netbus-info NSE Script
Opens a connection to a NetBus server and extracts information about the host and the NetBus service itself. The extracted host information includes a list of running applications, and the host's sound volume settings. The extracted service information includes its access control list (acl), server...
ms-sql-config NSE Script
Queries Microsoft SQL Server ms-sql instances for a list of databases, linked servers, and configuration settings. SQL Server credentials required: Yes use ms-sql-brute, ms-sql-empty-password and/or mssql.username & mssql.password Run criteria: Host script: Will run if the mssql.instance-all,...
icap-info NSE Script
Tests a list of known ICAP service names and prints information about any it detects. The Internet Content Adaptation Protocol ICAP is used to extend transparent proxy servers and is generally used for content filtering and antivirus scanning. Example Usage nmap -p 1344 --script icap-info Script...
ipv6-multicast-mld-list NSE Script
Uses Multicast Listener Discovery to list the multicast addresses subscribed to by IPv6 multicast listeners on the link-local scope. Addresses in the IANA IPv6 Multicast Address Space Registry have their descriptions listed. Script Arguments ipv6-multicast-mld-list.timeout timeout to wait for...
pcanywhere-brute NSE Script
Performs brute force password auditing against the pcAnywhere remote access protocol. Due to certain limitations of the protocol, brute forcing is limited to a single thread at a time. After a valid login pair is guessed, the script waits some time until the server becomes available again. Script Argumen...
membase-http-info NSE Script
Retrieves information (hostname, OS, uptime, etc.) from the CouchBase Web Administration port. The information retrieved by this script does not require any credentials. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size,...
http-vuln-cve2009-3960 NSE Script
Exploits cve-2009-3960 also known as Adobe XML External Entity Injection. This vulnerability permits to read local files remotely and is present in BlazeDS 3.2 and earlier, LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion...
nessus-brute NSE Script
Performs brute force password auditing against a Nessus vulnerability scanning daemon using the NTP 1.2 protocol. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation f...
cassandra-brute NSE Script
Performs brute force password auditing against the Cassandra database. For more information about Cassandra, see: Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation f...
ms-sql-hasdbaccess NSE Script
Queries Microsoft SQL Server ms-sql instances for a list of databases a user has access to. SQL Server credentials required: Yes use ms-sql-brute, ms-sql-empty-password and/or mssql.username & mssql.password Run criteria: Host script: Will run if the mssql.instance-all, mssql.instance-name or...
servicetags NSE Script
Attempts to extract system information OS, hardware, etc. from the Sun Service Tags service agent UDP port 6481. Based on protocol specs from Example Usage nmap -sU -p 6481 --script=servicetags Script Output | servicetags: | URN: urn:st:3bf76681-5e68-415b-f980-abcdef123456 | System: SunOS |...
http-vmware-path-vuln NSE Script
Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733). The vulnerability was originally released by Justin Morehouse and Tony Flick, who presented at Shmoocon 2010. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host,...
smtp-strangeport NSE Script
Checks if SMTP is running on a non-standard port. This may indicate that crackers or script kiddies have set up a backdoor on the system to send spam or control the machine. Example Usage nmap -sV --script=smtp-strangeport Script Output 22/tcp open smtp | smtp-strangeport: Mail server on unusual...
http-adobe-coldfusion-apsa1301 NSE Script
Attempts to exploit an authentication bypass vulnerability in Adobe Coldfusion servers to retrieve a valid administrator's session cookie. Reference: APSA13-01: See also: http-coldfusion-subzero.nse http-vuln-cve2009-3960.nse http-vuln-cve2010-2861.nse Script Arguments...
iscsi-info NSE Script
Collects and displays information from remote iSCSI targets. Example Usage nmap -sV -sC Script Output PORT STATE SERVICE 3260/tcp open iscsi | iscsi-info: | iqn.2006-01.com.openfiler:tsn.c8c08cad469d | Address: 192.168.56.5:3260,1 | Authentication: NOT required |...
qscan NSE Script
Repeatedly probe open and/or closed ports on a host to obtain a series of round-trip time values for each port. These values are used to group collections of ports which are statistically different from other groups. Ports being in different groups or "families" may be due to network mechanisms...
pcworx-info NSE Script
This NSE script will query and parse the pcworx protocol to a remote PLC. The script will send initial request packets and, once a response is received, it validates that it was a proper response to the command that was sent, and then will parse out the data. PCWorx is a protocol and Program by...
citrix-enum-servers NSE Script
Extracts a list of Citrix servers from the ICA Browser service. Example Usage sudo ./nmap -sU --script=citrix-enum-servers -p 1604 Script Output PORT STATE SERVICE 1604/udp open unknown | citrix-enum-servers: | CITRIXSRV01 | CITRIXSRV02 Requires nmap shortport stdnse string table local nmap =...
vnc-title NSE Script
Tries to log into a VNC server and get its desktop name. Uses credentials discovered by vnc-brute, or None authentication types. If realvnc-auth-bypass was run and returned VULNERABLE, this script will use that vulnerability to bypass authentication. See also: vnc-brute.nse realvnc-auth-bypass.ns...
http-svn-info NSE Script
Requests information from a Subversion repository. Script Arguments http-svn-info.url This is a URL relative to the scanned host eg. /default.html default: / slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline,...
smb-print-text NSE Script
Attempts to print text on a shared printer by calling Print Spooler Service RPC functions. In order to use the script, at least one printer needs to be shared over SMB. If no printer is specified, script tries to enumerate existing ones by calling LANMAN API which might not be always available...
http-rfi-spider NSE Script
Crawls webservers in search of RFI (remote file inclusion) vulnerabilities. It tests every form field it finds and every parameter of a URL containing a query. Script Arguments http-rfi-spider.withinhost only spider URLs within the same host. default: true http-rfi-spider.url the url to start...
couchdb-stats NSE Script
Gets database statistics from a CouchDB database. For more info about the CouchDB HTTP API and the statistics, see and . Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline,...
auth-owners NSE Script
Attempts to find the owner of an open TCP port by querying an auth daemon which must also be open on the target system. The auth service, also known as identd, normally runs on port 113. Example Usage nmap -sV -sC Script Output 21/tcp open ftp ProFTPD 1.3.1 | auth-owners: nobody 22/tcp open ssh...
vtam-enum NSE Script
Many mainframes use VTAM screens to connect to various applications CICS, IMS, TSO, and many more. This script attempts to brute force those VTAM application IDs. This script is based on mainframebrute by Dominic White . However, this script doesn't rely on any third party libraries or tools and...
eppc-enum-processes NSE Script
Attempts to enumerate process info over the Apple Remote Event protocol. When accessing an application over the Apple Remote Event protocol the service responds with the uid and pid of the application, if it is running, prior to requesting authentication. Example Usage nmap -p 3031 --script...
ncp-serverinfo NSE Script
Retrieves eDirectory server information OS version, server name, mounts, etc. from the Novell NetWare Core Protocol NCP service. Example Usage nmap -sV -sC Script Output PORT STATE SERVICE 524/tcp open ncp | ncp-serverinfo: | Server name: LINUX-L84T | Tree Name: IIT-LABTREE | OS Version: 5.70 rev...
fcrdns NSE Script
Performs a Forward-confirmed Reverse DNS lookup and reports anomalous results. References: Example Usage nmap -sn -Pn --script fcrdns Script Output Host script results: |fcrdns: FAIL 12.19.29.17, 12.19.20.14, 23.10.13.25 Host script results: |fcrdns: PASS 37.58.100.86-static.reverse.softlayer.com...
rpcap-brute NSE Script
Performs brute force password auditing against the WinPcap Remote Capture Daemon rpcap. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the creds library...
mongodb-info NSE Script
Attempts to get build info and server status from a MongoDB database. Script Arguments mongodb-info.db Database to check. Default: admin mongodb.db See the documentation for the mongodb library. creds.service, creds.global See the documentation for the creds library. Example Usage nmap -p 27017...
tso-brute NSE Script
TSO account brute forcer. This script relies on the NSE TN3270 library which emulates a TN3270 screen for NMAP. TSO user IDs have the following rules: - it cannot begin with a number - only contains alpha-numeric characters and @, , $. - it cannot be longer than 7 chars Script Arguments...
nping-brute NSE Script
Performs brute force password auditing against an Nping Echo service. See for Echo Mode documentation. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the cred...
nat-pmp-info NSE Script
Gets the router's WAN IP using the NAT Port Mapping Protocol (NAT-PMP). The NAT-PMP protocol is supported by a broad range of routers including: Apple AirPort Express Apple AirPort Extreme Apple Time Capsule DD-WRT OpenWrt v8.09 or higher, with MiniUPnP daemon pfSense v2.0 Tarifa firmware Linksys...
ajp-request NSE Script
Requests a URI over the Apache JServ Protocol and displays the result or stores it in a file. Different AJP methods such as; GET, HEAD, TRACE, PUT or DELETE may be used. The Apache JServ Protocol is commonly used by web servers to communicate with back-end Java application server containers. Scri...
smb-server-stats NSE Script
Attempts to grab the server's statistics over SMB and MSRPC, which uses TCP ports 445 or 139. An administrator account is required to pull these statistics on most versions of Windows, and Vista and above require UAC to be turned down. Some of the numbers returned here don't feel right to me, but...
dns-ip6-arpa-scan NSE Script
Performs a quick reverse DNS lookup of an IPv6 network using a technique which analyzes DNS server response codes to dramatically reduce the number of queries needed to enumerate large networks. The technique essentially works by adding an octet to a given IPv6 prefix and resolving it. If the add...
targets-ipv6-multicast-slaac NSE Script
Performs IPv6 host discovery by triggering stateless address auto-configuration SLAAC. This script works by sending an ICMPv6 Router Advertisement with a random address prefix, which causes hosts to begin SLAAC and send a solicitation for their newly configured address, as part of duplicate addre...
metasploit-msgrpc-brute NSE Script
Performs brute force username and password auditing against Metasploit msgrpc interface. Script Arguments creds.service, creds.global See the documentation for the creds library. smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbauth library. passd...
ajp-headers NSE Script
Performs a HEAD or GET request against either the root directory or any optional directory of an Apache JServ Protocol server and returns the server response headers. Script Arguments ajp-headers.path The path to request, such as /index.php. Default /. slaxml.debug See the documentation for the...
ndmp-fs-info NSE Script
Lists remote file systems by querying the remote device using the Network Data Management Protocol ndmp. NDMP is a protocol intended to transport data between a NAS device and the backup device, removing the need for the data to pass through the backup server. The following products are known to...
http-axis2-dir-traversal NSE Script
Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd BID 40343. By default it will try to retrieve the configuration file of the Axis2 service '/conf/axis2.xml' using the path '/axis2/services/' to return the userna...
openvas-otp-brute NSE Script
Performs brute force password auditing against a OpenVAS vulnerability scanner daemon using the OTP 1.0 protocol. Script Arguments openvas-otp-brute.threads sets the number of threads. Default: 4 passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the...
netbus-version NSE Script
Extends version detection to detect NetBuster, a honeypot service that mimes NetBus. Example Usage nmap -sV -p 12345 --script netbus-version Script Output 12345/tcp open netbus Netbuster honeypot Requires nmap shortport stdnse local nmap = require "nmap" local shortport = require "shortport" loca...
http-vuln-cve2014-8877 NSE Script
Exploits a remote code injection vulnerability CVE-2014-8877 in Wordpress CM Download Manager plugin. Versions = 2.0.0 are known to be affected. CM Download Manager plugin does not correctly sanitise the user input which allows remote attackers to execute arbitrary PHP code via the CMDsearch...
http-vuln-cve2014-2127 NSE Script
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Privilege Escalation Vulnerability CVE-2014-2127. See also: http-vuln-cve2014-2126.nse http-vuln-cve2014-2128.nse http-vuln-cve2014-2129.nse Script Arguments tls.servername See the documentation for the tls library...
cups-queue-info NSE Script
Lists currently queued print jobs of the remote CUPS service grouped by printer. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent See the documentatio...
dns-client-subnet-scan NSE Script
Performs a domain lookup using the edns-client-subnet option which allows clients to specify the subnet that queries supposedly originate from. The script uses this option to supply a number of geographically distributed locations in an attempt to enumerate as many different address records as...
snmp-win32-shares NSE Script
Attempts to enumerate Windows Shares through SNMP. Script Arguments creds.service, creds.global See the documentation for the creds library. snmp.version See the documentation for the snmp library. Example Usage nmap -sU -p 161 --script=snmp-win32-shares Script Output | snmp-win32-shares: | SYSVO...
allseeingeye-info NSE Script
Detects the All-Seeing Eye service. Provided by some game servers for querying the server's status. The All-Seeing Eye service can listen on a UDP port separate from the main game server port usually game port + 123. On receiving a packet with the payload "s", it replies with various game server...
ganglia-info NSE Script
Retrieves system information OS version, available memory, etc. from a listening Ganglia Monitoring Daemon or Ganglia Meta Daemon. Ganglia is a scalable distributed monitoring system for high-performance computing systems such as clusters and Grids. The information retrieved includes HDD size,...