vulners NSE Script
For each available CPE the script prints out known vulns (links to the corresponding info) and corresponding CVSS scores. Its work is pretty simple: it runs only when some software version is identified for an open port, takes all the known CPEs for that software from the standard nmap -sV output, and makes a...
ftp-anon NSE Script
Checks if an FTP server allows anonymous logins. If anonymous is allowed, gets a directory listing of the root directory and highlights writeable files. See also: ftp-brute.nse Script Arguments ftp-anon.maxlist The maximum number of files to return in the directory listing. By default it is 20, o...
ssl-dh-params NSE Script
Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services. This script simulates SSL/TLS handshakes using ciphersuites that have ephemeral Diffie-Hellman as the key exchange algorithm. Diffie-Hellman MODP group parameters are extracted and analyzed for vulnerability to Logjam CVE...
ssh-auth-methods NSE Script
Returns authentication methods that an SSH server supports. This is in the "intrusive" category because it starts an authentication with a username which may be invalid. The abandoned connection will likely be logged. Example Usage nmap -p 22 --script ssh-auth-methods --script-args="ssh.user="...
http-hsts-verify NSE Script
Verify that HTTP Strict Transport Security is enabled. HTTP Strict-Transport-Security (HSTS, RFC 6797) forces a web browser to communicate with a web server over HTTPS. This script examines HTTP Response Headers to determine whether HSTS is configured. References:...
http-phpmyadmin-dir-traversal NSE Script
Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 and possibly other versions to retrieve remote files on the web server. Reference: Script Arguments http-phpmyadmin-dir-traversal.dir Basepath to the services page. Default: /phpMyAdmin-2.6.4-pl1/...
rdp-enum-encryption NSE Script
Determines which Security layer and Encryption level is supported by the RDP service. It does so by cycling through all existing protocols and ciphers. When run in debug mode, the script also returns the protocols and ciphers that fail and any errors that were reported. The script was inspired by...
http-slowloris-check NSE Script
Tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack. Slowloris was described at Defcon 17 by RSnake. This script opens two connections to the server, each without the final CRLF. After 10 seconds, the second connection sends an additional header...
rdp-ntlm-info NSE Script
This script enumerates information from remote RDP services with CredSSP NLA authentication enabled. Sending an incomplete CredSSP NTLM authentication request with null credentials will cause the remote service to respond with an NTLMSSP message disclosing information to include NetBIOS, DNS, and ...
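The disclosure described above is carried in the Target Info (AV_PAIR list) and Version fields of the NTLMSSP CHALLENGE_MESSAGE (type 2) that the server returns. The following is an added example, not code from the rdp-ntlm-info script: it builds a constructed CHALLENGE_MESSAGE and then parses it the way a detection tool would. It leaves out the CredSSP TSRequest wrapper a real RDP server puts around the NTLM blob, and the host, domain and build numbers in the sample are made up.

```python
import struct

# AvId values from MS-NLMP 2.2.2.1 that carry host and domain names.
AV_IDS = {
    1: "NetBIOS_Computer_Name",
    2: "NetBIOS_Domain_Name",
    3: "DNS_Computer_Name",
    4: "DNS_Domain_Name",
    5: "DNS_Tree_Name",
}
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
CHALLENGE_FIXED_LEN = 56  # fixed part of CHALLENGE_MESSAGE, including the Version field


def build_challenge(netbios_host, netbios_dom, dns_host, dns_dom, version=(10, 0, 17763)):
    """Build a CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2). Constructed test data only; a real
    host returns this inside a CredSSP TSRequest, which is not modelled here."""
    def av_pair(av_id, text):
        data = text.encode("utf-16-le")
        return struct.pack("<HH", av_id, len(data)) + data

    target_info = (av_pair(1, netbios_host) + av_pair(2, netbios_dom)
                   + av_pair(3, dns_host) + av_pair(4, dns_dom)
                   + struct.pack("<HH", 0, 0))                          # MsvAvEOL terminator
    target_name = netbios_dom.encode("utf-16-le")
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)                         # Signature, MessageType
    msg += struct.pack("<HHI", len(target_name), len(target_name), CHALLENGE_FIXED_LEN)
    msg += struct.pack("<I", flags)                                     # NegotiateFlags
    msg += b"\x11" * 8                                                  # ServerChallenge (constructed)
    msg += b"\x00" * 8                                                  # Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info),
                       CHALLENGE_FIXED_LEN + len(target_name))          # TargetInfoFields
    msg += struct.pack("<BBH", *version) + b"\x00\x00\x00" + b"\x0f"   # Version
    return msg + target_name + target_info


def parse_challenge(msg):
    """Return the names and OS version a CHALLENGE_MESSAGE discloses."""
    if len(msg) < CHALLENGE_FIXED_LEN or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE_MESSAGE (type 2)")
    flags = struct.unpack_from("<I", msg, 20)[0]
    info = {}
    if flags & NTLMSSP_NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        info["Product_Version"] = f"{major}.{minor}.{build}"
    if flags & NTLMSSP_NEGOTIATE_TARGET_INFO:
        ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
        pos, end = ti_off, min(ti_off + ti_len, len(msg))
        while pos + 4 <= end:                   # walk the AV_PAIR list
            av_id, av_len = struct.unpack_from("<HH", msg, pos)
            pos += 4
            if av_id == 0:                      # MsvAvEOL
                break
            value = msg[pos:pos + av_len]
            pos += av_len
            if av_id in AV_IDS:
                info[AV_IDS[av_id]] = value.decode("utf-16-le", errors="replace")
    return info


if __name__ == "__main__":
    sample = build_challenge("DC01", "CORP", "dc01.corp.example", "corp.example")
    for key, val in parse_challenge(sample).items():
        print(f"{key}: {val}")
```

The Version field is only present when NTLMSSP_NEGOTIATE_VERSION is set, and the Target Info list is only present with NTLMSSP_NEGOTIATE_TARGET_INFO, which is why the parser gates on the flags instead of reading fixed offsets blindly.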
firewall-bypass NSE Script
Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip. The script works by spoofing a packet from the target server asking for opening a related connection to a target port which will be fulfilled by the firewall...
rdp-vuln-ms12-020 NSE Script
Checks if a machine is vulnerable to MS12-020 RDP vulnerability. The Microsoft bulletin MS12-020 patches two vulnerabilities: CVE-2012-0152 which addresses a denial of service vulnerability inside Terminal Server, and CVE-2012-0002 which fixes a vulnerability in Remote Desktop Protocol. Both are...
smb-vuln-regsvc-dos NSE Script
Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer dereference. This check will crash the service if it is vulnerable and requires a guest account or higher to work. The vulnerability was discovered by Ron Bowes while working on smb-enum-sessions...
ssh-brute NSE Script
Performs brute-force password guessing against ssh servers. Script Arguments ssh-brute.timeout Connection timeout default: "5s" brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique,...
http-shellshock NSE Script
Attempts to exploit the "shellshock" vulnerability CVE-2014-6271 and CVE-2014-7169 in web applications. To detect this vulnerability the script executes a command that prints a random string and then attempts to find it inside the response body. Web apps that don't print back information won't be...
http-trane-info NSE Script
Attempts to obtain information from Trane Tracer SC devices. Trane Tracer SC is an intelligent field panel for communicating with HVAC equipment controllers deployed across several sectors including commercial facilities and others. The information is obtained from the web server that exposes...
smb-vuln-ms17-010 NSE Script
Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability ms17-010, a.k.a. EternalBlue. The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware. The script connects to the IPC$ tree, executes a transaction on FID 0 and...
smb-security-mode NSE Script
Returns information about the SMB security level determined by SMB. Here is how to interpret the output: User-level authentication: Each user has a separate username/password that is used to log into the system. This is the default setup of pretty much everything these days. Share-level...
http-apache-server-status NSE Script
Attempts to retrieve the server-status page for Apache webservers that have mod_status enabled. If the server-status page exists and appears to be from mod_status the script will parse useful information such as the system uptime, Apache version and recent HTTP requests. References: Script Argument...
http-php-version NSE Script
Attempts to retrieve the PHP version from a web server. PHP has a number of magic queries that return images or text that can vary with the PHP version. This script uses the following queries: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: gets a GIF logo, which changes on April Fool's Day...
realvnc-auth-bypass NSE Script
Checks if a VNC server is vulnerable to the RealVNC authentication bypass CVE-2006-2369. See also: vnc-brute.nse vnc-title.nse Script Arguments vulns.short, vulns.showall See the documentation for the vulns library. Example Usage nmap -sV --script=realvnc-auth-bypass Script Output PORT STATE...
rtsp-url-brute NSE Script
Attempts to enumerate RTSP media URLs by testing for common paths on devices such as surveillance IP cameras. The script attempts to discover valid RTSP URLs by sending a DESCRIBE request for each URL in the dictionary. It then parses the response, based on which it determines whether the URL is...
smb-vuln-cve2009-3103 NSE Script
Detects Microsoft Windows systems vulnerable to denial of service CVE-2009-3103. This script will crash the service if it is vulnerable. The script performs a denial-of-service against the vulnerability disclosed in CVE-2009-3103. This works against Windows Vista and some versions of Windows 7, a...
ftp-vsftpd-backdoor NSE Script
Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 CVE-2011-2523. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments. References: Script Arguments...
smb2-security-mode NSE Script
Determines the message signing configuration in SMBv2 servers for all supported dialects. The script sends an SMB2_COM_NEGOTIATE request for each SMB2/SMB3 dialect and parses the security mode field to determine the message signing configuration of the SMB server. References: Script Arguments...
http-vuln-cve2017-5638 NSE Script
Detects whether the specified URL is vulnerable to the Apache Struts Remote Code Execution Vulnerability CVE-2017-5638. Script Arguments http-vuln-cve2017-5638.path The URL path to request. The default path is "/". http-vuln-cve2017-5638.method The HTTP method for the request. The default method ...
ssl-enum-ciphers NSE Script
This script repeatedly initiates SSLv3/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphersuites and compressors that a server accepts. Each ciphersuite is shown with a letter grade A through...
enip-info NSE Script
This NSE script is used to send an EtherNet/IP packet to a remote device that has TCP 44818 open. The script will send a Request Identity Packet and once a response is received, it validates that it was a proper response to the command that was sent, and then will parse out the data. Information...
http-open-proxy NSE Script
Checks if an HTTP proxy is open. The script attempts to connect to www.google.com through the proxy and checks for a valid HTTP response code. Valid HTTP response codes are 200, 301, and 302. If the target is an open proxy, this script causes the target to retrieve a web page from www.google.com...
http-enum NSE Script
Enumerates directories used by popular web applications and servers. This parses a fingerprint file that's similar in format to the Nikto Web application scanner. This script, however, takes it one step further by building in advanced pattern matching as well as having the ability to identify...
http-vuln-cve2010-0738 NSE Script
Tests whether a JBoss target is vulnerable to jmx console authentication bypass CVE-2010-0738. It works by checking if the target paths require authentication or redirect to a login page that could be bypassed via a HEAD request. RFC 2616 specifies that the HEAD request should be treated exactly...
ssl-poodle NSE Script
Checks whether SSLv3 CBC ciphers are allowed (POODLE). Run with -sV to use Nmap's service scan to detect SSL/TLS on non-standard ports. Otherwise, ssl-poodle will only run on ports that are commonly used for SSL. POODLE is CVE-2014-3566. All implementations of SSLv3 that accept CBC ciphersuites are...
http-title NSE Script
Shows the title of the default page of a web server. The script will follow up to 5 HTTP redirects, using the default rules in the http library. Script Arguments http-title.url The url to fetch. Default: / slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size,...
xmpp-brute NSE Script
Performs brute force password auditing against XMPP Jabber instant messaging servers. Script Arguments xmpp-brute.servername needed when host name cannot be automatically determined eg. when running against an IP, instead of hostname xmpp-brute.auth authentication mechanism to use LOGIN, PLAIN,...
msrpc-enum NSE Script
Queries an MSRPC endpoint mapper for a list of mapped services and displays the gathered information. As it uses the smb library, you can specify an optional username and password to use. The script works much like Microsoft's rpcdump tool or the dcedump tool from the SPIKE fuzzer. Script Arguments randomseed,...
mikrotik-routeros-brute NSE Script
Performs brute force password auditing against Mikrotik RouterOS devices with the API RouterOS interface enabled. Additional information: Script Arguments mikrotik-routeros-brute.threads sets the number of threads. Default: 1 brute.credfile, brute.delay, brute.emptypass, brute.firstonly,...
snmp-info NSE Script
Extracts basic information from an SNMPv3 GET request. The same probe is used here as in the service version detection scan. Script Arguments snmp.version See the documentation for the snmp library. creds.service, creds.global See the documentation for the creds library. Example Usage nmap -sV...
smb-protocols NSE Script
Attempts to list the supported protocols and dialects of an SMB server. The script attempts to initiate a connection using the dialects: NT LM 0.12 (SMBv1), 2.0.2 (SMBv2), 2.1 (SMBv2), 3.0 (SMBv3), 3.0.2 (SMBv3), 3.1.1 (SMBv3). Additionally if SMBv1 is found enabled, it will mark it as insecure. This script is the...
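Both smb2-security-mode and smb-protocols work from the same packet: the SMB2 NEGOTIATE response, whose DialectRevision field says which dialect the server picked and whose SecurityMode field carries the SMB2_NEGOTIATE_SIGNING_ENABLED (0x0001) and SMB2_NEGOTIATE_SIGNING_REQUIRED (0x0002) flags. The block below is an added example, not code from either script: it constructs such a response (no network I/O; the GUID and sizes are placeholders) and parses it into a dialect name, an SMBv2/SMBv3 family label and a signing verdict. The verdict wording is this example's own, not the scripts' output strings.

```python
import struct

# DialectRevision values (MS-SMB2 2.2.4) and the family smb-protocols labels them with.
SMB2_DIALECTS = {
    0x0202: ("2.0.2", "SMBv2"),
    0x0210: ("2.1", "SMBv2"),
    0x0300: ("3.0", "SMBv3"),
    0x0302: ("3.0.2", "SMBv3"),
    0x0311: ("3.1.1", "SMBv3"),
}
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SMB2_COM_NEGOTIATE = 0x0000
SMB2_HEADER_LEN = 64


def build_negotiate_response(dialect, security_mode):
    """Constructed SMB2 NEGOTIATE response (64-byte header + 64-byte body) for testing."""
    header = b"\xfeSMB" + struct.pack(
        "<HHIHHIIQIIQ",
        64,                          # StructureSize
        0,                           # CreditCharge
        0,                           # Status (STATUS_SUCCESS)
        SMB2_COM_NEGOTIATE,          # Command
        1,                           # CreditResponse
        SMB2_FLAGS_SERVER_TO_REDIR,  # Flags: marks this as a response
        0, 0, 0, 0, 0,               # NextCommand, MessageId, Reserved, TreeId, SessionId
    ) + b"\x00" * 16                 # Signature (unsigned)
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65,                          # StructureSize (64 + 1 byte of variable buffer)
        security_mode,               # SecurityMode
        dialect,                     # DialectRevision
        0,                           # NegotiateContextCount / Reserved
        b"\x00" * 16,                # ServerGuid (placeholder)
        0,                           # Capabilities
        0x800000, 0x800000, 0x800000,  # MaxTransactSize, MaxReadSize, MaxWriteSize
        0, 0,                        # SystemTime, ServerStartTime
        SMB2_HEADER_LEN + 64,        # SecurityBufferOffset
        0,                           # SecurityBufferLength (no GSS token in this sample)
        0,                           # NegotiateContextOffset / Reserved2
    )
    return header + body


def parse_negotiate_response(packet):
    """Extract the chosen dialect and the SecurityMode flags from a NEGOTIATE response."""
    if len(packet) < SMB2_HEADER_LEN + 6 or packet[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 packet")
    command = struct.unpack_from("<H", packet, 12)[0]
    flags = struct.unpack_from("<I", packet, 16)[0]
    if command != SMB2_COM_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    struct_size, sec_mode, dialect = struct.unpack_from("<HHH", packet, SMB2_HEADER_LEN)
    if struct_size != 65:
        raise ValueError(f"unexpected NEGOTIATE response StructureSize {struct_size}")
    name, family = SMB2_DIALECTS.get(dialect, (f"0x{dialect:04x}", "unknown"))
    return {
        "dialect": name,
        "family": family,
        "signing_enabled": bool(sec_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(sec_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def assess_signing(result):
    """Signing verdict; 'enabled but not required' is the state that still permits relay."""
    if result["signing_required"]:
        return "Message signing enabled and required"
    if result["signing_enabled"]:
        return "Message signing enabled but not required"
    return "Message signing disabled"


if __name__ == "__main__":
    # One NEGOTIATE per dialect, as the scripts do; here the replies are constructed.
    for code in SMB2_DIALECTS:
        r = parse_negotiate_response(build_negotiate_response(code, SMB2_NEGOTIATE_SIGNING_ENABLED))
        print(f"{r['dialect']:6} ({r['family']}): {assess_signing(r)}")
```

Checking the SMB2_FLAGS_SERVER_TO_REDIR bit matters because a NEGOTIATE request has the same command code; without it a reflected request would be misread as a server's answer.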
smtp-vuln-cve2010-4344 NSE Script
Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 CVE-2010-4344 and a privilege escalation vulnerability in Exim 4.72 and prior CVE-2010-4345. The heap overflow vulnerability allows remote attackers to execute arbitrary code with the privileges of the Exim...
http-aspnet-debug NSE Script
Determines if an ASP.NET application has debugging enabled using a HTTP DEBUG request. The HTTP DEBUG verb is used within ASP.NET applications to start/stop remote debugging sessions. The script sends a 'stop-debug' command to determine the application's current configuration state but access to R...
ssh-hostkey NSE Script
Shows SSH hostkeys. Shows the target SSH server's key fingerprint and with high enough verbosity level the public key itself. It records the discovered host keys in nmap.registry for use by other scripts. Output can be controlled with the ssh_hostkey script argument. You may also compare the...
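The fingerprints the script prints are the MD5 and SHA256 of the key's wire-format blob (the base64 part of an authorized_keys/known_hosts line), and comparing them against a known_hosts file is how a scan result is turned into a "this key changed" finding. The following is an added example, not code from ssh-hostkey: it parses a public key line, computes both OpenSSH fingerprint formats, and matches the key against known_hosts entries, including the hashed |1|salt|hash host names OpenSSH writes with HashKnownHosts. The ssh-ed25519 key bytes are a counter, not a real key, and the host names are made up.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed ssh-ed25519 public key blob; the 32 key bytes are a counter, not a real key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()


def parse_pubkey_line(line):
    """Parse 'type base64blob [comment]' and check the blob's own type field agrees."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    (inner_len,) = struct.unpack_from(">I", blob, 0)
    if blob[4:4 + inner_len] != keytype.encode():
        raise ValueError("key type in line does not match blob")
    return keytype, blob


def fingerprint_md5(blob):
    """Legacy OpenSSH format: colon-separated hex of MD5(blob)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob):
    """Modern OpenSSH format: 'SHA256:' plus unpadded base64 of SHA256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def hashed_known_hosts_name(hostname, salt):
    """Build the '|1|salt|hash' name field OpenSSH uses with HashKnownHosts yes."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def known_hosts_entry_matches(entry, hostname, observed_key_line):
    """True if a known_hosts line (plain or hashed name) vouches for this host and key."""
    name_field, ktype, kblob_b64 = entry.split()[:3]
    observed_type, observed_blob = parse_pubkey_line(observed_key_line)
    if ktype != observed_type or base64.b64decode(kblob_b64) != observed_blob:
        return False                                    # different key: possible MITM or rekey
    if name_field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = name_field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(hash_b64), expected)
    return hostname in name_field.split(",")            # plain, possibly comma-separated names


if __name__ == "__main__":
    _, blob = parse_pubkey_line(SAMPLE_KEY_LINE)
    print("MD5:   ", fingerprint_md5(blob))
    print("SHA256:", fingerprint_sha256(blob))
    entry = hashed_known_hosts_name("10.0.0.5", bytes(20)) + " " + SAMPLE_KEY_LINE
    print("known_hosts match for 10.0.0.5:", known_hosts_entry_matches(entry, "10.0.0.5", SAMPLE_KEY_LINE))
```

A hashed known_hosts entry cannot be searched by host name, so the only way to test it is to recompute the HMAC with the stored salt, which is what the match function does.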
http-cookie-flags NSE Script
Examines cookies set by HTTP services. Reports any session cookies set without the httponly flag. Reports any session cookies set over SSL without the secure flag. If http-enum.nse is also run, any interesting paths found by it will be checked in addition to the root. See also: http-enum.nse...
smb-double-pulsar-backdoor NSE Script
Checks if the target machine is running the Double Pulsar SMB backdoor. Based on the python detection script by Luke Jennings of Countercept. See also: smb-vuln-ms17-010.nse Script Arguments smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbauth...
ldap-brute NSE Script
Attempts to brute-force LDAP authentication. By default it uses the built-in username and password lists. In order to use your own lists use the userdb and passdb script arguments. This script does not make any attempt to prevent account lockout! If the number of passwords in the dictionary excee...
http-security-headers NSE Script
Checks for the HTTP response headers related to security given in OWASP Secure Headers Project and gives a brief description of the header and its configuration value. The script requests the server for the header with http.head and parses it to list headers found with their configurations. The...
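http-hsts-verify, http-cookie-flags and http-security-headers all reduce to the same step: read the response headers and test them against a policy. The block below is an added example, not code from any of those scripts, showing that logic over a constructed HTTPS response. It reports whether Strict-Transport-Security is present (what http-hsts-verify checks) and additionally whether its max-age is short, flags session cookies without HttpOnly or, over TLS, without Secure, and lists OWASP Secure Headers Project headers that are absent. The one-year max-age threshold, the session-cookie name pattern and the header subset are this example's assumptions, not the scripts' lists.

```python
import re

# Constructed response, as a scanner would see it on an HTTPS port.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300; includeSubDomains\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: JSESSIONID=def456; Path=/; Secure\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Names treated as session cookies (assumption; the script keeps its own list).
SESSION_COOKIE_RE = re.compile(r"sess|auth|token|sid$", re.I)

# Subset of the OWASP Secure Headers Project headers (assumption: not the script's full list).
SECURITY_HEADERS = [
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "content-security-policy",
    "referrer-policy",
    "permissions-policy",
]
ONE_YEAR = 365 * 24 * 3600  # max-age threshold used here; the script only checks presence


def parse_headers(raw):
    """Return [(lowercased name, value), ...], preserving repeats such as Set-Cookie."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def check_hsts(headers, min_max_age=ONE_YEAR):
    """HSTS presence (the script's check) plus max-age/includeSubDomains/preload details."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return {"present": False}
    result = {"present": True, "max_age": None, "include_subdomains": False, "preload": False}
    for directive in values[0].split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.lower()
        if key == "max-age":
            try:
                result["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass                               # malformed max-age counts as missing
        elif key == "includesubdomains":
            result["include_subdomains"] = True
        elif key == "preload":
            result["preload"] = True
    result["weak"] = result["max_age"] is None or result["max_age"] < min_max_age
    return result


def check_cookies(headers, over_tls):
    """Session cookies lacking HttpOnly, and lacking Secure when the response came over TLS."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if not SESSION_COOKIE_RE.search(cookie_name):
            continue
        if "httponly" not in attrs:
            findings.append(f"{cookie_name}: httponly flag not set")
        if over_tls and "secure" not in attrs:
            findings.append(f"{cookie_name}: secure flag not set")
    return findings


def missing_security_headers(headers):
    """Security headers from SECURITY_HEADERS that the response did not send."""
    present = {n for n, _ in headers}
    return [h for h in SECURITY_HEADERS if h not in present]


if __name__ == "__main__":
    hdrs = parse_headers(RAW_RESPONSE)
    print("HSTS:", check_hsts(hdrs))
    print("Cookie findings:", check_cookies(hdrs, over_tls=True))
    print("Missing:", missing_security_headers(hdrs))
```

Header names are lowercased before comparison because HTTP header names are case-insensitive, and repeated Set-Cookie headers are kept as separate entries rather than folded, since folding them with commas would corrupt Expires attributes.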
ssl-ccs-injection NSE Script
Detects whether a server is vulnerable to the SSL/TLS "CCS Injection" vulnerability CVE-2014-0224, first discovered by Masashi Kikuchi. The script is based on the ccsinjection.c code authored by Ramon de C Valle. In order to exploit the vulnerability, a MITM attacker would effectively do the...
smtp-enum-users NSE Script
Attempts to enumerate the users on a SMTP server by issuing the VRFY, EXPN or RCPT TO commands. The goal of this script is to discover all the user accounts in the remote system. The script will output the list of user names that were found. The script will stop querying the SMTP server if...
smb-vuln-cve-2017-7494 NSE Script
Checks if target machines are vulnerable to the arbitrary shared library load vulnerability CVE-2017-7494. Unpatched versions of Samba from 3.5.0 to 4.4.13, and versions prior to 4.5.10 and 4.6.4 are affected by a vulnerability that allows remote code execution, allowing a malicious client to...
smb-brute NSE Script
Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. Every attempt will be made to get a valid list of users and to verify each username before actually using them. When a username is discovered, besides being printed, it is also sav...
ntp-info NSE Script
Gets the time and configuration variables from an NTP server. We send two requests: a time request and a "read variables" opcode 2 control message. Without verbosity, the script shows the time and the value of the version, processor, system, refid, and stratum variables. With verbosity, all...
fingerprint-strings NSE Script
Prints the readable strings from service fingerprints of unknown services. Nmap's service and application version detection engine sends named probes to target services and tries to identify them based on the response. When there is no match, Nmap produces a service fingerprint for submission...