607 matches found
broadcast-ping NSE Script
Sends broadcast pings on a selected interface using raw ethernet packets and outputs the responding hosts' IP and MAC addresses or, if requested, adds them as targets. Root privileges on UNIX are required to run this script since it uses raw sockets. Most operating systems don't respond to...
http-icloud-sendmsg NSE Script
Sends a message to an iOS device through the Apple MobileMe web service. The device has to be registered with an Apple ID using the Find My iPhone application. Script Arguments http-icloud-sendmsg.username the Apple ID username http-icloud-sendmsg.sound boolean specifying if a loud sound should be...
wsdd-discover NSE Script
Retrieves and displays information from devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later). Script Arguments max-newtargets, newtargets See the documentation for t...
docker-version NSE Script
Detects the Docker service version. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent See the documentation for the http library. smbdomain, smbhash,...
ipmi-cipher-zero NSE Script
IPMI 2.0 Cipher Zero Authentication Bypass Scanner. This module identifies IPMI 2.0 compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero. Script Arguments vulns.short, vulns.showall See the documentation for the vulns library. Example Usa...
broadcast-sonicwall-discover NSE Script
Discovers Sonicwall firewalls which are directly attached (not routed) using the same method as the manufacturer's own 'SetupTool'. An interface needs to be configured, as the script broadcasts a UDP packet. The script needs to be run as a privileged user, typically root. References: Script Argument...
impress-remote-discover NSE Script
Tests for the presence of the LibreOffice Impress Remote server. Checks if a PIN is valid if provided and will bruteforce the PIN if requested. When a remote first contacts Impress and sends a client name and PIN, the user must open the "Slide Show - Impress Remote" menu and enter the matching PI...
metasploit-info NSE Script
Gathers info from the Metasploit RPC service. It requires a valid login pair. After authentication it tries to determine the Metasploit version and deduce the OS type. Then it creates a new console and executes a few commands to get additional info. References: Metasploit RPC API Guide See also:...
http-huawei-hg5xx-vuln NSE Script
Detects Huawei modem models HG530x, HG520x, HG510x (and possibly others...) vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values. Attackers can query the URIs "/Listadeparametros.html" and...
voldemort-info NSE Script
Retrieves cluster and store information from the Voldemort distributed key-value store using the Voldemort Native Protocol. Example Usage nmap -p 6666 --script voldemort-info Script Output PORT STATE SERVICE 6666/tcp open irc | voldemort-info: | Cluster | Name: mycluster | Id: 0 | Host: localhost...
ipmi-version NSE Script
Performs IPMI Information Discovery through Channel Auth probes. Example Usage nmap -sU --script ipmi-version -p 623 Script Output PORT STATE SERVICE REASON 623/udp open|filtered unknown | ipmi-version: | Version: IPMI-2.0 | UserAuth: password, md5, md2 | PassAuth: nulluser | Level: 1.2,2.0...
knx-gateway-info NSE Script
Identifies a KNX gateway on UDP port 3671 by sending a KNX Description Request. Further information: DIN EN 13321-2 Example Usage nmap -sV -sC Requires nmap shortport ipOps stdnse string knx local nmap = require "nmap" local shortport = require "shortport" local ipOps = require "ipOps" local stdn...
smb-ls NSE Script
Attempts to retrieve useful information about files shared on SMB volumes. The output is intended to resemble the output of the UNIX ls command. Script Arguments smb-ls.path the path, relative to the share to list the contents from default: root of the share smb-ls.pattern the search pattern to...
xdmcp-discover NSE Script
Requests an XDMCP (X display manager control protocol) session and lists supported authentication and authorization mechanisms. Example Usage nmap -sU -p 177 --script xdmcp-discover Script Output PORT STATE SERVICE 177/udp open|filtered xdmcp | xdmcp-discover: | Session id: 0x0000703E | Authorizati...
ip-geolocation-map-bing NSE Script
This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and renders a Bing Map of markers representing the targets. The Bing Maps REST API has a limit of 100 markers, so if more coordinates are found, only the top 100 markers by number of IP...
broadcast-pppoe-discover NSE Script
Discovers PPPoE (Point-to-Point Protocol over Ethernet) servers using the PPPoE Discovery protocol (PPPoED). PPPoE is an ethernet based protocol so the script has to know what ethernet interface to use for discovery. If no interface is specified, requests are sent out on all available interfaces. As...
ipv6-node-info NSE Script
Obtains hostnames, IPv4 and IPv6 addresses through IPv6 Node Information Queries. IPv6 Node Information Queries are defined in RFC 4620. There are three useful types of queries: qtype=2: Node Name; qtype=3: Node Addresses; qtype=4: IPv4 Addresses. Some operating systems (Mac OS X and OpenBSD) return...
http-dombased-xss NSE Script
It looks for places where attacker-controlled information in the DOM may be used to affect JavaScript execution in certain ways. The attack is explained here: See also: http-stored-xss.nse http-phpself-xss.nse http-xssed.nse http-unsafe-output-escaping.nse Script Arguments...
irc-info NSE Script
Gathers information from an IRC server. It uses STATS, LUSERS, and other queries to obtain this information. Example Usage nmap -sV -sC Script Output 6665/tcp open irc | irc-info: | server: asimov.freenode.net | version: ircd-seven-1.1.320111112-b71671d1e846,charybdis-3.4-dev. asimov.freenode.net...
http-vuln-cve2014-2128 NSE Script
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability CVE-2014-2128. See also: http-vuln-cve2014-2126.nse http-vuln-cve2014-2127.nse http-vuln-cve2014-2129.nse Script Arguments tls.servername See the documentation for the tls library...
nessus-xmlrpc-brute NSE Script
Performs brute force password auditing against a Nessus vulnerability scanning daemon using the XMLRPC protocol. Script Arguments nessus-xmlrpc-brute.timeout socket timeout for connecting to Nessus default 5s nessus-xmlrpc-brute.threads sets the number of threads. passdb, unpwdb.passlimit,...
broadcast-dns-service-discovery NSE Script
Attempts to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses. The script first sends a query for _services._dns-sd._udp.local to get a list of services. It then sends a followup query for each one to try to get more...
citrix-enum-apps-xml NSE Script
Extracts a list of applications, ACLs, and settings from the Citrix XML service. The script returns more output with higher verbosity. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline,...
broadcast-wake-on-lan NSE Script
Wakes a remote system up from sleep by sending a Wake-On-Lan packet. Script Arguments broadcast-wake-on-lan.address The broadcast address to which the WoL packet is sent. broadcast-wake-on-lan.MAC The MAC address of the remote system to wake up Example Usage nmap --script broadcast-wake-on-lan...
http-stored-xss NSE Script
Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability. See also: http-dombased-xss.nse http-phpself-xss.nse http-xssed.nse http-unsafe-output-escaping.nse Script Arguments http-stored-xss.formpaths The pages that contain the forms to exploit. For example, /upload.php,...
http-barracuda-dir-traversal NSE Script
Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at . This vulnerability is in the "locale" parameter of "/cgi-mod/viewhelp.cgi" or "/cgi-bin/viewhelp.cgi", allowing the information to be...
http-vuln-cve2013-0156 NSE Script
Detects Ruby on Rails servers vulnerable to object injection, remote command executions and denial of service attacks. CVE-2013-0156 All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 are vulnerable. This script sends 3 harmless YAML payloa...
smb-enum-domains NSE Script
Attempts to enumerate domains on a system, along with their policies. This generally requires credentials, except against Windows 2000. In addition to the actual domain, the "Builtin" domain is generally displayed. Windows returns this in the list of domains, but its policies don't appear to be...
openflow-info NSE Script
Queries OpenFlow controllers for information. Newer versions of the OpenFlow protocol (1.3 and greater) will return a list of all protocol versions supported by the controller. Versions prior to 1.3 only return their own version number. For additional information: Example Usage nmap -p 6633,6653...
murmur-version NSE Script
Detects the Murmur service (server for the Mumble voice communication client) versions 1.2.X. The Murmur server listens on a TCP (control) and a UDP (voice) port with the same port number. This script activates on both a TCP and UDP port version scan. In both cases probe data is sent only to the UDP po...
broadcast-dhcp6-discover NSE Script
Sends a DHCPv6 request (Solicit) to the DHCPv6 multicast address, parses the response, then extracts and prints the address along with any options returned by the server. The script requires Nmap to be run in privileged mode as it binds the socket to a privileged port (udp/546). See also:...
unusual-port NSE Script
Compares the detected service on a port against the expected service for that port number (e.g. ssh on 22, http on 80) and reports deviations. The script requires that a version scan has been run in order to be able to discover what service is actually running on each port. Example Usage nmap...
http-errors NSE Script
This script crawls through the website and returns any error pages. The script will return all pages (sorted by error code) that respond with an HTTP code equal to or above 400. To change this behaviour, please use the errcodes option. The script, by default, spiders and searches within forty pages. F...
ms-sql-dac NSE Script
Queries the Microsoft SQL Browser service for the DAC (Dedicated Admin Connection) port of a given (or all) SQL Server instance. The DAC port is used to connect to the database instance when normal connection attempts fail, for example, when the server is hanging, out of memory or in other bad states. In...
path-mtu NSE Script
Performs simple Path MTU Discovery to target hosts. TCP or UDP packets are sent to the host with the DF (don't fragment) bit set and with varying amounts of data. If an ICMP Fragmentation Needed is received, or no reply is received after retransmissions, the amount of data is lowered and another...
http-unsafe-output-escaping NSE Script
Spiders a website and attempts to identify output escaping problems where content is reflected back to the user. This script locates all parameters, ?x=foo&y=bar and checks if the values are reflected on the page. If they are indeed reflected, the script will try to insert ghzhzx"zxc'xcv and chec...
broadcast-wsdd-discover NSE Script
Uses a multicast query to discover devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later). Script Arguments max-newtargets, newtargets See the documentation for the...
nat-pmp-mapport NSE Script
Maps a WAN port on the router to a local port on the client using the NAT Port Mapping Protocol (NAT-PMP). It supports the following operations: map - maps a new external port on the router to an internal port of the requesting IP; unmap - unmaps a previously mapped port for the requesting IP; unmapa...
snmp-processes NSE Script
Attempts to enumerate running processes through SNMP. Script Arguments creds.service, creds.global See the documentation for the creds library. snmp.version See the documentation for the snmp library. Example Usage nmap -sU -p 161 --script=snmp-processes Script Output | snmp-processes: | 1: | Nam...
gopher-ls NSE Script
Lists files and directories at the root of a gopher service. Script Arguments gopher-ls.maxfiles If set, limits the number of files returned by the script. If set to 0 or less, all files are shown. The default value is 10. Example Usage nmap -p 70 --script gopher-ls --script-args...
hddtemp-info NSE Script
Reads hard disk information such as brand, model, and sometimes temperature from a listening hddtemp service. Example Usage nmap -p 7634 -sV -sC Script Output 7634/tcp open hddtemp | hddtemp-info: | /dev/sda: WDC WD2500JS-60MHB1: 38 C Requires comm math shortport string stringaux table local comm...
broadcast-upnp-info NSE Script
Attempts to extract system information from the UPnP service by sending a multicast query, then collecting, parsing, and displaying all responses. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline,...
lltd-discovery NSE Script
Uses the Microsoft LLTD protocol to discover hosts on a local network. For more information on the LLTD protocol please refer to Script Arguments lltd-discovery.interface string specifying which interface to do lltd discovery on. If not specified, all ethernet interfaces are tried...
smb-mbenum NSE Script
Queries information managed by the Windows Master Browser. Script Arguments smb-mbenum.format optional if set, changes the format of the result returned by the script. There are three possible formats: 1. Ordered by type horizontally 2. Ordered by type vertically 3. Ordered by type vertically...
citrix-enum-apps NSE Script
Extracts a list of published applications from the ICA Browser service. Example Usage sudo ./nmap -sU --script=citrix-enum-apps -p 1604 Script Output PORT STATE SERVICE 1604/udp open unknown 1604/udp open unknown | citrix-enum-apps: | Notepad | iexplorer | registry editor Requires nmap shortport...
smb-enum-processes NSE Script
Pulls a list of processes from the remote server over SMB. This will determine all running processes, their process IDs, and their parent processes. It is done by querying the remote registry service, which is disabled by default on Vista; on all other Windows versions, it requires Administrator...
mysql-variables NSE Script
Attempts to show all variables on a MySQL server. Script Arguments mysqluser The username to use for authentication. If unset it attempts to use credentials found by mysql-brute or mysql-empty-password. mysqlpass The password to use for authentication. If unset it attempts to use credentials foun...
http-avaya-ipoffice-users NSE Script
Attempts to enumerate users in Avaya IP Office systems 7.x. Avaya IP Office systems allow unauthenticated access to the URI '/system/user/scnuserlist' which returns an XML file containing user information such as display name, full name and extension number. Tested on Avaya IP Office 7.027. Script...
imap-ntlm-info NSE Script
This script enumerates information from remote IMAP services with NTLM authentication enabled. Sending an IMAP NTLM authentication request with null credentials will cause the remote service to respond with an NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version...
stun-version NSE Script
Sends a binding request to the server and attempts to extract version information from the response, if the server attribute is present. Script Arguments stun.mode See the documentation for the stun library. Example Usage nmap -sU -sV -p 3478 Script Output PORT STATE SERVICE VERSION 3478/udp open...