607 matches found
cvs-brute NSE Script
Performs brute force password auditing against CVS pserver authentication. Script Arguments cvs-brute.repo string containing the name of the repository to brute if no repo was given the script checks the registry for any repositories discovered by the cvs-brute-repository script. If the registry...
creds-summary NSE Script
Lists all discovered credentials e.g. from brute force and default password checking scripts at end of scan. Script Arguments creds.service, creds.global See the documentation for the creds library. Example Usage nmap -sV -sC Script Output | creds-summary: | 10.10.10.10 | 22/ssh | lisbon:jane -...
http-traceroute NSE Script
Exploits the Max-Forwards HTTP header to detect the presence of reverse proxies. The script works by sending HTTP requests with values of the Max-Forwards HTTP header varying from 0 to 2 and checking for any anomalies in certain response values such as the status code, Server, Content-Type and...
dpap-brute NSE Script
Performs brute force password auditing against an iPhoto Library. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the creds library. brute.credfile, brute.dela...
http-devframework NSE Script
Tries to find out the technology behind the target website. The script checks for certain defaults that might not have been changed, like common headers or URLs or HTML content. While the script does some guessing, note that overall there's no way to determine what technologies a given site is...
dns-check-zone NSE Script
Checks DNS zone configuration against best practices, including RFC 1912. The configuration checks are divided into categories which each have a number of different tests. Script Arguments dns-check-zone.domain the dns zone to check Example Usage nmap -sn -Pn ns1.example.com --script dns-check-zo...
http-vlcstreamer-ls NSE Script
Connects to a VLC Streamer helper service and lists directory contents. The VLC Streamer helper service is used by the iOS VLC Streamer application to enable streaming of multimedia content from the remote server to the device. Script Arguments http-vlcstreamer-ls.dir directory to list default: /...
quake3-info NSE Script
Extracts information from a Quake3 game server and other games which use the same protocol. Example Usage nmap -sU -sV -Pn --script quake3-info.nse -p Script Output PORT STATE SERVICE VERSION 27960/udp open quake3 Quake 3 dedicated server | quake3-info: | PLAYERS: | 1. cyberix frags: 0/20, ping: ...
broadcast-novell-locate NSE Script
Attempts to use the Service Location Protocol to discover Novell NetWare Core Protocol NCP servers. Example Usage nmap -sV --script=broadcast-novell-locate Script Output Pre-scan script results: | broadcast-novell-locate: | Tree name: CQURE-LABTREE | Server name: linux-l84t | Addresses |...
daap-get-library NSE Script
Retrieves a list of music from a DAAP server. The list includes artist names and album and song titles. Output will be capped to 100 items if not otherwise specified in the daapitemlimit script argument. A daapitemlimit below zero outputs the complete contents of the DAAP library. Based on...
cics-user-enum NSE Script
CICS User ID enumeration script for the CESL/CESN Login screen. Script Arguments cics-user-enum.commands Commands in a semi-colon separated list needed to access CICS. Defaults to CICS. idlist Path to list of transaction IDs. Defaults to the list of CICS transactions from IBM...
rpcap-info NSE Script
Connects to the rpcap service (provides remote sniffing capabilities through WinPcap) and retrieves interface information. The service can either be setup to require authentication or not and also supports IP restrictions. See also: rpcap-brute.nse Script Arguments creds.rpcap username:password to...
hbase-region-info NSE Script
Retrieves information from an Apache HBase Hadoop database region server HTTP status page. Information gathered: HBase version HBase compile date A bunch of metrics about the state of the region server Zookeeper quorum server Script Arguments slaxml.debug See the documentation for the slaxml...
http-svn-enum NSE Script
Enumerates users of a Subversion repository by examining logs of most recent commits. Script Arguments http-svn-enum.url This is a URL relative to the scanned host eg. /default.html default: /. http-svn-enum.count The number of logs to fetch. Defaults to the last 1000 commits. slaxml.debug See th...
couchdb-databases NSE Script
Gets database tables from a CouchDB database. For more info about the CouchDB HTTP API, see . Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent See the...
http-date NSE Script
Gets the date from HTTP-like services. Also prints how much the date differs from local time. Local time is the time the HTTP request was sent, so the difference includes at least the duration of one RTT. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host,...
dhcp-discover NSE Script
Sends a DHCPINFORM request to a host on UDP port 67 to obtain all the local configuration parameters without allocating a new address. DHCPINFORM is a DHCP request that returns useful information from a DHCP server, without allocating an IP address. The request sends a list of which fields it wan...
iax2-brute NSE Script
Performs brute force password auditing against the Asterisk IAX2 protocol. Guessing fails when a large number of attempts is made due to the maxcallnumber limit (default 2048). In case you're getting "ERROR: Too many retries, aborted ..." after a while, this is most likely what's happening. In order ...
smb-vuln-ms07-029 NSE Script
Detects Microsoft Windows systems with Dns Server RPC vulnerable to MS07-029. MS07-029 targets the RDnssrvQuery and RDnssrvQuery2 RPC method which is a part of DNS Server RPC interface that serves as a RPC service for configuring and getting information from the DNS Server service. DNS Server RPC...
unittest NSE Script
Runs unit tests on all NSE libraries. Script Arguments unittest.run Run tests. Causes unittest.testing to return true. unittest.tests Run tests from only these libraries defaults to all Example Usage nmap --script unittest --script-args unittest.run Script Output Pre-scan script results: |...
hadoop-namenode-info NSE Script
Retrieves information from an Apache Hadoop NameNode HTTP status page. Information gathered: Date/time the service was started Hadoop version Hadoop compile date Upgrades status Filesystem directory relative to Log directory relative to Associated DataNodes. Script Arguments slaxml.debug See the...
omp2-enum-targets NSE Script
Attempts to retrieve the list of target systems and networks from an OpenVAS Manager server. The script authenticates on the manager using provided or previously cracked credentials and gets the list of defined targets for each account. These targets will be added to the scanning queue in case...
jdwp-inject NSE Script
Attempts to exploit java's remote debugging port. When remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script allows injection of arbitrary class files. After injection, class' run method is executed. Method run has no parameters,...
mmouse-brute NSE Script
Performs brute force password auditing against the RPA Tech Mobile Mouse servers. The Mobile Mouse server runs on OS X, Windows and Linux and enables remote control of the keyboard and mouse from an iOS device. For more information: Script Arguments mmouse-brute.timeout socket timeout for...
broadcast-pc-anywhere NSE Script
Sends a special broadcast probe to discover PC-Anywhere hosts running on a LAN. Script Arguments broadcast-pc-anywhere.timeout specifies the amount of seconds to sniff the network interface. default varies according to timing. -T3 = 5s Example Usage nmap --script broadcast-pc-anywhere Script Outp...
rusers NSE Script
Connects to rusersd RPC service and retrieves a list of logged-in users. Script Arguments mount.version, nfs.version, rpc.protocol See the documentation for the rpc library. Example Usage nmap -sV --script=rusers Script Output | USER ON FROM SINCE IDLE | LOGIN console 2015-11-08T12:03:50 8h55m58s...
skypev2-version NSE Script
Detects the Skype version 2 service. Example Usage nmap -sV Script Output PORT STATE SERVICE VERSION 80/tcp open skype2 Skype Requires comm nmap shortport string local comm = require "comm" local nmap = require "nmap" local shortport = require "shortport" local string = require "string" local U =...
http-vuln-wnr1000-creds NSE Script
A vulnerability has been discovered in WNR 1000 series that allows an attacker to retrieve administrator credentials with the router interface. Tested On Firmware Versions: V1.0.2.6060.0.86 Latest and V1.0.2.5460.0.82NA Vulnerability discovered by c1ph04. Script Arguments...
broadcast-pim-discovery NSE Script
Discovers routers that are running PIM Protocol Independent Multicast. This works by sending a PIM Hello message to the PIM multicast address 224.0.0.13 and listening for Hello messages from other routers. Script Arguments broadcast-pim-discovery.timeout Time to wait for responses in seconds...
http-gitweb-projects-enum NSE Script
Retrieves a list of Git projects, owners and descriptions from a gitweb web interface to the Git revision control system. Script Arguments http-gitweb-projects-enum.path specifies the location of gitweb default: / slaxml.debug See the documentation for the slaxml library. http.host,...
quake1-info NSE Script
Extracts information from Quake game servers and other game servers which use the same protocol. Quake uses UDP packets, which because of source spoofing can be used to amplify a denial-of-service attack. For each request, the script reports the payload amplification as a ratio. The format used i...
reverse-index NSE Script
Creates a reverse index at the end of scan output showing which hosts run a particular service. This is in addition to Nmap's normal output listing the services on each host. Script Arguments reverse-index.mode the output display mode, can be either horizontal or vertical default: horizontal...
domcon-brute NSE Script
Performs brute force password auditing against the Lotus Domino Console. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the creds library. brute.credfile,...
citrix-enum-servers-xml NSE Script
Extracts the name of the server farm and member servers from Citrix XML service. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent See the documentatio...
broadcast-pc-duo NSE Script
Discovers PC-DUO remote control hosts and gateways running on a LAN by sending a special broadcast UDP probe. Script Arguments broadcast-pc-duo.timeout specifies the amount of seconds to sniff the network interface. default varies according to timing. -T3 = 5s Example Usage nmap --script...
broadcast-eigrp-discovery NSE Script
Performs network discovery and routing information gathering through Cisco's Enhanced Interior Gateway Routing Protocol EIGRP. The script works by sending an EIGRP Hello packet with the specified Autonomous System value to the 224.0.0.10 multicast address and listening for EIGRP Update packets. T...
riak-http-info NSE Script
Retrieves information such as node name and architecture from a Basho Riak distributed database using the HTTP protocol. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline,...
teamspeak2-version NSE Script
Detects the TeamSpeak 2 voice communication server and attempts to determine version and configuration information. A single UDP packet (a login request) is sent. If the server does not have a password set, the exact version, name, and OS type will also be reported on. Example Usage nmap -sU -sV -p...
coap-resources NSE Script
Dumps list of available resources from CoAP endpoints. This script establishes a connection to a CoAP endpoint and performs a GET request on a resource. The default resource for our request is /.well-known/core, which should contain a list of resources provided by the endpoint. For...
gpsd-info NSE Script
Retrieves GPS time, coordinates and speed from the GPSD network daemon. Script Arguments gpsd-info.timeout timespec defining how long to wait for data default 10s Example Usage nmap -p 2947 --script gpsd-info Script Output PORT STATE SERVICE REASON 2947/tcp open gpsd-ng syn-ack | gpsd-info: | Tim...
omp2-brute NSE Script
Performs brute force password auditing against the OpenVAS manager using OMPv2. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the creds library...
http-affiliate-id NSE Script
Grabs affiliate network IDs e.g. Google AdSense or Analytics, Amazon Associates, etc. from a web page. These can be used to identify pages with the same owner. If there is more than one target using an ID, the postrule of this script shows the ID along with a list of the targets using it. Support...
dict-info NSE Script
Connects to a dictionary server using the DICT protocol, runs the SHOW SERVER command, and displays the result. The DICT protocol is defined in RFC 2229 and is a protocol which allows a client to query a dictionary server for definitions from a set of natural language dictionary databases. The SH...
backorifice-brute NSE Script
Performs brute force password auditing against the BackOrifice service. The backorifice-brute.ports script argument is mandatory (it specifies ports to run the script against). Script Arguments backorifice-brute.ports (mandatory) List of UDP ports to run the script against separated with "," ex...
ip-https-discover NSE Script
Checks if the IP over HTTPS IP-HTTPS Tunneling Protocol 1 is supported. IP-HTTPS sends Teredo related IPv6 packets over an IPv4-based HTTPS session. This indicates that Microsoft DirectAccess 2, which allows remote clients to access intranet resources on a domain basis, is supported. Windows...
http-robtex-reverse-ip NSE Script
Obtains up to 100 forward DNS names for a target IP address by querying the Robtex service . TEMPORARILY DISABLED due to changes in Robtex's API. See Script Arguments http-robtex-reverse-ip.host IPv4 address of the host to lookup slaxml.debug See the documentation for the slaxml library. http.hos...
drda-brute NSE Script
Performs password guessing against databases supporting the IBM DB2 protocol such as Informix, DB2 and Derby Script Arguments drda-brute.threads the amount of accounts to attempt to brute force in parallel default 10. drda-brute.dbname the database name against which to guess passwords default...
smbv2-enabled NSE Script
Checks whether or not a server is running the SMBv2 protocol. Script Arguments randomseed, smbbasic, smbport, smbsign See the documentation for the smb library. smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbauth library. Example Usage nmap...
broadcast-ripng-discover NSE Script
Discovers hosts and routing information from devices running RIPng on the LAN by sending a broadcast RIPng Request command and collecting any responses. Script Arguments broadcast-ripng-discover.timeout sets the connection timeout default: 5s Example Usage nmap --script broadcast-ripng-discover...
freelancer-info NSE Script
Detects the Freelancer game server FLServer.exe service by sending a status query UDP probe. When run as a version detection script -sV, the script will report on the server name, current number of players, maximum number of players, and whether it has a password set. When run explicitly --script...