nbns-interfaces NSE Script
Retrieves IP addresses of the target's network interfaces via NetBIOS NS. Additional network interfaces may reveal more information about the target, including finding paths to hidden non-routed networks via multihomed systems. Example Usage nmap -sU -p 137 --script nbns-interfaces Script Output...
port-states NSE Script
Prints a list of ports found in each state. Nmap ordinarily summarizes "uninteresting" ports as "Not shown: 94 closed ports, 4 filtered ports" but users may want to know which ports were filtered vs which were closed. This script will expand these summaries into a list of ports and port ranges th...
openflow-info NSE Script
Queries OpenFlow controllers for information. Newer versions of the OpenFlow protocol (1.3 and greater) will return a list of all protocol versions supported by the controller. Versions prior to 1.3 only return their own version number. For additional information: Example Usage nmap -p 6633,6653...
uptime-agent-info NSE Script
Gets system information from an Idera Uptime Infrastructure Monitor agent. Example Usage nmap --script uptime-agent-info -p 9998 Script Output 9998/tcp open uptime-agent syn-ack | uptime-agent-info: SYSNAME=system123 | DOMAIN=none | ARCH="Linux system123 3.12.51-60.20-default 1 SMP Fri Dec 11...
dicom-brute NSE Script
Attempts to brute force the Application Entity Title of a DICOM server (DICOM Service Provider). Application Entity Titles (AET) are used to restrict responses only to clients knowing the title. Hence, the called AET is used as a form of password. Script Arguments brute.credfile, brute.delay,...
dicom-ping NSE Script
Attempts to discover DICOM servers (DICOM Service Provider) through a partial C-ECHO request. It also detects if the server allows any called Application Entity Title or not. The script responds with the message "Called AET check enabled" when the association request is rejected due to configuration...
vulners NSE Script
For each available CPE the script prints out known vulns (links to the corresponding info) and corresponding CVSS scores. Its work is pretty simple: work only when some software version is identified for an open port; take all the known CPEs for that software from the standard nmap -sV output; make a...
rdp-ntlm-info NSE Script
This script enumerates information from remote RDP services with CredSSP NLA authentication enabled. Sending an incomplete CredSSP NTLM authentication request with null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIOS, DNS, and ...
http-hp-ilo-info NSE Script
Attempts to extract information from HP iLO boards including versions and addresses. HP iLO boards have an unauthenticated info disclosure at ip/xmldata?item=all. It lists board information such as server model, firmware version, MAC addresses, IP addresses, etc. This script uses the slaxml...
lu-enum NSE Script
Attempts to enumerate Logical Units (LU) of TN3270E servers. When connecting to a TN3270E server you are assigned a Logical Unit (LU) or you can tell the TN3270E server which LU you'd like to use. Typically TN3270E servers are configured to give you an LU from a pool of LUs. They can also have LUs se...
ubiquiti-discovery NSE Script
Extracts information from Ubiquiti networking devices. This script leverages Ubiquiti's Discovery Service which is enabled by default on many products. It will attempt to leverage version 1 of the protocol first and, if that fails, attempt version 2. Example Usage nmap -sU -p 10001 --script...
smb-vuln-webexec NSE Script
A critical remote code execution vulnerability exists in WebExService (WebExec). See also: smb-webexec-exploit.nse Script Arguments smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbauth library. randomseed, smbbasic, smbport, smbsign See the...
smb-webexec-exploit NSE Script
Attempts to run a command via WebExService, using the WebExec vulnerability. Given a Windows account (local or domain), this will start an arbitrary executable with SYSTEM privileges over the SMB protocol. The argument webexeccommand will run the command directly. It may or may not start with a GUI...
http-sap-netweaver-leak NSE Script
Detects SAP Netweaver Portal instances that allow anonymous access to the KM unit navigation page. This page leaks file names, LDAP users, etc. SAP Netweaver Portal with the Knowledge Management Unit enabled allows unauthenticated users to list file system directories through the URL...
https-redirect NSE Script
Checks for HTTP services that redirect to HTTPS on the same port. Example Usage nmap -sV Requires comm string shortport nmap url local comm = require "comm" local string = require "string" local shortport = require "shortport" local nmap = require "nmap" local url = require "url" local U =...
broadcast-jenkins-discover NSE Script
Discovers Jenkins servers on a LAN by sending a discovery broadcast probe. For more information about Jenkins auto discovery, see: Script Arguments broadcast-jenkins.address address to which the probe packet is sent. default: 255.255.255.255 broadcast-jenkins.timeout socket timeout default: 5s...
broadcast-hid-discoveryd NSE Script
Discovers HID devices on a LAN by sending a discoveryd network broadcast probe. For more information about HID discoveryd, see: Script Arguments broadcast-hid-discoveryd.timeout socket timeout default: 5s broadcast-hid-discoveryd.address address to which the probe packet is sent. default:...
hostmap-crtsh NSE Script
Finds subdomains of a web server by querying Google's Certificate Transparency logs database. The script will run against any target that has a name, either specified on the command line or obtained via reverse-DNS. NSE implementation of ctfr.py by Sheila Berta. References:...
nbd-info NSE Script
Displays protocol and block device information from NBD servers. The Network Block Device protocol is used to publish block devices over TCP. This script connects to an NBD server and attempts to pull down a list of exported block devices and their details. For additional information: Script...
tls-alpn NSE Script
Enumerates a TLS server's supported application-layer protocols using the ALPN protocol. Repeated queries are sent to determine which of the registered protocols are supported. For more information, see: Script Arguments mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port,...
rsa-vuln-roca NSE Script
Detects RSA keys vulnerable to Return Of Coppersmith Attack (ROCA) factorization. SSH hostkeys and SSL/TLS certificates are checked. The checks require recent updates to the openssl NSE library. References: See also: ssl-cert.nse ssh-hostkey.nse Script Arguments mssql.domain, mssql.instance-all,...
http-trane-info NSE Script
Attempts to obtain information from Trane Tracer SC devices. Trane Tracer SC is an intelligent field panel for communicating with HVAC equipment controllers deployed across several sectors including commercial facilities and others. The information is obtained from the web server that exposes...
deluge-rpc-brute NSE Script
Performs brute force password auditing against the DelugeRPC daemon. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the creds library. brute.credfile,...
smb-enum-services NSE Script
Retrieves the list of services running on a remote Windows system. Each service attribute contains service name, display name and service status of each service. Note: Modern Windows systems require a privileged domain account in order to list the services. References: Script Arguments randomsee...
http-bigip-cookie NSE Script
Decodes any unencrypted F5 BIG-IP cookies in the HTTP response. BIG-IP cookies contain information on backend systems such as internal IP addresses and port numbers. See here for more info: Script Arguments http-bigip-cookie.path The URL path to request. The default path is "/". slaxml.debug See...
http-jsonp-detection NSE Script
Attempts to discover JSONP endpoints in web servers. JSONP endpoints can be used to bypass Same-origin Policy restrictions in web browsers. The script searches for callback functions in the response to detect JSONP endpoints. It also tries to determine callback function through URLcallback functi...
smb2-capabilities NSE Script
Attempts to list the supported capabilities in an SMBv2 server for each enabled dialect. The script sends a SMB2_COM_NEGOTIATE command and parses the response using the SMB dialects: 2.0.2, 2.1, 3.0, 3.0.2, 3.1.1 References: Script Arguments randomseed, smbbasic, smbport, smbsign See the documentation f...
smb-protocols NSE Script
Attempts to list the supported protocols and dialects of an SMB server. The script attempts to initiate a connection using the dialects: NT LM 0.12 (SMBv1), 2.0.2 (SMBv2), 2.1 (SMBv2), 3.0 (SMBv3), 3.0.2 (SMBv3), 3.1.1 (SMBv3). Additionally, if SMBv1 is found enabled, it will mark it as insecure. This script is the...
smb2-security-mode NSE Script
Determines the message signing configuration in SMBv2 servers for all supported dialects. The script sends a SMB2_COM_NEGOTIATE request for each SMB2/SMB3 dialect and parses the security mode field to determine the message signing configuration of the SMB server. References: Script Arguments...
smb2-vuln-uptime NSE Script
Attempts to detect missing patches in Windows systems by checking the uptime returned during the SMB2 protocol negotiation. SMB2 protocol negotiation response returns the system boot time pre-authentication. This information can be used to determine if a system is missing critical patches without...
smb2-time NSE Script
Attempts to obtain the current system date and the start date of an SMB2 server. Script Arguments randomseed, smbbasic, smbport, smbsign See the documentation for the smb library. smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbauth library. Examp...
ftp-syst NSE Script
Sends FTP SYST and STAT commands and returns the result. The canonical SYST response of "UNIX Type: L8" is stripped or ignored, since it is meaningless. Typical FTP response codes (215 for SYST and 211 for STAT) are also hidden. References: Example Usage nmap -sV -sC Script Output | ftp-syst: | SYS...
openwebnet-discovery NSE Script
OpenWebNet is a communications protocol developed by Bticino since 2000. Retrieves device identifying information and number of connected devices. References: Example Usage nmap --script openwebnet-discovery Script Output | openwebnet-discover: | IP Address: 192.168.200.35 | Net Mask: 255.255.255...
puppet-naivesigning NSE Script
Detects if naive signing is enabled on a Puppet server. This enables attackers to create any Certificate Signing Request and have it signed, allowing them to impersonate a puppet agent. This can leak the configuration of the agents as well as any other sensitive information found in the...
iec-identify NSE Script
Attempts to identify the IEC 60870-5-104 ICS protocol. After probing with a TESTFR (test frame) message, a STARTDT (start data transfer) message is sent and general interrogation is used to gather the list of information object addresses stored. Example Usage nmap -sV --script=iec-identify Script Output ...
ssh-publickey-acceptance NSE Script
This script takes a table of paths to private keys, passphrases, and usernames and checks each pair to see if the target ssh server accepts them for publickey authentication. If no keys are given or the known-bad option is given, the script will check if a list of known static public keys are...
ssh-run NSE Script
Runs a remote command on an ssh server and returns the command output. Script Arguments ssh-run.username Username to authenticate as ssh-run.cmd Command to run on remote server ssh-run.password Password to use if using password authentication ssh-run.privatekey Private key file to use if using publickey...
http-vuln-cve2017-8917 NSE Script
An SQL Injection vulnerability affecting Joomla! 3.7.x before 3.7.1 allows for unauthenticated users to execute arbitrary SQL commands. This vulnerability was caused by a new component, com_fields, which was introduced in version 3.7. This component is publicly accessible, which means this can be...
smb-vuln-cve-2017-7494 NSE Script
Checks if target machines are vulnerable to the arbitrary shared library load vulnerability CVE-2017-7494. Unpatched versions of Samba from 3.5.0 to 4.4.13, and versions prior to 4.5.10 and 4.6.4 are affected by a vulnerability that allows remote code execution, allowing a malicious client to...
http-security-headers NSE Script
Checks for the HTTP response headers related to security given in the OWASP Secure Headers Project and gives a brief description of the header and its configuration value. The script requests the server for the header with http.head and parses it to list headers found with their configurations. The...
http-vuln-cve2017-1001000 NSE Script
Attempts to detect a privilege escalation vulnerability in Wordpress 4.7.0 and 4.7.1 that allows unauthenticated users to inject content in posts. The script connects to the Wordpress REST API to obtain the list of published posts and grabs the user id and date from there. Then it attempts to...
smb-vuln-ms17-010 NSE Script
Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability ms17-010, a.k.a. EternalBlue. The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware. The script connects to the $IPC tree, executes a transaction on FID 0 and...
http-vuln-cve2017-5689 NSE Script
Detects if a system with Intel Active Management Technology is vulnerable to the INTEL-SA-00075 privilege escalation vulnerability (CVE-2017-5689). This script determines if a target is vulnerable by attempting to perform digest authentication with a blank response parameter. If the authentication...
vmware-version NSE Script
Queries a VMware server (vCenter, ESX, ESXi) SOAP API to extract the version information. The same script as VMware Fingerprinter from VASTO, created by Claudio Criscione and Paolo Canaletti. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size,...
smb-double-pulsar-backdoor NSE Script
Checks if the target machine is running the Double Pulsar SMB backdoor. Based on the python detection script by Luke Jennings of Countercept. See also: smb-vuln-ms17-010.nse Script Arguments smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbauth...
broadcast-ospf2-discover NSE Script
Discovers IPv4 networks using the Open Shortest Path First version 2 (OSPFv2) protocol. The script works by listening for OSPF Hello packets from the 224.0.0.5 multicast address. The script then replies and attempts to create a neighbor relationship, in order to discover the network database. If no interface...
http-vuln-cve2017-5638 NSE Script
Detects whether the specified URL is vulnerable to the Apache Struts Remote Code Execution Vulnerability CVE-2017-5638. Script Arguments http-vuln-cve2017-5638.path The URL path to request. The default path is "/". http-vuln-cve2017-5638.method The HTTP method for the request. The default method ...
impress-remote-discover NSE Script
Tests for the presence of the LibreOffice Impress Remote server. Checks if a PIN is valid if provided and will brute force the PIN if requested. When a remote first contacts Impress and sends a client name and PIN, the user must open the "Slide Show - Impress Remote" menu and enter the matching PI...
cics-user-brute NSE Script
CICS User ID brute forcing script for the CESL login screen. Script Arguments cics-user-brute.commands Commands in a semi-colon separated list needed to access CICS. Defaults to CICS. brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly,...
cics-info NSE Script
Using the CICS transaction CEMT, this script attempts to gather information about the current CICS transaction server region. It gathers OS information, Datasets (files), transactions and user ids. Based on the CICSpwn script by Ayoub ELAASSAL. Script Arguments cics-info.trans Instead of gathering all...