607 matches found
http-brute NSE Script
Performs brute force password auditing against http basic, digest and ntlm authentication. This script uses the unpwdb and brute libraries to perform password guessing. Any successful guesses are stored in the nmap registry, using the creds library, for other scripts to use. Script Arguments...
smb-vuln-ms08-067 NSE Script
Detects Microsoft Windows systems vulnerable to the remote code execution vulnerability known as MS08-067. This check is dangerous and it may crash systems. On a fairly wide scan conducted by Brandon Enright, we determined that on average, a vulnerable system is more likely to crash than to survi...
ike-version NSE Script
Obtains information (such as vendor and device type where available) from an IKE service by sending four packets to the host. This script tests with both Main and Aggressive Mode and sends multiple transforms per request. Example Usage nmap -sU -sV -p 500 nmap -sU -p 500 --script ike-version Scrip...
http-iis-short-name-brute NSE Script
Attempts to brute force the 8.3 filenames commonly known as short names of files and directories in the root folder of vulnerable IIS servers. This script is an implementation of the PoC "iis shortname scanner". The script uses ,? and to bruteforce the short name of files present in the IIS...
http-methods NSE Script
Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. It tests those methods not mentioned in the OPTIONS headers individually and sees if they are implemented. Any output other than 501/405 suggests that the method is if not in the...
bacnet-info NSE Script
Discovers and enumerates BACNet devices and collects device information based on standard requests. In some cases, devices may not strictly follow the specifications, or may comply with older versions of the specifications, and will result in a BACNET error response. Presence of this error positivel...
sshv1 NSE Script
Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1. Example Usage nmap -sV -sC Script Output PORT STATE SERVICE 22/tcp open ssh |sshv1: Server supports SSHv1 Requires nmap shortport string local nmap = require "nmap" local shortport = require "shortport" local...
smb-os-discovery NSE Script
Attempts to determine the operating system, computer name, domain, workgroup, and current time over the SMB protocol ports 445 or 139. This is done by starting a session with the anonymous account or with a proper user account, if one is given; it likely doesn't make a difference; in response to ...
dns-nsid NSE Script
Retrieves information from a DNS nameserver by requesting its nameserver ID (nsid) and asking for its id.server and version.bind values. This script performs the same queries as the following two dig commands: - dig CH TXT bind.version @target - dig +nsid CH TXT id.server @target References: 1 2...
oracle-tns-version NSE Script
Decodes the VSNNUM version number from an Oracle TNS listener. Example Usage nmap -sV Requires shortport nmap comm stdnse string description = Decodes the VSNNUM version number from an Oracle TNS listener. local shortport = require "shortport" local nmap = require "nmap" local comm = require "com...
http-vuln-cve2015-1635 NSE Script
Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE-2015-1635). The script sends a specially crafted HTTP request with no impact on the system to detect this vulnerability. The affected versions are Windows 7, Windows Server 2008 R2, Windows 8, Windows...
snmp-brute NSE Script
Attempts to find an SNMP community string by brute force guessing. This script opens a sending socket and a sniffing pcap socket in parallel threads. The sending socket sends the SNMP probes with the community strings, while the pcap socket sniffs the network for an answer to the probes. If valid...
http-vuln-cve2014-3704 NSE Script
Exploits CVE-2014-3704 also known as 'Drupageddon' in Drupal. Versions 7.32 of Drupal core are known to be affected. Vulnerability allows remote attackers to conduct SQL injection attacks via an array containing crafted keys. The script injects new Drupal administrator user via login form and the...
samba-vuln-cve-2012-1182 NSE Script
Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182. Samba versions 3.6.3 and all versions previous to this are affected by a vulnerability that allows remote code execution as the "root" user from an anonymous connection. CVE-2012-1182 marks multiple...
giop-info NSE Script
Queries a CORBA naming server for a list of objects. Example Usage nmap -sV -sC Script Output PORT STATE SERVICE REASON 1050/tcp open java-or-OTGfileshare syn-ack | giop-info: | Object: Hello | Context: Test | Object: GoodBye Requires giop shortport stdnse local giop = require "giop" local...
dns-zone-transfer NSE Script
Requests a zone transfer (AXFR) from a DNS server. The script sends an AXFR query to a DNS server. The domain to query is determined by examining the name given on the command line, the DNS server's hostname, or it can be specified with the dns-zone-transfer.domain script argument. If the query is...
ssh2-enum-algos NSE Script
Reports the number of algorithms for encryption, compression, etc. that the target SSH2 server offers. If verbosity is set, the offered algorithms are each listed by type. If the "client to server" and "server to client" algorithm lists are identical order specifies preference then the list is...
http-favicon NSE Script
Gets the favicon "favorites icon" from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed. If the script argument favicon.uri is given, that relative U...
telnet-brute NSE Script
Performs brute-force password auditing against telnet servers. Script Arguments telnet-brute.autosize Whether to automatically reduce the thread count based on the behavior of the target default: "true" telnet-brute.timeout Connection time-out timespec default: "5s" passdb, unpwdb.passlimit,...
smb-vuln-ms10-061 NSE Script
Tests whether target machines are vulnerable to ms10-061 Printer Spooler impersonation vulnerability. This vulnerability was used in Stuxnet worm. The script checks for the vuln in a safe way without a possibility of crashing the remote system as this is not a memory corruption vulnerability. In...
http-internal-ip-disclosure NSE Script
Determines if the web server leaks its internal IP address when sending an HTTP/1.0 request without a Host header. Some misconfigured web servers leak their internal IP address in the response headers when returning a redirect response. This is a known issue for some versions of Microsoft IIS, bu...
shodan-api NSE Script
Queries Shodan API for given targets and produces similar output to a -sV nmap scan. The ShodanAPI key can be set with the 'apikey' script argument, or hardcoded in the .nse file itself. You can get a free key from N.B if you want this script to run completely passively make sure to include the -...
http-csrf NSE Script
This script detects Cross Site Request Forgery (CSRF) vulnerabilities. It will try to detect them by checking whether each form contains an unpredictable token for each user. Without one an attacker may forge malicious requests. To recognize a token in a form, the script will iterate through the...
irc-unrealircd-backdoor NSE Script
Checks if an IRC server is backdoored by running a time-based command ping and checking how long it takes to respond. The irc-unrealircd-backdoor.command script argument can be used to run an arbitrary command on the remote system. Because of the nature of this vulnerability the output is never...
smtp-open-relay NSE Script
Attempts to relay mail by issuing a predefined combination of SMTP commands. The goal of this script is to tell if an SMTP server is vulnerable to mail relaying. An SMTP server that works as an open relay is an email server that does not verify if the user is authorised to send email from the...
http-vuln-cve2011-3192 NSE Script
Detects a denial of service vulnerability in the way the Apache web server handles requests for multiple overlapping/simple ranges of a page. References: See also: http-slowloris-check.nse http-slowloris.nse Script Arguments http-vuln-cve2011-3192.path Define the request path...
hostmap-bfk NSE Script
Discovers hostnames that resolve to the target's IP address by querying the online database at . The script is in the "external" category because it sends target IPs to a third party in order to query their database. This script was formerly until April 2012 known as hostmap.nse. Script Arguments...
http-waf-detect NSE Script
Attempts to determine whether a web server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or WAF (Web Application Firewall) by probing the web server with malicious payloads and detecting changes in the response code and body. To do this the script will send a...
smb-vuln-ms10-054 NSE Script
Tests whether target machines are vulnerable to the ms10-054 SMB remote memory corruption vulnerability. The vulnerable machine will crash with BSOD. The script requires at least READ access right to a share on a remote machine. Either with guest credentials or with specified username/password...
vmware-version NSE Script
Queries VMware server vCenter, ESX, ESXi SOAP API to extract the version information. The same script as VMware Fingerprinter from VASTO created by Claudio Criscione, Paolo Canaletti Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size,...
http-sql-injection NSE Script
Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. It also extracts forms from found websites and tries to identify fields that are vulnerable. The script spiders an HTTP server looking for URLs containing queries. It then proceeds to combine crafted...
ip-forwarding NSE Script
Detects whether the remote device has ip forwarding or "Internet connection sharing" enabled, by sending an ICMP echo request to a given target using the scanned host as default gateway. The given target can be a routed or a LAN host and needs to be able to respond to ICMP requests ping in order...
smtp-commands NSE Script
Attempts to use EHLO and HELP to gather the Extended commands supported by an SMTP server. Script Arguments smtp.domain or smtp-commands.domain Define the domain to be used in the SMTP commands. smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbaut...
nfs-showmount NSE Script
Shows NFS exports, like the showmount -e command. Script Arguments mount.version, nfs.version, rpc.protocol See the documentation for the rpc library. Example Usage nmap -sV --script=nfs-showmount Script Output PORT STATE SERVICE 111/tcp open rpcbind | nfs-showmount: | /home/storage/backup...
ip-geolocation-maxmind NSE Script
Tries to identify the physical location of an IP address using a Geolocation Maxmind database file available from . This script supports queries using all Maxmind databases that are supported by their API including the commercial ones. See also: ip-geolocation-geoplugin.nse...
broadcast-avahi-dos NSE Script
Attempts to discover hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is vulnerable to the Avahi NULL UDP packet denial of service CVE-2011-1002. The broadcast-avahi-dos.wait script argument specifies how many number of...
ssh-run NSE Script
Runs remote command on ssh server and returns command output. Script Arguments ssh-run.username Username to authenticate as ssh-run.cmd Command to run on remote server ssh-run.password Password to use if using password authentication ssh-run.privatekey Privatekeyfile to use if using publickey...
ftp-brute NSE Script
Performs brute force password auditing against FTP servers. Based on old ftp-brute.nse script by Diman Todorov, Vlatko Kosturjak and Ron Bowes. See also: ftp-anon.nse Script Arguments ftp-brute.timeout the amount of time to wait for a response on the socket. Lowering this value may result in a...
ftp-proftpd-backdoor NSE Script
Tests for the presence of the ProFTPD 1.3.3c backdoor reported as BID 45150. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument. Script Arguments ftp-proftpd-backdoor.cmd Command to...
rpcinfo NSE Script
Connects to portmapper and fetches a list of all registered programs. It then prints out a table including for each program the RPC program number, supported version numbers, port number and protocol, and program name. See also: rpc-grind.nse Script Arguments mount.version, nfs.version,...
ssl-date NSE Script
Retrieves a target host's time and date from its TLS ServerHello response. In many TLS implementations, the first four bytes of server randomness are a Unix timestamp. The script will test whether this is indeed true and report the time only if it passes this test. Original idea by Jacob Appelbau...
weblogic-t3-info NSE Script
Detect the T3 RMI protocol and Weblogic version Example Usage nmap -sV Requires comm string shortport nmap local comm = require "comm" local string = require "string" local shortport = require "shortport" local nmap = require "nmap" description = "Detect the T3 RMI protocol and Weblogic version"...
xmpp-info NSE Script
Connects to XMPP server port 5222 and collects server information such as: supported auth mechanisms, compression methods, whether TLS is supported and mandatory, stream management, language, support of In-Band registration, server capabilities. If possible, studies server vendor. Script Argument...
netbus-auth-bypass NSE Script
Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password. For example a server running on TCP port 12345 on localhost with this vulnerability is accessible to anyone. An attacker could simply form a connection to the...
sslv2-drown NSE Script
Determines whether the server supports SSLv2, what ciphers it supports and tests for CVE-2015-3197, CVE-2016-0703 and CVE-2016-0800 DROWN Script Arguments tls.servername See the documentation for the tls library. smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the...
vnc-brute NSE Script
Performs brute force password auditing against VNC servers. See also: realvnc-auth-bypass.nse Script Arguments vnc-brute.bruteusers If set, allows the script to iterate over usernames for auth types that require it plain, Apple Remote Desktop 30, SASL not supported, and ATEN Default: false, since...
firewalk NSE Script
Tries to discover firewall rules using an IP TTL expiration technique known as firewalking. To determine a rule on a given gateway, the scanner sends a probe to a metric located behind the gateway, with a TTL one higher than the gateway. If the probe is forwarded by the gateway, then we can expec...
http-headers NSE Script
Performs a HEAD request for the root folder "/" of a web server and displays the HTTP headers returned. See also: http-security-headers.nse Script Arguments useget Set to force GET requests instead of HEAD. path The path to request, such as /index.php. Default /. slaxml.debug See the documentatio...
broadcast-dhcp-discover NSE Script
Sends a DHCP request to the broadcast address 255.255.255.255 and reports the results. By default, the script uses a static MAC address DE:AD:CO:DE:CA:FE in order to prevent IP pool exhaustion. The script reads the response using pcap by opening a listening pcap socket on all available ethernet...
http-ntlm-info NSE Script
This script enumerates information from remote HTTP services with NTLM authentication enabled. By sending a HTTP NTLM authentication request with null domain and user credentials passed in the 'Authorization' header, the remote service will respond with a NTLMSSP message encoded within the...