607 matches found
dicom-ping NSE Script
Attempts to discover DICOM servers DICOM Service Provider through a partial C-ECHO request. It also detects if the server allows any called Application Entity Title or not. The script responds with the message "Called AET check enabled" when the association request is rejected due configuration...
broadcast-jenkins-discover NSE Script
Discovers Jenkins servers on a LAN by sending a discovery broadcast probe. For more information about Jenkins auto discovery, see: Script Arguments broadcast-jenkins.address address to which the probe packet is sent. default: 255.255.255.255 broadcast-jenkins.timeout socket timeout default: 5s...
imap-brute NSE Script
Performs brute force password auditing against IMAP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication. Script Arguments imap-brute.auth authentication mechanism to use LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM passdb, unpwdb.passlimit, unpwdb.timelimit,...
ldap-search NSE Script
Attempts to perform an LDAP search and returns all matches. If no username and password is supplied to the script the Nmap registry is consulted. If the ldap-brute script has been selected and it found a valid account, this account will be used. If not anonymous bind will be used as a last attemp...
http-vhosts NSE Script
Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames. Each HEAD request provides a different Host header. The hostnames come from a built-in default list. Shows the names that return a document. Also shows the location of...
ssh-publickey-acceptance NSE Script
This script takes a table of paths to private keys, passphrases, and usernames and checks each pair to see if the target ssh server accepts them for publickey authentication. If no keys are given or the known-bad option is given, the script will check if a list of known static public keys are...
http-cisco-anyconnect NSE Script
Connect as Cisco AnyConnect client to a Cisco SSL VPN and retrieves version and tunnel information. Script Arguments slaxml.debug See the documentation for the slaxml library. smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbauth library...
sip-call-spoof NSE Script
Spoofs a call to a SIP phone and detects the action taken by the target busy, declined, hung up, etc. This works by sending a fake sip invite request to the target phone and checking the responses. A response with status code 180 means that the phone is ringing. The script waits for the next...
mysql-enum NSE Script
Performs valid-user enumeration against MySQL server using a bug discovered and published by Kingcope . Server version 5.x are susceptible to an user enumeration attack due to different messages during login when using old authentication mechanism from versions 4.x and earlier. Script Arguments...
http-litespeed-sourcecode-download NSE Script
Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending a HTTP request with a null byte followed by a .txt file extension CVE-2010-2333. If the server is not vulnerable it returns an error 400. If index.php i...
http-proxy-brute NSE Script
Performs brute force password guessing against HTTP proxy servers. Script Arguments http-proxy-brute.url sets an alternative URL to use when brute forcing default: http-proxy-brute.method changes the HTTP method to use when performing brute force guessing default: HEAD creds.service, creds.global...
whois-domain NSE Script
Attempts to retrieve information about the domain name of the target See also: whois-ip.nse Example Usage nmap --script whois-domain.nse This script starts by querying the whois.iana.org which is the root of the whois servers. Using some patterns the script can determine if the response represent...
http-drupal-enum-users NSE Script
Enumerates Drupal users by exploiting an information disclosure vulnerability in Views, Drupal's most popular module. Requests to admin/views/ajax/autocomplete/user/STRING return all usernames that begin with STRING. The script works by iterating STRING over letters to extract all usernames. For...
http-grep NSE Script
Spiders a website and attempts to match all pages and urls against a given string. Matches are counted and grouped per url under which they were discovered. Features built in patterns like email, ip, ssn, discover, amex and more. The script searches for email and ip by default. Script Arguments...
ms-sql-info NSE Script
Attempts to determine configuration and version information for Microsoft SQL Server instances. SQL Server credentials required: No will not benefit from mssql.username & mssql.password. Run criteria: Host script: Will always run. Port script: N/A NOTE: Unlike previous versions, this script will...
http-fetch NSE Script
The script is used to fetch files from servers. The script supports three different use cases: The paths argument isn't provided, the script spiders the host and downloads files in their respective folders relative to the one provided using "destination". The paths argumenta single item or list i...
rlogin-brute NSE Script
Performs brute force password auditing against the classic UNIX rlogin remote login service. This script must be run in privileged mode on UNIX because it must bind to a low source port number. Script Arguments rlogin-brute.timeout socket timeout for connecting to rlogin default 10s passdb,...
sstp-discover NSE Script
Check if the Secure Socket Tunneling Protocol is supported. This is accomplished by trying to establish the HTTPS layer which is used to carry SSTP traffic as described in: - Current SSTP server implementations: - Microsoft Windows Server 2008/Server 2012 - MikroTik RouterOS - SEIL Example...
ip-geolocation-ipinfodb NSE Script
Tries to identify the physical location of an IP address using the IPInfoDB geolocation web service . There is no limit on requests to this service. However, the API key needs to be obtained through free registration for this service: http://ipinfodb.com/login.php See also:...
nrpe-enum NSE Script
Queries Nagios Remote Plugin Executor NRPE daemons to obtain information such as load averages, process counts, logged in user information, etc. This script attempts to execute the stock list of commands that are enabled. User-supplied arguments are not supported. Script Arguments nrpe-enum.cmds ...
distcc-cve2004-2687 NSE Script
Detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. The vulnerability was disclosed in 2002, but is still present in modern implementation due to poor configuration of the service. Script Arguments cmd the command to run at the remote server...
smb-webexec-exploit NSE Script
Attempts to run a command via WebExService, using the WebExec vulnerability. Given a Windows account local or domain, this will start an arbitrary executable with SYSTEM privileges over the SMB protocol. The argument webexeccommand will run the command directly. It may or may not start with a GUI...
smb2-vuln-uptime NSE Script
Attempts to detect missing patches in Windows systems by checking the uptime returned during the SMB2 protocol negotiation. SMB2 protocol negotiation response returns the system boot time pre-authentication. This information can be used to determine if a system is missing critical patches without...
ldap-rootdse NSE Script
Retrieves the LDAP root DSA-specific Entry DSE Example Usage nmap -p 389 --script ldap-rootdse Script Output PORT STATE SERVICE 389/tcp open ldap | ldap-rootdse: | currentTime: 20100112092616.0Z | subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=cqure,DC=net | dsServiceName: CN=NTDS...
http-passwd NSE Script
Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini. The script uses several technique: Generic directory traversal by requesting paths like ../../../../etc/passwd. Known specific traversals of several web servers. Query string traversal...
gkrellm-info NSE Script
Queries a GKRellM service for monitoring information. A single round of collection is made, showing a snapshot of information at the time of the request. Example Usage nmap -p 19150 --script gkrellm-info Script Output PORT STATE SERVICE 19150/tcp open gkrellm | gkrellm-info: | Hostname: ubu1110 |...
telnet-encryption NSE Script
Determines whether the encryption option is supported on a remote telnet server. Some systems including FreeBSD and the krb5 telnetd available in many Linux distributions implement this option incorrectly, leading to a remote root vulnerability. This script currently only tests whether encryption...
smb2-capabilities NSE Script
Attempts to list the supported capabilities in a SMBv2 server for each enabled dialect. The script sends a SMB2COMNEGOTIATE command and parses the response using the SMB dialects: 2.0.2 2.1 3.0 3.0.2 3.1.1 References: Script Arguments randomseed, smbbasic, smbport, smbsign See the documentation f...
http-robtex-shared-ns NSE Script
Finds up to 100 domain names which use the same name server as the target by querying the Robtex service at . The target must be specified by DNS name, not IP address. TEMPORARILY DISABLED due to changes in Robtex's API. See Script Arguments slaxml.debug See the documentation for the slaxml...
ajp-brute NSE Script
Performs brute force passwords auditing against the Apache JServ protocol. The Apache JServ Protocol is commonly used by web servers to communicate with back-end Java application server containers. Script Arguments ajp-brute.path URL path to request. Default: / creds.service, creds.global See the...
openwebnet-discovery NSE Script
OpenWebNet is a communications protocol developed by Bticino since 2000. Retrieves device identifying information and number of connected devices. References: Example Usage nmap --script openwebnet-discovery Script Output | openwebnet-discover: | IP Address: 192.168.200.35 | Net Mask: 255.255.255...
tls-ticketbleed NSE Script
Detects whether a server is vulnerable to the F5 Ticketbleed bug CVE-2016-9244. For additional information: Script Arguments tls-ticketbleed.protocols default tries all TLSv1.0, TLSv1.1, or TLSv1.2 tls.servername See the documentation for the tls library. smbdomain, smbhash, smbnoguest,...
dns-blacklist NSE Script
Checks target IP addresses against multiple DNS anti-spam and open proxy blacklists and returns a list of services for which an IP has been flagged. Checks may be limited by service category eg: SPAM, PROXY or to a specific service name. Script Arguments dns-blacklist.services string containing a...
dns-cache-snoop NSE Script
Performs DNS cache snooping against a DNS server. There are two modes of operation, controlled by the dns-cache-snoop.mode script argument. In nonrecursive mode the default, queries are sent to the server with the RD recursion desired flag set to 0. The server should respond positively to these...
sniffer-detect NSE Script
Checks if a target on a local Ethernet has its network card in promiscuous mode. The techniques used are described at . Example Usage nmap -sV --script=sniffer-detect Script Output Host script results: | sniffer-detect: Likely in promiscuous mode tests: "11111111" Requires nmap stdnse string tabl...
mysql-query NSE Script
Runs a query against a MySQL database and returns the results as a table. Script Arguments mysql-query.noheaders do not display column headers default: false mysql-query.query the query for which to return the results mysql-query.username optional the username used to authenticate to the database...
hostmap-crtsh NSE Script
Finds subdomains of a web server by querying Google's Certificate Transparency logs database . The script will run against any target that has a name, either specified on the command line or obtained via reverse-DNS. NSE implementation of ctfr.py by Sheila Berta. References:...
ms-sql-brute NSE Script
Performs password guessing against Microsoft SQL Server ms-sql. Works best in conjunction with the broadcast-ms-sql-discover script. SQL Server credentials required: No will not benefit from mssql.username & mssql.password. Run criteria: Host script: Will run if the mssql.instance-all,...
sip-methods NSE Script
Enumerates a SIP Server's allowed methods INVITE, OPTIONS, SUBSCRIBE, etc. The script works by sending an OPTION request to the server and checking for the value of the Allow header in the response. Script Arguments sip.timeout See the documentation for the sip library. Example Usage nmap...
http-server-header NSE Script
Uses the HTTP Server header for missing version info. This is currently infeasible with version probes because of the need to match non-HTTP services correctly. Example Usage nmap -sV Script Output PORT STATE SERVICE VERSION 80/tcp open http Unidentified Server 1.0 PORT STATE SERVICE VERSION 80/t...
banner NSE Script
A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds. The banner will be truncated to fit into a single line, but an extra line may be printed for every increase in the level of verbosity requested on the command line...
ms-sql-xp-cmdshell NSE Script
Attempts to run a command using the command shell of Microsoft SQL Server ms-sql. SQL Server credentials required: Yes use ms-sql-brute, ms-sql-empty-password and/or mssql.username & mssql.password Run criteria: Host script: Will run if the mssql.instance-all, mssql.instance-name or...
dns-fuzz NSE Script
Launches a DNS fuzzing attack against DNS servers. The script induces errors into randomly generated but valid DNS packets. The packet template that we use includes one uncompressed and one compressed name. Use the dns-fuzz.timelimit argument to control how long the fuzzing lasts. This script...
mongodb-brute NSE Script
Performs brute force password auditing against the MongoDB database. Script Arguments mongodb-brute.db Database against which to check. Default: admin passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See...
smtp-ntlm-info NSE Script
This script enumerates information from remote SMTP services with NTLM authentication enabled. Sending a SMTP NTLM authentication request with null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version...
redis-info NSE Script
Retrieves information such as version number and architecture from a Redis key-value store. Script Arguments creds.service, creds.global See the documentation for the creds library. Example Usage nmap -p 6379 --script redis-info Script Output PORT STATE SERVICE 6379/tcp open unknown | redis-info:...
http-vuln-misfortune-cookie NSE Script
Detects the RomPager 4.07 Misfortune Cookie vulnerability by safely exploiting it. See also: http-vuln-cve2013-6786.nse Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline,...
smb2-time NSE Script
Attempts to obtain the current system date and the start date of a SMB2 server. Script Arguments randomseed, smbbasic, smbport, smbsign See the documentation for the smb library. smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbauth library. Examp...
http-cross-domain-policy NSE Script
Checks the cross-domain policy file /crossdomain.xml and the client-acces-policy file /clientaccesspolicy.xml in web applications and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery attacks and may allow attackers to access sensitive data. This script is...
dns-update NSE Script
Attempts to perform a dynamic DNS update without authentication. Either the test or both the hostname and ip script arguments are required. Note that the test function will probably fail due to using a static zone name that is not the zone configured on your target. Script Arguments dns-update.te...