607 matches found
finger NSE Script
Attempts to retrieve a list of usernames using the finger service. Example Usage nmap -sV -sC Script Output PORT STATE SERVICE 79/tcp open finger | finger: | Welcome to Linux version 2.6.31.12-0.2-default at linux-pb94.site ! | 01:14am up 18:54, 4 users, load average: 0.14, 0.08, 0.01 | | Login...
targets-xml NSE Script
Loads addresses from an Nmap XML output file for scanning. Address type IPv4 or IPv6 is determined according to whether -6 is specified to nmap. Script Arguments targets-xml.iX Filename of an Nmap XML file to import targets-xml.state Only hosts with this status will have their addresses input...
mysql-audit NSE Script
Audits MySQL database server security configuration against parts of the CIS MySQL v1.0.2 benchmark (the engine can be used for other MySQL audits by creating appropriate audit files). Script Arguments mysql-audit.password the password with which to connect to the database mysql-audit.username the...
fox-info NSE Script
Tridium Niagara Fox is a protocol used within Building Automation Systems. Based on Billy Rios and Terry McCorkle's work, this Nmap NSE will collect information from a Tridium Niagara system. Example Usage nmap --script fox-info.nse -p 1911 Script Output 1911/tcp open Niagara Fox | fox-info: |...
ajp-methods NSE Script
Discovers which options are supported by the AJP (Apache JServ Protocol) server by sending an OPTIONS request and lists potentially risky methods. In this script, "potentially risky" methods are anything except GET, HEAD, POST, and OPTIONS. If the script reports potentially risky methods, they may...
nfs-ls NSE Script
Attempts to get useful information about files from NFS exports. The output is intended to resemble the output of ls. The script starts by enumerating and mounting the remote NFS exports. After that it performs an NFS GETATTR procedure call for each mounted point in order to get its ACLs. For eac...
http-vuln-cve2010-2861 NSE Script
Executes a directory traversal attack against a ColdFusion server and tries to grab the password hash for the administrator user. It then uses the salt value hidden in the web page to create the SHA1 HMAC hash that the web server needs for authentication as admin. You can pass this value to the...
targets-asn NSE Script
Produces a list of IP prefixes for a given routing AS number (ASN). This script uses a whois server database operated by the Shadowserver Foundation. We thank them for granting us permission to use this in Nmap. Output is in CIDR notation. Script Arguments targets-asn.whoisport The whois port to us...
vmauthd-brute NSE Script
Performs brute force password auditing against the VMWare Authentication Daemon (vmware-authd). Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the creds library...
ms-sql-tables NSE Script
Queries Microsoft SQL Server (ms-sql) for a list of tables per database. SQL Server credentials required: Yes (use ms-sql-brute, ms-sql-empty-password and/or mssql.username & mssql.password). Run criteria: Host script: Will run if the mssql.instance-all, mssql.instance-name or mssql.instance-port scri...
mtrace NSE Script
Queries for the multicast path from a source to a destination host. This works by sending an IGMP Traceroute Query and listening for IGMP Traceroute responses. The Traceroute Query is sent to the first hop and contains information about source, destination and multicast group addresses. First hop...
domino-enum-users NSE Script
Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability. Script Arguments domino-enum-users.path the location to which any retrieved ID files are stored domino-enum-users.username the name of the user from which to retrieve the I...
supermicro-ipmi-conf NSE Script
Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro Onboard IPMI controllers. The script connects to port 49152 and issues a request for "/PSBlock" to download the file. This configuration file contains users with their passwords ...
smtp-vuln-cve2011-1720 NSE Script
Checks for a memory corruption in the Postfix SMTP server when it uses Cyrus SASL library authentication mechanisms (CVE-2011-1720). This vulnerability can allow denial of service and possibly remote code execution. Reference: Script Arguments smtp.domain See the documentation for the smtp library...
mysql-users NSE Script
Attempts to list all users on a MySQL server. Script Arguments mysqluser The username to use for authentication. If unset it attempts to use credentials found by mysql-brute or mysql-empty-password. mysqlpass The password to use for authentication. If unset it attempts to use credentials found by...
hostmap-ip2hosts NSE Script
Finds hostnames that resolve to the target's IP address by querying the online database: http://www.ip2hosts.com Bing Search Results The script is in the "external" category because it sends target IPs to a third party in order to query their database. Script Arguments newtargets If set, add the...
http-git NSE Script
Checks for a Git repository found in a website's document root /.git/something and retrieves as much repo information as possible, including language/framework, remotes, last commit message, and repository description. Script Arguments http-git.root URL path to search for a .git directory. Defaul...
oracle-brute-stealth NSE Script
Exploits the CVE-2012-3137 vulnerability, a weakness in Oracle's O5LOGIN authentication scheme. The vulnerability exists in Oracle 11g R1/R2 and allows linking the session key to a password hash. When initiating an authentication attempt as a valid user the server will respond with a session key...
sip-brute NSE Script
Performs brute force password auditing against Session Initiation Protocol (SIP) accounts. This protocol is most commonly associated with VoIP sessions. Script Arguments sip.timeout See the documentation for the sip library. creds.service, creds.global See the documentation for the creds library...
http-dlink-backdoor NSE Script
Detects a firmware backdoor on some D-Link routers by changing the User-Agent to a "secret" value. Using the "secret" User-Agent bypasses authentication and allows admin access to the router. The following router models are likely to be vulnerable: DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S,...
http-auth NSE Script
Retrieves the authentication scheme and realm of a web service that requires authentication. See also: http-auth-finder.nse http-brute.nse Script Arguments http-auth.path Define the request path slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size,...
dns-nsec3-enum NSE Script
Tries to enumerate domain names from the DNS server that supports DNSSEC NSEC3 records. The script queries for nonexistent domains until it exhausts all domain ranges, keeping track of hashes. At the end, all hashes are printed along with salt and number of iterations used. This technique is known...
rexec-brute NSE Script
Performs brute force password auditing against the classic UNIX rexec remote exec service. Script Arguments rexec-brute.timeout socket timeout for connecting to rexec default 10s passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library...
lu-enum NSE Script
Attempts to enumerate Logical Units (LU) of TN3270E servers. When connecting to a TN3270E server you are assigned a Logical Unit (LU) or you can tell the TN3270E server which LU you'd like to use. Typically TN3270E servers are configured to give you an LU from a pool of LUs. They can also have LUs se...
membase-brute NSE Script
Performs brute force password auditing against Couchbase Membase servers. Script Arguments membase-brute.bucketname if specified, password guessing is performed only against this bucket. creds.service, creds.global See the documentation for the creds library. smbdomain, smbhash, smbnoguest,...
deluge-rpc-brute NSE Script
Performs brute force password auditing against the DelugeRPC daemon. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the creds library. brute.credfile,...
http-generator NSE Script
Displays the contents of the "generator" meta tag of a web page (default: /) if there is one. Script Arguments http-generator.path Specify the path you want to check for a generator meta tag (default to '/'). http-generator.redirects Specify the maximum number of redirects to follow defaults to 3...
p2p-conficker NSE Script
Checks if a host is infected with Conficker.C or higher, based on Conficker's peer to peer communication. When Conficker.C or higher infects a system, it opens four ports: two TCP and two UDP. The ports are random, but are seeded with the current week and the IP of the infected host. By determini...
broadcast-hid-discoveryd NSE Script
Discovers HID devices on a LAN by sending a discoveryd network broadcast probe. For more information about HID discoveryd, see: Script Arguments broadcast-hid-discoveryd.timeout socket timeout default: 5s broadcast-hid-discoveryd.address address to which the probe packet is sent. default:...
ms-sql-query NSE Script
Runs a query against Microsoft SQL Server (ms-sql). SQL Server credentials required: Yes (use ms-sql-brute, ms-sql-empty-password and/or mssql.username & mssql.password). Run criteria: Host script: Will run if the mssql.instance-all, mssql.instance-name or mssql.instance-port script arguments are used...
snmp-hh3c-logins NSE Script
Attempts to enumerate Huawei / HP/H3C Locally Defined Users through the hh3c-user.mib OID. For devices running software released pre-Oct 2012 only an SNMP read-only string is required to access the OID. Otherwise a read-write string is required. Output is 'username - password - level: 0|1|2|3'...
nbd-info NSE Script
Displays protocol and block device information from NBD servers. The Network Block Device protocol is used to publish block devices over TCP. This script connects to an NBD server and attempts to pull down a list of exported block devices and their details. For additional information: Script...
http-backup-finder NSE Script
Spiders a website and attempts to identify backup copies of discovered files. It does so by requesting a number of different combinations of the filename eg. index.bak, index.html, copy of index.html. Script Arguments http-backup-finder.maxpagecount the maximum amount of pages to visit. A negativ...
http-useragent-tester NSE Script
Checks if various crawling utilities are allowed by the host. Script Arguments http-useragent-tester.useragents A table with more User-Agent headers. Default: nil httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url,...
cics-info NSE Script
Using the CICS transaction CEMT, this script attempts to gather information about the current CICS transaction server region. It gathers OS information, Datasets files, transactions and user ids. Based on CICSpwn script by Ayoub ELAASSAL. Script Arguments cics-info.trans Instead of gathering all...
ldap-novell-getpass NSE Script
Universal Password enables advanced password policies, including extended characters in passwords, synchronization of passwords from eDirectory to other systems, and a single password for all access to eDirectory. In case the password policy permits administrators to retrieve user passwords "Allo...
http-apache-negotiation NSE Script
Checks if the target http server has mod_negotiation enabled. This feature can be leveraged to find hidden resources and spider a web site using fewer requests. The script works by sending requests for resources like index and home without specifying the extension. If mod_negotiate is enabled defau...
cics-user-brute NSE Script
CICS User ID brute forcing script for the CESL login screen. Script Arguments cics-user-brute.commands Commands in a semi-colon separated list needed to access CICS. Defaults to CICS. brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly,...
mcafee-epo-agent NSE Script
Check if ePO agent is running on port 8081 or port identified as ePO Agent port. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent See the documentatio...
svn-brute NSE Script
Performs brute force password auditing against Subversion source code control servers. Script Arguments svn-brute.repo the Subversion repository against which to perform password guessing svn-brute.force force password guessing when service is accessible both anonymously and through authenticatio...
pjl-ready-message NSE Script
Retrieves or sets the ready message on printers that support the Printer Job Language. This includes most PostScript printers that listen on port 9100. Without an argument, displays the current ready message. With the pjlreadymessage script argument, displays the old ready message and changes it...
http-referer-checker NSE Script
Informs about cross-domain include of scripts. Websites that include external javascript scripts are delegating part of their security to third-party entities. Script Arguments slaxml.debug See the documentation for the slaxml library. httpspider.doscraping, httpspider.maxdepth,...
dns-srv-enum NSE Script
Enumerates various common service SRV records for a given domain name. The service records contain the hostname, port and priority of servers for a given service. The following services are enumerated by the script: - Active Directory Global Catalog - Exchange Autodiscovery - Kerberos KDC...
bitcoin-info NSE Script
Extracts version and node information from a Bitcoin server Example Usage nmap -p 8333 --script bitcoin-info Script Output PORT STATE SERVICE 8333/tcp open bitcoin | bitcoin-info: | Timestamp: 2018-03-09T06:25:49 | Network: main | Version: 0.7.0 | Node Id: 26855fa1ac038c12 | Lastblock: 512702 |...
snmp-netstat NSE Script
Attempts to query SNMP for a netstat like output. The script can be used to identify and automatically add new targets to the scan by supplying the newtargets script argument. Script Arguments max-newtargets, newtargets See the documentation for the target library. creds.service, creds.global See...
dns-random-txid NSE Script
Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447). The script works by querying txidtest.dns-oarc.net see . Be aware that any targets against which this script is run will...
broadcast-netbios-master-browser NSE Script
Attempts to discover master browsers and the domains they manage. Example Usage nmap --script=broadcast-netbios-master-browser Script Output | broadcast-netbios-master-browser: | ip server domain |10.0.200.156 WIN2K3-EPI-1 WORKGROUP Requires netbios nmap stdnse tab local netbios = require "netbio...
netbus-brute NSE Script
Performs brute force password auditing against the Netbus backdoor "remote administration" service. See also: netbus-auth-bypass.nse Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. Example Usage nmap -p 12345...
http-malware-host NSE Script
Looks for signature of known server compromises. Currently, the only signature it looks for is the one discussed here: . This is done by requesting the page /ts/in.cgi?open2 and looking for an errant 302 (it attempts to detect servers that always return 302). Thanks to Denis from the above link for...
http-vuln-cve2013-6786 NSE Script
Detects a URL redirection and reflected XSS vulnerability in Allegro RomPager Web server. The vulnerability has been assigned CVE-2013-6786. The check is general enough (script tag injection via Referer header) that some other software may be vulnerable in the same way. See also:...