607 matches found
ldap-search NSE Script
Attempts to perform an LDAP search and returns all matches. If no username and password is supplied to the script the Nmap registry is consulted. If the ldap-brute script has been selected and it found a valid account, this account will be used. If not anonymous bind will be used as a last attemp...
imap-brute NSE Script
Performs brute force password auditing against IMAP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication. Script Arguments imap-brute.auth authentication mechanism to use LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM passdb, unpwdb.passlimit, unpwdb.timelimit,...
http-vhosts NSE Script
Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames. Each HEAD request provides a different Host header. The hostnames come from a built-in default list. Shows the names that return a document. Also shows the location of...
ssh-publickey-acceptance NSE Script
This script takes a table of paths to private keys, passphrases, and usernames and checks each pair to see if the target ssh server accepts them for publickey authentication. If no keys are given or the known-bad option is given, the script will check if a list of known static public keys are...
http-cisco-anyconnect NSE Script
Connects as a Cisco AnyConnect client to a Cisco SSL VPN and retrieves version and tunnel information. Script Arguments slaxml.debug See the documentation for the slaxml library. smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbauth library...
sip-call-spoof NSE Script
Spoofs a call to a SIP phone and detects the action taken by the target (busy, declined, hung up, etc.). This works by sending a fake SIP INVITE request to the target phone and checking the responses. A response with status code 180 means that the phone is ringing. The script waits for the next...
http-litespeed-sourcecode-download NSE Script
Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending an HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333). If the server is not vulnerable it returns an error 400. If index.php i...
mysql-enum NSE Script
Performs valid-user enumeration against MySQL server using a bug discovered and published by Kingcope. Server versions 5.x are susceptible to a user enumeration attack due to different messages during login when using the old authentication mechanism from versions 4.x and earlier. Script Arguments...
http-proxy-brute NSE Script
Performs brute force password guessing against HTTP proxy servers. Script Arguments http-proxy-brute.url sets an alternative URL to use when brute forcing default: http-proxy-brute.method changes the HTTP method to use when performing brute force guessing default: HEAD creds.service, creds.global...
http-drupal-enum NSE Script
Enumerates the installed Drupal modules/themes by using a list of known modules and themes. The script works by iterating over module/theme names and requesting MODULEPATH/MODULENAME/LICENSE.txt for modules and THEMEPATH/THEMENAME/LICENSE.txt. MODULEPATH/THEMEPATH which is either provided by the...
http-drupal-enum-users NSE Script
Enumerates Drupal users by exploiting an information disclosure vulnerability in Views, Drupal's most popular module. Requests to admin/views/ajax/autocomplete/user/STRING return all usernames that begin with STRING. The script works by iterating STRING over letters to extract all usernames. For...
ms-sql-info NSE Script
Attempts to determine configuration and version information for Microsoft SQL Server instances. SQL Server credentials required: No (will not benefit from mssql.username & mssql.password). Run criteria: Host script: Will always run. Port script: N/A NOTE: Unlike previous versions, this script will...
whois-domain NSE Script
Attempts to retrieve information about the domain name of the target See also: whois-ip.nse Example Usage nmap --script whois-domain.nse This script starts by querying the whois.iana.org which is the root of the whois servers. Using some patterns the script can determine if the response represent...
http-grep NSE Script
Spiders a website and attempts to match all pages and urls against a given string. Matches are counted and grouped per url under which they were discovered. Features built in patterns like email, ip, ssn, discover, amex and more. The script searches for email and ip by default. Script Arguments...
rlogin-brute NSE Script
Performs brute force password auditing against the classic UNIX rlogin remote login service. This script must be run in privileged mode on UNIX because it must bind to a low source port number. Script Arguments rlogin-brute.timeout socket timeout for connecting to rlogin default 10s passdb,...
http-fetch NSE Script
The script is used to fetch files from servers. The script supports three different use cases: The paths argument isn't provided, the script spiders the host and downloads files in their respective folders relative to the one provided using "destination". The paths argumenta single item or list i...
sstp-discover NSE Script
Check if the Secure Socket Tunneling Protocol is supported. This is accomplished by trying to establish the HTTPS layer which is used to carry SSTP traffic as described in: - Current SSTP server implementations: - Microsoft Windows Server 2008/Server 2012 - MikroTik RouterOS - SEIL Example...
ip-geolocation-ipinfodb NSE Script
Tries to identify the physical location of an IP address using the IPInfoDB geolocation web service. There is no limit on requests to this service. However, the API key needs to be obtained through free registration for this service: http://ipinfodb.com/login.php See also:...
nrpe-enum NSE Script
Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such as load averages, process counts, logged in user information, etc. This script attempts to execute the stock list of commands that are enabled. User-supplied arguments are not supported. Script Arguments nrpe-enum.cmds ...
distcc-cve2004-2687 NSE Script
Detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. The vulnerability was disclosed in 2002, but is still present in modern implementations due to poor configuration of the service. Script Arguments cmd the command to run at the remote server...
smb-webexec-exploit NSE Script
Attempts to run a command via WebExService, using the WebExec vulnerability. Given a Windows account (local or domain), this will start an arbitrary executable with SYSTEM privileges over the SMB protocol. The argument webexeccommand will run the command directly. It may or may not start with a GUI...
ldap-rootdse NSE Script
Retrieves the LDAP root DSA-specific Entry DSE Example Usage nmap -p 389 --script ldap-rootdse Script Output PORT STATE SERVICE 389/tcp open ldap | ldap-rootdse: | currentTime: 20100112092616.0Z | subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=cqure,DC=net | dsServiceName: CN=NTDS...
http-passwd NSE Script
Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini. The script uses several techniques: Generic directory traversal by requesting paths like ../../../../etc/passwd. Known specific traversals of several web servers. Query string traversal...
smb2-vuln-uptime NSE Script
Attempts to detect missing patches in Windows systems by checking the uptime returned during the SMB2 protocol negotiation. SMB2 protocol negotiation response returns the system boot time pre-authentication. This information can be used to determine if a system is missing critical patches without...
gkrellm-info NSE Script
Queries a GKRellM service for monitoring information. A single round of collection is made, showing a snapshot of information at the time of the request. Example Usage nmap -p 19150 --script gkrellm-info Script Output PORT STATE SERVICE 19150/tcp open gkrellm | gkrellm-info: | Hostname: ubu1110 |...
telnet-encryption NSE Script
Determines whether the encryption option is supported on a remote telnet server. Some systems (including FreeBSD and the krb5 telnetd available in many Linux distributions) implement this option incorrectly, leading to a remote root vulnerability. This script currently only tests whether encryption...
smb2-capabilities NSE Script
Attempts to list the supported capabilities in a SMBv2 server for each enabled dialect. The script sends a SMB2COMNEGOTIATE command and parses the response using the SMB dialects: 2.0.2 2.1 3.0 3.0.2 3.1.1 References: Script Arguments randomseed, smbbasic, smbport, smbsign See the documentation f...
http-robtex-shared-ns NSE Script
Finds up to 100 domain names which use the same name server as the target by querying the Robtex service at . The target must be specified by DNS name, not IP address. TEMPORARILY DISABLED due to changes in Robtex's API. See Script Arguments slaxml.debug See the documentation for the slaxml...
ajp-brute NSE Script
Performs brute force password auditing against the Apache JServ protocol. The Apache JServ Protocol is commonly used by web servers to communicate with back-end Java application server containers. Script Arguments ajp-brute.path URL path to request. Default: / creds.service, creds.global See the...
openwebnet-discovery NSE Script
OpenWebNet is a communications protocol developed by Bticino since 2000. Retrieves device identifying information and number of connected devices. References: Example Usage nmap --script openwebnet-discovery Script Output | openwebnet-discover: | IP Address: 192.168.200.35 | Net Mask: 255.255.255...
dns-cache-snoop NSE Script
Performs DNS cache snooping against a DNS server. There are two modes of operation, controlled by the dns-cache-snoop.mode script argument. In nonrecursive mode (the default), queries are sent to the server with the RD (recursion desired) flag set to 0. The server should respond positively to these...
sniffer-detect NSE Script
Checks if a target on a local Ethernet has its network card in promiscuous mode. The techniques used are described at . Example Usage nmap -sV --script=sniffer-detect Script Output Host script results: | sniffer-detect: Likely in promiscuous mode tests: "11111111" Requires nmap stdnse string tabl...
tls-ticketbleed NSE Script
Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244). For additional information: Script Arguments tls-ticketbleed.protocols default tries all TLSv1.0, TLSv1.1, or TLSv1.2 tls.servername See the documentation for the tls library. smbdomain, smbhash, smbnoguest,...
hostmap-crtsh NSE Script
Finds subdomains of a web server by querying Google's Certificate Transparency logs database. The script will run against any target that has a name, either specified on the command line or obtained via reverse-DNS. NSE implementation of ctfr.py by Sheila Berta. References:...
dns-blacklist NSE Script
Checks target IP addresses against multiple DNS anti-spam and open proxy blacklists and returns a list of services for which an IP has been flagged. Checks may be limited by service category eg: SPAM, PROXY or to a specific service name. Script Arguments dns-blacklist.services string containing a...
ms-sql-brute NSE Script
Performs password guessing against Microsoft SQL Server (ms-sql). Works best in conjunction with the broadcast-ms-sql-discover script. SQL Server credentials required: No (will not benefit from mssql.username & mssql.password). Run criteria: Host script: Will run if the mssql.instance-all,...
banner NSE Script
A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds. The banner will be truncated to fit into a single line, but an extra line may be printed for every increase in the level of verbosity requested on the command line...
ms-sql-xp-cmdshell NSE Script
Attempts to run a command using the command shell of Microsoft SQL Server (ms-sql). SQL Server credentials required: Yes (use ms-sql-brute, ms-sql-empty-password and/or mssql.username & mssql.password) Run criteria: Host script: Will run if the mssql.instance-all, mssql.instance-name or...
sip-methods NSE Script
Enumerates a SIP Server's allowed methods (INVITE, OPTIONS, SUBSCRIBE, etc.). The script works by sending an OPTION request to the server and checking for the value of the Allow header in the response. Script Arguments sip.timeout See the documentation for the sip library. Example Usage nmap...
mysql-query NSE Script
Runs a query against a MySQL database and returns the results as a table. Script Arguments mysql-query.noheaders do not display column headers default: false mysql-query.query the query for which to return the results mysql-query.username optional the username used to authenticate to the database...
dns-fuzz NSE Script
Launches a DNS fuzzing attack against DNS servers. The script induces errors into randomly generated but valid DNS packets. The packet template that we use includes one uncompressed and one compressed name. Use the dns-fuzz.timelimit argument to control how long the fuzzing lasts. This script...
http-server-header NSE Script
Uses the HTTP Server header for missing version info. This is currently infeasible with version probes because of the need to match non-HTTP services correctly. Example Usage nmap -sV Script Output PORT STATE SERVICE VERSION 80/tcp open http Unidentified Server 1.0 PORT STATE SERVICE VERSION 80/t...
http-vuln-misfortune-cookie NSE Script
Detects the RomPager 4.07 Misfortune Cookie vulnerability by safely exploiting it. See also: http-vuln-cve2013-6786.nse Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline,...
mongodb-brute NSE Script
Performs brute force password auditing against the MongoDB database. Script Arguments mongodb-brute.db Database against which to check. Default: admin passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See...
smtp-ntlm-info NSE Script
This script enumerates information from remote SMTP services with NTLM authentication enabled. Sending a SMTP NTLM authentication request with null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version...
ms-sql-dump-hashes NSE Script
Dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John-the-ripper. In order to do so the user needs to have the appropriate DB privileges. Credentials passed as script arguments take precedence over credentials discovered by other scripts. Script...
mqtt-subscribe NSE Script
Dumps message traffic from MQTT brokers. This script establishes a connection to an MQTT broker and subscribes to the requested topics. The default topics have been chosen to receive system information and all messages from other clients. This allows Nmap to listen to all messages being publishe...
redis-info NSE Script
Retrieves information such as version number and architecture from a Redis key-value store. Script Arguments creds.service, creds.global See the documentation for the creds library. Example Usage nmap -p 6379 --script redis-info Script Output PORT STATE SERVICE 6379/tcp open unknown | redis-info:...
ms-sql-ntlm-info NSE Script
This script enumerates information from remote Microsoft SQL services with NTLM authentication enabled. Sending a MS-TDS NTLM authentication request with an invalid domain and null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIO...
dns-update NSE Script
Attempts to perform a dynamic DNS update without authentication. Either the test or both the hostname and ip script arguments are required. Note that the test function will probably fail due to using a static zone name that is not the zone configured on your target. Script Arguments dns-update.te...