607 matches found
http-cross-domain-policy NSE Script
Checks the cross-domain policy file /crossdomain.xml and the client-access-policy file /clientaccesspolicy.xml in web applications and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery attacks and may allow attackers to access sensitive data. This script is...
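The check the snippet describes, written out as an added Python example (not the NSE script's own Lua code): parse both policy files, list the trusted domains, and flag the settings that trust every origin. The two policy documents are constructed samples, not captured from any host.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy files (not fetched from any real host). The second
# <allow-access-from> rule and the bare "*" <domain> are the overly permissive settings.
CROSSDOMAIN_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

CLIENTACCESSPOLICY_XML = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
        <domain uri="https://partner.example.net"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""

# Values that trust every origin (Flash uses "*", Silverlight also accepts "http://*").
WILDCARDS = {"*", "http://*", "https://*"}


def trusted_domains_crossdomain(xml_text):
    """Domains listed in <allow-access-from> elements of a crossdomain.xml."""
    root = ET.fromstring(xml_text)  # for untrusted input, prefer defusedxml over ElementTree
    return [el.get("domain") for el in root.iter("allow-access-from") if el.get("domain")]


def trusted_domains_clientaccess(xml_text):
    """URIs listed in <allow-from><domain uri=.../> elements of a clientaccesspolicy.xml."""
    root = ET.fromstring(xml_text)
    return [d.get("uri") for af in root.iter("allow-from") for d in af.iter("domain") if d.get("uri")]


def insecure_flag(xml_text):
    """True if any crossdomain.xml rule sets secure="false", which lets plain-HTTP
    content use a policy that was served over HTTPS."""
    root = ET.fromstring(xml_text)
    return any(el.get("secure", "true").lower() == "false" for el in root.iter("allow-access-from"))


def audit(crossdomain_xml=None, clientaccess_xml=None):
    """Per-file findings: trusted domains and whether the policy trusts every origin."""
    findings = {}
    if crossdomain_xml is not None:
        domains = trusted_domains_crossdomain(crossdomain_xml)
        findings["/crossdomain.xml"] = {
            "trusted": domains,
            "permissive": any(d in WILDCARDS for d in domains),
            "secure_false": insecure_flag(crossdomain_xml),
        }
    if clientaccess_xml is not None:
        uris = trusted_domains_clientaccess(clientaccess_xml)
        findings["/clientaccesspolicy.xml"] = {
            "trusted": uris,
            "permissive": any(u in WILDCARDS for u in uris),
        }
    return findings


if __name__ == "__main__":
    for path, result in audit(CROSSDOMAIN_XML, CLIENTACCESSPOLICY_XML).items():
        print(path, result)
```

A wildcard in either file means any site a victim visits can make a Flash or Silverlight client issue credentialed requests to the target and read the responses, which is the CSRF and data-exposure risk the script flags.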
pop3-brute NSE Script
Tries to log into a POP3 account by guessing usernames and passwords. Script Arguments pop3loginmethod The login method to use: "USER" default, "SASL-PLAIN", "SASL-LOGIN", "SASL-CRAM-MD5", or "APOP". Defaults to "USER", passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the...
redis-brute NSE Script
Performs brute force password auditing against a Redis key-value store. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the creds library. brute.credfile,...
http-vuln-cve2017-8917 NSE Script
An SQL Injection vulnerability affecting Joomla! 3.7.x before 3.7.1 allows for unauthenticated users to execute arbitrary SQL commands. This vulnerability was caused by a new component, com_fields, which was introduced in version 3.7. This component is publicly accessible, which means this can be...
x11-access NSE Script
Checks if you're allowed to connect to the X server. If the X server is listening on TCP port 6000+n where n is the display number, it is possible to check if you're able to get connected to the remote display by sending an X11 initial connection request. In reply, the success byte 0x00 or 0x01 wi...
snmp-interfaces NSE Script
Attempts to enumerate network interfaces through SNMP. This script can also be run during Nmap's pre-scanning phase and can attempt to add the SNMP server's interface addresses to the target list. The script argument snmp-interfaces.host is required to know what host to probe. To specify a port f...
http-userdir-enum NSE Script
Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled. The Apache mod_userdir module allows user-specific directories to be accessed using the /~user/ syntax. This script makes http requests in order to discover valid user-specific directories and infer...
http-trace NSE Script
Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug is enabled, it returns the header fields that were modified in the response. Script Arguments http-trace.path Path to URI slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size,...
url-snarf NSE Script
Sniffs an interface for HTTP traffic and dumps any URLs, and their originating IP address. Script output differs from other scripts as URLs are written to stdout directly. There is also an option to log the results to file. The script can be limited in time by using the timeout argument or run unt...
rmi-vuln-classloader NSE Script
Tests whether Java rmiregistry allows class loading. The default configuration of rmiregistry allows loading classes from remote URLs, which can lead to remote code execution. The vendor Oracle/Sun classifies this as a design feature. Based on original Metasploit module by mihi. References: Scrip...
http-qnap-nas-info NSE Script
Attempts to retrieve the model, firmware version, and enabled services from a QNAP Network Attached Storage NAS device. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline,...
ip-geolocation-geoplugin NSE Script
Tries to identify the physical location of an IP address using the Geoplugin geolocation web service. There is no limit on lookups using this service. See also: ip-geolocation-ipinfodb.nse ip-geolocation-map-bing.nse ip-geolocation-map-google.nse ip-geolocation-map-kml.nse...
uptime-agent-info NSE Script
Gets system information from an Idera Uptime Infrastructure Monitor agent. Example Usage nmap --script uptime-agent-info -p 9998 Script Output 9998/tcp open uptime-agent syn-ack | uptime-agent-info: SYSNAME=system123 | DOMAIN=none | ARCH="Linux system123 3.12.51-60.20-default #1 SMP Fri Dec 11...
http-ls NSE Script
Shows the content of an "index" Web page. TODO: - add support for more page formats Script Arguments http-ls.url base URL path to use default: / http-ls.checksum compute a checksum for each listed file. Requires OpenSSL. default: false slaxml.debug See the documentation for the slaxml library...
smb-enum-shares NSE Script
Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names are checked. Finding open shares is useful to a penetration tester because there may ...
nbstat NSE Script
Attempts to retrieve the target's NetBIOS names and MAC address. By default, the script displays the name of the computer and the logged-in user; if the verbosity is turned up, it displays all names the system thinks it owns. Example Usage sudo nmap -sU --script nbstat.nse -p137 Script Output Hos...
socks-open-proxy NSE Script
Checks if an open socks proxy is running on the target. The script attempts to connect to a proxy server and send socks4 and socks5 payloads. It is considered an open proxy if the script receives a Request Granted response from the target port. The payloads try to open a connection to...
smb-vuln-conficker NSE Script
Detects Microsoft Windows systems infected by the Conficker worm. This check is dangerous and it may crash systems. Based loosely on the Simple Conficker Scanner, found here: -- This check was previously part of smb-check-vulns. Script Arguments smbdomain, smbhash, smbnoguest, smbpassword,...
snmp-ios-config NSE Script
Attempts to download Cisco router IOS configuration files using SNMP RW v1 and display or save them. Script Arguments snmp-ios-config.tftproot If set, specifies to what directory the downloaded config should be saved snmp.version See the documentation for the snmp library. creds.service,...
puppet-naivesigning NSE Script
Detects if naive signing is enabled on a Puppet server. This enables attackers to create any Certificate Signing Request and have it signed, allowing them to impersonate a puppet agent. This can leak the configuration of the agents as well as any other sensitive information found in the...
iec-identify NSE Script
Attempts to identify IEC 60870-5-104 ICS protocol. After probing with a TESTFR test frame message, a STARTDT start data transfer message is sent and general interrogation is used to gather the list of information object addresses stored. Example Usage nmap -sV --script=iec-identify Script Output ...
sip-enum-users NSE Script
Enumerates a SIP server's valid extensions (users). The script works by sending REGISTER SIP requests to the server with the specified extension and checking for the response status code in order to know if an extension is valid. If a response status code is 401 or 407, it means that the extension ...
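The REGISTER probe and the status-code logic described above, as an added Python example (not the NSE script's Lua): build the request for each candidate extension, parse the status line, and turn the code into a verdict. The target and scanner addresses are hypothetical (RFC 5737 documentation ranges) and the PBX responses are constructed stand-ins so the example runs offline.

```python
import re

SERVER = "198.51.100.5"   # hypothetical target (RFC 5737 documentation range)
LOCAL = "192.0.2.10"      # hypothetical scanner address


def build_register(extension, server=SERVER, local=LOCAL, cseq=1):
    """Build the REGISTER request sent for one candidate extension."""
    tag = f"ext{extension}"
    return (
        f"REGISTER sip:{server} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {local}:5060;branch=z9hG4bK{tag};rport\r\n"
        f"Max-Forwards: 70\r\n"
        f"From: <sip:{extension}@{server}>;tag={tag}\r\n"
        f"To: <sip:{extension}@{server}>\r\n"
        f"Call-ID: {tag}@{local}\r\n"
        f"CSeq: {cseq} REGISTER\r\n"
        f"Contact: <sip:{extension}@{local}:5060>\r\n"
        f"Expires: 0\r\n"
        f"Content-Length: 0\r\n"
        f"\r\n"
    )


STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) ([^\r\n]*)\r\n")


def parse_status(response):
    """Return (code, reason) from a SIP response's status line."""
    m = STATUS_LINE.match(response)
    if not m:
        raise ValueError("not a SIP/2.0 response")
    return int(m.group(1)), m.group(2)


def classify(code):
    """Map a REGISTER response code to what it says about the extension.

    401/407: the server challenged for credentials, so the extension exists.
    200: registration was accepted without any credentials at all.
    404: the user is unknown.
    403 is left inconclusive: PBXs that answer unknown users and wrong passwords
    identically (e.g. Asterisk with alwaysauthreject) use it to defeat enumeration.
    """
    if code in (401, 407):
        return "valid, auth required"
    if code == 200:
        return "valid, no auth"
    if code == 404:
        return "invalid"
    return "inconclusive"


def enumerate_extensions(extensions, send):
    """Probe each extension; `send(request) -> response` performs the network I/O."""
    return {ext: classify(parse_status(send(build_register(ext)))[0]) for ext in extensions}


# Constructed PBX responses, keyed by the extension named in the From header.
FAKE_PBX = {
    "100": "SIP/2.0 401 Unauthorized\r\nWWW-Authenticate: Digest realm=\"pbx\", nonce=\"0a1b\"\r\nContent-Length: 0\r\n\r\n",
    "101": "SIP/2.0 200 OK\r\nExpires: 0\r\nContent-Length: 0\r\n\r\n",
    "102": "SIP/2.0 403 Forbidden\r\nContent-Length: 0\r\n\r\n",
}
NOT_FOUND = "SIP/2.0 404 Not Found\r\nContent-Length: 0\r\n\r\n"


def fake_send(request):
    """Stand-in for a UDP exchange with the PBX: answer from the constructed table."""
    ext = re.search(r"^From: <sip:([^@]+)@", request, re.M).group(1)
    return FAKE_PBX.get(ext, NOT_FOUND)


if __name__ == "__main__":
    for ext, verdict in enumerate_extensions(["100", "101", "102", "999"], fake_send).items():
        print(ext, verdict)
```

On a live target, replace fake_send with a UDP socket to port 5060 and pace the probes; a 403 for every extension usually means the PBX is deliberately hiding which accounts exist.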
tls-nextprotoneg NSE Script
Enumerates a TLS server's supported protocols by using the next protocol negotiation extension. This works by adding the next protocol negotiation extension in the client hello packet and parsing the returned server hello's NPN extension data. For more information, see: Script Arguments...
bittorrent-discovery NSE Script
Discovers bittorrent peers sharing a file based on a user-supplied torrent file or magnet link. Peers implement the Bittorrent protocol and share the torrent, whereas the nodes (only shown if the include-nodes NSE argument is given) implement the DHT protocol and are used to track the peers. The se...
http-vuln-cve2006-3392 NSE Script
Exploits a file disclosure vulnerability in Webmin CVE-2006-3392 Webmin before 1.290 and Usermin before 1.220 calls the simplifypath function before decoding HTML. This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences to bypass the removal of "../"...
http-waf-fingerprint NSE Script
Tries to detect the presence of a web application firewall and its type and version. This works by sending a number of requests and looking in the responses for known behavior and fingerprints such as Server header, cookies and headers values. Intensive mode works by sending additional WAF specif...
mysql-dump-hashes NSE Script
Dumps the password hashes from a MySQL server in a format suitable for cracking by tools such as John the Ripper. Appropriate DB privileges (root) are required. The username and password arguments take precedence over credentials discovered by the mysql-brute and mysql-empty-password scripts. Scri...
mysql-empty-password NSE Script
Checks for MySQL servers with an empty password for root or anonymous. See also: mysql-brute.nse Example Usage nmap -sV --script=mysql-empty-password Script Output 3306/tcp open mysql | mysql-empty-password: | anonymous account has empty password | root account has empty password Requires mysql...
smb-enum-services NSE Script
Retrieves the list of services running on a remote Windows system. Each service attribute contains service name, display name and service status of each service. Note: Modern Windows systems require a privileged domain account in order to list the services. References: Script Arguments randomsee...
http-iis-webdav-vuln NSE Script
Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020. A list of well known folders (almost 900) is use...
smb-enum-sessions NSE Script
Enumerates the users logged into a system either locally or through an SMB share. The local users can be logged on either physically on the machine, or through a terminal services session. Connections to a SMB share are, for example, people connected to fileshares or making RPC calls. Nmap's...
upnp-info NSE Script
Attempts to extract system information from the UPnP service. Script Arguments upnp-info.override Controls whether we override the IP address information returned by the UPNP service for the location of the XML file that describes the device. Defaults to true for unicast hosts. slaxml.debug See t...
rsa-vuln-roca NSE Script
Detects RSA keys vulnerable to Return Of Coppersmith Attack ROCA factorization. SSH hostkeys and SSL/TLS certificates are checked. The checks require recent updates to the openssl NSE library. References: See also: ssl-cert.nse ssh-hostkey.nse Script Arguments mssql.domain, mssql.instance-all,...
https-redirect NSE Script
Check for HTTP services that redirect to the HTTPS on the same port. Example Usage nmap -sV Requires comm string shortport nmap url local comm = require "comm" local string = require "string" local shortport = require "shortport" local nmap = require "nmap" local url = require "url" local U =...
xmlrpc-methods NSE Script
Performs XMLRPC Introspection via the system.listMethods method. If the verbosity is 1 then the script fetches the response of system.methodHelp for each method returned by listMethods. Script Arguments xmlrpc-methods.url The URI path to request. slaxml.debug See the documentation for the slaxml...
amqp-info NSE Script
Gathers information (a list of all server properties) from an AMQP (Advanced Message Queuing Protocol) server. See for details on the server-properties field. Script Arguments amqp.version See the documentation for the amqp library. Example Usage nmap --script amqp-info -p5672 Script Output 5672/tcp...
dns-service-discovery NSE Script
Attempts to discover target hosts' services using the DNS Service Discovery protocol. The script first sends a query for _services._dns-sd._udp.local to get a list of services. It then sends a followup query for each one to try to get more information. Script Arguments max-newtargets, newtargets See...
dns-random-srcport NSE Script
Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks see CVE-2008-1447. The script works by querying porttest.dns-oarc.net. Be aware that any targets against which this script is run will be...
broadcast-sybase-asa-discover NSE Script
Discovers Sybase Anywhere servers on the LAN by sending broadcast discovery messages. Example Usage nmap --script broadcast-sybase-asa-discover Script Output Pre-scan script results: | broadcast-sybase-asa-discover: | ip=192.168.0.1; name=mysqlanywhere1; port=2638 | ip=192.168.0.2;...
ipidseq NSE Script
Classifies a host's IP ID sequence test for susceptibility to idle scan. Sends six probes to obtain IP IDs from the target and classifies them similarly to Nmap's method. This is useful for finding suitable zombies for Nmap's idle scan -sI as Nmap itself doesn't provide a way to scan for these...
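The classification step the snippet describes, as an added Python example (not the NSE script's Lua): take the IP IDs returned by the six probes, look at the successive differences, and bucket the host into the same kinds of categories ipidseq reports. The thresholds are simplifications chosen for this example rather than Nmap's exact values, and the probe results are constructed.

```python
def ipid_class(ipids):
    """Classify a sequence of observed IP IDs.

    The categories follow the ones Nmap uses; the numeric thresholds below are
    this example's own simplification, not Nmap's exact values.
    """
    if len(ipids) < 2:
        raise ValueError("need at least two IP IDs")
    if all(i == 0 for i in ipids):
        return "All zeros"
    # Successive differences modulo 2^16, so a wrap from 65535 to 0 counts as +1.
    diffs = [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]
    if all(d == 0 for d in diffs):
        return "Constant"
    if any(d > 20000 for d in diffs):
        return "Randomized"
    if all(d <= 10 for d in diffs):
        return "Incremental"
    # Hosts that store the 16-bit ID with its bytes swapped appear to step by 256.
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return "Broken little-endian incremental"
    return "Random positive increments"


def usable_zombie(ipids):
    """Idle scan (-sI) needs a counter that advances by one per packet sent, which the
    plain and byte-swapped incremental classes provide; the others give no signal."""
    return ipid_class(ipids) in ("Incremental", "Broken little-endian incremental")


# Constructed probe results (six IP IDs each, matching ipidseq's six probes).
SAMPLES = {
    "printer": [0, 0, 0, 0, 0, 0],
    "legacy-win": [4121, 4122, 4123, 4124, 4125, 4126],
    "wrapping": [65530, 65532, 65534, 0, 2, 4],
    "byte-swapped": [256, 512, 768, 1024, 1280, 1536],
    "hardened": [12, 40000, 3, 51234, 9, 7],
    "busy-host": [100, 400, 1100, 1500, 2300, 2700],
    "firewall": [5, 5, 5, 5, 5, 5],
}

if __name__ == "__main__":
    for host, ids in SAMPLES.items():
        print(f"{host:>13}: {ipid_class(ids):<34} zombie={usable_zombie(ids)}")
```

The "wrapping" sample is the edge case worth handling: without the modulo the 65534 to 0 step looks like a huge negative jump and an otherwise perfect zombie is misclassified. A candidate that looks incremental while idle may still be useless if it is busy, since other hosts' traffic advances the counter too.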
smb2-time NSE Script
Attempts to obtain the current system date and the start date of a SMB2 server. Script Arguments randomseed, smbbasic, smbport, smbsign See the documentation for the smb library. smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbauth library. Examp...
http-wordpress-brute NSE Script
Performs brute force password auditing against Wordpress CMS/blog installations. This script uses the unpwdb and brute libraries to perform password guessing. Any successful guesses are stored using the credentials library. Wordpress default uri and form names: Default uri:wp-login.php Default...
nbns-interfaces NSE Script
Retrieves IP addresses of the target's network interfaces via NetBIOS NS. Additional network interfaces may reveal more information about the target, including finding paths to hidden non-routed networks via multihomed systems. Example Usage nmap -sU -p 137 --script nbns-interfaces Script Output...
dns-nsec-enum NSE Script
Enumerates DNS names using the DNSSEC NSEC-walking technique. Output is arranged by domain. Within a domain, subzones are shown with increased indentation. The NSEC response record in DNSSEC is used to give negative answers to queries, but it has the side effect of allowing enumeration of all...
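The NSEC-walking technique itself, as an added Python example (not the NSE script's Lua): each NSEC record names the next owner in canonical order, so following the "next" pointers from the apex until they wrap back to it lists every name in the zone. The zone and its NSEC chain are constructed, and lookup_nsec() stands in for the DNS queries a real walk would send; covering_nsec() shows the negative answer that leaks the two neighbouring names when a non-existent name is queried.

```python
APEX = "example.com."

# Constructed NSEC chain for a small signed zone: owner -> (next owner, RR types at owner).
# A real walk obtains these records with 'IN NSEC' queries; lookup_nsec() simulates that.
NSEC_CHAIN = {
    "example.com.":       ("alpha.example.com.", ["A", "NS", "SOA", "DNSKEY", "RRSIG", "NSEC"]),
    "alpha.example.com.": ("mail.example.com.",  ["A", "RRSIG", "NSEC"]),
    "mail.example.com.":  ("www.example.com.",   ["A", "MX", "RRSIG", "NSEC"]),
    "www.example.com.":   ("example.com.",       ["A", "AAAA", "RRSIG", "NSEC"]),  # wraps to apex
}


def lookup_nsec(name):
    """Simulated 'query <name> IN NSEC' against the authoritative server."""
    return NSEC_CHAIN[name]


def canonical_key(name):
    """Sort key for DNS canonical ordering (RFC 4034 section 6.1): labels are compared
    from the root downward, case-insensitively, and a name sorts before its children."""
    labels = name.rstrip(".").lower().split(".") if name.rstrip(".") else []
    return [label.encode() for label in reversed(labels)]


def covering_nsec(qname, chain=NSEC_CHAIN, apex=APEX):
    """The NSEC a server returns for a name that does not exist: the record whose
    owner/next interval covers qname. That proof of non-existence names two real
    neighbours, which is the leak the walk exploits."""
    q = canonical_key(qname)
    for owner, (nxt, _types) in chain.items():
        if nxt == apex:  # last record in the chain: its interval runs to the end of the zone
            if canonical_key(owner) < q:
                return owner, nxt
        elif canonical_key(owner) < q < canonical_key(nxt):
            return owner, nxt
    return None


def nsec_walk(apex, lookup):
    """Follow 'next owner' pointers from the apex until the chain wraps back to it."""
    seen = []
    name = apex
    while True:
        nxt, types = lookup(name)
        seen.append((name, types))
        # Stop when the chain closes on the apex, or on a loop in a broken chain.
        if nxt == apex or any(n == nxt for n, _ in seen):
            break
        name = nxt
    return seen


if __name__ == "__main__":
    for name, types in nsec_walk(APEX, lookup_nsec):
        print(f"{name:<22} {' '.join(types)}")
    print("beta.example.com. does not exist; covered by", covering_nsec("beta.example.com."))
```

Zones signed with NSEC3 hash the owner names, so this direct walk does not apply to them; the separate dns-nsec3-enum script handles that case.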
http-sitemap-generator NSE Script
Spiders a web server and displays its directory structure along with number and types of files in each folder. Note that files listed as having an 'Other' extension are ones that have no extension or that are a root document. Script Arguments http-sitemap-generator.withindomain only spider URLs...
ip-geolocation-map-google NSE Script
This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and renders a Google Map of markers representing the targets. Additional information for the Google Static Maps API can be found at: - See also: ip-geolocation-geoplugin.nse...
ftp-vuln-cve2010-4221 NSE Script
Checks for a stack-based buffer overflow in the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. By sending a large number of TELNET_IAC escape sequences, the proftpd process miscalculates the buffer length, and a remote attacker will be able to corrupt the stack and execute arbitrary code with...
broadcast-igmp-discovery NSE Script
Discovers targets that have IGMP Multicast memberships and grabs interesting information. The script works by sending IGMP Membership Query message to the 224.0.0.1 All Hosts multicast address and listening for IGMP Membership Report messages. The script then extracts all the interesting...
smb-vuln-webexec NSE Script
A critical remote code execution vulnerability exists in WebExService WebExec. See also: smb-webexec-exploit.nse Script Arguments smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbauth library. randomseed, smbbasic, smbport, smbsign See the...
http-domino-enum-passwords NSE Script
Attempts to enumerate the hashed Domino Internet Passwords that are by default accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document. Passwords are presented in a form suitable for running in John the Ripper. The passwords may be...