall_vopaque(len, data, pos)\n end\n pos, len = rpc.Util.unmarshall_uint32(data, pos)\n if len ~= 0 then\n pos, info[\"rt_bootline\"] = rpc.Util.unmarshall_vopaque(len, data, pos)\n end\n if pos == done then return pos, info end\n pos, info[\"rt_membase\"] = rpc.Util.unmarshall_uint32(data, pos)\n if pos == done then return pos, info end\n pos, info[\"rt_memsize\"] = rpc.Util.unmarshall_uint32(data, pos)\n if pos == done then return pos, info end\n pos, info[\"rt_region_count\"] = rpc.Util.unmarshall_uint32(data, pos)\n if pos == done then return pos, info end\n pos, len = rpc.Util.unmarshall_uint32(data, pos)\n if len ~= 0 then\n info[\"rt_regions\"] = {}\n for i = 1, len do\n pos, info[\"rt_regions\"][i] = rpc.Util.unmarshall_uint32(data, pos)\n end\n end\n if pos == done then return pos, info end\n pos, len = rpc.Util.unmarshall_uint32(data, pos)\n if len == nil then return pos, info end\n if len ~= 0 then\n pos, info[\"rt_hostpool_base\"] = rpc.Util.unmarshall_vopaque(len, data, pos)\n end\n if pos == done then return pos, info end\n pos, len = rpc.Util.unmarshall_uint32(data, pos)\n if len ~= 0 then\n pos, info[\"rt_hostpool_size\"] = rpc.Util.unmarshall_vopaque(len, data, pos)\n end\n return pos, info\nend\n\naction = function(host, port)\n local comm = rpc.Comm:new(\"wdb\", 1)\n local status, err = comm:Connect(host, port)\n if not status then\n return stdnse.format_output(false, err)\n end\n local packet = request(comm, WDB_Procedure[\"WDB_TARGET_CONNECT\"], (\">I4I4I4\"):pack(2, 0, 0))\n if not comm:SendPacket(packet) then\n return stdnse.format_output(false, \"Failed to send request\")\n end\n\n local status, data = comm:ReceivePacket()\n if not status then\n --return stdnse.format_output(false, \"Failed to read data\")\n return nil\n end\n nmap.set_port_state(host, port, \"open\")\n\n local pos, header = comm:DecodeHeader(data, 1)\n if not header then\n return stdnse.format_output(false, \"Failed to decode header\")\n end\n\n if pos == #data then\n return stdnse.format_output(false, \"No WDB data in reply\")\n end\n\n local pos, info = decode_reply(data, pos)\n if not pos then\n return stdnse.format_output(false, \"WDB error: \"..info.error)\n end\n port.version.name = \"wdb\"\n port.version.name_confidence = 10\n port.version.product = \"Wind DeBug Agent\"\n port.version.version = stripnull(info[\"agent_ver\"])\n if port.version.ostype ~= nil then\n port.version.ostype = \"VxWorks \" .. stripnull(info[\"rt_vers\"])\n end\n nmap.set_port_version(host, port)\n -- Clean up (some agents will continue to send data until we disconnect)\n packet = request(comm, WDB_Procedure[\"WDB_TARGET_DISCONNECT\"], (\">I4I4I4\"):pack(2, 0, 0))\n if not comm:SendPacket(packet) then\n return stdnse.format_output(false, \"Failed to send request\")\n end\n\n local o = stdnse.output_table()\n table.insert(o, \"VULNERABLE: Wind River Systems VxWorks debug service enabled. See http://www.kb.cert.org/vuls/id/362332\")\n if info.agent_ver then\n o[\"Agent version\"] = stripnull(info.agent_ver)\n end\n --table.insert(o, \"Agent MTU: \" .. info.agent_mtu)\n if info.rt_vers then\n o[\"VxWorks version\"] = stripnull(info.rt_vers)\n end\n -- rt_cpu_type is an enum type, but I don't have access to\n -- cputypes.h, where it is defined\n --table.insert(o, \"CPU Type: \" .. info.rt_cpu_type)\n if info.rt_bsp_name then\n o[\"Board Support Package\"] = stripnull(info.rt_bsp_name)\n end\n if info.rt_bootline then\n o[\"Boot line\"] = stripnull(info.rt_bootline)\n end\n return o\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:36:31", "description": "Performs brute force passwords auditing against a Redis key-value store.\n\n## Script Arguments \n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 6379 <ip> --script redis-brute\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 6379/tcp open unknown\n | redis-brute:\n | Accounts\n | toledo - Valid credentials\n | Statistics\n |_ Performed 5000 guesses in 3 seconds, average tps: 1666\n \n \n\n## Requires \n\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [redis](<../lib/redis.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-01-02T11:27:06", "type": "nmap", "title": "redis-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-03-10T03:09:39", "id": "NMAP:REDIS-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/redis-brute.html", "sourceData": "local brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal redis = require \"redis\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nPerforms brute force passwords auditing against a Redis key-value store.\n]]\n\n---\n-- @usage\n-- nmap -p 6379 <ip> --script redis-brute\n--\n-- @output\n-- PORT STATE SERVICE\n-- 6379/tcp open unknown\n-- | redis-brute:\n-- | Accounts\n-- | toledo - Valid credentials\n-- | Statistics\n-- |_ Performed 5000 guesses in 3 seconds, average tps: 1666\n--\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"brute\"}\n\n\nportrule = shortport.port_or_service(6379, \"redis\")\n\nlocal function fail(err) return stdnse.format_output(false, err) end\n\nDriver = {\n\n new = function(self, host, port)\n local o = { host = host, port = port }\n setmetatable(o, self)\n self.__index = self\n return o\n end,\n\n connect = function( self )\n self.helper = redis.Helper:new(self.host, self.port)\n return self.helper:connect(brute.new_socket())\n end,\n\n login = function( self, username, password )\n local status, response = self.helper:reqCmd(\"AUTH\", password)\n\n -- some error occurred, attempt to retry\n if ( status and response.type == redis.Response.Type.ERROR and\n \"-ERR invalid password\" == response.data ) then\n return false, brute.Error:new( \"Incorrect password\" )\n elseif ( status and response.type == redis.Response.Type.STATUS and\n \"+OK\" ) then\n return true, creds.Account:new( \"\", password, creds.State.VALID)\n else\n local err = brute.Error:new( response.data )\n err:setRetry( true )\n return false, err\n end\n\n end,\n\n disconnect = function(self)\n return self.helper:close()\n end,\n\n}\n\n\nlocal function checkRedis(host, port)\n\n local helper = redis.Helper:new(host, port)\n local status = helper:connect()\n if( not(status) ) then\n return false, \"Failed to connect to server\"\n end\n\n local status, response = helper:reqCmd(\"INFO\")\n if ( not(status) ) then\n return false, \"Failed to request INFO command\"\n end\n\n if ( redis.Response.Type.ERROR == response.type ) then\n if ( \"-ERR operation not permitted\" == response.data ) or\n ( \"-NOAUTH Authentication required.\" == response.data) then\n return true\n end\n end\n\n return false, \"Server does not require authentication\"\nend\n\naction = function(host, port)\n\n local status, err = checkRedis(host, port)\n if ( not(status) ) then\n return fail(err)\n end\n\n local engine = brute.Engine:new(Driver, host, port )\n\n engine.options.script_name = SCRIPT_NAME\n engine.options.firstonly = true\n engine.options:setOption( \"passonly\", true )\n\n local result\n status, result = engine:start()\n return result\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:34:04", "description": "Check if the Secure Socket Tunneling Protocol is supported. This is accomplished by trying to establish the HTTPS layer which is used to carry SSTP traffic as described in: \\- <http://msdn.microsoft.com/en-us/library/cc247364.aspx>\n\nCurrent SSTP server implementations: \\- Microsoft Windows (Server 2008/Server 2012) \\- MikroTik RouterOS \\- SEIL (<http://www.seil.jp>)\n\n## Example Usage \n \n \n nmap -sV -sC <target>\n\n## Script Output \n \n \n 443/tcp open https\n |_sstp-discover: SSTP is supported.\n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [string](<>)\n * [stdnse](<../lib/stdnse.html>)\n * [shortport](<../lib/shortport.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2014-01-16T19:07:43", "type": "nmap", "title": "sstp-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-06-27T15:01:27", "id": "NMAP:SSTP-DISCOVER.NSE", "href": "https://nmap.org/nsedoc/scripts/sstp-discover.html", "sourceData": "local comm = require 'comm'\nlocal string = require 'string'\nlocal stdnse = require 'stdnse'\nlocal shortport = require 'shortport'\n\ndescription = [[\nCheck if the Secure Socket Tunneling Protocol is supported. This is\naccomplished by trying to establish the HTTPS layer which is used to\ncarry SSTP traffic as described in:\n - http://msdn.microsoft.com/en-us/library/cc247364.aspx\n\nCurrent SSTP server implementations:\n - Microsoft Windows (Server 2008/Server 2012)\n - MikroTik RouterOS\n - SEIL (http://www.seil.jp)\n]]\n\n--SSTP specification:\n-- _ http://msdn.microsoft.com/en-us/library/cc247338.aspx\n--\n--Info about the default URI (ServerUri):\n-- - http://support.microsoft.com/kb/947054\n--\n--SSTP Remote Access Step-by-Step Guide: Deployment:\n-- - http://technet.microsoft.com/de-de/library/cc731352(v=ws.10).aspx\n--\n--SSTP enabled hosts (for testing purposes):\n-- - http://billing.purevpn.com/sstp-manual-setup-hostname-list.php\n\nauthor = \"Niklaus Schiess <nschiess@adversec.com>\"\ncategories = {'discovery', 'default', 'safe'}\n\n---\n--@output\n-- 443/tcp open https\n-- |_sstp-discover: SSTP is supported.\n--@xmloutput\n-- true\n\n-- SSTP negotiation response (Windows)\n--\n-- HTTP/1.1 200\n-- Content-Length: 18446744073709551615\n-- Server: Microsoft-HTTPAPI/2.0\n-- Date: Fri, 01 Nov 2013 00:00:00 GMT\n\n-- SSTP negotiation response (Mikrotik RouterOS)\n--\n-- HTTP/1.1 200\n-- Content-Length: 18446744073709551615\n-- Server: MikroTik-SSTP\n-- Date: Fri, 01 Nov 2013 00:00:00 GMT\n\nportrule = function(host, port)\n return shortport.http(host, port) and shortport.ssl(host, port)\nend\n\n-- The SSTPCORRELATIONID GUID is optional and client-generated.\n-- The last 5 bytes are \"Nmap!\"\nlocal request =\n'SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1\\r\\n' ..\n'Host: %s\\r\\n' ..\n'SSTPCORRELATIONID: {5a433238-8781-11e3-b2e4-4e6d617021}\\r\\n' ..\n'Content-Length: 18446744073709551615\\r\\n\\r\\n'\n\naction = function(host, port)\n local socket, response = comm.tryssl(host,port,\n string.format(request, host.targetname or host.ip),\n { timeout=3000, lines=4 })\n if not socket then\n stdnse.debug1(\"Problem establishing connection: %s\", response)\n return nil\n end\n socket:close()\n\n if string.match(response, 'HTTP/1.1 200') then\n return true, 'SSTP is supported.'\n end\n return nil\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:39:06", "description": "Performs brute force password auditing against Oracle servers. \n\nRunning it in default mode it performs an audit against a list of common Oracle usernames and passwords. The mode can be changed by supplying the argument oracle-brute.nodefault at which point the script will use the username- and password- lists supplied with Nmap. Custom username- and password- lists may be supplied using the userdb and passdb arguments. The default credential list can be changed too by using the brute.credfile argument. In case the userdb or passdb arguments are supplied, the script assumes that it should run in the nodefault mode. \n\nIn modern versions of Oracle password guessing speeds decrease after a few guesses and remain slow, due to connection throttling. \n\nWARNING: The script makes no attempt to discover the amount of guesses that can be made before locking an account. Running this script may therefor result in a large number of accounts being locked out on the database server.\n\n### See also:\n\n * [ oracle-brute-stealth.nse ](<../scripts/oracle-brute-stealth.html>)\n\n## Script Arguments \n\n#### oracle-brute.sid \n\n\\- the instance against which to perform password guessing\n\n#### oracle-brute.nodefault \n\n\\- do not attempt to guess any Oracle default accounts\n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### tns.sid \n\nSee the documentation for the [tns](<../lib/tns.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 1521/tcp open oracle syn-ack\n | oracle-brute:\n | Accounts\n | system:powell => Account locked\n | haxxor:haxxor => Valid credentials\n | Statistics\n |_ Perfomed 157 guesses in 8 seconds, average tps: 19\n \n\n## Requires \n\n * [brute](<../lib/brute.html>)\n * [coroutine](<>)\n * [creds](<../lib/creds.html>)\n * [io](<>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [tns](<../lib/tns.html>)\n * [openssl](<../lib/openssl.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-08-19T23:09:32", "type": "nmap", "title": "oracle-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-03-10T03:09:39", "id": "NMAP:ORACLE-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/oracle-brute.html", "sourceData": "local brute = require \"brute\"\nlocal coroutine = require \"coroutine\"\nlocal creds = require \"creds\"\nlocal io = require \"io\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal tns = require \"tns\"\n\nlocal openssl = stdnse.silent_require \"openssl\"\n\ndescription = [[\nPerforms brute force password auditing against Oracle servers.\n\nRunning it in default mode it performs an audit against a list of common\nOracle usernames and passwords. The mode can be changed by supplying the\nargument oracle-brute.nodefault at which point the script will use the\nusername- and password- lists supplied with Nmap. Custom username- and\npassword- lists may be supplied using the userdb and passdb arguments.\nThe default credential list can be changed too by using the brute.credfile\nargument. In case the userdb or passdb arguments are supplied, the script\nassumes that it should run in the nodefault mode.\n\nIn modern versions of Oracle password guessing speeds decrease after a few\nguesses and remain slow, due to connection throttling.\n\nWARNING: The script makes no attempt to discover the amount of guesses\nthat can be made before locking an account. Running this script may therefor\nresult in a large number of accounts being locked out on the database server.\n]]\n\n---\n-- @see oracle-brute-stealth.nse\n--\n-- @usage\n-- nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL <host>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 1521/tcp open oracle syn-ack\n-- | oracle-brute:\n-- | Accounts\n-- | system:powell => Account locked\n-- | haxxor:haxxor => Valid credentials\n-- | Statistics\n-- |_ Perfomed 157 guesses in 8 seconds, average tps: 19\n--\n-- @args oracle-brute.sid - the instance against which to perform password\n-- guessing\n-- @args oracle-brute.nodefault - do not attempt to guess any Oracle default\n-- accounts\n\n--\n-- Version 0.3\n-- Created 07/12/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n-- Revised 07/23/2010 - v0.2 - added script usage and output and\n-- - oracle-brute.sid argument\n-- Revised 07/25/2011 - v0.3 - added support for guessing default accounts\n-- changed code to use ConnectionPool\n-- Revised 03/13/2012 - v0.4 - revised by L\u00e1szl\u00f3 T\u00f3th\n-- added support for SYSDBA accounts\n-- Revised 08/07/2012 - v0.5 - revised to suit the changes in brute\n-- library [Aleksandar Nikolic]\n\n--\n-- Summary\n-- -------\n-- x The Driver class contains the driver implementation used by the brute\n-- library\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"brute\"}\n\n\nportrule = shortport.port_or_service(1521, \"oracle-tns\", \"tcp\", \"open\")\n\nlocal ConnectionPool = {}\nlocal sysdba = {}\n\nDriver =\n{\n\n new = function(self, host, port, sid )\n local o = { host = host, port = port, sid = sid }\n setmetatable(o, self)\n self.__index = self\n return o\n end,\n\n --- Connects performs protocol negotiation\n --\n -- @return true on success, false on failure\n connect = function( self )\n local MAX_RETRIES = 10\n local tries = MAX_RETRIES\n\n self.helper = ConnectionPool[coroutine.running()]\n if ( self.helper ) then return true end\n\n self.helper = tns.Helper:new( self.host, self.port, self.sid, brute.new_socket() )\n\n -- This loop is intended for handling failed connections\n -- A connection may fail for a number of different reasons.\n -- For the moment, we're just handling the error code 12520\n --\n -- Error 12520 has been observed on Oracle XE and seems to\n -- occur when a maximum connection count is reached.\n local status, data\n repeat\n if ( tries < MAX_RETRIES ) then\n stdnse.debug2(\"Attempting to re-connect (attempt %d of %d)\", MAX_RETRIES - tries, MAX_RETRIES)\n end\n status, data = self.helper:Connect()\n if ( not(status) ) then\n stdnse.debug2(\"ERROR: An Oracle %s error occurred\", data)\n self.helper:Close()\n else\n break\n end\n tries = tries - 1\n stdnse.sleep(1)\n until( tries == 0 or data ~= \"12520\" )\n\n if ( status ) then\n ConnectionPool[coroutine.running()] = self.helper\n end\n\n return status, data\n end,\n\n --- Attempts to login to the Oracle server\n --\n -- @param username string containing the login username\n -- @param password string containing the login password\n -- @return status, true on success, false on failure\n -- @return brute.Error object on failure\n -- creds.Account object on success\n login = function( self, username, password )\n local status, data = self.helper:Login( username, password )\n\n if ( sysdba[username] ) then\n return false, brute.Error:new(\"Account already discovered\")\n end\n\n if ( status ) then\n self.helper:Close()\n ConnectionPool[coroutine.running()] = nil\n return true, creds.Account:new(username, password, creds.State.VALID)\n -- Check for account locked message\n elseif ( data:match(\"ORA[-]28000\") ) then\n return true, creds.Account:new(username, password, creds.State.LOCKED)\n -- Check for account is SYSDBA message\n elseif ( data:match(\"ORA[-]28009\") ) then\n sysdba[username] = true\n return true, creds.Account:new(username .. \" as sysdba\", password, creds.State.VALID)\n -- check for any other message\n elseif ( data:match(\"ORA[-]%d+\")) then\n stdnse.debug3(\"username: %s, password: %s, error: %s\", username, password, data )\n return false, brute.Error:new(data)\n -- any other errors are likely communication related, attempt to re-try\n else\n self.helper:Close()\n ConnectionPool[coroutine.running()] = nil\n local err = brute.Error:new(data)\n err:setRetry(true)\n return false, err\n end\n\n return false, brute.Error:new( data )\n\n end,\n\n --- Disconnects and terminates the Oracle TNS communication\n disconnect = function( self )\n return true\n end,\n\n}\n\nlocal function fail (err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n local DEFAULT_ACCOUNTS = \"nselib/data/oracle-default-accounts.lst\"\n local sid = stdnse.get_script_args('oracle-brute.sid') or\n stdnse.get_script_args('tns.sid')\n local engine = brute.Engine:new(Driver, host, port, sid)\n local mode = \"default\"\n\n if ( not(sid) ) then\n return fail(\"Oracle instance not set (see oracle-brute.sid or tns.sid)\")\n end\n\n local helper = tns.Helper:new( host, port, sid )\n local status, result = helper:Connect()\n if ( not(status) ) then\n return fail(\"Failed to connect to oracle server\")\n end\n helper:Close()\n\n local f\n\n if ( stdnse.get_script_args('userdb') or\n stdnse.get_script_args('passdb') or\n stdnse.get_script_args('oracle-brute.nodefault') or\n stdnse.get_script_args('brute.credfile') ) then\n mode = nil\n end\n\n if ( mode == \"default\" ) then\n f = nmap.fetchfile(DEFAULT_ACCOUNTS)\n if ( not(f) ) then\n return fail((\"Failed to find %s\"):format(DEFAULT_ACCOUNTS))\n end\n\n f = io.open(f)\n if ( not(f) ) then\n return fail((\"Failed to open %s\"):format(DEFAULT_ACCOUNTS))\n end\n\n engine.iterator = brute.Iterators.credential_iterator(f)\n end\n\n engine.options.script_name = SCRIPT_NAME\n status, result = engine:start()\n\n return result\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:31:01", "description": "Enumerates a TLS server's supported application-layer protocols using the ALPN protocol. \n\nRepeated queries are sent to determine which of the registered protocols are supported. \n\nFor more information, see: \n\n * <https://tools.ietf.org/html/rfc7301>\n\n## Script Arguments \n\n#### mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username \n\nSee the documentation for the [mssql](<../lib/mssql.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### smtp.domain \n\nSee the documentation for the [smtp](<../lib/smtp.html#script-args>) library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### tls.servername \n\nSee the documentation for the [tls](<../lib/tls.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script=tls-alpn <targets>\n \n\n## Script Output \n \n \n 443/tcp open https\n | tls-alpn:\n | h2\n | spdy/3\n |_ http/1.1\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n * [sslcert](<../lib/sslcert.html>)\n * [tls](<../lib/tls.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-10-30T17:27:44", "type": "nmap", "title": "tls-alpn NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2021-07-02T20:01:30", "id": "NMAP:TLS-ALPN.NSE", "href": "https://nmap.org/nsedoc/scripts/tls-alpn.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal sslcert = require \"sslcert\"\nlocal tls = require \"tls\"\n\ndescription = [[\nEnumerates a TLS server's supported application-layer protocols using the ALPN protocol.\n\nRepeated queries are sent to determine which of the registered protocols are supported.\n\nFor more information, see:\n* https://tools.ietf.org/html/rfc7301\n]]\n\n---\n-- @usage\n-- nmap --script=tls-alpn <targets>\n--\n--@output\n-- 443/tcp open https\n-- | tls-alpn:\n-- | h2\n-- | spdy/3\n-- |_ http/1.1\n--\n-- @xmloutput\n-- <elem>h2</elem>\n-- <elem>spdy/3</elem>\n-- <elem>http/1.1</elem>\n\n\nauthor = \"Daniel Miller\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"discovery\", \"safe\", \"default\"}\ndependencies = {\"https-redirect\"}\n\nportrule = function(host, port)\n return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)\nend\n\n\nlocal ALPN_NAME = \"application_layer_protocol_negotiation\"\n\n--- Function that sends a client hello packet with the TLS ALPN extension to the\n-- target host and returns the response\n--@args host The target host table.\n--@args port The target port table.\n--@return status true if response, false else.\n--@return response if status is true.\nlocal client_hello = function(host, port, protos)\n local sock, status, response, err, cli_h\n\n cli_h = tls.client_hello({\n -- TLSv1.3 does not send this extension plaintext.\n -- TODO: implement key exchange crypto to retrieve encrypted extensions\n protocol = \"TLSv1.2\",\n [\"extensions\"] = {\n [ALPN_NAME] = tls.EXTENSION_HELPERS[ALPN_NAME](protos)\n },\n })\n\n -- Connect to the target server\n local status, err\n local sock\n local specialized = sslcert.getPrepareTLSWithoutReconnect(port)\n if specialized then\n status, sock = specialized(host, port)\n if not status then\n stdnse.debug1(\"Connection to server failed: %s\", sock)\n return false\n end\n else\n sock = nmap.new_socket()\n status, err = sock:connect(host, port)\n if not status then\n stdnse.debug1(\"Connection to server failed: %s\", err)\n return false\n end\n end\n\n sock:set_timeout(5000)\n\n -- Send Client Hello to the target server\n status, err = sock:send(cli_h)\n if not status then\n stdnse.debug1(\"Couldn't send: %s\", err)\n sock:close()\n return false\n end\n\n -- Read response\n status, response, err = tls.record_buffer(sock)\n if not status then\n stdnse.debug1(\"Couldn't receive: %s\", err)\n sock:close()\n return false\n end\n\n return true, response\nend\n\n--- Function that checks for the returned protocols to a ALPN extension request.\n--@args response Response to parse.\n--@return results List of found protocols.\nlocal check_alpn = function(response)\n local i, record = tls.record_read(response, 1)\n if record == nil then\n stdnse.debug1(\"Unknown response from server\")\n return nil\n end\n\n if record.type == \"handshake\" and record.body[1].type == \"server_hello\" then\n if record.body[1].extensions == nil then\n stdnse.debug1(\"Server did not return TLS ALPN extension.\")\n return nil\n end\n local results = {}\n local alpndata = record.body[1].extensions[ALPN_NAME]\n if alpndata == nil then\n stdnse.debug1(\"Server did not return TLS ALPN extension.\")\n return nil\n end\n -- Parse data\n alpndata = string.unpack(\">s2\", alpndata, 1)\n i = 1\n while i <= #alpndata do\n if i > 1 then\n stdnse.debug1(\"Server sent multiple protocols but RFC only permits 1\")\n end\n local protocol\n protocol, i = string.unpack(\">s1\", alpndata, i)\n table.insert(results, protocol)\n end\n\n if next(results) then\n return results\n else\n stdnse.debug1(\"Server supports TLS ALPN extension, but no protocols were offered.\")\n return nil\n end\n else\n stdnse.debug1(\"Server response was not server_hello\")\n return nil\n end\nend\n\nlocal function find_and_remove(t, value)\n for i, v in ipairs(t) do\n if v == value then\n table.remove(t, i)\n return true\n end\n end\n return false\nend\n\naction = function(host, port)\n local alpn_protos = {\n -- IANA-registered names\n -- https://www.iana.org/assignments/tls-extensiontype-values/alpn-protocol-ids.csv\n -- Last-Modified: Thu, 31 Oct 2019 22:30:11 GMT\n \"http/0.9\",\n \"http/1.0\",\n \"http/1.1\",\n \"spdy/1\",\n \"spdy/2\",\n \"spdy/3\",\n \"stun.turn\",\n \"stun.nat-discovery\",\n \"h2\",\n \"h2c\", -- should never be negotiated over TLS\n \"webrtc\",\n \"c-webrtc\",\n \"ftp\",\n \"imap\",\n \"pop3\",\n \"managesieve\",\n \"coap\",\n \"xmpp-client\",\n \"xmpp-server\",\n \"acme-tls/1\",\n \"mqtt\",\n -- Other sources\n \"grpc-exp\", -- gRPC, see grpc.io\n }\n\n local chosen = {}\n local unique = {}\n while next(alpn_protos) do\n -- Send crafted client hello\n local status, response = client_hello(host, port, alpn_protos)\n if status and response then\n -- Analyze response\n local result = check_alpn(response)\n if not result then\n stdnse.debug1(\"None of %d protocols chosen\", #alpn_protos)\n goto ALPN_DONE\n end\n for i, p in ipairs(result) do\n if i > 1 then\n stdnse.verbose1(\"Server violates RFC: sent additional protocol %s\", p)\n else\n if not unique[p] then\n chosen[#chosen+1] = p\n end\n unique[p] = true\n if not find_and_remove(alpn_protos, p) then\n stdnse.debug1(\"Chosen ALPN protocol %s was not offered\", p)\n -- Server is forcing this protocol, no need to continue offering.\n goto ALPN_DONE\n end\n end\n end\n else\n stdnse.debug1(\"Client hello failed with %d protocols\", #alpn_protos)\n goto ALPN_DONE\n end\n end\n ::ALPN_DONE::\n if next(chosen) then\n return chosen\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:31:25", "description": "Queries the Microsoft SQL Browser service for the DAC (Dedicated Admin Connection) port of a given (or all) SQL Server instance. The DAC port is used to connect to the database instance when normal connection attempts fail, for example, when server is hanging, out of memory or in other bad states. In addition, the DAC port provides an admin with access to system objects otherwise not accessible over normal connections. \n\nThe DAC feature is accessible on the loopback adapter per default, but can be activated for remote access by setting the 'remote admin connection' configuration value to 1. In some cases, when DAC has been remotely enabled but later disabled, the sql browser service may incorrectly report it as available. The script therefore attempts to connect to the reported port in order to verify whether it's accessible or not.\n\n## Script Arguments \n\n#### mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username \n\nSee the documentation for the [mssql](<../lib/mssql.html#script-args>) library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n sudo nmap -sU -p 1434 --script ms-sql-dac <ip>\n \n\n## Script Output \n \n \n | ms-sql-dac:\n | SQLSERVER:\n | port: 1533\n |_ state: open\n \n\n## Requires \n\n * [mssql](<../lib/mssql.html>)\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-07-10T09:50:51", "type": "nmap", "title": "ms-sql-dac NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2022-01-03T21:08:52", "id": "NMAP:MS-SQL-DAC.NSE", "href": "https://nmap.org/nsedoc/scripts/ms-sql-dac.html", "sourceData": "local mssql = require \"mssql\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nQueries the Microsoft SQL Browser service for the DAC (Dedicated Admin\nConnection) port of a given (or all) SQL Server instance. The DAC port\nis used to connect to the database instance when normal connection\nattempts fail, for example, when server is hanging, out of memory or\nin other bad states. In addition, the DAC port provides an admin with\naccess to system objects otherwise not accessible over normal\nconnections.\n\nThe DAC feature is accessible on the loopback adapter per default, but\ncan be activated for remote access by setting the 'remote admin\nconnection' configuration value to 1. In some cases, when DAC has been\nremotely enabled but later disabled, the sql browser service may\nincorrectly report it as available. The script therefore attempts to\nconnect to the reported port in order to verify whether it's\naccessible or not.\n]]\n\n---\n-- @usage\n-- sudo nmap -sU -p 1434 --script ms-sql-dac <ip>\n--\n-- @output\n-- | ms-sql-dac:\n-- | SQLSERVER:\n-- | port: 1533\n-- |_ state: open\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\ndependencies = {\"broadcast-ms-sql-discover\"}\n\nlocal function checkPort(host, port)\n local scanport = nmap.get_port_state(host, {number=port, protocol=\"tcp\"})\n if scanport then\n return scanport.state\n end\n local s = nmap.new_socket()\n s:set_timeout(5000)\n local status, err = s:connect(host, port, \"tcp\")\n s:close()\n return (status and \"open\" or \"closed\"), err\nend\n\nlocal function discoverDAC(instance)\n stdnse.debug2(\"Discovering DAC port on instance: %s\", instance:GetName())\n local port = mssql.Helper.DiscoverDACPort(instance)\n if not port then\n return nil\n end\n\n local result = stdnse.output_table()\n result.port = port\n local state, err = checkPort(instance.host, port)\n result.state = state\n result.error = err\n return result\nend\n\nlocal lib_portrule, lib_hostrule\naction, lib_portrule, lib_hostrule = mssql.Helper.InitScript(discoverDAC)\n\nlocal function rule_if_browser_open(lib_rule)\n return function (host, ...)\n if not lib_rule(host, ...) then\n return false\n end\n local bport = nmap.get_port_state(host, {number=1434, protocol=\"udp\"})\n -- If port is nil, we don't know the state\n return bport == nil or (\n -- we know the state, so it has to be a good one\n bport.state == \"open\" or bport.state == \"open|filtered\"\n )\n end\nend\n\nportrule = rule_if_browser_open(lib_portrule)\nhostrule = rule_if_browser_open(lib_hostrule)\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:36:17", "description": "Performs brute force password auditing against the WinPcap Remote Capture Daemon (rpcap).\n\n## Script Arguments \n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 2002 <ip> --script rpcap-brute\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 2002/tcp open globe syn-ack\n | rpcap-brute:\n | Accounts\n | monkey:Password1 - Valid credentials\n | Statistics\n |_ Performed 3540 guesses in 3 seconds, average tps: 1180\n \n \n\n## Requires \n\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [rpcap](<../lib/rpcap.html>)\n * [shortport](<../lib/shortport.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-03-02T12:39:18", "type": "nmap", "title": "rpcap-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-03-10T03:09:39", "id": "NMAP:RPCAP-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/rpcap-brute.html", "sourceData": "local brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal rpcap = require \"rpcap\"\nlocal shortport = require \"shortport\"\n\ndescription = [[\nPerforms brute force password auditing against the WinPcap Remote Capture\nDaemon (rpcap).\n]]\n\n---\n-- @usage\n-- nmap -p 2002 <ip> --script rpcap-brute\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 2002/tcp open globe syn-ack\n-- | rpcap-brute:\n-- | Accounts\n-- | monkey:Password1 - Valid credentials\n-- | Statistics\n-- |_ Performed 3540 guesses in 3 seconds, average tps: 1180\n--\n--\n\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"brute\"}\n\nportrule = shortport.port_or_service(2002, \"rpcap\", \"tcp\")\n\nDriver = {\n\n new = function(self, host, port)\n local o = { helper = rpcap.Helper:new(host, port, brute.new_socket()) }\n setmetatable(o, self)\n self.__index = self\n return o\n end,\n\n connect = function(self)\n return self.helper:connect()\n end,\n\n login = function(self, username, password)\n local status, resp = self.helper:login(username, password)\n if ( status ) then\n return true, creds.Account:new(username, password, creds.State.VALID)\n end\n return false, brute.Error:new( \"Incorrect password\" )\n end,\n\n disconnect = function(self)\n return self.helper:close()\n end,\n\n}\n\nlocal function validateAuth(host, port)\n local helper = rpcap.Helper:new(host, port)\n local status, result = helper:connect()\n if ( not(status) ) then\n return false, result\n end\n status, result = helper:login()\n helper:close()\n\n if ( status ) then\n return false, \"Authentication not required\"\n elseif ( not(status) and\n \"Authentication failed; NULL authentication not permitted.\" == result ) then\n return true\n end\n return status, result\nend\n\naction = function(host, port)\n\n local status, result = validateAuth(host, port)\n if ( not(status) ) then\n return result\n end\n\n local engine = brute.Engine:new(Driver, host, port )\n\n engine.options.script_name = SCRIPT_NAME\n engine.options.firstonly = true\n status, result = engine:start()\n\n return result\nend\n\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:35", "description": "Performs a HEAD or GET request against either the root directory or any optional directory of an Apache JServ Protocol server and returns the server response headers.\n\n## Script Arguments \n\n#### ajp-headers.path \n\nThe path to request, such as `/index.php`. Default `/`.\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 8009 <ip> --script ajp-headers\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 8009/tcp open ajp13\n | ajp-headers:\n | X-Powered-By: JSP/2.2\n | Set-Cookie: JSESSIONID=goTHax+8ktEcZsBldANHBAuf.undefined; Path=/helloworld\n | Content-Type: text/html;charset=ISO-8859-1\n |_ Content-Length: 149\n \n\n## Requires \n\n * [ajp](<../lib/ajp.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-05-07T18:49:22", "type": "nmap", "title": "ajp-headers NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:AJP-HEADERS.NSE", "href": "https://nmap.org/nsedoc/scripts/ajp-headers.html", "sourceData": "local ajp = require \"ajp\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nPerforms a HEAD or GET request against either the root directory or any\noptional directory of an Apache JServ Protocol server and returns the server response headers.\n]]\n\n---\n-- @usage\n-- nmap -p 8009 <ip> --script ajp-headers\n--\n-- @output\n-- PORT STATE SERVICE\n-- 8009/tcp open ajp13\n-- | ajp-headers:\n-- | X-Powered-By: JSP/2.2\n-- | Set-Cookie: JSESSIONID=goTHax+8ktEcZsBldANHBAuf.undefined; Path=/helloworld\n-- | Content-Type: text/html;charset=ISO-8859-1\n-- |_ Content-Length: 149\n--\n-- @args ajp-headers.path The path to request, such as <code>/index.php</code>. Default <code>/</code>.\n\n\nportrule = shortport.port_or_service(8009, 'ajp13', 'tcp')\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\nlocal arg_path = stdnse.get_script_args(SCRIPT_NAME .. '.path') or \"/\"\n\naction = function(host, port)\n local method\n local helper = ajp.Helper:new(host, port)\n helper:connect()\n\n local status, response = helper:get(arg_path)\n helper:close()\n\n if ( not(status) ) then\n return stdnse.format_output(false, \"Failed to retrieve server headers\")\n end\n return stdnse.format_output(true, response.rawheaders)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:41", "description": "This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and renders a Google Map of markers representing the targets. \n\nAdditional information for the Google Static Maps API can be found at: \\- <https://developers.google.com/maps/documentation/static-maps/intro>\n\n### See also:\n\n * [ ip-geolocation-geoplugin.nse ](<../scripts/ip-geolocation-geoplugin.html>)\n * [ ip-geolocation-ipinfodb.nse ](<../scripts/ip-geolocation-ipinfodb.html>)\n * [ ip-geolocation-map-bing.nse ](<../scripts/ip-geolocation-map-bing.html>)\n * [ ip-geolocation-map-kml.nse ](<../scripts/ip-geolocation-map-kml.html>)\n * [ ip-geolocation-maxmind.nse ](<../scripts/ip-geolocation-maxmind.html>)\n\n## Script Arguments \n\n#### ip-geolocation-map-google.layer \n\nThe default value is 'roadmap', 'satellite', 'hybrid', and 'terrain' are also allowed. <https://developers.google.com/maps/documentation/static-maps/intro#MapTypes>\n\n#### ip-geolocation-map-google.map_path \n\nThe path at which the rendered Google Map will be saved to the local filesystem.\n\n#### ip-geolocation-map-google.format \n\nThe default value is 'png' (alias for 'png8'), 'png32', 'gif', 'jpg', and 'jpg-baseline' are also allowed. <https://developers.google.com/maps/documentation/static-maps/intro#ImageFormats>\n\n#### ip-geolocation-map-google.api_key \n\nThe required Google Maps API key for your account. An API key can be generated at <https://developers.google.com/maps/documentation/static-maps/>\n\n#### ip-geolocation-map-google.scale \n\nThe default value is 1, but values 2 and 4 are permitted. Scale level 4 is only available to Google Maps Premium customers. <https://developers.google.com/maps/documentation/static-maps/intro#scale_values>\n\n#### ip-geolocation-map-google.marker_style \n\nThis argument can apply styling to the markers. <https://developers.google.com/maps/documentation/static-maps/intro#MarkerStyles>\n\n#### ip-geolocation-map-google.center \n\nGPS coordinates defining the center of the image. If omitted, Google Maps will choose a center that shows all the markers.\n\n#### ip-geolocation-map-google.size \n\nThe default value is '640x640' pixels, but can be increased by Google Maps Premium customers. <https://developers.google.com/maps/documentation/static-maps/intro#Imagesizes>\n\n#### ip-geolocation-map-google.language \n\nThe default value is 'en', but other two-letter language codes are accepted.\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sn -Pn --script ip-geolocation-geoplugin,ip-geolocation-map-google --script-args ip-geolocation-map-google.api_key=[redacted],ip-geolocation-map-google.map_path=map.png <target>\n \n\n## Script Output \n \n \n | ip-geolocation-map-google:\n |_ The map has been saved at 'map.png'.\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [geoip](<../lib/geoip.html>)\n * [io](<>)\n * [oops](<../lib/oops.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n * [url](<../lib/url.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-12-17T14:37:35", "type": "nmap", "title": "ip-geolocation-map-google NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-09-20T04:40:20", "id": "NMAP:IP-GEOLOCATION-MAP-GOOGLE.NSE", "href": "https://nmap.org/nsedoc/scripts/ip-geolocation-map-google.html", "sourceData": "local http = require \"http\"\nlocal geoip = require \"geoip\"\nlocal io = require \"io\"\nlocal oops = require \"oops\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\nlocal url = require \"url\"\n\ndescription = [[\nThis script queries the Nmap registry for the GPS coordinates of targets stored\nby previous geolocation scripts and renders a Google Map of markers representing\nthe targets.\n\nAdditional information for the Google Static Maps API can be found at:\n- https://developers.google.com/maps/documentation/static-maps/intro\n]]\n\n---\n-- @usage\n-- nmap -sn -Pn --script ip-geolocation-geoplugin,ip-geolocation-map-google --script-args ip-geolocation-map-google.api_key=[redacted],ip-geolocation-map-google.map_path=map.png <target>\n--\n-- @output\n-- | ip-geolocation-map-google:\n-- |_ The map has been saved at 'map.png'.\n--\n-- @args ip-geolocation-map-google.api_key The required Google Maps API key for\n-- your account. An API key can be generated at\n-- https://developers.google.com/maps/documentation/static-maps/\n--\n-- @args ip-geolocation-map-google.center GPS coordinates defining the center of the\n-- image. If omitted, Google Maps will choose a center that shows all the\n-- markers.\n--\n-- @args ip-geolocation-map-google.format The default value is 'png' (alias for\n-- 'png8'), 'png32', 'gif', 'jpg', and 'jpg-baseline' are also allowed.\n-- https://developers.google.com/maps/documentation/static-maps/intro#ImageFormats\n--\n-- @args ip-geolocation-map-google.language The default value is 'en', but other\n-- two-letter language codes are accepted.\n--\n-- @args ip-geolocation-map-google.layer The default value is 'roadmap',\n-- 'satellite', 'hybrid', and 'terrain' are also allowed.\n-- https://developers.google.com/maps/documentation/static-maps/intro#MapTypes\n--\n-- @args ip-geolocation-map-google.map_path The path at which the rendered\n-- Google Map will be saved to the local filesystem.\n--\n-- @args ip-geolocation-map-google.marker_style This argument can apply styling\n-- to the markers.\n-- https://developers.google.com/maps/documentation/static-maps/intro#MarkerStyles\n--\n-- @args ip-geolocation-map-google.scale The default value is 1, but values 2\n-- and 4 are permitted. Scale level 4 is only available to Google Maps Premium\n-- customers.\n-- https://developers.google.com/maps/documentation/static-maps/intro#scale_values\n--\n-- @args ip-geolocation-map-google.size The default value is '640x640' pixels,\n-- but can be increased by Google Maps Premium customers.\n-- https://developers.google.com/maps/documentation/static-maps/intro#Imagesizes\n--\n-- @see ip-geolocation-geoplugin.nse\n-- @see ip-geolocation-ipinfodb.nse\n-- @see ip-geolocation-map-bing.nse\n-- @see ip-geolocation-map-kml.nse\n-- @see ip-geolocation-maxmind.nse\n\nauthor = \"Mak Kolybabi <mak@kolybabi.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"external\", \"safe\"}\n\nlocal render = function(params, options)\n -- Add in a marker for each GPS coordinate.\n local markers = {}\n for coords, ips in pairs(geoip.get_all_by_gps()) do\n table.insert(markers, coords)\n end\n params[\"markers\"] = options[\"marker_style\"] .. \"|\" .. table.concat(markers, \"|\")\n\n -- Format the parameters into a properly encoded URL.\n local query = \"/maps/api/staticmap?\" .. url.build_query(params)\n stdnse.debug1(\"The query URL is: %s\", query)\n\n -- Check that the query string is below the 8192 character limit after\n -- URL-encoding.\n if #query > 8192 then\n return false, (\"Refused to send query since URL path is %d chararacters, but Google Maps limits to 8192.\"):format(#query)\n end\n\n local res = http.get(\"maps.googleapis.com\", 80, query)\n if not res or res.status ~= 200 then\n return false, (\"Failed to receive map using query '%s'.\"):format(query)\n end\n\n local f = io.open(options[\"map_path\"], \"w\")\n if not f then\n return false, (\"Failed to open file '%s'.\"):format(options[\"map_path\"])\n end\n\n if not f:write(res.body) then\n return false, (\"Failed to write file '%s'.\"):format(options[\"map_path\"])\n end\n\n f:close()\n\n return true, (\"The map has been saved at '%s'.\"):format(options[\"map_path\"])\nend\n\nlocal parse_args = function()\n local options = {}\n local params = {}\n\n local api_key = stdnse.get_script_args(SCRIPT_NAME .. '.api_key')\n if not api_key then\n return false, \"Need to specify an API key, get one at https://developers.google.com/maps/documentation/static-maps/.\"\n end\n params[\"key\"] = api_key\n\n local center = stdnse.get_script_args(SCRIPT_NAME .. \".center\")\n if center then\n params[\"center\"] = center\n end\n\n local format = stdnse.get_script_args(SCRIPT_NAME .. \".format\")\n if format then\n params[\"format\"] = format\n end\n\n local language = stdnse.get_script_args(SCRIPT_NAME .. \".language\")\n if language then\n params[\"language\"] = language\n end\n\n local layer = stdnse.get_script_args(SCRIPT_NAME .. \".layer\")\n if layer then\n params[\"layer\"] = layer\n end\n\n local map_path = stdnse.get_script_args(SCRIPT_NAME .. '.map_path')\n if map_path then\n options[\"map_path\"] = map_path\n else\n return false, \"Need to specify a path for the map.\"\n end\n\n local marker_style = stdnse.get_script_args(SCRIPT_NAME .. \".marker_style\")\n if not marker_style then\n marker_style = \"\"\n end\n options[\"marker_style\"] = marker_style\n\n local scale = stdnse.get_script_args(SCRIPT_NAME .. \".scale\")\n if scale then\n params[\"scale\"] = scale\n end\n\n local size = stdnse.get_script_args(SCRIPT_NAME .. \".size\")\n if not size then\n size = \"640x640\"\n end\n params[\"size\"] = size\n\n return true, params, options\nend\n\npostrule = function()\n -- Only run if a previous script has registered geolocation data.\n return not geoip.empty()\nend\n\naction = function()\n -- Parse and sanity check the command line arguments.\n local status, params, options = oops.raise(\n \"Script argument problem\",\n parse_args())\n if not status then\n return params\n end\n\n -- Render the map.\n return oops.output(render(params, options))\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:20", "description": "Detects the Freelancer game server (FLServer.exe) service by sending a status query UDP probe. \n\nWhen run as a version detection script (`-sV`), the script will report on the server name, current number of players, maximum number of players, and whether it has a password set. When run explicitly (`--script freelancer-info`), the script will additionally report on the server description, whether players can harm other players, and whether new players are allowed. \n\nSee <http://sourceforge.net/projects/gameq/> (relevant files: games.ini, packets.ini, freelancer.php)\n\n## Example Usage \n \n \n nmap -sU -sV -p 2302 <target>\n nmap -sU -p 2302 --script=freelancer-info <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON VERSION\n 2302/udp open freelancer udp-response Freelancer (name: Discovery Freelancer RP 24/7; players: 152/225; password: no)\n | freelancer-info:\n | server name: Discovery Freelancer RP 24/7\n | server description: This is the official discovery freelancer RP server. To know more about the server, please visit www.discoverygc.com\n | players: 152\n | max. players: 225\n | password: no\n | allow players to harm other players: yes\n |_ allow new players: yes\n \n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [string](<>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2013-11-20T04:31:31", "type": "nmap", "title": "freelancer-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-03-13T14:58:56", "id": "NMAP:FREELANCER-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/freelancer-info.html", "sourceData": "local comm = require \"comm\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal string = require \"string\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nDetects the Freelancer game server (FLServer.exe) service by sending a\nstatus query UDP probe.\n\nWhen run as a version detection script (<code>-sV</code>), the script\nwill report on the server name, current number of players, maximum\nnumber of players, and whether it has a password set. When run\nexplicitly (<code>--script freelancer-info</code>), the script will\nadditionally report on the server description, whether players can harm\nother players, and whether new players are allowed.\n\nSee http://sourceforge.net/projects/gameq/\n(relevant files: games.ini, packets.ini, freelancer.php)\n]]\n\n---\n-- @usage\n-- nmap -sU -sV -p 2302 <target>\n-- nmap -sU -p 2302 --script=freelancer-info <target>\n-- @output\n-- PORT STATE SERVICE REASON VERSION\n-- 2302/udp open freelancer udp-response Freelancer (name: Discovery Freelancer RP 24/7; players: 152/225; password: no)\n-- | freelancer-info:\n-- | server name: Discovery Freelancer RP 24/7\n-- | server description: This is the official discovery freelancer RP server. To know more about the server, please visit www.discoverygc.com\n-- | players: 152\n-- | max. players: 225\n-- | password: no\n-- | allow players to harm other players: yes\n-- |_ allow new players: yes\n--\n-- @xmloutput\n-- <elem key=\"server name\">Discovery Freelancer RP 24/7</elem>\n-- <elem key=\"server description\">This is the official discovery freelancer RP server. To know more about the server, please visit www.discoverygc.com</elem>\n-- <elem key=\"players\">152</elem>\n-- <elem key=\"max. players\">225</elem>\n-- <elem key=\"password\">no</elem>\n-- <elem key=\"allow players to harm other players\">yes</elem>\n-- <elem key=\"allow new players\">yes</elem>\n\nauthor = \"Marin Mar\u017ei\u0107\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = { \"default\", \"discovery\", \"safe\", \"version\" }\n\nportrule = shortport.version_port_or_service({2302}, \"freelancer\", \"udp\")\n\naction = function(host, port)\n local status, data = comm.exchange(host, port,\n \"\\x00\\x02\\xf1\\x26\\x01\\x26\\xf0\\x90\\xa6\\xf0\\x26\\x57\\x4e\\xac\\xa0\\xec\\xf8\\x68\\xe4\\x8d\\x21\",\n { timeout = 3000 })\n if not status then\n return\n end\n\n -- port is open\n nmap.set_port_state(host, port, \"open\")\n\n local passwordbyte, maxplayers, numplayers, name, pvpallow, newplayersallow, description =\n string.match(data, \"^\\x00\\x03\\xf1\\x26............(.)...(.)...(.)...................................................................(.*)\\0\\0(.):(.):.*:.*:.*:(.*)\\0\\0$\")\n if not passwordbyte then\n return\n end\n\n local o = stdnse.output_table()\n\n o[\"server name\"] = string.gsub(name, \"[^%g%s]\", \"\")\n o[\"server description\"] = string.gsub(description, \"[^%g%s]\", \"\")\n o[\"players\"] = numplayers:byte(1) - 1\n o[\"max. players\"] = maxplayers:byte(1) - 1\n\n passwordbyte = passwordbyte:byte(1)\n if passwordbyte & 128 ~= 0 then\n o[\"password\"] = \"yes\"\n else\n o[\"password\"] = \"no\"\n end\n\n o[\"allow players to harm other players\"] = \"n/a\"\n if pvpallow == \"1\" then\n o[\"allow players to harm other players\"] = \"yes\"\n elseif pvpallow == \"0\" then\n o[\"allow players to harm other players\"] = \"no\"\n end\n\n o[\"allow new players\"] = \"n/a\"\n if newplayersallow == \"1\" then\n o[\"allow new players\"] = \"yes\"\n elseif newplayersallow == \"0\" then\n o[\"allow new players\"] = \"no\"\n end\n\n port.version.name = \"freelancer\"\n port.version.name_confidence = 10\n port.version.product = \"Freelancer\"\n port.version.extrainfo = \"name: \" .. o[\"server name\"] .. \"; players: \" ..\n o[\"players\"] .. \"/\" .. o[\"max. players\"] .. \"; password: \" .. o[\"password\"]\n\n nmap.set_port_version(host, port, \"hardmatched\")\n\n return o\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:19", "description": "Lists portals and iSCSI nodes registered with the Internet Storage Name Service (iSNS).\n\n## Example Usage \n \n \n nmap -p 3205 <ip> --script isns-info\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 3205/tcp open unknown\n | isns-info:\n | Portal\n | ip port\n | 192.168.0.1 3260/tcp\n | 192.168.0.2 3260/tcp\n | iSCSI Nodes\n | node type\n | iqn.2001-04.com.example:storage.disk2.sys1.xyz Target\n | iqn.2001-05.com.example:storage.disk2.sys1.xyz Target\n |_ iqn.2001-04.a.com.example:storage.disk3.sys2.abc Target\n \n\n## Requires \n\n * [stdnse](<../lib/stdnse.html>)\n * [shortport](<../lib/shortport.html>)\n * [isns](<../lib/isns.html>)\n * [tab](<../lib/tab.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-05-29T18:02:19", "type": "nmap", "title": "isns-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:ISNS-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/isns-info.html", "sourceData": "local stdnse = require \"stdnse\"\nlocal shortport = require \"shortport\"\nlocal isns = require \"isns\"\nlocal tab = require \"tab\"\nlocal table = require \"table\"\n\ndescription = [[\nLists portals and iSCSI nodes registered with the Internet Storage Name\nService (iSNS).\n]]\n\n---\n-- @usage\n-- nmap -p 3205 <ip> --script isns-info\n--\n-- @output\n-- PORT STATE SERVICE\n-- 3205/tcp open unknown\n-- | isns-info:\n-- | Portal\n-- | ip port\n-- | 192.168.0.1 3260/tcp\n-- | 192.168.0.2 3260/tcp\n-- | iSCSI Nodes\n-- | node type\n-- | iqn.2001-04.com.example:storage.disk2.sys1.xyz Target\n-- | iqn.2001-05.com.example:storage.disk2.sys1.xyz Target\n-- |_ iqn.2001-04.a.com.example:storage.disk3.sys2.abc Target\n--\n\nportrule = shortport.port_or_service(3205, 'isns')\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\", \"discovery\"}\n\nlocal function fail(err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n local helper = isns.Helper:new(host, port)\n if ( not(helper:connect()) ) then\n return fail(\"Failed to connect to server\")\n end\n\n local status, portals = helper:listPortals()\n if ( not(status) ) then\n return\n end\n\n local results = {}\n local restab = tab.new(2)\n tab.addrow(restab, \"ip\", \"port\")\n for _, portal in ipairs(portals) do\n tab.addrow(restab, portal.addr, (\"%d/%s\"):format(portal.port, portal.proto))\n end\n table.insert(results, { name = \"Portal\", tab.dump(restab) })\n\n local status, nodes = helper:listISCINodes()\n if ( not(status) ) then\n return\n end\n\n restab = tab.new(2)\n tab.addrow(restab, \"node\", \"type\")\n for _, portal in ipairs(nodes) do\n tab.addrow(restab, portal.name, portal.type)\n end\n table.insert(results, { name = \"iSCSI Nodes\", tab.dump(restab) })\n\n return stdnse.format_output(true, results)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:33", "description": "Discovers which options are supported by the AJP (Apache JServ Protocol) server by sending an OPTIONS request and lists potentially risky methods. \n\nIn this script, \"potentially risky\" methods are anything except GET, HEAD, POST, and OPTIONS. If the script reports potentially risky methods, they may not all be security risks, but you should check to make sure. This page lists the dangers of some common methods: \n\n<http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29>\n\n## Script Arguments \n\n#### ajp-methods.path \n\nthe path to check or &lt;code&gt;/&lt;code&gt; if none was given\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 8009 <ip> --script ajp-methods\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 8009/tcp open ajp13\n | ajp-methods:\n | Supported methods: GET HEAD POST PUT DELETE TRACE OPTIONS\n | Potentially risky methods: PUT DELETE TRACE\n |_ See https://nmap.org/nsedoc/scripts/ajp-methods.html\n \n\n## Requires \n\n * [ajp](<../lib/ajp.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [stringaux](<../lib/stringaux.html>)\n * [table](<>)\n * [tableaux](<../lib/tableaux.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-05-07T18:49:22", "type": "nmap", "title": "ajp-methods NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-11-06T15:07:01", "id": "NMAP:AJP-METHODS.NSE", "href": "https://nmap.org/nsedoc/scripts/ajp-methods.html", "sourceData": "local ajp = require \"ajp\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal stringaux = require \"stringaux\"\nlocal table = require \"table\"\nlocal tableaux = require \"tableaux\"\n\ndescription = [[\nDiscovers which options are supported by the AJP (Apache JServ\nProtocol) server by sending an OPTIONS request and lists potentially\nrisky methods.\n\nIn this script, \"potentially risky\" methods are anything except GET,\nHEAD, POST, and OPTIONS. If the script reports potentially risky\nmethods, they may not all be security risks, but you should check to\nmake sure. This page lists the dangers of some common methods:\n\nhttp://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29\n]]\n\n---\n-- @usage\n-- nmap -p 8009 <ip> --script ajp-methods\n--\n-- @output\n-- PORT STATE SERVICE\n-- 8009/tcp open ajp13\n-- | ajp-methods:\n-- | Supported methods: GET HEAD POST PUT DELETE TRACE OPTIONS\n-- | Potentially risky methods: PUT DELETE TRACE\n-- |_ See https://nmap.org/nsedoc/scripts/ajp-methods.html\n--\n-- @args ajp-methods.path the path to check or <code>/<code> if none was given\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"safe\"}\n\n\nportrule = shortport.port_or_service(8009, 'ajp13', 'tcp')\n\nlocal arg_url = stdnse.get_script_args(SCRIPT_NAME .. \".path\") or \"/\"\nlocal UNINTERESTING_METHODS = { \"GET\", \"HEAD\", \"POST\", \"OPTIONS\" }\n\nlocal function filter_out(t, filter)\n local result = {}\n for _, e in ipairs(t) do\n if ( not(tableaux.contains(filter, e)) ) then\n result[#result + 1] = e\n end\n end\n return result\nend\n\naction = function(host, port)\n\n local helper = ajp.Helper:new(host, port)\n if ( not(helper:connect()) ) then\n return stdnse.format_output(false, \"Failed to connect to server\")\n end\n\n local status, response = helper:options(arg_url)\n helper:close()\n if ( not(status) or response.status ~= 200 or\n not(response.headers) or not(response.headers['allow']) ) then\n return \"Failed to get a valid response for the OPTION request\"\n end\n\n local methods = stringaux.strsplit(\",%s\", response.headers['allow'])\n\n local output = {}\n table.insert(output, (\"Supported methods: %s\"):format(table.concat(methods, \" \")))\n\n local interesting = filter_out(methods, UNINTERESTING_METHODS)\n if ( #interesting > 0 ) then\n table.insert(output, \"Potentially risky methods: \" .. table.concat(interesting, \" \"))\n table.insert(output, \"See https://nmap.org/nsedoc/scripts/ajp-methods.html\")\n end\n return stdnse.format_output(true, output)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:33", "description": "Uses Multicast Listener Discovery to list the multicast addresses subscribed to by IPv6 multicast listeners on the link-local scope. Addresses in the IANA IPv6 Multicast Address Space Registry have their descriptions listed.\n\n## Script Arguments \n\n#### ipv6-multicast-mld-list.timeout \n\ntimeout to wait for responses (default: 10s)\n\n#### ipv6-multicast-mld-list.interface \n\nInterface to send on (default: the interface specified with -e or every available Ethernet interface with an IPv6 address.)\n\n## Example Usage \n \n \n nmap --script=ipv6-multicast-mld-list\n \n\n## Script Output \n \n \n Pre-scan script results:\n | ipv6-multicast-mld-list:\n | fe80::9fb:25b7:1b7c:e53:\n | device: wlan0\n | mac: 38:60:77:3d:b1:ec\n | multicast_ips:\n | ff02::1:ff7c:e53 (NDP Solicited-node)\n | ff02::fb (mDNSv6)\n | ff02::c (SSDP)\n |_ ff02::1:3 (Link-local Multicast Name Resolution)\n \n\n## Requires \n\n * [ipOps](<../lib/ipOps.html>)\n * [coroutine](<>)\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n * [multicast](<../lib/multicast.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2015-12-19T15:50:08", "type": "nmap", "title": "ipv6-multicast-mld-list NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-08-15T07:26:00", "id": "NMAP:IPV6-MULTICAST-MLD-LIST.NSE", "href": "https://nmap.org/nsedoc/scripts/ipv6-multicast-mld-list.html", "sourceData": "local ipOps = require \"ipOps\"\nlocal coroutine = require \"coroutine\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal multicast = require \"multicast\"\n\ndescription = [[\nUses Multicast Listener Discovery to list the multicast addresses subscribed to\nby IPv6 multicast listeners on the link-local scope. Addresses in the IANA IPv6\nMulticast Address Space Registry have their descriptions listed.\n]]\n\n---\n-- @usage\n-- nmap --script=ipv6-multicast-mld-list\n--\n-- @output\n-- Pre-scan script results:\n-- | ipv6-multicast-mld-list:\n-- | fe80::9fb:25b7:1b7c:e53:\n-- | device: wlan0\n-- | mac: 38:60:77:3d:b1:ec\n-- | multicast_ips:\n-- | ff02::1:ff7c:e53 (NDP Solicited-node)\n-- | ff02::fb (mDNSv6)\n-- | ff02::c (SSDP)\n-- |_ ff02::1:3 (Link-local Multicast Name Resolution)\n--\n-- @args ipv6-multicast-mld-list.timeout timeout to wait for\n-- responses (default: 10s)\n-- @args ipv6-multicast-mld-list.interface Interface to send on (default:\n-- the interface specified with -e or every available Ethernet interface\n-- with an IPv6 address.)\n--\n-- @xmloutput\n-- <table key=\"fe80::9fb:25b7:1b7c:e53\">\n-- <elem key=\"device\">wlan0</elem>\n-- <elem key=\"mac\">38:60:77:3d:b1:ec</elem>\n-- <table key=\"multicast_ips\">\n-- <table>\n-- <elem key=\"description\">NDP Solicited-node</elem>\n-- <elem key=\"ip\">ff02::1:ff7c:e53</elem>\n-- </table>\n-- <table>\n-- <elem key=\"description\">mDNSv6</elem>\n-- <elem key=\"ip\">ff02::fb</elem>\n-- </table>\n-- <table>\n-- <elem key=\"description\">SSDP</elem>\n-- <elem key=\"ip\">ff02::c</elem>\n-- </table>\n-- <table>\n-- <elem key=\"description\">Link-local Multicast Name Resolution</elem>\n-- <elem key=\"ip\">ff02::1:3</elem>\n-- </table>\n-- </table>\n-- </table>\n\nauthor = {\"alegen\", \"Daniel Miller\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n-- Technically multicast, not broadcast\ncategories = {\"broadcast\", \"discovery\"}\n\n-- https://www.iana.org/assignments/ipv6-multicast-addresses/link-local.csv\n-- Removed \"variable scope\" and \"Unassigned\"\n-- Address(s),Description,Reference,Date Registered,Last Reviewed\nlocal link_scope = [==[\nFF02:0:0:0:0:0:0:1,All Nodes Address,[RFC4291],,\nFF02:0:0:0:0:0:0:2,All Routers Address,[RFC4291],,\nFF02:0:0:0:0:0:0:4,DVMRP Routers,[RFC1075][Jon_Postel],,\nFF02:0:0:0:0:0:0:5,OSPFIGP,[RFC2328][John_Moy],,\nFF02:0:0:0:0:0:0:6,OSPFIGP Designated Routers,[RFC2328][John_Moy],,\nFF02:0:0:0:0:0:0:7,ST Routers,[RFC1190][<mystery contact>],,\nFF02:0:0:0:0:0:0:8,ST Hosts,[RFC1190][<mystery contact>],,\nFF02:0:0:0:0:0:0:9,RIP Routers,[RFC2080],,\nFF02:0:0:0:0:0:0:A,EIGRP Routers,[draft-savage-eigrp],,\nFF02:0:0:0:0:0:0:B,Mobile-Agents,[Bill_Simpson],1994-11-01,\nFF02:0:0:0:0:0:0:C,SSDP,[UPnP_Forum],2006-09-21,\nFF02:0:0:0:0:0:0:D,All PIM Routers,[Dino_Farinacci],,\nFF02:0:0:0:0:0:0:E,RSVP-ENCAPSULATION,[Bob_Braden],1996-04-01,\nFF02:0:0:0:0:0:0:F,UPnP,[UPnP_Forum],2006-09-21,\nFF02:0:0:0:0:0:0:10,All-BBF-Access-Nodes,[RFC6788],,\nFF02:0:0:0:0:0:0:12,VRRP,[RFC5798],,\nFF02:0:0:0:0:0:0:16,All MLDv2-capable routers,[RFC3810],,\nFF02:0:0:0:0:0:0:1A,all-RPL-nodes,[RFC6550],,\nFF02:0:0:0:0:0:0:6A,All-Snoopers,[RFC4286],,\nFF02:0:0:0:0:0:0:6B,PTP-pdelay,[http://ieee1588.nist.gov/][Kang_Lee],2007-02-02,\nFF02:0:0:0:0:0:0:6C,Saratoga,[Lloyd_Wood],2007-08-30,\nFF02:0:0:0:0:0:0:6D,LL-MANET-Routers,[RFC5498],,\nFF02:0:0:0:0:0:0:6E,IGRS,[Xiaoyu_Zhou],2009-01-20,\nFF02:0:0:0:0:0:0:6F,iADT Discovery,[Paul_Suhler],2009-05-12,\nFF02:0:0:0:0:0:0:FB,mDNSv6,[RFC6762],2005-10-05,\nFF02:0:0:0:0:0:1:1,Link Name,[Dan_Harrington],1996-07-01,\nFF02:0:0:0:0:0:1:2,All-dhcp-agents,[RFC3315],,\nFF02:0:0:0:0:0:1:3,Link-local Multicast Name Resolution,[RFC4795],,\nFF02:0:0:0:0:0:1:4,DTCP Announcement,[Moritz_Vieth][Hanno_Tersteegen],2004-05-01,\nFF02:0:0:0:0:0:1:5,afore_vdp,[Michael_Richardson],2010-11-30,\nFF02:0:0:0:0:0:1:6,Babel,[RFC6126],,\nFF02::1:FF00:0000/104,Solicited-Node Address,[RFC4291],,\nFF02:0:0:0:0:2:FF00::/104,Node Information Queries,[RFC4620],,\n]==]\n\n-- https://www.iana.org/assignments/ipv6-multicast-addresses/variable.csv\n-- Removed \"Unassigned\"\nlocal var_scope = [==[\nFF0X:0:0:0:0:0:0:0,Reserved Multicast Address,[RFC4291],,\nFF0X:0:0:0:0:0:0:C,SSDP,[UPnP_Forum],2006-09-21,\nFF0X:0:0:0:0:0:0:FB,mDNSv6,[RFC6762],2005-10-05,\nFF0X:0:0:0:0:0:0:FC,ALL_MPL_FORWARDERS,[RFC-ietf-roll-trickle-mcast-12],2013-04-10,\nFF0X:0:0:0:0:0:0:FD,All CoAP Nodes,[RFC7252],2013-07-25,\nFF0X:0:0:0:0:0:0:100,VMTP Managers Group,[RFC1045][Dave_Cheriton],,\nFF0X:0:0:0:0:0:0:101,Network Time Protocol (NTP),[RFC1119][RFC5905][David_Mills],,\nFF0X:0:0:0:0:0:0:102,SGI-Dogfight,[Andrew_Cherenson],,\nFF0X:0:0:0:0:0:0:103,Rwhod,[Steve_Deering],,\nFF0X:0:0:0:0:0:0:104,VNP,[Dave_Cheriton],,\nFF0X:0:0:0:0:0:0:105,Artificial Horizons - Aviator,[Bruce_Factor],,\nFF0X:0:0:0:0:0:0:106,NSS - Name Service Server,[Bill_Schilit],,\nFF0X:0:0:0:0:0:0:107,AUDIONEWS - Audio News Multicast,[Martin_Forssen],,\nFF0X:0:0:0:0:0:0:108,SUN NIS+ Information Service,[Chuck_McManis],,\nFF0X:0:0:0:0:0:0:109,MTP Multicast Transport Protocol,[Susie_Armstrong],,\nFF0X:0:0:0:0:0:0:10A,IETF-1-LOW-AUDIO,[Steve_Casner],,\nFF0X:0:0:0:0:0:0:10B,IETF-1-AUDIO,[Steve_Casner],,\nFF0X:0:0:0:0:0:0:10C,IETF-1-VIDEO,[Steve_Casner],,\nFF0X:0:0:0:0:0:0:10D,IETF-2-LOW-AUDIO,[Steve_Casner],,\nFF0X:0:0:0:0:0:0:10E,IETF-2-AUDIO,[Steve_Casner],,\nFF0X:0:0:0:0:0:0:10F,IETF-2-VIDEO,[Steve_Casner],,\nFF0X:0:0:0:0:0:0:110,MUSIC-SERVICE,[[Guido van Rossum]],,\nFF0X:0:0:0:0:0:0:111,SEANET-TELEMETRY,[[Andrew Maffei]],,\nFF0X:0:0:0:0:0:0:112,SEANET-IMAGE,[[Andrew Maffei]],,\nFF0X:0:0:0:0:0:0:113,MLOADD,[Bob_Braden],1996-04-01,\nFF0X:0:0:0:0:0:0:114,any private experiment,[Jon_Postel],,\nFF0X:0:0:0:0:0:0:115,DVMRP on MOSPF,[John_Moy],,\nFF0X:0:0:0:0:0:0:116,SVRLOC,[Erik_Guttman],2001-05-01,\nFF0X:0:0:0:0:0:0:117,XINGTV,[<hgxing&aol.com>],,\nFF0X:0:0:0:0:0:0:118,microsoft-ds,[Arnold_M],,\nFF0X:0:0:0:0:0:0:119,nbc-pro,[Bloomer],,\nFF0X:0:0:0:0:0:0:11A,nbc-pfn,[Bloomer],,\nFF0X:0:0:0:0:0:0:11B,lmsc-calren-1,[Yea_Uang],1994-11-01,\nFF0X:0:0:0:0:0:0:11C,lmsc-calren-2,[Yea_Uang],1994-11-01,\nFF0X:0:0:0:0:0:0:11D,lmsc-calren-3,[Yea_Uang],1994-11-01,\nFF0X:0:0:0:0:0:0:11E,lmsc-calren-4,[Yea_Uang],1994-11-01,\nFF0X:0:0:0:0:0:0:11F,ampr-info,[Rob_Janssen],1995-01-01,\nFF0X:0:0:0:0:0:0:120,mtrace,[Steve_Casner],1995-01-01,\nFF0X:0:0:0:0:0:0:121,RSVP-encap-1,[Bob_Braden],1996-04-01,\nFF0X:0:0:0:0:0:0:122,RSVP-encap-2,[Bob_Braden],1996-04-01,\nFF0X:0:0:0:0:0:0:123,SVRLOC-DA,[Erik_Guttman],2001-05-01,\nFF0X:0:0:0:0:0:0:124,rln-server,[Brian_Kean],1995-08-01,\nFF0X:0:0:0:0:0:0:125,proshare-mc,[Mark_Lewis],1995-10-01,\nFF0X:0:0:0:0:0:0:126,dantz,[Dotty_Yackle],1996-02-01,\nFF0X:0:0:0:0:0:0:127,cisco-rp-announce,[Dino_Farinacci],,\nFF0X:0:0:0:0:0:0:128,cisco-rp-discovery,[Dino_Farinacci],,\nFF0X:0:0:0:0:0:0:129,gatekeeper,[Jim_Toga],1996-05-01,\nFF0X:0:0:0:0:0:0:12A,iberiagames,[Jose_Luis_Marocho],1996-07-01,\nFF0X:0:0:0:0:0:0:12B,X Display,[John_McKernan],2003-05-01,\nFF0X:0:0:0:0:0:0:12C,dof-multicast,[Bryant_Eastham],2005-04-01,2015-04-23\nFF0X:0:0:0:0:0:0:12D,DvbServDisc,[Bert_van_Willigen],2005-09-16,\nFF0X:0:0:0:0:0:0:12E,Ricoh-device-ctrl,[Kohki_Ohhira],2006-06-20,\nFF0X:0:0:0:0:0:0:12F,Ricoh-device-ctrl,[Kohki_Ohhira],2006-06-20,\nFF0X:0:0:0:0:0:0:130,UPnP,[UPnP_Forum],2006-09-21,\nFF0X:0:0:0:0:0:0:131,Systech Mcast,[Dan_Jakubiec],2006-09-21,\nFF0X:0:0:0:0:0:0:132,omasg,[Mark_Lipford],2006-09-21,\nFF0X:0:0:0:0:0:0:133,ASAP,[RFC5352],,\nFF0X:0:0:0:0:0:0:134,unserding,[Sebastian_Freundt],2009-11-30,\nFF0X:0:0:0:0:0:0:135,PHILIPS-HEALTH,[Anthony_Kandaya],2010-02-26,\nFF0X:0:0:0:0:0:0:136,PHILIPS-HEALTH,[Anthony_Kandaya],2010-02-26,\nFF0X:0:0:0:0:0:0:137,Niagara,[Owen_Michael_James],2010-09-13,\nFF0X:0:0:0:0:0:0:138,LXI-EVENT,[Tom_Fay],2011-01-31,\nFF0X:0:0:0:0:0:0:139,LANCOM Discover,[Martin_Krebs],2011-05-09,\nFF0X:0:0:0:0:0:0:13A,AllJoyn,[Craig_Dowell],2011-11-18,\nFF0X:0:0:0:0:0:0:13B,GNUnet,[Christian_Grothoff],2011-11-22,\nFF0X:0:0:0:0:0:0:13C,fos4Xdevices,[Rolf_Wojtech],2011-12-07,\nFF0X:0:0:0:0:0:0:13D,USNAMES-NET-MC,[Christopher_Mettin],2013-01-24,\nFF0X:0:0:0:0:0:0:13E,hp-msm-discover,[John_Flick],2013-02-28,\nFF0X:0:0:0:0:0:0:13F,\"SANYO DENKI CO., LTD.\",[Yuuki_Hara],2014-03-20,\nFF0X:0:0:0:0:0:0:140-FF0X:0:0:0:0:0:0:14F,EPSON-disc-set,[Seiko_Epson_Corp],2010-02-26,\nFF0X:0:0:0:0:0:0:150,an-adj-disc,[Toerless_Eckert],2014-06-04,\nFF0X:0:0:0:0:0:0:151,Canon-Device-control,[Hiroshi_Okubo],2014-08-01,\nFF0X:0:0:0:0:0:0:152,TinyMessage,[Josip_Medved],2014-12-09,\nFF0X:0:0:0:0:0:0:153,ZigBee NAN DS,[Yusuke_Doi],2015-08-21,\nFF0X:0:0:0:0:0:0:154,ZigBee NAN DI,[Yusuke_Doi],2015-08-21,\nFF0X:0:0:0:0:0:0:155,jini-announcement,[Jini Discovery and Join Specification][Peter_Grahame_Firmstone],2015-08-27,\nFF0X:0:0:0:0:0:0:156,jini-request,[Jini Discovery and Join Specification][Peter_Grahame_Firmstone],2015-08-27,\nFF0X:0:0:0:0:0:0:157,hbmdevices,[Stephan_Gatzka],2015-10-26,\nFF0X:0:0:0:0:0:0:160-FF0X:0:0:0:0:0:0:16F,NMEA OneNet,[Steve_Spitzer],2015-06-29,\nFF0X:0:0:0:0:0:0:175,all SIP servers,[Rick_van_Rein],2015-07-21,\nFF0X:0:0:0:0:0:0:181,PTP-primary,[http://ieee1588.nist.gov/][Kang_Lee],2007-02-02,\nFF0X:0:0:0:0:0:0:182,PTP-alternate1,[http://ieee1588.nist.gov/][Kang_Lee],2007-02-02,\nFF0X:0:0:0:0:0:0:183,PTP-alternate2,[http://ieee1588.nist.gov/][Kang_Lee],2007-02-02,\nFF0X:0:0:0:0:0:0:184,PTP-alternate3,[http://ieee1588.nist.gov/][Kang_Lee],2007-02-02,\nFF0X:0:0:0:0:0:0:18C,All ACs multicast address,[RFC5415],,\nFF0X:0:0:0:0:0:0:201,\"\"\"rwho\"\" Group (BSD) (unofficial)\",[Jon_Postel],,\nFF0X:0:0:0:0:0:0:202,SUN RPC PMAPPROC_CALLIT,[Brendan_Eic],,\nFF0X:0:0:0:0:0:0:204,All C1222 Nodes,[RFC6142],2009-08-28,\nFF0X:0:0:0:0:0:0:205,Hexabus,[Mathias_Dalheimer],2013-08-09,\nFF0X:0:0:0:0:0:0:206,multicast chat,[Patrik_Lahti],2013-08-13,\nFF0X:0:0:0:0:0:0:2C0-FF0X:0:0:0:0:0:0:2FF,Garmin Marine,[Nathan_Karstens],2015-02-19,\nFF0X:0:0:0:0:0:0:300,Mbus/Ipv6,[RFC3259],,\nFF0X:0:0:0:0:0:0:3486,IFSF Heartbeat,[John_Carrier],2015-06-15,\nFF0X:0:0:0:0:0:0:BAC0,BACnet,[Coleman_Brumley],2010-11-22,\nFF0X::1:1000/118,\"Service Location, Version 2\",[RFC3111],,\nFF0X:0:0:0:0:0:2:0000-FF0X:0:0:0:0:0:2:7FFD,Multimedia Conference Calls,[Steve_Casner],,\nFF0X:0:0:0:0:0:2:7FFE,SAPv1 Announcements,[Steve_Casner],,\nFF0X:0:0:0:0:0:2:7FFF,SAPv0 Announcements (deprecated),[Steve_Casner],,\nFF0X:0:0:0:0:0:2:8000-FF0X:0:0:0:0:0:2:FFFF,SAP Dynamic Assignments,[Steve_Casner],,\nFF0X::DB8:0:0/96,Documentation Addresses,[RFC6676],,\n]==]\n\nlocal function sort_ip_ascending(a, b)\n return ipOps.compare_ip(a[0], \"lt\", b[0])\nend\n\nlocal multicast_addresses = {}\nlocal multicast_ranges = {}\ndo\n local starts, ends, addr, name = string.find(link_scope, \"^([^,]+),([^,]+),.-\\n\")\n while starts do\n if string.match(addr, \"[/-]\") then\n local low, high, err = ipOps.get_ips_from_range(addr)\n if not low then\n stdnse.debug1(\"Error parsing IP range %s: %s\", addr, err)\n else\n table.insert(multicast_ranges, {low, high, name})\n end\n else\n multicast_addresses[string.lower(ipOps.expand_ip(addr))] = name\n end\n starts, ends, addr, name = string.find(link_scope, \"^([^,]+),([^,]+),.-\\n\", ends + 1)\n end\n\n starts, ends, addr, name = string.find(var_scope, \"^([^,]+),([^,]+),.-\\n\")\n while starts do\n addr = string.gsub(addr, \"FF0X\", \"FF02\")\n if string.match(addr, \"[/-]\") then\n local low, high, err = ipOps.get_ips_from_range(addr)\n if not low then\n stdnse.debug1(\"Error parsing IP range %s: %s\", addr, err)\n else\n table.insert(multicast_ranges, {low, high, name})\n end\n else\n multicast_addresses[string.lower(ipOps.expand_ip(addr))] = name\n end\n starts, ends, addr, name = string.find(link_scope, \"^([^,]+),([^,]+),.-\\n\", ends + 1)\n end\n\n table.sort(multicast_ranges, sort_ip_ascending)\nend\n\nlocal function get_interfaces()\n local if_list = nmap.list_interfaces()\n local if_ret = {}\n local arg_interface = stdnse.get_script_args(SCRIPT_NAME .. \".interface\") or nmap.get_interface()\n\n for _, if_nfo in pairs(if_list) do\n if (arg_interface == nil or if_nfo.device == arg_interface) -- check for correct interface\n and ipOps.ip_in_range(if_nfo.address, \"fe80::/10\") -- link local address\n and if_nfo.link == \"ethernet\" then -- not the loopback interface\n table.insert(if_ret, if_nfo)\n end\n end\n\n return if_ret\nend\n\nlocal function single_interface_broadcast(if_nfo, results)\n stdnse.debug2(\"Starting \" .. SCRIPT_NAME .. \" on \" .. if_nfo.device)\n local condvar = nmap.condvar(results)\n local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. '.timeout')) or 10\n\n local reports = multicast.mld_query(if_nfo, timeout)\n for addr, info in pairs(multicast.mld_report_addresses(reports)) do\n if results[addr] then\n stdnse.debug1(\"Duplicate address found: %s, interface %s\", addr, info.device)\n end\n results[addr] = info\n end\n\n condvar(\"signal\")\nend\n\n---\n-- Calculates the solicited-node multicast address used by NDP from a unicast\n-- link-local IPv6 address.\n--\n-- @param ll_ip String representation of a link-local IPv6 unicast address\n-- @usage\n-- mcast_ip = get_sol_mcast(ll_ip)\n-- @return The calculated solicited-node multicast address or <code>nil</code>\n-- if the given parameter is not a valid link-local address.\n--\nlocal function get_sol_mcast (ll_ip)\n -- check if address is link-local\n local is_ll, err = ipOps.ip_in_range(ll_ip, \"FE80::/10\")\n if not(is_ll) then\n return nil\n end\n -- calculate multicast address\n local three_bytes = string.sub(ipOps.ip_to_str(ll_ip), 14, 16)\n local thirteen_bytes = \"\\xff\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\00\\x01\\xff\"\n return ipOps.str_to_ip(thirteen_bytes .. three_bytes)\nend\n\nlocal function sorted_keys(t)\n local ret = {}\n local k, v\n -- deliberately avoiding pairs() because of __pairs metamethod in action\n repeat\n k, v = next(t, k)\n ret[#ret+1] = k\n until k == nil\n table.sort(ret, sort_ip_ascending)\n return ret\nend\n\nprerule = function()\n if not(nmap.is_privileged()) then\n stdnse.verbose1(\"not running for lack of privileges.\")\n return false\n end\n return true\nend\n\naction = function()\n local results = {}\n local threads = {}\n local condvar = nmap.condvar(results)\n\n for _, if_nfo in ipairs(get_interfaces()) do\n -- create a thread for each interface\n local co = stdnse.new_thread(single_interface_broadcast, if_nfo, results)\n threads[co] = true\n end\n\n repeat\n for thread in pairs(threads) do\n if coroutine.status(thread) == \"dead\" then threads[thread] = nil end\n end\n if ( next(threads) ) then\n condvar \"wait\"\n end\n until next(threads) == nil\n\n local guesses = {}\n local mip_metatable = {\n __tostring = function(t)\n return (\"%-25s (%s)\"):format(t.ip, t.description)\n end\n }\n for target_ip, info in pairs(results) do\n table.sort(info.multicast_ips, sort_ip_ascending)\n for i=1, #info.multicast_ips do\n local ip = info.multicast_ips[i]\n local t = {ip=ip}\n local tmp = string.lower(ipOps.expand_ip(ip))\n local desc = multicast_addresses[tmp]\n if not desc then\n if ipOps.compare_ip(ip, \"eq\", get_sol_mcast(target_ip)) then\n desc = \"NDP Solicited-node\"\n else\n stdnse.debug1(\"Addr: %s\", ip)\n for j=1, #multicast_ranges do\n if ipOps.compare_ip(ip, \"le\", multicast_ranges[j][2]) then\n stdnse.debug1(\"<= %s\", multicast_ranges[j][2])\n if ipOps.compare_ip(ip, \"ge\", multicast_ranges[j][1]) then\n stdnse.debug1(\">= %s\", multicast_ranges[j][1])\n desc = multicast_ranges[j][3]\n else\n stdnse.debug1(\"> %s\", multicast_ranges[j][2])\n end\n stdnse.debug1(\"done %s\", multicast_ranges[j][3])\n break\n end\n stdnse.debug1(\"> %s\", multicast_ranges[j][2])\n end\n end\n end\n t.description = desc or \"unknown\"\n setmetatable(t, mip_metatable)\n info.multicast_ips[i] = t\n end\n end\n\n setmetatable(results, {\n __pairs = function(t)\n local order = sorted_keys(t)\n return coroutine.wrap(function()\n for i,k in ipairs(order) do\n coroutine.yield(k, t[k])\n end\n end)\n end\n })\n if next(results) then\n return results\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:34:52", "description": "Attempts to detect missing patches in Windows systems by checking the uptime returned during the SMB2 protocol negotiation. \n\nSMB2 protocol negotiation response returns the system boot time pre-authentication. This information can be used to determine if a system is missing critical patches without triggering IDS/IPS/AVs. \n\nRemember that a rebooted system may still be vulnerable. This check only reveals unpatched systems based on the uptime, no additional probes are sent. \n\nReferences: \n\n * <https://twitter.com/breakersall/status/880496571581857793>\n\n## Script Arguments \n\n#### smb2-vuln-uptime.skip-os \n\nIgnore OS detection results and show results\n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the [vulns](<../lib/vulns.html#script-args>) library. \n\n## Example Usage \n\n * nmap -O --script smb2-vuln-uptime <target>\n\n * nmap -p445 --script smb2-vuln-uptime --script-args smb2-vuln-uptime.skip-os=true <target>\n \n\n## Script Output \n \n \n | smb2-vuln-uptime:\n | VULNERABLE:\n | MS17-010: Security update for Windows SMB Server\n | State: LIKELY VULNERABLE\n | IDs: ms:ms17-010 CVE:2017-0147\n | This system is missing a security update that resolves vulnerabilities in\n | Microsoft Windows SMB Server.\n |\n | References:\n | https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0147\n |_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n \n\n## Requires \n\n * [os](<>)\n * [datetime](<../lib/datetime.html>)\n * [smb](<../lib/smb.html>)\n * [vulns](<../lib/vulns.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [smb2](<../lib/smb2.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-28T09:01:02", "type": "nmap", "title": "smb2-vuln-uptime NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2021-01-18T21:21:43", "id": "NMAP:SMB2-VULN-UPTIME.NSE", "href": "https://nmap.org/nsedoc/scripts/smb2-vuln-uptime.html", "sourceData": "local os = require \"os\"\nlocal datetime = require \"datetime\"\nlocal smb = require \"smb\"\nlocal vulns = require \"vulns\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal smb2 = require \"smb2\"\nlocal table = require \"table\"\n\ndescription = [[\nAttempts to detect missing patches in Windows systems by checking the\nuptime returned during the SMB2 protocol negotiation.\n\nSMB2 protocol negotiation response returns the system boot time\n pre-authentication. This information can be used to determine\n if a system is missing critical patches without triggering IDS/IPS/AVs.\n\nRemember that a rebooted system may still be vulnerable. This check\nonly reveals unpatched systems based on the uptime, no additional probes are sent.\n\nReferences:\n* https://twitter.com/breakersall/status/880496571581857793\n]]\n\n---\n-- @usage nmap -O --script smb2-vuln-uptime <target>\n-- @usage nmap -p445 --script smb2-vuln-uptime --script-args smb2-vuln-uptime.skip-os=true <target>\n--\n-- @output\n-- | smb2-vuln-uptime:\n-- | VULNERABLE:\n-- | MS17-010: Security update for Windows SMB Server\n-- | State: LIKELY VULNERABLE\n-- | IDs: ms:ms17-010 CVE:2017-0147\n-- | This system is missing a security update that resolves vulnerabilities in\n-- | Microsoft Windows SMB Server.\n-- |\n-- | References:\n-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0147\n-- |_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n--\n-- @xmloutput\n-- <table key=\"2017-0147\">\n-- <elem key=\"title\">MS17-010: Security update for Windows SMB Server</elem>\n-- <elem key=\"state\">LIKELY VULNERABLE</elem>\n-- <table key=\"ids\">\n-- <elem>CVE:2017-0147</elem>\n-- <elem>ms:ms17-010</elem>\n-- </table>\n-- <table key=\"description\">\n-- <elem>This system is missing a security update that resolves vulnerabilities in&#xa; Microsoft Windows SMB Server.&#xa;</elem>\n-- </table>\n-- <table key=\"refs\">\n-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0147</elem>\n-- <elem>https://technet.microsoft.com/en-us/library/security/ms17-010.aspx</elem>\n-- </table>\n-- </table>\n--\n-- @args smb2-vuln-uptime.skip-os Ignore OS detection results and show results\n---\n\nauthor = \"Paulino Calderon <calderon()calderonpale.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\", \"safe\"}\n\nhostrule = function(host)\n local ms = false\n local os_detection = stdnse.get_script_args(SCRIPT_NAME .. \".skip-os\") or false\n if host.os then\n for k, v in pairs(host.os) do -- Loop through OS matches\n if string.match(v['name'], \"Microsoft\") then\n ms = true\n end\n end\n end\n return (smb.get_port(host) ~= nil and ms) or (os_detection)\nend\n\nlocal ms_vulns = {\n {\n title = 'MS17-010: Security update for Windows SMB Server',\n ids = {ms = \"ms17-010\", CVE = \"2017-0147\"},\n desc = [[\nThis system is missing a security update that resolves vulnerabilities in\n Microsoft Windows SMB Server.\n]],\n disclosure_time = 1489471200,\n disclosure_date = {year=2017, month=3, day=14},\n references = {\n 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx',\n },\n },\n {\n title = 'Microsoft Kerberos Checksum Vulnerability',\n ids = {ms = \"ms14-068\", CVE = \"2014-6324\"},\n desc = [[\nThis security update resolves a privately reported vulnerability in Microsoft\n Windows Kerberos KDC that could allow an attacker to elevate unprivileged\n domain user account privileges to those of the domain administrator account.\n]],\n disclosure_time = 1416290400,\n disclosure_date = {year=2014, month=11, day=18},\n references = {\n 'https://technet.microsoft.com/en-us/library/security/ms14-068.aspx'\n },\n },\n}\n\nlocal function check_vulns(host, port)\n local smbstate, status\n local vulns_detected = {}\n\n status, smbstate = smb.start(host)\n status = smb2.negotiate_v2(smbstate)\n\n if not status then\n stdnse.debug2(\"Negotiation failed\")\n return nil, \"Protocol negotiation failed (SMB2)\"\n end\n\n datetime.record_skew(host, smbstate.time, os.time())\n stdnse.debug2(\"SMB2: Date: %s (%s) Start date:%s (%s)\",\n smbstate['date'], smbstate['time'],\n smbstate['start_date'], smbstate['start_time'])\n if smbstate['start_time'] == 0 then\n stdnse.debug2(\"Boot time not provided\")\n return nil, \"Boot time not provided\"\n end\n\n for _, vuln in pairs(ms_vulns) do\n if smbstate['start_time'] < vuln['disclosure_time'] then\n stdnse.debug2(\"Vulnerability detected\")\n vuln.extra_info = string.format(\"The system hasn't been rebooted since %s\", smbstate['start_date'])\n table.insert(vulns_detected, vuln)\n end\n end\n\n return true, vulns_detected\nend\n\naction = function(host,port)\n local status, vulnerabilities\n local report = vulns.Report:new(SCRIPT_NAME, host, port)\n\n status, vulnerabilities = check_vulns(host, port)\n if status then\n for i, v in pairs(vulnerabilities) do\n local vuln = { title = v['title'], description = v['desc'],\n references = v['references'], disclosure_date = v['disclosure_date'],\n IDS = v['ids']}\n vuln.state = vulns.STATE.LIKELY_VULN\n vuln.extra_info = v['extra_info']\n report:add_vulns(SCRIPT_NAME, vuln)\n end\n end\n return report:make_output()\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:32:13", "description": "Performs XMLRPC Introspection via the system.listMethods method. \n\nIf the verbosity is &gt; 1 then the script fetches the response of system.methodHelp for each method returned by listMethods.\n\n## Script Arguments \n\n#### xmlrpc-methods.url \n\nThe URI path to request.\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sV -sC <target>\n\n## Script Output \n \n \n | xmlrpc-methods:\n | Supported Methods:\n | list\n | system.listMethods\n | system.methodHelp\n |_ system.methodSignature\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [slaxml](<../lib/slaxml.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [strbuf](<../lib/strbuf.html>)\n * [string](<>)\n * [table](<>)\n * [tableaux](<../lib/tableaux.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2015-08-17T19:03:34", "type": "nmap", "title": "xmlrpc-methods NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-11-06T15:07:01", "id": "NMAP:XMLRPC-METHODS.NSE", "href": "https://nmap.org/nsedoc/scripts/xmlrpc-methods.html", "sourceData": "local http = require \"http\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal slaxml = require \"slaxml\"\nlocal stdnse = require \"stdnse\"\nlocal strbuf = require \"strbuf\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal tableaux = require \"tableaux\"\n\ndescription = [[\nPerforms XMLRPC Introspection via the system.listMethods method.\n\nIf the verbosity is > 1 then the script fetches the response\nof system.methodHelp for each method returned by listMethods.\n]]\n\n---\n-- @args xmlrpc-methods.url The URI path to request.\n--\n-- @output\n-- | xmlrpc-methods:\n-- | Supported Methods:\n-- | list\n-- | system.listMethods\n-- | system.methodHelp\n-- |_ system.methodSignature\n--\n-- @xmloutput\n-- <table key=\"Supported Methods\">\n-- <elem>list</elem>\n-- <elem>system.listMethods</elem>\n-- <elem>system.methodHelp</elem>\n-- <elem>system.methodSignature</elem>\n-- </table>\n\nauthor = \"Gyanendra Mishra\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"default\", \"safe\", \"discovery\"}\n\nportrule = shortport.http\n\nlocal function set_80_columns(t)\n local buffer = strbuf.new()\n for method, description in pairs(t) do\n buffer = (buffer .. string.format(\" %s:\\n\\n\", method))\n local line, ll = {}, 0\n local add_word = function(word)\n if #word + ll + 1 < 78 then\n table.insert(line, word)\n ll = ll + #word + 1\n else\n buffer = buffer .. table.concat(line, \" \") .. \"\\n\"\n ll = #word + 1\n line = {word}\n end\n end\n string.gsub(description, \"(%S+)\", add_word)\n buffer = buffer .. table.concat(line, \" \") .. \"\\n\\n\"\n end\n return \"\\n\" .. strbuf.dump(buffer)\nend\n\naction = function(host, port)\n\n local url = stdnse.get_script_args(SCRIPT_NAME .. \".url\") or \"/\"\n local data = '<methodCall> <methodName>system.listMethods</methodName> <params></params> </methodCall>'\n local response = http.post(host, port, url, {header = {[\"Content-Type\"] = \"application/x-www-form-urlencoded\"}}, nil, data )\n if not (response and response.status and response.body) then\n stdnse.debug1(\"HTTP POST failed\")\n return nil\n end\n local output = stdnse.output_table()\n local parser = slaxml.parser:new()\n\n local under_80 = {\n __tostring = set_80_columns\n }\n\n if response.status == 200 and response.body:find(\"<value><string>system.listMethods</string></value>\", nil, true) then\n\n parser._call = {startElement = function(name)\n parser._call.text = name == \"string\" and function(content) output[\"Supported Methods\"] = output[\"Supported Methods\"] or {} table.insert(output[\"Supported Methods\"], content) end end,\n closeElement = function(name) parser._call.text = function() return nil end end\n }\n parser:parseSAX(response.body, {stripWhitespace=true})\n\n if nmap.verbosity() > 1 and tableaux.contains(output[\"Supported Methods\"], \"system.methodHelp\") then\n for i, method in ipairs(output[\"Supported Methods\"]) do\n data = '<methodCall> <methodName>system.methodHelp</methodName> <params> <param><value> <string>' .. method .. '</string> </value></param> </params> </methodCall>'\n response = http.post(host, port, url, {header = {[\"Content-Type\"] = \"application/x-www-form-urlencoded\"}}, nil, data)\n if response and response.status == 200 then\n parser._call.startElement = function(name)\n parser._call.text = name == \"string\" and function(content)\n content = parser.unescape(content)\n output[\"Supported Methods\"][i] = nil\n output[\"Supported Methods\"][method] = content\n end\n end\n parser:parseSAX(response.body, {stripWhitespace=true})\n end\n -- useful in cases when the output returned by the above request is empty\n -- or the <value><string></string></value> has no text in the string\n -- element.\n if output[\"Supported Methods\"][i] then\n output[\"Supported Methods\"][i] = nil\n output[\"Supported Methods\"][method] = \"Empty system.methodHelp output.\"\n end\n end\n setmetatable(output[\"Supported Methods\"], under_80)\n end\n return output\n elseif response.body:find(\"<name>faultCode</name>\", nil, true) then\n output.error = \"XMLRPC instance doesn't support introspection.\"\n return output, output.error\n end\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:34:27", "description": "Attempts to enumerate running processes through SNMP.\n\n## Script Arguments \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### snmp.version \n\nSee the documentation for the [snmp](<../lib/snmp.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sU -p 161 --script=snmp-processes <target>\n\n## Script Output \n \n \n | snmp-processes:\n | 1:\n | Name: System Idle Process\n | 4:\n | Name: System\n | 256:\n | Name: smss.exe\n | Path: \\SystemRoot\\System32\\\n | 308:\n | Name: csrss.exe\n | Path: C:\\WINDOWS\\system32\\\n | Params: ObjectDirectory=\\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserS\n | 332:\n | Name: winlogon.exe\n | 380:\n | Name: services.exe\n | Path: C:\\WINDOWS\\system32\\\n | 392:\n | Name: lsass.exe\n |_ Path: C:\\WINDOWS\\system32\\\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [snmp](<../lib/snmp.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-02-16T09:15:38", "type": "nmap", "title": "snmp-processes NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-07-27T03:32:27", "id": "NMAP:SNMP-PROCESSES.NSE", "href": "https://nmap.org/nsedoc/scripts/snmp-processes.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal snmp = require \"snmp\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nAttempts to enumerate running processes through SNMP.\n]]\n\n---\n-- @usage\n-- nmap -sU -p 161 --script=snmp-processes <target>\n-- @output\n-- | snmp-processes:\n-- | 1:\n-- | Name: System Idle Process\n-- | 4:\n-- | Name: System\n-- | 256:\n-- | Name: smss.exe\n-- | Path: \\SystemRoot\\System32\\\n-- | 308:\n-- | Name: csrss.exe\n-- | Path: C:\\WINDOWS\\system32\\\n-- | Params: ObjectDirectory=\\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserS\n-- | 332:\n-- | Name: winlogon.exe\n-- | 380:\n-- | Name: services.exe\n-- | Path: C:\\WINDOWS\\system32\\\n-- | 392:\n-- | Name: lsass.exe\n-- |_ Path: C:\\WINDOWS\\system32\\\n--\n-- @xmloutput\n-- <table key=\"1\">\n-- <elem key=\"Name\">System Idle Process</elem>\n-- </table>\n-- <table key=\"4\">\n-- <elem key=\"Name\">System</elem>\n-- </table>\n-- <table key=\"256\">\n-- <elem key=\"Name\">smss.exe</elem>\n-- <elem key=\"Path\">\\SystemRoot\\System32\\</elem>\n-- </table>\n-- <table key=\"308\">\n-- <elem key=\"Name\">csrss.exe</elem>\n-- <elem key=\"Path\">C:\\WINDOWS\\system32\\</elem>\n-- <elem key=\"Params\">ObjectDirectory=\\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserS</elem>\n-- </table>\n-- <table key=\"332\">\n-- <elem key=\"Name\">winlogon.exe</elem>\n-- </table>\n-- <table key=\"380\">\n-- <elem key=\"Name\">services.exe</elem>\n-- <elem key=\"Path\">C:\\WINDOWS\\system32\\</elem>\n-- </table>\n-- <table key=\"392\">\n-- <elem key=\"Name\">lsass.exe</elem>\n-- <elem key=\"Path\">C:\\WINDOWS\\system32\\</elem>\n-- </table>\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\ndependencies = {\"snmp-brute\"}\n\n-- Version 0.4\n-- Created 01/15/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n-- Revised 01/19/2010 - v0.2 - fixed loop that would occur if a mib did not exist\n-- Revised 01/19/2010 - v0.3 - removed debugging output and renamed file\n-- Revised 04/11/2010 - v0.4 - moved snmp_walk to snmp library <patrik@cqure.net>\n\n\nportrule = shortport.port_or_service(161, \"snmp\", \"udp\", {\"open\", \"open|filtered\"})\n\n--- Gets a value for the specified oid\n--\n-- @param tbl table containing <code>oid</code> and <code>value</code>\n-- @param oid string containing the object id for which the value should be extracted\n-- @return value of relevant type or nil if oid was not found\nfunction get_value_from_table( tbl, oid )\n\n for _, v in ipairs( tbl ) do\n if v.oid == oid then\n return v.value\n end\n end\n\n return nil\nend\n\n--- Processes the table and creates the script output\n--\n-- @param tbl table containing <code>oid</code> and <code>value</code>\n-- @return table suitable for <code>stdnse.format_output</code>\nfunction process_answer( tbl )\n\n local swrun_name = \"1.3.6.1.2.1.25.4.2.1.2\"\n local swrun_pid = \"1.3.6.1.2.1.25.4.2.1.1\"\n local swrun_path = \"1.3.6.1.2.1.25.4.2.1.4\"\n local swrun_params = \"1.3.6.1.2.1.25.4.2.1.5\"\n local new_tbl = stdnse.output_table()\n\n for _, v in ipairs( tbl ) do\n\n if ( v.oid:match(\"^\" .. swrun_pid) ) then\n local item = stdnse.output_table()\n local objid = v.oid:gsub( \"^\" .. swrun_pid, swrun_name)\n local value = get_value_from_table( tbl, objid )\n\n if value then\n item[\"Name\"] = value\n end\n\n objid = v.oid:gsub( \"^\" .. swrun_pid, swrun_path)\n value = get_value_from_table( tbl, objid )\n\n if value and value:len() > 0 then\n item[\"Path\"] = value\n end\n\n objid = v.oid:gsub( \"^\" .. swrun_pid, swrun_params)\n value = get_value_from_table( tbl, objid )\n\n if value and value:len() > 0 then\n item[\"Params\"] = value\n end\n\n -- key (PID) must be a string for output to work.\n new_tbl[tostring(v.value)] = item\n end\n\n end\n\n return new_tbl\n\nend\n\n\naction = function(host, port)\n\n local data, snmpoid = nil, \"1.3.6.1.2.1.25.4.2\"\n local shares = {}\n local status\n\n local snmpHelper = snmp.Helper:new(host, port)\n snmpHelper:connect()\n\n status, shares = snmpHelper:walk( snmpoid )\n\n if (not(status)) or ( shares == nil ) or ( #shares == 0 ) then\n return\n end\n\n shares = process_answer( shares )\n\n nmap.set_port_state(host, port, \"open\")\n\n return shares\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:43:08", "description": "Performs brute force password guessing against HTTP proxy servers.\n\n## Script Arguments \n\n#### http-proxy-brute.url \n\nsets an alternative URL to use when brute forcing (default: <http://scanme.insecure.org>)\n\n#### http-proxy-brute.method \n\nchanges the HTTP method to use when performing brute force guessing (default: HEAD)\n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script http-proxy-brute -p 8080 <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 8080/tcp open http-proxy\n | http-proxy-brute:\n | Accounts\n | patrik:12345 - Valid credentials\n | Statistics\n |_ Performed 6 guesses in 2 seconds, average tps: 3\n \n\n## Requires \n\n * [base64](<../lib/base64.html>)\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [http](<../lib/http.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-01-02T11:21:57", "type": "nmap", "title": "http-proxy-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:HTTP-PROXY-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/http-proxy-brute.html", "sourceData": "local base64 = require \"base64\"\nlocal brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal http = require \"http\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nPerforms brute force password guessing against HTTP proxy servers.\n]]\n\n---\n-- @usage\n-- nmap --script http-proxy-brute -p 8080 <host>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 8080/tcp open http-proxy\n-- | http-proxy-brute:\n-- | Accounts\n-- | patrik:12345 - Valid credentials\n-- | Statistics\n-- |_ Performed 6 guesses in 2 seconds, average tps: 3\n--\n-- @args http-proxy-brute.url sets an alternative URL to use when brute forcing\n-- (default: http://scanme.insecure.org)\n-- @args http-proxy-brute.method changes the HTTP method to use when performing\n-- brute force guessing (default: HEAD)\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\n-- maybe the script does not need to be in the external category\n-- as most request should not \"leave\" the proxy.\ncategories = {\"brute\", \"intrusive\", \"external\"}\n\n\nportrule = shortport.port_or_service({8123,3128,8000,8080},{'polipo','squid-http','http-proxy'})\n\nlocal arg_url = stdnse.get_script_args(SCRIPT_NAME .. '.url') or 'http://scanme.nmap.org/'\nlocal arg_method = stdnse.get_script_args(SCRIPT_NAME .. '.method') or \"HEAD\"\n\nDriver = {\n\n new = function(self, host, port)\n local o = { host = host, port = port }\n setmetatable(o, self)\n self.__index = self\n return o\n end,\n\n connect = function( self )\n return true\n end,\n\n login = function( self, username, password )\n\n -- the http library does not yet support proxy authentication, so let's\n -- do what's necessary here.\n local header = { [\"Proxy-Authorization\"] = \"Basic \" .. base64.enc(username .. \":\" .. password) }\n local response = http.generic_request(self.host, self.port, arg_method, arg_url, { header = header, bypass_cache = true } )\n\n -- if we didn't get a 407 error, assume the credentials\n -- were correct. we should probably do some more checks here\n if ( response.status ~= 407 ) then\n return true, creds.Account:new( username, password, creds.State.VALID)\n end\n\n return false, brute.Error:new( \"Incorrect password\" )\n end,\n\n disconnect = function( self )\n return true\n end,\n}\n\n-- checks whether the proxy really needs authentication and that the\n-- authentication mechanism can be handled by our script, currently only\n-- BASIC authentication is supported.\nlocal function checkProxy(host, port, url)\n local response = http.generic_request(host, port, arg_method, url, { bypass_cache = true })\n\n if ( response.status ~= 407 ) then\n return false, \"Proxy server did not require authentication\"\n end\n\n local proxy_auth = response.header[\"proxy-authenticate\"]\n if ( not(proxy_auth) ) then\n return false, \"No proxy authentication header was found\"\n end\n\n local challenges = http.parse_www_authenticate(proxy_auth)\n\n for _, challenge in ipairs(challenges) do\n if ( \"Basic\" == challenge.scheme ) then\n return true\n end\n end\n return false, \"The authentication scheme wasn't supported\"\nend\n\naction = function(host, port)\n\n local status, err = checkProxy(host, port, arg_url)\n if ( not(status) ) then\n return stdnse.format_output(false, err)\n end\n\n local engine = brute.Engine:new(Driver, host, port)\n engine.options.script_name = SCRIPT_NAME\n local result\n status, result = engine:start()\n\n return result\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:44:54", "description": "Retrieves information from an Apache HBase (Hadoop database) master HTTP status page. \n\nInformation gathered: \n\n * Hbase version \n * Hbase compile date \n * Hbase root directory \n * Hadoop version \n * Hadoop compile date \n * Average load \n * Zookeeper quorum server \n * Associated region servers\n\n## Script Arguments \n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script hbase-master-info -p 60010 host\n \n\n## Script Output \n \n \n | hbase-master-info:\n | Hbase Version: 0.90.1\n | Hbase Compiled: Wed May 11 22:33:44 PDT 2011, bob\n | HBase Root Directory: hdfs://master.example.com:8020/hbase\n | Hadoop Version: 0.20 f415ef415ef415ef415ef415ef415ef415ef415e\n | Hadoop Compiled: Wed May 11 22:33:44 PDT 2011, bob\n | Average Load: 0.12\n | Zookeeper Quorum: zookeeper.example.com:2181\n | Region Servers:\n | region1.example.com:60030\n |_ region2.example.com:60030\n\n## Requires \n\n * [http](<../lib/http.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n * [target](<../lib/target.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-11-08T16:00:16", "type": "nmap", "title": "hbase-master-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-02-21T03:10:27", "id": "NMAP:HBASE-MASTER-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/hbase-master-info.html", "sourceData": "local http = require \"http\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal target = require \"target\"\n\ndescription = [[\nRetrieves information from an Apache HBase (Hadoop database) master HTTP status page.\n\nInformation gathered:\n* Hbase version\n* Hbase compile date\n* Hbase root directory\n* Hadoop version\n* Hadoop compile date\n* Average load\n* Zookeeper quorum server\n* Associated region servers\n]]\n\n---\n-- @usage\n-- nmap --script hbase-master-info -p 60010 host\n--\n-- @output\n-- | hbase-master-info:\n-- | Hbase Version: 0.90.1\n-- | Hbase Compiled: Wed May 11 22:33:44 PDT 2011, bob\n-- | HBase Root Directory: hdfs://master.example.com:8020/hbase\n-- | Hadoop Version: 0.20 f415ef415ef415ef415ef415ef415ef415ef415e\n-- | Hadoop Compiled: Wed May 11 22:33:44 PDT 2011, bob\n-- | Average Load: 0.12\n-- | Zookeeper Quorum: zookeeper.example.com:2181\n-- | Region Servers:\n-- | region1.example.com:60030\n-- |_ region2.example.com:60030\n-- @xmloutput\n-- <elem key=\"Hbase Version\">0.90.1</elem>\n-- <elem key=\"Hbase Compiled\">Wed May 11 22:33:44 PDT 2011, bob</elem>\n-- <elem key=\"HBase Root Directory\">hdfs://master.example.com:8020/hbase</elem>\n-- <elem key=\"Hadoop Version\">0.20 f415ef415ef415ef415ef415ef415ef415ef415e</elem>\n-- <elem key=\"Hadoop Compiled\">Wed May 11 22:33:44 PDT 2011, bob</elem>\n-- <elem key=\"Average Load\">0.12</elem>\n-- <elem key=\"Zookeeper Quorum\">zookeeper.example.com:2181</elem>\n-- <table key=\"Region Servers\">\n-- <elem>region1.example.com:60030</elem>\n-- <elem>region2.example.com:60030</elem>\n-- </table>\n\n\nauthor = \"John R. Bond\"\nlicense = \"Simplified (2-clause) BSD license--See https://nmap.org/svn/docs/licenses/BSD-simplified\"\ncategories = {\"default\", \"discovery\", \"safe\"}\n\n\nportrule = function(host, port)\n -- Run for the special port number, or for any HTTP-like service that is\n -- not on a usual HTTP port.\n return shortport.port_or_service ({60010}, \"hbase-master\")(host, port)\n or (shortport.service(shortport.LIKELY_HTTP_SERVICES)(host, port) and not shortport.portnumber(shortport.LIKELY_HTTP_PORTS)(host, port))\nend\n\naction = function( host, port )\n\n local result = stdnse.output_table()\n local region_servers = {}\n local uri = \"/master.jsp\"\n stdnse.debug1(\"HTTP GET %s:%s%s\", host.targetname or host.ip, port.number, uri)\n local response = http.get( host, port, uri )\n stdnse.debug1(\"Status %s\",response['status-line'] or \"No Response\")\n if not (response['status-line'] and response['status-line']:match(\"200%s+OK\") and response['body']) then\n return nil\n end\n local body = response['body']:gsub(\"%%\",\"%%%%\")\n stdnse.debug2(\"Body %s\\n\",body)\n if body:match(\"HBase%s+Version</td><td>([^][<]+)\") then\n local version = body:match(\"HBase%s+Version</td><td>([^][<]+)\"):gsub(\"%s+\", \" \")\n stdnse.debug1(\"Hbase Version %s\",version)\n result[\"Hbase Version\"] = version\n port.version.version = version\n end\n if body:match(\"HBase%s+Compiled</td><td>([^][<]+)\") then\n local compiled = body:match(\"HBase%s+Compiled</td><td>([^][<]+)\"):gsub(\"%s+\", \" \")\n stdnse.debug1(\"Hbase Compiled %s\",compiled)\n result[\"Hbase Compiled\"] = compiled\n end\n if body:match(\"Directory</td><td>([^][<]+)\") then\n local compiled = body:match(\"Directory</td><td>([^][<]+)\"):gsub(\"%s+\", \" \")\n stdnse.debug1(\"HBase RootDirectory %s\",compiled)\n result[\"HBase Root Directory\"] = compiled\n end\n if body:match(\"Hadoop%s+Version</td><td>([^][<]+)\") then\n local version = body:match(\"Hadoop%s+Version</td><td>([^][<]+)\"):gsub(\"%s+\", \" \")\n stdnse.debug1(\"Hadoop Version %s\",version)\n result[\"Hadoop Version\"] = version\n end\n if body:match(\"Hadoop%s+Compiled</td><td>([^][<]+)\") then\n local compiled = body:match(\"Hadoop%s+Compiled</td><td>([^][<]+)\"):gsub(\"%s+\", \" \")\n stdnse.debug1(\"Hadoop Compiled %s\",compiled)\n result[\"Hadoop Compiled\"] = compiled\n end\n if body:match(\"average</td><td>([^][<]+)\") then\n local average = body:match(\"average</td><td>([^][<]+)\"):gsub(\"%s+\", \" \")\n stdnse.debug1(\"Average Load %s\",average)\n result[\"Average Load\"] = average\n end\n if body:match(\"Quorum</td><td>([^][<]+)\") then\n local quorum = body:match(\"Quorum</td><td>([^][<]+)\"):gsub(\"%s+\", \" \")\n stdnse.debug1(\"Zookeeper Quorum %s\",quorum)\n result[\"Zookeeper Quorum\"] = quorum\n if target.ALLOW_NEW_TARGETS then\n if quorum:match(\"([%w%.]+)\") then\n local newtarget = quorum:match(\"([%w%.]+)\")\n stdnse.debug1(\"Added target: %s\", newtarget)\n local status,err = target.add(newtarget)\n end\n end\n end\n for line in string.gmatch(body, \"[^\\n]+\") do\n stdnse.debug3(\"Line %s\\n\",line)\n if line:match(\"maxHeap\") then\n local region_server= line:match(\"\\\">([^][<]+)</a>\")\n stdnse.debug1(\"Region Server %s\",region_server)\n table.insert(region_servers, region_server)\n if target.ALLOW_NEW_TARGETS then\n if region_server:match(\"([%w%.]+)\") then\n local newtarget = region_server:match(\"([%w%.]+)\")\n stdnse.debug1(\"Added target: %s\", newtarget)\n local status,err = target.add(newtarget)\n end\n end\n end\n end\n if next(region_servers) then\n result[\"Region Servers\"] = region_servers\n end\n if #result > 0 then\n port.version.name = \"hbase-master\"\n port.version.product = \"Apache Hadoop Hbase\"\n nmap.set_port_version(host, port)\n return result\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:33", "description": "Performs IPMI Information Discovery through Channel Auth probes.\n\n## Example Usage \n \n \n nmap -sU --script ipmi-version -p 623 <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 623/udp open|filtered unknown\n | ipmi-version:\n | Version: IPMI-2.0\n | UserAuth: password, md5, md2\n | PassAuth: null_user\n |_ Level: 1.2,2.0\n \n\n## Requires \n\n * [ipmi](<../lib/ipmi.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-09-08T17:30:40", "type": "nmap", "title": "ipmi-version NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-01-14T15:30:31", "id": "NMAP:IPMI-VERSION.NSE", "href": "https://nmap.org/nsedoc/scripts/ipmi-version.html", "sourceData": "local ipmi = require \"ipmi\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\n Performs IPMI Information Discovery through Channel Auth probes.\n]]\n\n---\n-- @usage\n-- nmap -sU --script ipmi-version -p 623 <host>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 623/udp open|filtered unknown\n-- | ipmi-version:\n-- | Version: IPMI-2.0\n-- | UserAuth: password, md5, md2\n-- | PassAuth: null_user\n-- |_ Level: 1.2,2.0\n--\n-- @xmloutput\n-- <table>\n-- <table key=\"Version\">\n-- <elem>IPMI-2.0</elem>\n-- </table>\n--\n-- <table key=\"UserAuth\">\n-- <elem>password</elem>\n-- <elem>md5</elem>\n-- <elem>md2</elem>\n-- </table>\n--\n-- <table key=\"PassAuth\">\n-- <elem>kg_default</elem>\n-- <elem>null_user</elem>\n-- </table>\n--\n-- <table key=\"Level\">\n-- <elem>1.2</elem>\n-- <elem>2.0</elem>\n-- </table>\n-- </table>\n--\n\nauthor = \"Claudiu Perta <claudiu.perta@gmail.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\nportrule = shortport.version_port_or_service(623, \"asf-rmcp\", \"udp\", {\"open\", \"open|filtered\"})\n\nlocal comma_separated = {\n __tostring = function(t) return table.concat(t, \", \") end\n}\n\naction = function(host, port)\n\n local request = ipmi.channel_auth_request()\n local socket = nmap.new_socket()\n\n socket:set_timeout(\n ((host.times and host.times.timeout) or 8) * 1000)\n socket:connect(host, port, \"udp\")\n\n -- Send 3 probes\n local tries = 3\n repeat\n socket:send(request)\n tries = tries - 1\n until tries == 0\n\n local status, reply = socket:receive()\n socket:close()\n\n if not status then\n stdnse.debug1(string.format(\"No response (%s)\", reply))\n return nil\n end\n\n nmap.set_port_state(host, port, \"open\")\n\n -- Invalid reply\n local info = ipmi.parse_channel_auth_reply(reply)\n if info[\"ipmi_command\"] ~= 56 then\n return \"IPMI - Invalid response\"\n end\n\n -- Valid reply\n local Version = {}\n if info[\"ipmi_compat_20\"] then\n table.insert(Version, \"IPMI-2.0\")\n else\n table.insert(Version, \"IPMI-1.5\")\n end\n\n local UserAuth = {}\n setmetatable(UserAuth, comma_separated)\n\n if info[\"ipmi_compat_oem_auth\"] then\n table.insert(UserAuth, \"oem_auth\")\n end\n\n if info[\"ipmi_compat_password\"] then\n table.insert(UserAuth, \"password\")\n end\n\n if info[\"ipmi_compat_md5\"] then\n table.insert(UserAuth, \"md5\")\n end\n\n if info[\"ipmi_compat_md2\"] then\n table.insert(UserAuth, \"md2\")\n end\n\n if info[\"ipmi_compat_none\"] then\n table.insert(UserAuth, \"null\")\n end\n\n local PassAuth = {}\n setmetatable(PassAuth, comma_separated)\n\n if info[\"ipmi_compat_20\"] and info[\"ipmi_user_kg\"] then\n table.insert(PassAuth, \"kg_default\")\n end\n\n if not info[\"ipmi_user_disable_message_auth\"] then\n table.insert(PassAuth, \"auth_msg\")\n end\n\n if not info[\"ipmi_user_disable_user_auth\"] then\n table.insert(PassAuth, \"auth_user\")\n end\n\n if info[\"ipmi_user_non_null\"] then\n table.insert(PassAuth, \"non_null_user\")\n end\n\n if info[\"ipmi_user_null\"] then\n table.insert(PassAuth, \"null_user\")\n end\n\n if info[\"ipmi_user_anonymous\"] then\n table.insert(PassAuth, \"anonymous_user\")\n end\n\n local ConnInfo = {}\n setmetatable(ConnInfo, comma_separated)\n\n if info[\"ipmi_conn_15\"] then\n table.insert(ConnInfo, \"1.5\")\n end\n\n if info[\"ipmi_conn_20\"] then\n table.insert(ConnInfo, \"2.0\")\n end\n\n local output = stdnse.output_table()\n output[\"Version\"] = Version\n output[\"UserAuth\"] = UserAuth\n output[\"PassAuth\"] = PassAuth\n output[\"Level\"] = ConnInfo\n if info[\"ipmi_oem_id\"] ~= 0 then\n output[\"OEMID\"] = info[\"ipmi_oem_id\"]\n end\n\n return output\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:36:15", "description": "Connects to the rpcap service (provides remote sniffing capabilities through WinPcap) and retrieves interface information. The service can either be setup to require authentication or not and also supports IP restrictions.\n\n### See also:\n\n * [ rpcap-brute.nse ](<../scripts/rpcap-brute.html>)\n\n## Script Arguments \n\n#### creds.rpcap \n\nusername:password to use for authentication\n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 2002 <ip> --script rpcap-info\n nmap -p 2002 <ip> --script rpcap-info --script-args=\"creds.rpcap='administrator:foobar'\"\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 2002/tcp open rpcap syn-ack\n | rpcap-info:\n | \\Device\\NPF_{0D5D1364-1F1F-4892-8AC3-B838258F9BB8}\n | Intel(R) PRO/1000 MT Desktop Adapter\n | Addresses\n | fe80:0:0:0:aabb:ccdd:eeff:0011\n | 192.168.1.127/24\n | \\Device\\NPF_{D5EAD105-B0BA-4D38-ACB4-6E95512BC228}\n | Hamachi Virtual Network Interface Driver\n | Addresses\n |_ fe80:0:0:0:aabb:ccdd:eeff:0022\n \n\n## Requires \n\n * [creds](<../lib/creds.html>)\n * [nmap](<../lib/nmap.html>)\n * [rpcap](<../lib/rpcap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-03-02T12:39:18", "type": "nmap", "title": "rpcap-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-01-14T04:16:27", "id": "NMAP:RPCAP-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/rpcap-info.html", "sourceData": "local creds = require \"creds\"\nlocal nmap = require \"nmap\"\nlocal rpcap = require \"rpcap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nConnects to the rpcap service (provides remote sniffing capabilities\nthrough WinPcap) and retrieves interface information. The service can either be\nsetup to require authentication or not and also supports IP restrictions.\n]]\n\n---\n-- @usage\n-- nmap -p 2002 <ip> --script rpcap-info\n-- nmap -p 2002 <ip> --script rpcap-info --script-args=\"creds.rpcap='administrator:foobar'\"\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 2002/tcp open rpcap syn-ack\n-- | rpcap-info:\n-- | \\Device\\NPF_{0D5D1364-1F1F-4892-8AC3-B838258F9BB8}\n-- | Intel(R) PRO/1000 MT Desktop Adapter\n-- | Addresses\n-- | fe80:0:0:0:aabb:ccdd:eeff:0011\n-- | 192.168.1.127/24\n-- | \\Device\\NPF_{D5EAD105-B0BA-4D38-ACB4-6E95512BC228}\n-- | Hamachi Virtual Network Interface Driver\n-- | Addresses\n-- |_ fe80:0:0:0:aabb:ccdd:eeff:0022\n--\n-- @args creds.rpcap username:password to use for authentication\n--\n-- @see rpcap-brute.nse\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\ndependencies = {\"rpcap-brute\"}\n\n\nportrule = shortport.port_or_service(2002, \"rpcap\", \"tcp\")\n\nlocal function fail(err) return stdnse.format_output(false, err) end\n\nlocal function getInfo(host, port, username, password)\n\n local helper = rpcap.Helper:new(host, port)\n local status, resp = helper:connect()\n if ( not(status) ) then\n return false, \"Failed to connect to server\"\n end\n status, resp = helper:login(username, password)\n\n if ( not(status) ) then\n return false, resp\n end\n\n status, resp = helper:findAllInterfaces()\n helper:close()\n if ( not(status) ) then\n return false, resp\n end\n\n port.version.name = \"rpcap\"\n port.version.product = \"WinPcap remote packet capture daemon\"\n nmap.set_port_version(host, port)\n\n return true, resp\nend\n\naction = function(host, port)\n\n -- patch-up the service name, so creds.rpcap will work, ugly but needed as\n -- tcp 2002 is registered to the globe service in nmap-services ...\n port.service = \"rpcap\"\n\n local c = creds.Credentials:new(creds.ALL_DATA, host, port)\n local states = creds.State.VALID + creds.State.PARAM\n local status, resp = getInfo(host, port)\n\n if ( status ) then\n return stdnse.format_output(true, resp)\n end\n\n for cred in c:getCredentials(states) do\n status, resp = getInfo(host, port, cred.user, cred.pass)\n if ( status ) then\n return stdnse.format_output(true, resp)\n end\n end\n\n return fail(resp)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:25", "description": "Performs a Forward-confirmed Reverse DNS lookup and reports anomalous results. \n\nReferences: \n\n * <https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS>\n\n## Example Usage \n \n \n nmap -sn -Pn --script fcrdns <target>\n \n\n## Script Output \n \n \n Host script results:\n |_fcrdns: FAIL (12.19.29.17, 12.19.20.14, 23.10.13.25)\n \n Host script results:\n |_fcrdns: PASS (37.58.100.86-static.reverse.softlayer.com)\n \n Host script results:\n | fcrdns:\n | <none>:\n | status: fail\n |_ reason: No PTR record\n \n Host script results:\n | fcrdns:\n | mail.example.com:\n | status: fail\n | reason: FCRDNS mismatch\n | addresses:\n | 12.19.29.17\n | mail.contoso.net:\n | status: fail\n | reason: FCRDNS mismatch\n | addresses:\n | 12.19.20.14\n |_ 23.10.13.25\n \n\n## Requires \n\n * [dns](<../lib/dns.html>)\n * [ipOps](<../lib/ipOps.html>)\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n * [tableaux](<../lib/tableaux.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2014-07-31T05:34:19", "type": "nmap", "title": "fcrdns NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-11-06T15:07:01", "id": "NMAP:FCRDNS.NSE", "href": "https://nmap.org/nsedoc/scripts/fcrdns.html", "sourceData": "local dns = require \"dns\"\nlocal ipOps = require \"ipOps\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal tableaux = require \"tableaux\"\n\ndescription = [[\nPerforms a Forward-confirmed Reverse DNS lookup and reports anomalous results.\n\nReferences:\n* https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS\n]]\n\n---\n-- @usage\n-- nmap -sn -Pn --script fcrdns <target>\n--\n-- @output\n-- Host script results:\n-- |_fcrdns: FAIL (12.19.29.17, 12.19.20.14, 23.10.13.25)\n--\n-- Host script results:\n-- |_fcrdns: PASS (37.58.100.86-static.reverse.softlayer.com)\n--\n-- Host script results:\n-- | fcrdns:\n-- | <none>:\n-- | status: fail\n-- |_ reason: No PTR record\n--\n-- Host script results:\n-- | fcrdns:\n-- | mail.example.com:\n-- | status: fail\n-- | reason: FCRDNS mismatch\n-- | addresses:\n-- | 12.19.29.17\n-- | mail.contoso.net:\n-- | status: fail\n-- | reason: FCRDNS mismatch\n-- | addresses:\n-- | 12.19.20.14\n-- |_ 23.10.13.25\n--\n--@xmloutput\n-- <table key=\"mail.example.com\">\n-- <elem key=\"status\">fail</elem>\n-- <elem key=\"reason\">FCRDNS mismatch</elem>\n-- <table key=\"addresses\">\n-- <elem>12.19.29.17</elem>\n-- </table>\n-- </table>\n-- <table key=\"mail.contoso.net\">\n-- <elem key=\"status\">fail</elem>\n-- <elem key=\"reason\">FCRDNS mismatch</elem>\n-- <table key=\"addresses\">\n-- <elem>12.19.20.14</elem>\n-- <elem>23.10.13.25</elem>\n-- </table>\n-- </table>\n\nauthor = \"Daniel Miller\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\n-- not default, because user may choose -n and expect no DNS\ncategories = {\"discovery\", \"safe\"}\n\n\nhostrule = function(host)\n -- Every host with an IP address can be checked\n return true\nend\n\naction = function(host)\n -- Do reverse-DNS lookup of the IP\n -- Can't just use host.name because some IPs have multiple PTR records\n local status, rdns = dns.query(dns.reverse(host.ip), {dtype=\"PTR\", retAll=true})\n if not status then\n stdnse.debug(\"PTR request for %s failed: %s\", host.ip, rdns)\n local ret = stdnse.output_table()\n ret.status = \"fail\"\n ret.reason = \"No PTR record\"\n return {[\"<none>\"]=ret}, \"FAIL (No PTR record)\"\n end\n\n local str_out = nil\n -- Now do forward lookup of the name(s) we got\n local names = stdnse.output_table()\n local fcrdns\n local fail_addrs = {}\n local forward_type = nmap.address_family() == \"inet\" and \"A\" or \"AAAA\"\n local no_record_err = string.format(\"No %s record\", forward_type)\n table.sort(rdns)\n for _, n in ipairs(rdns) do\n local name = stdnse.output_table()\n -- assume failure, we can override when/if we succeed\n name.status = \"fail\"\n name.reason = \"FCRDNS mismatch\"\n names[n] = name\n\n status, fcrdns = dns.query(n, {dtype=forward_type, retAll=true})\n if not status then\n stdnse.debug(\"%s request for %s failed: %s\", forward_type, n, fcrdns)\n name.reason = no_record_err\n else\n for _, ip in ipairs(fcrdns) do\n if ipOps.compare_ip( ip, \"eq\", host.ip) then\n name.status = \"pass\"\n name.reason = nil\n str_out = string.format(\"PASS (%s)\", n)\n end\n end\n name.addresses = fcrdns\n if name.status == \"fail\" then\n -- keep a list of unique addresses for short output\n for _, a in ipairs(name.addresses) do\n fail_addrs[a] = true\n end\n end\n end\n end\n\n if nmap.verbosity() > 0 then\n -- use default structured output for verbosity\n str_out = nil\n elseif str_out == nil then\n -- we failed, and need to format a short output string\n fail_addrs = tableaux.keys(fail_addrs)\n if #fail_addrs > 0 then\n table.sort(fail_addrs)\n str_out = string.format(\"FAIL (%s)\", table.concat(fail_addrs, \", \"))\n else\n str_out = string.format(\"FAIL (%s)\", no_record_err)\n end\n end\n\n return names, str_out\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:44:45", "description": "Discovers hostnames that resolve to the target's IP address by querying the online Robtex service at <http://ip.robtex.com/>. \n\n*TEMPORARILY DISABLED* due to changes in Robtex's API. See <https://www.robtex.com/api/>\n\n## Script Arguments \n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script hostmap-robtex -sn -Pn scanme.nmap.org\n \n\n## Script Output \n \n \n | hostmap-robtex:\n | hosts:\n |_ scanme.nmap.org\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [ipOps](<../lib/ipOps.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [slaxml](<../lib/slaxml.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-04-09T06:35:12", "type": "nmap", "title": "hostmap-robtex NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-02-18T19:21:46", "id": "NMAP:HOSTMAP-ROBTEX.NSE", "href": "https://nmap.org/nsedoc/scripts/hostmap-robtex.html", "sourceData": "local http = require \"http\"\nlocal ipOps = require \"ipOps\"\nlocal stdnse = require \"stdnse\"\nlocal slaxml = require \"slaxml\"\n\ndescription = [[\nDiscovers hostnames that resolve to the target's IP address by querying the online Robtex service at http://ip.robtex.com/.\n\n*TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/\n]]\n\n---\n-- @usage\n-- nmap --script hostmap-robtex -sn -Pn scanme.nmap.org\n--\n-- @output\n-- | hostmap-robtex:\n-- | hosts:\n-- |_ scanme.nmap.org\n--\n-- @xmloutput\n-- <table key=\"hosts\">\n-- <elem>nmap.org</elem>\n-- </table>\n---\n\nauthor = \"Arturo 'Buanzo' Busleiman\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\n \"discovery\",\n \"safe\",\n \"external\"\n}\n\n\nprerule = function() return true end\naction = function()\n return \"*TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/\"\nend\n\n--[[\n--- Scrape domains sharing target host ip from robtex website\n--\n-- //section[@id=\"x_shared\"]//li//text()\n-- @param data string containing the retrieved web page\n-- @return table containing the host names sharing host.ip\nfunction parse_robtex_response (data)\n local in_li = false\n local result = {}\n\n local parser = slaxml.parser:new({\n startElement = function(name, nsURI, nsPrefix)\n in_li = in_li or name == \"li\"\n end,\n closeElement = function(name, nsURI, nsPrefix)\n if name == \"li\" then\n in_li = false\n end\n end,\n text = function(text)\n if in_li then\n result[#result+1] = text\n end\n end,\n })\n parser:parseSAX(data:match('<section[^>]-id=\"x_shared\".-</section>'))\n\n return result\nend\n\nhostrule = function (host)\n return not ipOps.isPrivate(host.ip)\nend\n\naction = function (host)\n local link = \"https://www.robtex.com/en/advisory/ip/\" .. host.ip:gsub(\"%.\", \"/\") .. \"/\"\n local htmldata = http.get_url(link)\n local domains = parse_robtex_response(htmldata.body)\n local output_tab = stdnse.output_table()\n if (#domains > 0) then\n output_tab.hosts = domains\n end\n return output_tab\nend\n]]--\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:43:06", "description": "Uploads a local file to a remote web server using the HTTP PUT method. You must specify the filename and URL path with NSE arguments.\n\n## Script Arguments \n\n#### http-put.file \n\n\\- The full path to the local file that should be uploaded to the server\n\n#### http-put.url \n\n\\- The remote directory and filename to store the file to e.g. (/uploads/file.txt)\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 80 <ip> --script http-put --script-args http-put.url='/uploads/rootme.php',http-put.file='/tmp/rootme.php'\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n PORT STATE SERVICE\n 80/tcp open http\n |_http-put: /uploads/rootme.php was successfully created\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [io](<>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-10-20T02:32:51", "type": "nmap", "title": "http-put NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2016-07-02T17:02:27", "id": "NMAP:HTTP-PUT.NSE", "href": "https://nmap.org/nsedoc/scripts/http-put.html", "sourceData": "local http = require \"http\"\nlocal io = require \"io\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nUploads a local file to a remote web server using the HTTP PUT method. You must specify the filename and URL path with NSE arguments.\n]]\n\n---\n-- @usage\n-- nmap -p 80 <ip> --script http-put --script-args http-put.url='/uploads/rootme.php',http-put.file='/tmp/rootme.php'\n--\n-- @output\n-- PORT STATE SERVICE\n-- PORT STATE SERVICE\n-- 80/tcp open http\n-- |_http-put: /uploads/rootme.php was successfully created\n--\n-- @args http-put.file - The full path to the local file that should be uploaded to the server\n-- @args http-put.url - The remote directory and filename to store the file to e.g. (/uploads/file.txt)\n--\n-- @xmloutput\n-- <elem key=\"result\">/uploads/rootme.php was successfully created</elem>\n--\n-- Version 0.1\n-- Created 10/15/2011 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n-- Revised 10/20/2011 - v0.2 - changed coding style, fixed categories <patrik@cqure.net>\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"intrusive\"}\n\n\nportrule = shortport.http\n\naction = function( host, port )\n local output = stdnse.output_table()\n local fname, url = stdnse.get_script_args('http-put.file', 'http-put.url')\n if ( not(fname) or not(url) ) then\n return\n end\n\n local f = io.open(fname, \"r\")\n if ( not(f) ) then\n output.error = (\"ERROR: Failed to open file: %s\"):format(fname)\n return output, output.error\n end\n local content = f:read(\"a\")\n f:close()\n\n local response = http.put(host, port, url, nil, content)\n if ( 200 <= response.status and response.status < 210 ) then\n output.result = (\"%s was successfully created\"):format(url)\n return output, output.result\n end\n\n output.error = (\"ERROR: %s could not be created\"):format(url)\n return output, output.error\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:34:36", "description": "Attempts to enumerate Huawei / HP/H3C Locally Defined Users through the hh3c-user.mib OID \n\nFor devices running software released pre-Oct 2012 only an SNMP read-only string is required to access the OID. Otherwise a read-write string is required. \n\nOutput is 'username - password - level: {0|1|2|3}' \n\nPassword may be in cleartext, ciphertext or sha256 Levels are from 0 to 3 with 0 being the lowest security level \n\n<https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685> <http://grutztopia.jingojango.net/2012/10/hph3c-and-huawei-snmp-weak-access-to.html>\n\n## Script Arguments \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### snmp.version \n\nSee the documentation for the [snmp](<../lib/snmp.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sU -p 161 --script snmp-hh3c-logins --script-args creds.snmp=:<community> <target>\n \n\n## Script Output \n \n \n | snmp-hh3c-logins:\n | users:\n | admin - admin - level: 3\n |_ h3c - h3capadmin - level 0\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [snmp](<../lib/snmp.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-11-08T07:37:48", "type": "nmap", "title": "snmp-hh3c-logins NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-07-27T03:32:27", "id": "NMAP:SNMP-HH3C-LOGINS.NSE", "href": "https://nmap.org/nsedoc/scripts/snmp-hh3c-logins.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal snmp = require \"snmp\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nAttempts to enumerate Huawei / HP/H3C Locally Defined Users through the\nhh3c-user.mib OID\n\nFor devices running software released pre-Oct 2012 only an SNMP read-only\nstring is required to access the OID. Otherwise a read-write string is\nrequired.\n\nOutput is 'username - password - level: {0|1|2|3}'\n\nPassword may be in cleartext, ciphertext or sha256\nLevels are from 0 to 3 with 0 being the lowest security level\n\nhttps://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685\nhttp://grutztopia.jingojango.net/2012/10/hph3c-and-huawei-snmp-weak-access-to.html\n]]\n\n---\n-- @usage\n-- nmap -sU -p 161 --script snmp-hh3c-logins --script-args creds.snmp=:<community> <target>\n--\n-- @output\n-- | snmp-hh3c-logins:\n-- | users:\n-- | admin - admin - level: 3\n-- |_ h3c - h3capadmin - level 0\n--\n-- @xmloutput\n-- <table>\n-- <elem key=\"password\">admin<elem>\n-- <elem key=\"username\">admin</elem>\n-- <elem key=\"level\">3</elem>\n-- </table>\n-- <table>\n-- <elem key=\"password\">h3capadmin<elem>\n-- <elem key=\"username\">h3c</elem>\n-- <elem key=\"level\">0</elem>\n-- </table>\n\nauthor = \"Kurt Grutzmacher\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\ndependencies = {\"snmp-brute\"}\n\n-- Version 0.3\n-- Created 10/01/2012 - v0.1 - created via modifying other walk scripts\n-- Updated 10/25/2012 - v0.2 - bugfixes and better output per NSE standards\n-- Updated 11/08/2012 - v0.3 - added xmloutput\n\n\nportrule = shortport.port_or_service(161, \"snmp\", \"udp\", {\"open\", \"open|filtered\"})\n\n--- Gets a value for the specified oid\n--\n-- @param tbl table containing <code>oid</code> and <code>value</code>\n-- @param oid string containing the object id for which the value should be extracted\n-- @return value of relevant type or nil if oid was not found\nfunction get_value_from_table( tbl, oid )\n\n for _, v in ipairs( tbl ) do\n if v.oid == oid then\n return v.value\n end\n end\n\n return nil\nend\n\n--- Processes the table and creates the script output\n--\n-- @param tbl table containing <code>oid</code> and <code>value</code>\n-- @return <code>stdnse.output_table</code> formatted table\nfunction process_answer( tbl )\n\n -- h3c-user MIB OIDs (oldoid)\n local h3cUserName = \"1.3.6.1.4.1.2011.10.2.12.1.1.1.1\"\n local h3cUserPassword = \"1.3.6.1.4.1.2011.10.2.12.1.1.1.2\"\n local h3cUserLevel = \"1.3.6.1.4.1.2011.10.2.12.1.1.1.4\"\n local h3cUserState = \"1.3.6.1.4.1.2011.10.2.12.1.1.1.5\"\n\n -- hh3c-user MIB OIDs (newoid)\n local hh3cUserName = \"1.3.6.1.4.1.25506.2.12.1.1.1.1\"\n local hh3cUserPassword = \"1.3.6.1.4.1.25506.2.12.1.1.1.2\"\n local hh3cUserLevel = \"1.3.6.1.4.1.25506.2.12.1.1.1.4\"\n local hh3cUserState = \"1.3.6.1.4.1.25506.2.12.1.1.1.5\"\n\n local output = stdnse.output_table()\n output.users = {}\n\n for _, v in ipairs( tbl ) do\n\n if ( v.oid:match(\"^\" .. h3cUserName) ) then\n local item = {}\n local oldobjid = v.oid:gsub( \"^\" .. h3cUserName, h3cUserPassword)\n local password = get_value_from_table( tbl, oldobjid )\n\n if ( password == nil ) or ( #password == 0 ) then\n local newobjid = v.oid:gsub( \"^\" .. hh3cUserName, hh3cUserPassword)\n password = get_value_from_table( tbl, newobjid )\n end\n\n oldobjid = v.oid:gsub( \"^\" .. h3cUserName, h3cUserLevel)\n local level = get_value_from_table( tbl, oldobjid )\n\n if ( level == nil ) then\n local newobjoid = v.oid:gsub( \"^\" .. hh3cUserName, hh3cUserLevel)\n level = get_value_from_table( tbl, oldobjid )\n end\n\n output.users[#output.users + 1] = {username=v.value, password=password, level=level}\n end\n\n end\n\n return output\nend\n\naction = function(host, port)\n\n local oldsnmpoid = \"1.3.6.1.4.1.2011.10.2.12.1.1.1\"\n local newsnmpoid = \"1.3.6.1.4.1.25506.2.12.1.1.1\"\n\n local snmpHelper = snmp.Helper:new(host, port)\n snmpHelper:connect()\n\n local status, users = snmpHelper:walk( oldsnmpoid )\n\n if (not(status)) or ( users == nil ) or ( #users == 0 ) then\n\n -- no status? try new snmp oid\n status, users = snmpHelper:walk( newsnmpoid )\n\n if (not(status)) or ( users == nil ) or ( #users == 0 ) then\n return nil\n end\n\n end\n\n nmap.set_port_state(host, port, \"open\")\n return process_answer(users)\n\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:00", "description": "Discovers information such as log directories from an Apache Hadoop DataNode HTTP status page. \n\nInformation gathered: \n\n * Log directory (relative to <http://host:port/>)\n\n## Script Arguments \n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script hadoop-datanode-info.nse -p 50075 host\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 50075/tcp open hadoop-datanode syn-ack\n | hadoop-datanode-info:\n |_ Logs: /logs/\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-11-08T16:00:16", "type": "nmap", "title": "hadoop-datanode-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-02-21T03:10:27", "id": "NMAP:HADOOP-DATANODE-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/hadoop-datanode-info.html", "sourceData": "local http = require \"http\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nDiscovers information such as log directories from an Apache Hadoop DataNode\nHTTP status page.\n\nInformation gathered:\n* Log directory (relative to http://host:port/)\n]]\n\n---\n-- @usage\n-- nmap --script hadoop-datanode-info.nse -p 50075 host\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 50075/tcp open hadoop-datanode syn-ack\n-- | hadoop-datanode-info:\n-- |_ Logs: /logs/\n--\n-- @xmloutput\n-- <elem key=\"Logs\">/logs/</elem>\n\n\nauthor = \"John R. Bond\"\nlicense = \"Simplified (2-clause) BSD license--See https://nmap.org/svn/docs/licenses/BSD-simplified\"\ncategories = {\"default\", \"discovery\", \"safe\"}\n\n\nportrule = function(host, port)\n -- Run for the special port number, or for any HTTP-like service that is\n -- not on a usual HTTP port.\n return shortport.port_or_service({50075}, \"hadoop-datanode\")(host, port)\n or (shortport.service(shortport.LIKELY_HTTP_SERVICES)(host, port) and not shortport.portnumber(shortport.LIKELY_HTTP_PORTS)(host, port))\nend\n\naction = function( host, port )\n\n local result = stdnse.output_table()\n local uri = \"/browseDirectory.jsp\"\n stdnse.debug1(\"HTTP GET %s:%s%s\", host.targetname or host.ip, port.number, uri)\n local response = http.get( host, port, uri )\n stdnse.debug1(\"Status %s\",response['status-line'] or \"No Response\")\n if response['status-line'] and response['status-line']:match(\"200%s+OK\") and response['body'] then\n local body = response['body']:gsub(\"%%\",\"%%%%\")\n if body:match(\"([^][\\\"]+)\\\">Log\") then\n port.version.name = \"hadoop-datanode\"\n port.version.product = \"Apache Hadoop\"\n nmap.set_port_version(host, port)\n local logs = body:match(\"([^][\\\"]+)\\\">Log\")\n stdnse.debug1(\"Logs %s\",logs)\n result[\"Logs\"] = logs\n end\n end\n if #result > 0 then\n return result\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:43:55", "description": "Gets the favicon (\"favorites icon\") from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed. \n\nIf the script argument `favicon.uri` is given, that relative URI is always used to find the favicon. Otherwise, first the page at the root of the web server is retrieved and parsed for a `<link rel=\"icon\">` element. If that fails, the icon is looked for in `/favicon.ico`. If a `<link>` favicon points to a different host or port, it is ignored.\n\n## Script Arguments \n\n#### favicon.root \n\nWeb server path to search for favicon.\n\n#### favicon.uri \n\nURI that will be requested for favicon.\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script=http-favicon.nse \\\n --script-args favicon.root=<root>,favicon.uri=<uri>\n\n## Script Output \n \n \n |_ http-favicon: Socialtext\n\n## Requires \n\n * [datafiles](<../lib/datafiles.html>)\n * [http](<../lib/http.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [url](<../lib/url.html>)\n * [openssl](<../lib/openssl.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2009-08-28T22:22:14", "type": "nmap", "title": "http-favicon NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-04-19T18:00:36", "id": "NMAP:HTTP-FAVICON.NSE", "href": "https://nmap.org/nsedoc/scripts/http-favicon.html", "sourceData": "local datafiles = require \"datafiles\"\nlocal http = require \"http\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal url = require \"url\"\n\nlocal openssl = stdnse.silent_require \"openssl\"\n\ndescription = [[\nGets the favicon (\"favorites icon\") from a web page and matches it against a\ndatabase of the icons of known web applications. If there is a match, the name\nof the application is printed; otherwise the MD5 hash of the icon data is\nprinted.\n\nIf the script argument <code>favicon.uri</code> is given, that relative URI is\nalways used to find the favicon. Otherwise, first the page at the root of the\nweb server is retrieved and parsed for a <code><link rel=\"icon\"></code>\nelement. If that fails, the icon is looked for in <code>/favicon.ico</code>. If\na <code><link></code> favicon points to a different host or port, it is ignored.\n]]\n\n---\n-- @args favicon.uri URI that will be requested for favicon.\n-- @args favicon.root Web server path to search for favicon.\n--\n-- @usage\n-- nmap --script=http-favicon.nse \\\n-- --script-args favicon.root=<root>,favicon.uri=<uri>\n-- @output\n-- |_ http-favicon: Socialtext\n\n-- HTTP default favicon enumeration script\n-- rev 1.2 (2009-03-11)\n-- Original NASL script by Javier Fernandez-Sanguino Pena\n\n\nauthor = \"Vlatko Kosturjak\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"default\", \"discovery\", \"safe\"}\n\n\nportrule = shortport.http\n\naction = function(host, port)\n local md5sum,answer\n local match\n local status, favicondb\n local result\n local favicondbfile=\"nselib/data/favicon-db\"\n local index, icon\n local root = \"\"\n\n status, favicondb = datafiles.parse_file( favicondbfile, {[\"^%s*([^%s#:]+)[%s:]+\"] = \"^%s*[^%s#:]+[%s:]+(.*)\"})\n if not status then\n stdnse.debug1(\"Could not open file: %s\", favicondbfile )\n return\n end\n\n if(stdnse.get_script_args('favicon.root')) then\n root = stdnse.get_script_args('favicon.root')\n end\n local favicon_uri = stdnse.get_script_args(\"favicon.uri\")\n if(favicon_uri) then\n -- If we got a script arg URI, always use that.\n answer = http.get( host, port, root .. \"/\" .. favicon_uri)\n stdnse.debug4(\"Using URI %s\", favicon_uri)\n else\n -- Otherwise, first try parsing the home page.\n index = http.get( host, port, root .. \"/\" )\n if index.status == 200 or index.status == 503 then\n -- find the favicon pattern\n icon = parseIcon( index.body )\n -- if we find a pattern\n if icon then\n local hostname = host.targetname or (host.name ~= \"\" and host.name) or host.ip\n stdnse.debug1(\"Got icon URL %s.\", icon)\n local icon_host, icon_port, icon_path = parse_url_relative(icon, hostname, port.number, root)\n if (icon_host == host.ip or\n icon_host == host.targetname or\n icon_host == (host.name ~= '' and host.name)) and\n icon_port == port.number then\n -- request the favicon\n answer = http.get( icon_host, icon_port, icon_path )\n else\n answer = nil\n end\n else\n answer = nil\n end\n end\n\n -- If that didn't work, try /favicon.ico.\n if not answer or answer.status ~= 200 then\n answer = http.get( host, port, root .. \"/favicon.ico\" )\n stdnse.debug4(\"Using default URI.\")\n end\n end\n\n --- check for 200 response code\n if answer and answer.status == 200 then\n md5sum=string.upper(stdnse.tohex(openssl.md5(answer.body)))\n match=favicondb[md5sum]\n if match then\n result = match\n else\n if nmap.verbosity() > 0 then\n result = \"Unknown favicon MD5: \" .. md5sum\n end\n end\n else\n stdnse.debug1(\"No favicon found.\")\n return\n end --- status == 200\n return result\nend\n\nlocal function dirname(path)\n local dir\n dir = string.match(path, \"^(.*)/\")\n return dir or \"\"\nend\n\n-- Return a URL's host, port, and path, filling in the results with the given\n-- host, port, and path if the URL is relative. Return nil if the scheme is not\n-- \"http\" or \"https\".\nfunction parse_url_relative(u, host, port, path)\n local scheme, abspath\n u = url.parse(u)\n scheme = u.scheme or \"http\"\n if not (scheme == \"http\" or scheme == \"https\") then\n return nil\n end\n abspath = u.path or \"\"\n if not string.find(abspath, \"^/\") then\n abspath = dirname(path) .. \"/\" .. abspath\n end\n return u.host or host, u.port or url.get_default_port(scheme), abspath\nend\n\nfunction parseIcon( body )\n local _, i, j\n local rel, href, word\n\n -- Loop through link elements.\n i = 0\n while i do\n _, i = string.find(body, \"<%s*[Ll][Ii][Nn][Kk]%s\", i + 1)\n if not i then\n return nil\n end\n -- Loop through attributes.\n j = i\n while true do\n local name, quote, value\n _, j, name, quote, value = string.find(body, \"^%s*(%w+)%s*=%s*([\\\"'])(.-)%2\", j + 1)\n if not j then\n break\n end\n if string.lower(name) == \"rel\" then\n rel = value\n elseif string.lower(name) == \"href\" then\n href = value\n end\n end\n for word in string.gmatch(rel or \"\", \"%S+\") do\n if string.lower(word) == \"icon\" then\n return href\n end\n end\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:31", "description": "CICS transaction ID enumerator for IBM mainframes. This script is based on mainframe_brute by Dominic White (<https://github.com/sensepost/mainframe_brute>). However, this script doesn't rely on any third party libraries or tools and instead uses the NSE TN3270 library which emulates a TN3270 screen in lua. \n\nCICS only allows for 4 byte transaction IDs, that is the only specific rule found for CICS transaction IDs.\n\n## Script Arguments \n\n#### cics-enum.commands \n\nCommands in a semi-colon separated list needed to access CICS. Defaults to `CICS`.\n\n#### cics-enum.path \n\nFolder used to store valid transaction id 'screenshots' Defaults to `None` and doesn't store anything.\n\n#### idlist \n\nPath to list of transaction IDs. Defaults to the list of CICS transactions from IBM.\n\n#### cics-enum.pass \n\nPassword to use for authenticated enumeration\n\n#### cics-enum.user \n\nUsername to use for authenticated enumeration\n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script=cics-enum -p 23 <targets>\n \n nmap --script=cics-enum --script-args=idlist=default_cics.txt,\n cics-enum.command=\"exit;logon applid(cics42)\",\n cics-enum.path=\"/home/dade/screenshots/\",cics-enum.noSSL=true -p 23 <targets>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 23/tcp open tn3270\n | cics-enum:\n | Accounts:\n | CBAM: Valid - CICS Transaction ID\n | CETR: Valid - CICS Transaction ID\n | CEST: Valid - CICS Transaction ID\n | CMSG: Valid - CICS Transaction ID\n | CEDA: Valid - CICS Transaction ID\n | CEDF: Potentially Valid - CICS Transaction ID\n | DSNC: Valid - CICS Transaction ID\n |_ Statistics: Performed 31 guesses in 114 seconds, average tps: 0\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [shortport](<../lib/shortport.html>)\n * [tn3270](<../lib/tn3270.html>)\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [unpwdb](<../lib/unpwdb.html>)\n * [io](<>)\n * [table](<>)\n * [string](<>)\n * [stringaux](<../lib/stringaux.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-12-08T21:27:09", "type": "nmap", "title": "cics-enum NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-03-21T04:07:55", "id": "NMAP:CICS-ENUM.NSE", "href": "https://nmap.org/nsedoc/scripts/cics-enum.html", "sourceData": "local nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal shortport = require \"shortport\"\nlocal tn3270 = require \"tn3270\"\nlocal brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal unpwdb = require \"unpwdb\"\nlocal io = require \"io\"\nlocal table = require \"table\"\nlocal string = require \"string\"\nlocal stringaux = require \"stringaux\"\n\n\ndescription = [[\nCICS transaction ID enumerator for IBM mainframes.\nThis script is based on mainframe_brute by Dominic White\n(https://github.com/sensepost/mainframe_brute). However, this script\ndoesn't rely on any third party libraries or tools and instead uses\nthe NSE TN3270 library which emulates a TN3270 screen in lua.\n\nCICS only allows for 4 byte transaction IDs, that is the only specific rule\nfound for CICS transaction IDs.\n]]\n\n---\n-- @args idlist Path to list of transaction IDs.\n-- Defaults to the list of CICS transactions from IBM.\n-- @args cics-enum.commands Commands in a semi-colon separated list needed\n-- to access CICS. Defaults to <code>CICS</code>.\n-- @args cics-enum.path Folder used to store valid transaction id 'screenshots'\n-- Defaults to <code>None</code> and doesn't store anything.\n-- @args cics-enum.user Username to use for authenticated enumeration\n-- @args cics-enum.pass Password to use for authenticated enumeration\n--\n-- @usage\n-- nmap --script=cics-enum -p 23 <targets>\n--\n-- nmap --script=cics-enum --script-args=idlist=default_cics.txt,\n-- cics-enum.command=\"exit;logon applid(cics42)\",\n-- cics-enum.path=\"/home/dade/screenshots/\",cics-enum.noSSL=true -p 23 <targets>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 23/tcp open tn3270\n-- | cics-enum:\n-- | Accounts:\n-- | CBAM: Valid - CICS Transaction ID\n-- | CETR: Valid - CICS Transaction ID\n-- | CEST: Valid - CICS Transaction ID\n-- | CMSG: Valid - CICS Transaction ID\n-- | CEDA: Valid - CICS Transaction ID\n-- | CEDF: Potentially Valid - CICS Transaction ID\n-- | DSNC: Valid - CICS Transaction ID\n-- |_ Statistics: Performed 31 guesses in 114 seconds, average tps: 0\n--\n-- @changelog\n-- 2015-07-04 - v0.1 - created by Soldier of Fortran\n-- 2015-11-14 - v0.2 - rewrote iterator\n-- 2017-01-22 - v0.3 - added authenticated CICS ID enumeration\n-- 2019-02-01 - v0.4 - Removed TN3270E support (breaks location)\n--\n-- @author Philip Young\n-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html\n--\n\nauthor = \"Philip Young aka Soldier of Fortran\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"brute\"}\nportrule = shortport.port_or_service({23,992}, \"tn3270\")\n\n--- Saves the Screen generated by the CICS command to disk\n--\n-- @param filename string containing the name and full path to the file\n-- @param data contains the data\n-- @return status true on success, false on failure\n-- @return err string containing error message if status is false\nlocal function save_screens( filename, data )\n local f = io.open( filename, \"w\")\n if not f then return false, (\"Failed to open file (%s)\"):format(filename) end\n if not(f:write(data)) then return false, (\"Failed to write file (%s)\"):format(filename) end\n f:close()\n return true\nend\n\nDriver = {\n new = function(self, host, port, options)\n local o = {}\n setmetatable(o, self)\n self.__index = self\n o.host = host\n o.port = port\n o.options = options\n o.tn3270 = tn3270.Telnet:new()\n o.tn3270:disable_tn3270e()\n return o\n end,\n connect = function( self )\n local status, err = self.tn3270:initiate(self.host,self.port)\n self.tn3270:get_screen_debug(2)\n if not status then\n stdnse.debug(\"Could not initiate TN3270: %s\", err )\n return false\n end\n return true\n end,\n disconnect = function( self )\n self.tn3270:disconnect()\n self.tn3270 = nil\n return true\n end,\n login = function (self, user, pass) -- pass is actually the CICS transaction we want to try\n local commands = self.options['key1']\n local path = self.options['key2']\n local cics_user = self.options['user']\n local cics_pass = self.options['pass']\n local timeout = 300\n local max_blank = 1\n local loop = 1\n local err, status\n stdnse.debug(2,\"Getting to CICS\")\n local run = stringaux.strsplit(\";%s*\", commands)\n for i = 1, #run do\n stdnse.debug(1,\"Issuing Command (#%s of %s): %s\", i, #run ,run[i])\n self.tn3270:send_cursor(run[i])\n self.tn3270:get_all_data()\n self.tn3270:get_screen_debug(2)\n end\n while self.tn3270:isClear() and max_blank < 7 do\n stdnse.debug(2, \"Screen is not clear for %s. Reading all data with a timeout of %s. Count %s\",pass, timeout, max_blank)\n self.tn3270:get_all_data(timeout)\n timeout = timeout + 100\n max_blank = max_blank + 1\n end\n\n while not self.tn3270:isClear() and loop < 10 do\n -- by this point we're at *some* CICS transaction\n -- so we send F3 to exit it\n stdnse.debug(2,\"Sending: F3\")\n self.tn3270:send_pf(3) -- send F3\n self.tn3270:get_all_data()\n self.tn3270:get_screen_debug(2)\n -- now we want to clear the screen\n self.tn3270:send_clear()\n self.tn3270:get_all_data()\n stdnse.debug(2,\"Current CLEARed Screen. Loop: %s\", loop )\n self.tn3270:get_screen_debug(2)\n loop = loop + 1\n end\n\n if loop == 10 then\n -- something is wrong but we can still try transactions. Print error to debug.\n stdnse.debug('Error. Failed to get to a blank screen under CICS (sending F3 followed by CLEAR). Try lowering maxthreads to fix.')\n end\n -- If username/password provided try to authenticate first\n if not (cics_user == nil and cics_pass == nil) then -- We're doing authenticated CICS testing now baby!\n stdnse.debug(2,'Logging in with %s / %s for auth testing', cics_user, cics_pass)\n self.tn3270:send_cursor('CESN')\n self.tn3270:get_all_data()\n self.tn3270:get_screen_debug(2)\n local fields = self.tn3270:writeable() -- Get the writeable field areas\n local user_loc = {fields[1][1],cics_user} -- This is the 'UserID:' field\n local pass_loc = {fields[3][1],cics_pass} -- This is the 'Password:' field ([2] is a group ID)\n stdnse.debug(2,'Trying CICS: %s : %s', user, pass)\n self.tn3270:send_locations({user_loc,pass_loc})\n self.tn3270:get_all_data()\n stdnse.debug(2,\"Screen Received for User ID: %s / %s\", user, pass)\n self.tn3270:get_screen_debug(2)\n local count = 1\n while not self.tn3270:find('DFHCE3549') and count < 6 do -- some systems show a message for a bit before we get to CICS again\n self.tn3270:get_all_data(1000) -- loop for 6 seconds\n count = count + 1\n end\n end\n self.tn3270:get_screen_debug(2)\n self.tn3270:send_clear()\n self.tn3270:get_all_data()\n self.tn3270:get_screen_debug(2)\n stdnse.verbose(\"Trying Transaction ID: %s\", pass)\n self.tn3270:send_cursor(pass)\n self.tn3270:get_all_data()\n\n max_blank = 1\n while self.tn3270:isClear() and max_blank < 7 do\n stdnse.debug(2, \"Screen is not clear for %s. Reading all data with a timeout of %s. Count %s\",pass, timeout, max_blank)\n self.tn3270:get_all_data(timeout)\n timeout = timeout + 100\n max_blank = max_blank + 1\n end\n\n stdnse.debug(2,\"Screen Received for Transaction ID: %s\", pass)\n self.tn3270:get_screen_debug(2)\n if self.tn3270:find('not recognized') or self.tn3270:find('DFHAC2002') then -- known invalid command\n stdnse.debug(\"Invalid CICS Transaction ID: %s\", string.upper(pass))\n return false, brute.Error:new( \"Incorrect CICS Transaction ID\" )\n elseif self.tn3270:isClear() then\n stdnse.debug(2,\"Empty Screen when we expect an error.\")\n -- this can mean that the transaction ID was valid\n -- but it didn't send a screen update so you should check by hand.\n -- We're not dumping this screen to disk because it's blank.\n return true, creds.Account:new(\"CICS ID [blank screen]\", string.upper(pass), creds.State.VALID)\n elseif self.tn3270:find('Unauthorized') or self.tn3270:find('DFHAC2002') then\n -- this is a VALID cics transaction but you must be authenticated to used it\n -- This will be the same screen for each so we dont bother saving it either\n stdnse.verbose(\"Valid CICS Transaction ID [requires auth]: %s\", string.upper(pass))\n return true, creds.Account:new(\"CICS ID [requires auth]\", string.upper(pass), creds.State.VALID)\n elseif self.tn3270:find('DFHAC2008') or self.tn3270:find('DFHAC2206') or self.tn3270:find('DFHAC2028') or\n self.tn3270:find('DFHRT4415') or self.tn3270:find('DFHRT4480') or self.tn3270:find('TSS7254E') then\n -- these are technically valid CICS transactions\n -- but they are of little/no value. If verbosity is turned way up we'll return these/save a screenshot\n -- otherwise there's no point\n -- DFHAC2008 -- TranID has been Disabled\n -- DFHAC2206 -- Abend\n -- DFHRT4415 -- Cannot access through terminal\n -- DFHRT4480 -- No Longer Supported\n -- DFHAC2028 -- cannot be used\n -- TSS7254E -- Access not available through this facility\n stdnse.verbose(\"Valid CICS Transaction ID [Abbend or ID Disabled]: %s\", string.upper(pass))\n if nmap.verbosity() > 3 then\n if path ~= nil then\n stdnse.verbose(2,\"Writting screen to: %s\", path..string.upper(pass)..\".txt\")\n status, err = save_screens(path..string.upper(pass)..\".txt\",self.tn3270:get_screen())\n if not status then\n stdnse.verbose(2,\"Failed writting screen to: %s\", path..string.upper(pass)..\".txt\")\n end\n end\n return true, creds.Account:new(\"CICS ID [Abbend]\", string.upper(pass), creds.State.VALID)\n else\n return false, brute.Error:new( \"Correct Transaction ID - Access Denied\" )\n end\n elseif not (cics_user == nil and cics_pass == nil) and\n (self.tn3270:find('TSS7251E') or self.tn3270:find('DFHAC2033')) then\n -- We've logged on but we don't have access to this transaction\n -- TSS7251E : Access Denied to PROGRAM <X>\n -- DFHAC2033 : You are not authorized to use transaction <X>\n stdnse.verbose(\"Valid CICS Transaction ID [Access Denied]: %s\", string.upper(pass))\n if nmap.verbosity() > 3 then\n return true, creds.Account:new(\"CICS ID [Access Denied]\", string.upper(pass), creds.State.VALID)\n else\n return false, brute.Error:new( \"Correct Transaction ID - Access Denied\" )\n end\n else\n stdnse.verbose(\"Valid CICS Transaction ID: %s\", string.upper(pass))\n if path ~= nil then\n stdnse.verbose(2,\"Writting screen to: %s\", path..string.upper(pass)..\".txt\")\n status, err = save_screens(path..string.upper(pass)..\".txt\",self.tn3270:get_screen())\n if not status then\n stdnse.verbose(2,\"Failed writting screen to: %s\", path..string.upper(pass)..\".txt\")\n end\n end\n return true, creds.Account:new(\"CICS ID\", string.upper(pass), creds.State.VALID)\n end\n return false, brute.Error:new(\"Something went wrong, we didn't get a proper response\")\n end\n}\n\n--- Tests the target to see if we can even get to CICS\n--\n-- @param host host NSE object\n-- @param port port NSE object\n-- @param user CICS userID\n-- @param pass CICS userID password\n-- @param commands optional script-args of commands to use to get to CICS\n-- @return status true on success, false on failure\n\nlocal function cics_test( host, port, commands, user, pass )\n stdnse.debug(\"Checking for CICS\")\n local tn = tn3270.Telnet:new()\n tn:disable_tn3270e()\n local status, err = tn:initiate(host,port)\n local msg = 'Unable to get to CICS'\n local cics = false -- initially we're not at CICS\n if not status then\n stdnse.debug(\"Could not initiate TN3270: %s\", err )\n return cics\n end\n tn:get_screen_debug(2) -- prints TN3270 screen to debug\n stdnse.debug(\"Getting to CICS\")\n local run = stringaux.strsplit(\";%s*\", commands)\n for i = 1, #run do\n stdnse.debug(1,\"Issuing Command (#%s of %s): %s\", i, #run ,run[i])\n tn:send_cursor(run[i])\n tn:get_all_data()\n tn:get_screen_debug(2)\n end\n tn:get_all_data()\n tn:get_screen_debug(2) -- for debug purposes\n -- we should technically be at CICS. So we send:\n -- * F3 to exit the CICS program\n -- * CLEAR (a tn3270 command) to clear the screen.\n -- (you need to clear before sending a transaction ID)\n -- * a known default CICS transaction ID with predictable outcome\n -- (CESF with 'Sign-off is complete.' as the result)\n -- to confirm that we were in CICS. If so we return true\n -- otherwise we return false\n local count = 1\n while not tn:isClear() and count < 6 do\n -- some systems will just kick you off others are slow in responding\n -- this loop continues to try getting out of CICS 6 times. If it can't\n -- then we probably weren't in CICS to begin with.\n if tn:find(\"Signon\") then\n stdnse.debug(2,\"Found 'Signon' sending PF3\")\n tn:send_pf(3)\n tn:get_all_data()\n end\n tn:get_all_data()\n stdnse.debug(2,\"Clearing the Screen\")\n tn:send_clear()\n tn:get_all_data()\n tn:get_screen_debug(2)\n count = count + 1\n end\n if count == 6 then\n return cics\n end\n stdnse.debug(2,\"Sending CESF (CICS Default Sign-off)\")\n tn:send_cursor('CESF')\n tn:get_all_data()\n if tn:isClear() then\n tn:get_all_data(1000)\n end\n tn:get_screen_debug(2)\n\n if tn:find('off is complete.') then\n cics = true\n end\n\n if not (user == nil and pass == nil) then -- We're doing authenticated CICS testing now baby!\n stdnse.verbose(2,'Logging in with %s / %s for auth testing', user, pass)\n tn:send_clear()\n tn:get_all_data()\n tn:get_screen_debug(2)\n tn:send_cursor('CESN')\n tn:get_all_data()\n tn:get_screen_debug(2)\n local fields = tn:writeable() -- Get the writeable field areas\n local user_loc = {fields[1][1],user} -- This is the 'UserID:' field\n local pass_loc = {fields[3][1],pass} -- This is the 'Password:' field ([2] is a group ID)\n stdnse.verbose('Trying CICS: %s : %s', user, pass)\n tn:send_locations({user_loc,pass_loc})\n tn:get_all_data()\n stdnse.debug(2,\"Screen Received for User ID: %s / %s\", user, pass)\n tn:get_screen_debug(2)\n count = 1\n while not tn:find('DFHCE3549') and count < 6 do\n\t tn:get_all_data(1000) -- loop for 6 seconds\n tn:get_screen_debug(2)\n count = count + 1\n end\n if not tn:find('DFHCE3549') then\n cics = false\n msg = 'Unable to access CICS with User: '..user..' / Pass: '..pass\n else\n tn:send_cursor('CESF')\n tn:get_all_data()\n end\n end\n\n tn:disconnect()\n return cics,msg\nend\n\n-- Filter iterator for unpwdb\n-- CICS is limited to 4 characters.\nlocal valid_cics = function(x)\n return (string.len(x) <= 4)\nend\n\nfunction iter(t)\n local i, val\n return function()\n i, val = next(t, i)\n return val\n end\nend\n\naction = function(host, port)\n local cics_id_file = stdnse.get_script_args(\"idlist\")\n local path = stdnse.get_script_args(SCRIPT_NAME .. '.path') -- Folder for screenshots\n local commands = stdnse.get_script_args(SCRIPT_NAME .. '.commands') or 'cics'-- VTAM commands/macros to get to CICS\n local username = stdnse.get_script_args(SCRIPT_NAME .. '.user') or nil\n local password = stdnse.get_script_args(SCRIPT_NAME .. '.pass') or nil\n local cics_ids = {\"CADP\", \"CATA\", \"CATD\", \"CATR\", \"CBAM\", \"CCIN\", \"CCRL\", \"CDBC\", \"CDBD\",\n \"CDBF\", \"CDBI\", \"CDBM\", \"CDBN\", \"CDBO\", \"CDBQ\", \"CDBT\", \"CDFS\", \"CDST\",\n \"CDTS\", \"CEBR\", \"CEBT\", \"CECI\", \"CECS\", \"CEDA\", \"CEDB\", \"CEDC\", \"CEDF\",\n \"CEDX\", \"CEGN\", \"CEHP\", \"CEHS\", \"CEKL\", \"CEMN\", \"CEMT\", \"CEOT\", \"CEPD\",\n \"CEPF\", \"CEPH\", \"CEPM\", \"CEPQ\", \"CEPS\", \"CEPT\", \"CESC\", \"CESD\", \"CESF\",\n \"CESL\", \"CESN\", \"CEST\", \"CETR\", \"CEX2\", \"CFCL\", \"CFCR\", \"CFOR\", \"CFQR\",\n \"CFQS\", \"CFTL\", \"CFTS\", \"CGRP\", \"CHLP\", \"CIDP\", \"CIEP\", \"CIND\", \"CIS1\",\n \"CIS4\", \"CISB\", \"CISC\", \"CISD\", \"CISE\", \"CISM\", \"CISP\", \"CISQ\", \"CISR\",\n \"CISS\", \"CIST\", \"CISU\", \"CISX\", \"CITS\", \"CJLR\", \"CJSA\", \"CJSL\", \"CJSR\",\n \"CJTR\", \"CKAM\", \"CKBC\", \"CKBM\", \"CKBP\", \"CKBR\", \"CKCN\", \"CKDL\", \"CKDP\",\n \"CKQC\", \"CKRS\", \"CKRT\", \"CKSD\", \"CKSQ\", \"CKTI\", \"CLDM\", \"CLQ2\", \"CLR1\",\n \"CLR2\", \"CLS1\", \"CLS2\", \"CLS3\", \"CLS4\", \"CMAC\", \"CMPX\", \"CMSG\", \"CMTS\",\n \"COVR\", \"CPCT\", \"CPIA\", \"CPIH\", \"CPIL\", \"CPIQ\", \"CPIR\", \"CPIS\", \"CPLT\",\n \"CPMI\", \"CPSS\", \"CQPI\", \"CQPO\", \"CQRY\", \"CRLR\", \"CRMD\", \"CRMF\", \"CRPA\",\n \"CRPC\", \"CRPM\", \"CRSQ\", \"CRSR\", \"CRST\", \"CRSY\", \"CRTE\", \"CRTP\", \"CRTX\",\n \"CSAC\", \"CSCY\", \"CSFE\", \"CSFR\", \"CSFU\", \"CSGM\", \"CSHA\", \"CSHQ\", \"CSHR\",\n \"CSKP\", \"CSMI\", \"CSM1\", \"CSM2\", \"CSM3\", \"CSM5\", \"CSNC\", \"CSNE\", \"CSOL\",\n \"CSPG\", \"CSPK\", \"CSPP\", \"CSPQ\", \"CSPS\", \"CSQC\", \"CSRK\", \"CSRS\", \"CSSF\",\n \"CSSY\", \"CSTE\", \"CSTP\", \"CSXM\", \"CSZI\", \"CTIN\", \"CTSD\", \"CVMI\", \"CWBA\",\n \"CWBG\", \"CWTO\", \"CWWU\", \"CWXN\", \"CWXU\", \"CW2A\", \"CXCU\", \"CXRE\", \"CXRT\",\n \"DSNC\"} -- Default CICS from https://www-01.ibm.com/support/knowledgecenter/SSGMCP_5.2.0/com.ibm.cics.ts.systemprogramming.doc/topics/dfha726.html\n\n cics_id_file = ( (cics_id_file and nmap.fetchfile(cics_id_file)) or cics_id_file )\n\n if cics_id_file then\n for l in io.lines(cics_id_file) do\n if not l:match(\"#!comment:\") then\n table.insert(cics_ids, l)\n end\n end\n end\n local cicstst,msg = cics_test(host, port, commands, username, password)\n if cicstst then\n local title = 'CICS Transaction IDs'\n if not(username == nil and password == nil) then title = 'CICS Transaction IDs for User: '.. username end\n local options = { key1 = commands, key2 = path, user = username, pass = password }\n stdnse.debug(\"Starting CICS Transaction ID Enumeration\")\n if path ~= nil then stdnse.verbose(2,\"Saving Screenshots to: %s\", path) end\n local engine = brute.Engine:new(Driver, host, port, options)\n engine.options.script_name = SCRIPT_NAME\n engine:setPasswordIterator(unpwdb.filter_iterator(iter(cics_ids), valid_cics))\n engine.options.passonly = true\n engine.options:setTitle(title)\n local status, result = engine:start()\n return result\n else\n return msg\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:34:21", "description": "Determines the supported authentication mechanisms of a remote SOCKS proxy server. Starting with SOCKS version 5 socks servers may support authentication. The script checks for the following authentication types: 0 - No authentication 1 - GSSAPI 2 - Username and password\n\n## Example Usage \n \n \n nmap -p 1080 <ip> --script socks-auth-info\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 1080/tcp open socks\n | socks-auth-info:\n | No authentication\n |_ Username and password\n \n\n## Requires \n\n * [shortport](<../lib/shortport.html>)\n * [socks](<../lib/socks.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-01-02T11:34:27", "type": "nmap", "title": "socks-auth-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:SOCKS-AUTH-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/socks-auth-info.html", "sourceData": "local shortport = require \"shortport\"\nlocal socks = require \"socks\"\nlocal table = require \"table\"\n\ndescription = [[\nDetermines the supported authentication mechanisms of a remote SOCKS\nproxy server. Starting with SOCKS version 5 socks servers may support\nauthentication. The script checks for the following authentication\ntypes:\n 0 - No authentication\n 1 - GSSAPI\n 2 - Username and password\n]]\n\n---\n-- @usage\n-- nmap -p 1080 <ip> --script socks-auth-info\n--\n-- @output\n-- PORT STATE SERVICE\n-- 1080/tcp open socks\n-- | socks-auth-info:\n-- | No authentication\n-- |_ Username and password\n--\n-- @xmloutput\n-- <table>\n-- <elem key=\"method\">0</elem>\n-- <elem key=\"name\">No authentication</elem>\n-- </table>\n-- <table>\n-- <elem key=\"method\">2</elem>\n-- <elem key=\"name\">Username and password</elem>\n-- </table>\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\", \"default\"}\n\nportrule = shortport.port_or_service({1080, 9050}, {\"socks\", \"socks5\", \"tor-socks\"})\n\naction = function(host, port)\n\n local helper = socks.Helper:new(host, port)\n local auth_methods = {}\n\n -- iterate over all authentication methods as the server only responds with\n -- a single supported one if we send a list.\n local mt = { __tostring = function(t) return t.name end }\n for _, method in pairs(socks.AuthMethod) do\n local status, response = helper:connect( method )\n if ( status ) then\n local out = {\n method = response.method,\n name = helper:authNameByNumber(response.method)\n }\n setmetatable(out, mt)\n table.insert(auth_methods, out)\n end\n end\n\n helper:close()\n if ( 0 == #auth_methods ) then return end\n return auth_methods\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:36:26", "description": "Performs brute force password auditing against the classic UNIX rexec (remote exec) service.\n\n## Script Arguments \n\n#### rexec-brute.timeout \n\nsocket timeout for connecting to rexec (default 10s)\n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 512 --script rexec-brute <ip>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 512/tcp open exec\n | rexec-brute:\n | Accounts\n | nmap:test - Valid credentials\n | Statistics\n |_ Performed 16 guesses in 7 seconds, average tps: 2\n \n\n## Requires \n\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-11-04T21:17:33", "type": "nmap", "title": "rexec-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-06-27T19:13:41", "id": "NMAP:REXEC-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/rexec-brute.html", "sourceData": "local brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription=[[\nPerforms brute force password auditing against the classic UNIX rexec (remote exec) service.\n]]\n\n---\n-- @usage\n-- nmap -p 512 --script rexec-brute <ip>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 512/tcp open exec\n-- | rexec-brute:\n-- | Accounts\n-- | nmap:test - Valid credentials\n-- | Statistics\n-- |_ Performed 16 guesses in 7 seconds, average tps: 2\n--\n-- @args rexec-brute.timeout socket timeout for connecting to rexec (default 10s)\n\n-- Version 0.1\n-- Created 11/02/2011 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"brute\", \"intrusive\"}\n\nportrule = shortport.port_or_service(512, \"exec\", \"tcp\")\n\n--- Copied from telnet-brute\n-- Decide whether a given string (presumably received from a telnet server)\n-- indicates a failed login\n--\n-- @param str The string to analyze\n-- @return Verdict (true or false)\nlocal is_login_failure = function (str)\n local lcstr = str:lower()\n return lcstr:find(\"%f[%w]incorrect%f[%W]\")\n or lcstr:find(\"%f[%w]failed%f[%W]\")\n or lcstr:find(\"%f[%w]denied%f[%W]\")\n or lcstr:find(\"%f[%w]invalid%f[%W]\")\n or lcstr:find(\"%f[%w]bad%f[%W]\")\nend\n\nDriver = {\n\n -- creates a new Driver instance\n -- @param host table as received by the action function\n -- @param port table as received by the action function\n -- @return o instance of Driver\n new = function(self, host, port, options)\n local o = { host = host, port = port, timeout = options.timeout }\n setmetatable(o, self)\n self.__index = self\n return o\n end,\n\n connect = function(self)\n self.socket = brute.new_socket()\n self.socket:set_timeout(self.timeout)\n local status, err = self.socket:connect(self.host, self.port)\n if ( not(status) ) then\n local err = brute.Error:new(\"Connection failed\")\n err:setRetry( true )\n return false, err\n end\n return true\n end,\n\n login = function(self, username, password)\n local cmd = \"id\"\n local data = (\"\\0%s\\0%s\\0%s\\0\"):format(username, password, cmd)\n\n local status, err = self.socket:send(data)\n if ( not(status) ) then\n local err = brute.Error:new(\"Send failed\")\n err:setRetry( true )\n return false, err\n end\n\n local response\n status, response = self.socket:receive()\n if ( status and not is_login_failure(response)) then\n return true, creds.Account:new(username, password, creds.State.VALID)\n end\n return false, brute.Error:new( \"Incorrect password\" )\n end,\n\n disconnect = function(self)\n self.socket:close()\n end,\n\n}\n\n\nlocal arg_timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. \".timeout\"))\narg_timeout = (arg_timeout or 10) * 1000\n\naction = function(host, port)\n local options = {\n timeout = arg_timeout\n }\n\n local engine = brute.Engine:new(Driver, host, port, options)\n engine.options.script_name = SCRIPT_NAME\n local status, result = engine:start()\n return result\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:37:34", "description": "Repeatedly probe open and/or closed ports on a host to obtain a series of round-trip time values for each port. These values are used to group collections of ports which are statistically different from other groups. Ports being in different groups (or \"families\") may be due to network mechanisms such as port forwarding to machines behind a NAT. \n\nIn order to group these ports into different families, some statistical values must be computed. Among these values are the mean and standard deviation of the round-trip times for each port. Once all of the times have been recorded and these values have been computed, the Student's t-test is used to test the statistical significance of the differences between each port's data. Ports which have round-trip times that are statistically the same are grouped together in the same family. \n\nThis script is based on Doug Hoyte's Qscan documentation and patches for Nmap.\n\n## Script Arguments \n\n#### numclosed \n\nMaximum number of closed ports to probe (default 1). A negative number disables the limit.\n\n#### numopen \n\nMaximum number of open ports to probe (default 8). A negative number disables the limit.\n\n#### confidence \n\nConfidence level: `0.75`, `0.9`, `0.95`, `0.975`, `0.99`, `0.995`, or `0.9995`.\n\n#### numtrips \n\nNumber of round-trip times to try to get.\n\n#### delay \n\nAverage delay between packet sends. This is a number followed by `ms` for milliseconds or `s` for seconds. (`m` and `h` are also supported but are too long for timeouts.) The actual delay will randomly vary between 50% and 150% of the time specified. Default: `200ms`.\n\n## Example Usage \n \n \n nmap --script qscan --script-args qscan.confidence=0.95,qscan.delay=200ms,qscan.numtrips=10 target\n \n\n## Script Output \n \n \n | qscan:\n | PORT FAMILY MEAN (us) STDDEV LOSS (%)\n | 21 0 2082.70 460.72 0.0%\n | 22 0 2211.70 886.69 0.0%\n | 23 1 4631.90 606.67 0.0%\n | 24 0 1922.40 336.90 0.0%\n | 25 0 2017.30 404.31 0.0%\n | 80 1 4180.80 856.98 0.0%\n |_443 0 2013.30 368.91 0.0%\n \n\n## Requires \n\n * [ipOps](<../lib/ipOps.html>)\n * [math](<>)\n * [nmap](<../lib/nmap.html>)\n * [packet](<../lib/packet.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [tab](<../lib/tab.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-03-21T20:05:31", "type": "nmap", "title": "qscan NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-02-05T04:30:56", "id": "NMAP:QSCAN.NSE", "href": "https://nmap.org/nsedoc/scripts/qscan.html", "sourceData": "local ipOps = require \"ipOps\"\nlocal math = require \"math\"\nlocal nmap = require \"nmap\"\nlocal packet = require \"packet\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal tab = require \"tab\"\nlocal table = require \"table\"\n\ndescription = [[\nRepeatedly probe open and/or closed ports on a host to obtain a series\nof round-trip time values for each port. These values are used to\ngroup collections of ports which are statistically different from other\ngroups. Ports being in different groups (or \"families\") may be due to\nnetwork mechanisms such as port forwarding to machines behind a NAT.\n\nIn order to group these ports into different families, some statistical\nvalues must be computed. Among these values are the mean and standard\ndeviation of the round-trip times for each port. Once all of the times\nhave been recorded and these values have been computed, the Student's\nt-test is used to test the statistical significance of the differences\nbetween each port's data. Ports which have round-trip times that are\nstatistically the same are grouped together in the same family.\n\nThis script is based on Doug Hoyte's Qscan documentation and patches\nfor Nmap.\n]]\n\n-- See http://hcsw.org/nmap/QSCAN for more on Doug's research\n\n---\n-- @usage\n-- nmap --script qscan --script-args qscan.confidence=0.95,qscan.delay=200ms,qscan.numtrips=10 target\n--\n-- @args confidence Confidence level: <code>0.75</code>, <code>0.9</code>,\n-- <code>0.95</code>, <code>0.975</code>, <code>0.99</code>,\n-- <code>0.995</code>, or <code>0.9995</code>.\n-- @args delay Average delay between packet sends. This is a number followed by\n-- <code>ms</code> for milliseconds or <code>s</code> for seconds.\n-- (<code>m</code> and <code>h</code> are also supported but are too long\n-- for timeouts.) The actual delay will randomly vary between 50% and\n-- 150% of the time specified. Default: <code>200ms</code>.\n-- @args numtrips Number of round-trip times to try to get.\n-- @args numopen Maximum number of open ports to probe (default 8). A negative\n-- number disables the limit.\n-- @args numclosed Maximum number of closed ports to probe (default 1). A\n-- negative number disables the limit.\n--\n-- @output\n-- | qscan:\n-- | PORT FAMILY MEAN (us) STDDEV LOSS (%)\n-- | 21 0 2082.70 460.72 0.0%\n-- | 22 0 2211.70 886.69 0.0%\n-- | 23 1 4631.90 606.67 0.0%\n-- | 24 0 1922.40 336.90 0.0%\n-- | 25 0 2017.30 404.31 0.0%\n-- | 80 1 4180.80 856.98 0.0%\n-- |_443 0 2013.30 368.91 0.0%\n--\n\n-- 03/17/2010\n\nauthor = \"Kris Katterjohn\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"safe\", \"discovery\"}\n\n\n-- defaults\nlocal DELAY = 0.200\nlocal NUMTRIPS = 10\nlocal CONF = 0.95\nlocal NUMOPEN = 8\nlocal NUMCLOSED = 1\n\n-- The following tdist{} and tinv() are based off of\n-- http://www.owlnet.rice.edu/~elec428/projects/tinv.c\nlocal tdist = {\n -- 75% 90% 95% 97.5% 99% 99.5% 99.95%\n { 1.0000, 3.0777, 6.3138, 12.7062, 31.8207, 63.6574, 636.6192 }, -- 1\n { 0.8165, 1.8856, 2.9200, 4.3027, 6.9646, 9.9248, 31.5991 }, -- 2\n { 0.7649, 1.6377, 2.3534, 3.1824, 4.5407, 5.8409, 12.9240 }, -- 3\n { 0.7407, 1.5332, 2.1318, 2.7764, 3.7649, 4.6041, 8.6103 }, -- 4\n { 0.7267, 1.4759, 2.0150, 2.5706, 3.3649, 4.0322, 6.8688 }, -- 5\n { 0.7176, 1.4398, 1.9432, 2.4469, 3.1427, 3.7074, 5.9588 }, -- 6\n { 0.7111, 1.4149, 1.8946, 2.3646, 2.9980, 3.4995, 5.4079 }, -- 7\n { 0.7064, 1.3968, 1.8595, 3.3060, 2.8965, 3.3554, 5.0413 }, -- 8\n { 0.7027, 1.3830, 1.8331, 2.2622, 2.8214, 3.2498, 4.7809 }, -- 9\n { 0.6998, 1.3722, 1.8125, 2.2281, 2.7638, 1.1693, 4.5869 }, -- 10\n { 0.6974, 1.3634, 1.7959, 2.2010, 2.7181, 3.1058, 4.4370 }, -- 11\n { 0.6955, 1.3562, 1.7823, 2.1788, 2.6810, 3.0545, 4.3178 }, -- 12\n { 0.6938, 1.3502, 1.7709, 2.1604, 2.6403, 3.0123, 4.2208 }, -- 13\n { 0.6924, 1.3450, 1.7613, 2.1448, 2.6245, 2.9768, 4.1405 }, -- 14\n { 0.6912, 1.3406, 1.7531, 2.1315, 2.6025, 2.9467, 4.0728 }, -- 15\n { 0.6901, 1.3368, 1.7459, 2.1199, 2.5835, 2.9208, 4.0150 }, -- 16\n { 0.6892, 1.3334, 1.7396, 2.1098, 2.5669, 2.8982, 3.9651 }, -- 17\n { 0.6884, 1.3304, 1.7341, 2.1009, 2.5524, 2.8784, 3.9216 }, -- 18\n { 0.6876, 1.3277, 1.7291, 2.0930, 2.5395, 2.8609, 3.8834 }, -- 19\n { 0.6870, 1.3253, 1.7247, 2.0860, 2.5280, 2.8453, 3.8495 }, -- 20\n { 0.6844, 1.3163, 1.7081, 2.0595, 2.4851, 2.7874, 3.7251 }, -- 25\n { 0.6828, 1.3104, 1.6973, 2.0423, 2.4573, 2.7500, 3.6460 }, -- 30\n { 0.6816, 1.3062, 1.6896, 2.0301, 2.4377, 2.7238, 3.5911 }, -- 35\n { 0.6807, 1.3031, 1.6839, 2.0211, 2.4233, 2.7045, 3.5510 }, -- 40\n { 0.6800, 1.3006, 1.6794, 2.0141, 2.4121, 2.6896, 3.5203 }, -- 45\n { 0.6794, 1.2987, 1.6759, 2.0086, 2.4033, 2.6778, 3.4960 }, -- 50\n { 0.6786, 1.2958, 1.6706, 2.0003, 2.3901, 2.6603, 3.4602 }, -- 60\n { 0.6780, 1.2938, 1.6669, 1.9944, 2.3808, 2.6479, 3.4350 }, -- 70\n { 0.6776, 1.2922, 1.6641, 1.9901, 2.3739, 2.6387, 3.4163 }, -- 80\n { 0.6772, 1.2910, 1.6620, 1.9867, 2.3685, 2.6316, 3.4019 }, -- 90\n { 0.6770, 1.2901, 1.6602, 1.9840, 2.3642, 2.6259, 3.3905 } -- 100\n}\n\n-- cache ports to probe between the hostrule and the action function\nlocal qscanports\n\n\nlocal tinv = function(p, dof)\n local din, pin\n\n if dof >= 1 and dof <= 20 then\n din = dof\n elseif dof < 25 then\n din = 20\n elseif dof < 30 then\n din = 21\n elseif dof < 35 then\n din = 22\n elseif dof < 40 then\n din = 23\n elseif dof < 45 then\n din = 24\n elseif dof < 50 then\n din = 25\n elseif dof < 60 then\n din = 26\n elseif dof < 70 then\n din = 27\n elseif dof < 80 then\n din = 28\n elseif dof < 90 then\n din = 29\n elseif dof < 100 then\n din = 30\n elseif dof >= 100 then\n din = 31\n end\n\n if p == 0.75 then\n pin = 1\n elseif p == 0.9 then\n pin = 2\n elseif p == 0.95 then\n pin = 3\n elseif p == 0.975 then\n pin = 4\n elseif p == 0.99 then\n pin = 5\n elseif p == 0.995 then\n pin = 6\n elseif p == 0.9995 then\n pin = 7\n end\n\n return tdist[din][pin]\nend\n\n--- Calculates intermediate t statistic\nlocal tstat = function(n1, n2, u1, u2, v1, v2)\n local dof = n1 + n2 - 2\n local a = (n1 + n2) / (n1 * n2)\n --local b = ((n1 - 1) * (s1 * s1) + (n2 - 1) * (s2 * s2))\n local b = ((n1 - 1) * v1) + ((n2 - 1) * v2)\n return math.abs(u1 - u2) / math.sqrt(a * (b / dof))\nend\n\n--- Pcap check\n-- @return Destination and source IP addresses and TCP ports\nlocal check = function(layer3)\n local ip = packet.Packet:new(layer3, layer3:len())\n return string.pack('>c4c4I2I2', ip.ip_bin_dst, ip.ip_bin_src, ip.tcp_dport, ip.tcp_sport)\nend\n\n--- Updates a TCP Packet object\n-- @param tcp The TCP object\nlocal updatepkt = function(tcp, dport)\n tcp:tcp_set_sport(math.random(0x401, 0xffff))\n tcp:tcp_set_dport(dport)\n tcp:tcp_set_seq(math.random(1, 0x7fffffff))\n tcp:tcp_count_checksum(tcp.ip_len)\n tcp:ip_count_checksum()\nend\n\n--- Create a TCP Packet object\n-- @param host Host object\n-- @return TCP Packet object\nlocal genericpkt = function(host)\n local pkt = stdnse.fromhex(\n \"4500 002c 55d1 0000 8006 0000 0000 0000\" ..\n \"0000 0000 0000 0000 0000 0000 0000 0000\" ..\n \"6002 0c00 0000 0000 0204 05b4\"\n )\n\n local tcp = packet.Packet:new(pkt, pkt:len())\n\n tcp:ip_set_bin_src(host.bin_ip_src)\n tcp:ip_set_bin_dst(host.bin_ip)\n\n updatepkt(tcp, 0)\n\n return tcp\nend\n\n--- Calculates \"family\" values for grouping\n-- @param stats Statistics table\n-- @param conf Confidence level\nlocal calcfamilies = function(stats, conf)\n local i, j\n local famidx = 0\n local stat\n local crit\n\n for _, i in pairs(stats) do repeat\n if i.fam ~= -1 then\n break\n end\n\n i.fam = famidx\n famidx = famidx + 1\n\n for _, j in pairs(stats) do repeat\n if j.port == i.port or j.fam ~= -1 then\n break\n end\n\n stat = tstat(i.num, j.num, i.mean, j.mean, i.K / (i.num - 1), j.K / (j.num - 1))\n crit = tinv(conf, i.num + j.num - 2)\n\n if stat < crit then\n j.fam = i.fam\n end\n until true end\n until true end\nend\n\n--- Builds report for output\n-- @param stats Array of port statistics\n-- @return Output report\nlocal report = function(stats)\n local j\n local outtab = tab.new()\n\n tab.add(outtab, 1, \"PORT\")\n tab.add(outtab, 2, \"FAMILY\")\n tab.add(outtab, 3, \"MEAN (us)\")\n tab.add(outtab, 4, \"STDDEV\")\n tab.add(outtab, 5, \"LOSS (%)\")\n tab.nextrow(outtab)\n local port, fam, mean, stddev, loss\n for _, j in pairs(stats) do\n port = tostring(j.port)\n fam = tostring(j.fam)\n mean = string.format(\"%.2f\", j.mean)\n stddev = string.format(\"%.2f\", math.sqrt(j.K / (j.num - 1)))\n loss = string.format(\"%.1f%%\", 100 * (1 - j.num / j.sent))\n\n tab.add(outtab, 1, port)\n tab.add(outtab, 2, fam)\n tab.add(outtab, 3, mean)\n tab.add(outtab, 4, stddev)\n tab.add(outtab, 5, loss)\n tab.nextrow(outtab)\n end\n\n return tab.dump(outtab)\nend\n\n--- Returns option values based on script arguments and defaults\n-- @return Confidence level, delay and number of trips\nlocal getopts = function()\n local conf, delay, numtrips = CONF, DELAY, NUMTRIPS\n local bool, err\n local k\n\n for _, k in ipairs({\"qscan.confidence\", \"confidence\"}) do\n if nmap.registry.args[k] then\n conf = tonumber(nmap.registry.args[k])\n break\n end\n end\n\n for _, k in ipairs({\"qscan.delay\", \"delay\"}) do\n if nmap.registry.args[k] then\n delay = stdnse.parse_timespec(nmap.registry.args[k])\n break\n end\n end\n\n for _, k in ipairs({\"qscan.numtrips\", \"numtrips\"}) do\n if nmap.registry.args[k] then\n numtrips = tonumber(nmap.registry.args[k])\n break\n end\n end\n\n bool = true\n\n if conf ~= 0.75 and conf ~= 0.9 and\n conf ~= 0.95 and conf ~= 0.975 and\n conf ~= 0.99 and conf ~= 0.995 and conf ~= 0.9995 then\n bool = false\n err = \"Invalid confidence level\"\n end\n\n if not delay then\n bool = false\n err = \"Invalid delay\"\n end\n\n if numtrips < 3 then\n bool = false\n err = \"Invalid number of trips (should be >= 3)\"\n end\n\n if bool then\n return bool, conf, delay, numtrips\n else\n return bool, err\n end\nend\n\nlocal table_extend = function(a, b)\n local t = {}\n\n for _, v in ipairs(a) do\n t[#t + 1] = v\n end\n for _, v in ipairs(b) do\n t[#t + 1] = v\n end\n\n return t\nend\n\n--- Get ports to probe\n-- @param host Host object\nlocal getports = function(host, numopen, numclosed)\n local open = {}\n local closed = {}\n local port\n\n port = nil\n while numopen < 0 or #open < numopen do\n port = nmap.get_ports(host, port, \"tcp\", \"open\")\n if not port then\n break\n end\n open[#open + 1] = port.number\n end\n port = nil\n while numclosed < 0 or #closed < numclosed do\n port = nmap.get_ports(host, port, \"tcp\", \"closed\")\n if not port then\n break\n end\n closed[#closed + 1] = port.number\n end\n\n return table_extend(open, closed)\nend\n\nhostrule = function(host)\n if not nmap.is_privileged() then\n nmap.registry[SCRIPT_NAME] = nmap.registry[SCRIPT_NAME] or {}\n if not nmap.registry[SCRIPT_NAME].rootfail then\n stdnse.verbose1(\"not running for lack of privileges.\")\n end\n nmap.registry[SCRIPT_NAME].rootfail = true\n return nil\n end\n\n local numopen, numclosed = NUMOPEN, NUMCLOSED\n\n if nmap.address_family() ~= 'inet' then\n stdnse.debug1(\"is IPv4 compatible only.\")\n return false\n end\n if not host.interface then\n return false\n end\n\n for _, k in ipairs({\"qscan.numopen\", \"numopen\"}) do\n if nmap.registry.args[k] then\n numopen = tonumber(nmap.registry.args[k])\n break\n end\n end\n\n for _, k in ipairs({\"qscan.numclosed\", \"numclosed\"}) do\n if nmap.registry.args[k] then\n numclosed = tonumber(nmap.registry.args[k])\n break\n end\n end\n\n qscanports = getports(host, numopen, numclosed)\n return (#qscanports > 1)\nend\n\naction = function(host)\n local sock = nmap.new_dnet()\n local pcap = nmap.new_socket()\n local saddr = ipOps.str_to_ip(host.bin_ip_src)\n local daddr = ipOps.str_to_ip(host.bin_ip)\n local start\n local rtt\n local stats = {}\n local try = nmap.new_try()\n\n local conf, delay, numtrips = try(getopts())\n\n pcap:pcap_open(host.interface, 104, false, \"tcp and dst host \" .. saddr .. \" and src host \" .. daddr)\n\n try(sock:ip_open())\n\n try = nmap.new_try(function() sock:ip_close() end)\n\n -- Simply double the calculated host timeout to account for possible\n -- extra time due to port forwarding or whathaveyou. Nmap has all\n -- ready scanned this host, so the timing should have taken into\n -- account some of the RTT differences, but I think it really depends\n -- on how many ports were scanned and how many were forwarded where.\n -- Play it safer here.\n pcap:set_timeout(2 * host.times.timeout * 1000)\n\n local tcp = genericpkt(host)\n\n for i = 1, numtrips do\n for j, port in ipairs(qscanports) do\n\n updatepkt(tcp, port)\n\n if not stats[j] then\n stats[j] = {}\n stats[j].port = port\n stats[j].num = 0\n stats[j].sent = 0\n stats[j].mean = 0\n stats[j].K = 0\n stats[j].fam = -1\n end\n\n start = stdnse.clock_us()\n\n try(sock:ip_send(tcp.buf, host))\n\n stats[j].sent = stats[j].sent + 1\n\n local test = string.pack('>c4c4I2I2', tcp.ip_bin_src, tcp.ip_bin_dst, tcp.tcp_sport, tcp.tcp_dport)\n local status, length, _, layer3, stop = pcap:pcap_receive()\n while status and test ~= check(layer3) do\n status, length, _, layer3, stop = pcap:pcap_receive()\n end\n\n if not stop then\n -- probably a timeout, just grab current time\n stop = stdnse.clock_us()\n else\n -- we use usecs\n stop = stop * 1000000\n end\n\n rtt = stop - start\n\n if status then\n -- update more stats on the port, Knuth-style\n local delta\n stats[j].num = stats[j].num + 1\n delta = rtt - stats[j].mean\n stats[j].mean = stats[j].mean + delta / stats[j].num\n stats[j].K = stats[j].K + delta * (rtt - stats[j].mean)\n end\n\n -- Unlike qscan.cc which loops around while waiting for\n -- the delay, I just sleep here (depending on rtt)\n local sleep = delay * (0.5 + math.random()) - rtt / 1000000\n if sleep > 0 then\n stdnse.sleep(sleep)\n end\n end\n end\n\n sock:ip_close()\n pcap:pcap_close()\n\n -- sort by port number\n table.sort(stats, function(t1, t2) return t1.port < t2.port end)\n\n calcfamilies(stats, conf)\n\n return \"\\n\" .. report(stats)\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:36:33", "description": "NOTE: This script has been replaced by the `--resolve-all` command-line option in Nmap 7.70 \n\nResolves hostnames and adds every address (IPv4 or IPv6, depending on Nmap mode) to Nmap's target list. This differs from Nmap's normal host resolution process, which only scans the first address (A or AAAA record) returned for each host name. \n\nThe script will run on any target provided by hostname. It can also be fed hostnames via the `resolveall.hosts` argument. Because it adds new targets by IP address it will not run recursively, since those new targets were not provided by hostname. It will also not add the same IP that was initially chosen for scanning by Nmap.\n\n## Script Arguments \n\n#### resolveall.hosts \n\nTable of hostnames to resolve\n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script=resolveall --script-args=newtargets,resolveall.hosts={<host1>, ...} ...\n nmap --script=resolveall manyaddresses.example.com\n\n## Script Output \n \n \n Pre-scan script results:\n | resolveall:\n | Host 'google.com' resolves to:\n | 74.125.39.106\n | 74.125.39.147\n | 74.125.39.99\n | 74.125.39.103\n | 74.125.39.105\n | 74.125.39.104\n |_ Successfully added 6 new targets\n Host script results:\n | resolveall:\n | Host 'chat.freenode.net' also resolves to:\n | 94.125.182.252\n | 185.30.166.37\n | 162.213.39.42\n | 193.10.255.100\n | 139.162.227.51\n | 195.154.200.232\n | 164.132.77.237\n | 185.30.166.38\n | 130.185.232.126\n | 38.229.70.22\n |_ Successfully added 10 new targets\n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n * [target](<../lib/target.html>)\n * [ipOps](<../lib/ipOps.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-09-28T02:04:20", "type": "nmap", "title": "resolveall NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-07-25T14:13:28", "id": "NMAP:RESOLVEALL.NSE", "href": "https://nmap.org/nsedoc/scripts/resolveall.html", "sourceData": "local nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal target = require \"target\"\nlocal ipOps = require \"ipOps\"\n\ndescription = [[\nNOTE: This script has been replaced by the <code>--resolve-all</code>\ncommand-line option in Nmap 7.70\n\nResolves hostnames and adds every address (IPv4 or IPv6, depending on\nNmap mode) to Nmap's target list. This differs from Nmap's normal\nhost resolution process, which only scans the first address (A or AAAA\nrecord) returned for each host name.\n\nThe script will run on any target provided by hostname. It can also be fed\nhostnames via the <code>resolveall.hosts</code> argument. Because it adds new\ntargets by IP address it will not run recursively, since those new targets were\nnot provided by hostname. It will also not add the same IP that was initially\nchosen for scanning by Nmap.\n]]\n\n---\n-- @usage\n-- nmap --script=resolveall --script-args=newtargets,resolveall.hosts={<host1>, ...} ...\n-- nmap --script=resolveall manyaddresses.example.com\n-- @args resolveall.hosts Table of hostnames to resolve\n-- @output\n-- Pre-scan script results:\n-- | resolveall:\n-- | Host 'google.com' resolves to:\n-- | 74.125.39.106\n-- | 74.125.39.147\n-- | 74.125.39.99\n-- | 74.125.39.103\n-- | 74.125.39.105\n-- | 74.125.39.104\n-- |_ Successfully added 6 new targets\n-- Host script results:\n-- | resolveall:\n-- | Host 'chat.freenode.net' also resolves to:\n-- | 94.125.182.252\n-- | 185.30.166.37\n-- | 162.213.39.42\n-- | 193.10.255.100\n-- | 139.162.227.51\n-- | 195.154.200.232\n-- | 164.132.77.237\n-- | 185.30.166.38\n-- | 130.185.232.126\n-- | 38.229.70.22\n-- |_ Successfully added 10 new targets\n-- @xmloutput\n-- <elem key=\"newtargets\">4</elem>\n-- <table key=\"hosts\">\n-- <table key=\"google.com\">\n-- <elem>74.125.39.106</elem>\n-- <elem>74.125.39.147</elem>\n-- <elem>74.125.39.99</elem>\n-- <elem>74.125.39.103</elem>\n-- </table>\n-- </table>\n\nauthor = \"Kris Katterjohn\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"safe\", \"discovery\"}\n\n\nprerule = function()\n return stdnse.get_script_args(\"resolveall.hosts\")\nend\n\nhostrule = function(host)\n return host.targetname\nend\n\nlocal addtargets = function(list)\n local sum = 0\n\n for _, t in ipairs(list) do\n local st, err = target.add(t)\n if st then\n sum = sum + 1\n else\n stdnse.debug1(\"Couldn't add target %s: %s\", t, err)\n end\n end\n\n return sum\nend\n\npreaction = function()\n local hosts = stdnse.get_script_args(\"resolveall.hosts\")\n\n if type(hosts) ~= \"table\" then\n hosts = {hosts}\n end\n\n local sum = 0\n local output = {}\n local xmloutput = {}\n for _, host in ipairs(hosts) do\n local status, list = nmap.resolve(host, nmap.address_family())\n if status and #list > 0 then\n if target.ALLOW_NEW_TARGETS then\n sum = sum + addtargets(list)\n end\n xmloutput[host] = list\n table.insert(output, string.format(\"Host '%s' resolves to:\", host))\n table.insert(output, list)\n end\n end\n\n xmloutput = {\n hosts = xmloutput,\n newtargets = sum or 0,\n }\n if sum > 0 then\n table.insert(output, string.format(\"Successfully added %d new targets\", sum))\n else\n table.insert(output, \"Use the 'newtargets' script-arg to add the results as targets\")\n end\n table.insert(output, \"Use the --resolve-all option to scan all resolved addresses without using this script.\")\n return xmloutput, stdnse.format_output(true, output)\nend\n\nhostaction = function(host)\n local sum = 0\n local output = {}\n local status, list = nmap.resolve(host.targetname, nmap.address_family())\n if not status or #list <= 0 then\n return nil\n end\n -- Don't re-add this same IP!\n for i = #list, 1, -1 do\n if ipOps.compare_ip(list[i], \"eq\", host.ip) then\n table.remove(list, i)\n end\n end\n if target.ALLOW_NEW_TARGETS then\n sum = sum + addtargets(list)\n end\n table.insert(output, string.format(\"Host '%s' also resolves to:\", host.targetname))\n table.insert(output, list)\n\n local xmloutput = {\n addresses = list,\n newtargets = sum or 0,\n }\n if sum > 0 then\n table.insert(output, string.format(\"Successfully added %d new targets\", sum))\n else\n table.insert(output, \"Use the 'newtargets' script-arg to add the results as targets\")\n end\n table.insert(output, (\"Use the --resolve-all option to scan all resolved addresses without using this script.\"):format(host.targetname))\n return xmloutput, stdnse.format_output(true, output)\nend\n\nlocal ActionsTable = {\n -- prerule: resolve via script-args\n prerule = preaction,\n -- hostrule: resolve via scanned host\n hostrule = hostaction\n}\n\n-- execute the action function corresponding to the current rule\naction = function(...) return ActionsTable[SCRIPT_TYPE](...) end\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:33:30", "description": "Connects to a tn3270 'server' and returns the screen. \n\nHidden fields will be listed below the screen with (row, col) coordinates.\n\n## Script Arguments \n\n#### tn3270-screen.commands \n\na semi-colon separated list of commands you want to issue before printing the screen tn3270-screen.lu specify a logical unit you with to use, fails if can't connect tn3270-screen.disable_tn3270e disables TN3270 Enhanced mode\n\n## Example Usage \n \n \n nmap --script tn3270-info,tn3270_screen <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE VERSION\n 23/tcp open tn3270 Telnet TN3270\n | tn3270-screen:\n | screen:\n | Mainframe Operating System z/OS V1.6\n | FFFFF AAA N N DDDD EEEEE ZZZZZ H H III\n | F A A NN N D D E Z H H I\n | FFFF AAAAA N N N D D EEEE Z HHHHH I\n | F A A N NN D D E Z H H I\n | F A A N N DDDD EEEEE ZZZZZ H H III\n |\n | ZZZZZ / OOOOO SSSS\n | Z / O O S\n | Z / O O SSS\n | Z / O O S\n | ZZZZZ / OOOOO SSSS\n |\n | Welcome to Fan DeZhi Mainframe System!\n |\n | Support: http://zos.efglobe.com\n | TSO - Logon to TSO/ISPF NETVIEW - Netview System\n | CICS - CICS System NVAS - Netview Access\n | IMS - IMS System AOF - Netview Automation\n |\n | Enter your choice==>\n | Hi! Enter one of above commands in red.\n |\n |_Your IP(10.10.10.375 :64199), SNA LU( ) 05/30/15 13:33:37\n \n\n## Requires \n\n * [stdnse](<../lib/stdnse.html>)\n * [shortport](<../lib/shortport.html>)\n * [tn3270](<../lib/tn3270.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-12-08T20:23:16", "type": "nmap", "title": "tn3270-screen NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-03-21T04:07:55", "id": "NMAP:TN3270-SCREEN.NSE", "href": "https://nmap.org/nsedoc/scripts/tn3270-screen.html", "sourceData": "local stdnse = require \"stdnse\"\nlocal shortport = require \"shortport\"\nlocal tn3270 = require \"tn3270\"\n\ndescription = [[\nConnects to a tn3270 'server' and returns the screen.\n\nHidden fields will be listed below the screen with (row, col) coordinates.\n]]\n\n---\n-- @usage\n-- nmap --script tn3270-info,tn3270_screen <host>\n--\n-- @output\n-- PORT STATE SERVICE VERSION\n-- 23/tcp open tn3270 Telnet TN3270\n-- | tn3270-screen:\n-- | screen:\n-- | Mainframe Operating System z/OS V1.6\n-- | FFFFF AAA N N DDDD EEEEE ZZZZZ H H III\n-- | F A A NN N D D E Z H H I\n-- | FFFF AAAAA N N N D D EEEE Z HHHHH I\n-- | F A A N NN D D E Z H H I\n-- | F A A N N DDDD EEEEE ZZZZZ H H III\n-- |\n-- | ZZZZZ / OOOOO SSSS\n-- | Z / O O S\n-- | Z / O O SSS\n-- | Z / O O S\n-- | ZZZZZ / OOOOO SSSS\n-- |\n-- | Welcome to Fan DeZhi Mainframe System!\n-- |\n-- | Support: http://zos.efglobe.com\n-- | TSO - Logon to TSO/ISPF NETVIEW - Netview System\n-- | CICS - CICS System NVAS - Netview Access\n-- | IMS - IMS System AOF - Netview Automation\n-- |\n-- | Enter your choice==>\n-- | Hi! Enter one of above commands in red.\n-- |\n-- |_Your IP(10.10.10.375 :64199), SNA LU( ) 05/30/15 13:33:37\n--\n-- @args tn3270-screen.commands a semi-colon separated list of commands you want to\n-- issue before printing the screen\n-- tn3270-screen.lu specify a logical unit you with to use, fails if can't connect\n-- tn3270-screen.disable_tn3270e disables TN3270 Enhanced mode\n--\n--\n-- @changelog\n-- 2015