607 matches found
iscsi-brute NSE Script
Performs brute force password auditing against iSCSI targets. Script Arguments iscsi-brute.target iSCSI target to brute-force. passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for t...
broadcast-ms-sql-discover NSE Script
Discovers Microsoft SQL servers in the same broadcast domain. SQL Server credentials required: No (will not benefit from mssql.username & mssql.password). The script attempts to discover SQL Server instances in the same broadcast domain. Any instances found are stored in the Nmap registry for use b...
ftp-proftpd-backdoor NSE Script
Tests for the presence of the ProFTPD 1.3.3c backdoor reported as BID 45150. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument. Script Arguments ftp-proftpd-backdoor.cmd Command to...
http-vhosts NSE Script
Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames. Each HEAD request provides a different Host header. The hostnames come from a built-in default list. Shows the names that return a document. Also shows the location of...
firewalk NSE Script
Tries to discover firewall rules using an IP TTL expiration technique known as firewalking. To determine a rule on a given gateway, the scanner sends a probe to a metric located behind the gateway, with a TTL one higher than the gateway. If the probe is forwarded by the gateway, then we can expec...
hddtemp-info NSE Script
Reads hard disk information such as brand, model, and sometimes temperature from a listening hddtemp service. Example Usage nmap -p 7634 -sV -sC Script Output 7634/tcp open hddtemp | hddtemp-info: | /dev/sda: WDC WD2500JS-60MHB1: 38 C Requires comm math shortport string stringaux table local comm...
http-title NSE Script
Shows the title of the default page of a web server. The script will follow up to 5 HTTP redirects, using the default rules in the http library. Script Arguments http-title.url The url to fetch. Default: / slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size,...
broadcast-wsdd-discover NSE Script
Uses a multicast query to discover devices supporting the Web Services Dynamic Discovery WS-Discovery protocol. It also attempts to locate any published Windows Communication Framework WCF web services .NET 4.0 or later. Script Arguments max-newtargets, newtargets See the documentation for the...
wsdd-discover NSE Script
Retrieves and displays information from devices supporting the Web Services Dynamic Discovery WS-Discovery protocol. It also attempts to locate any published Windows Communication Framework WCF web services .NET 4.0 or later. Script Arguments max-newtargets, newtargets See the documentation for t...
broadcast-upnp-info NSE Script
Attempts to extract system information from the UPnP service by sending a multicast query, then collecting, parsing, and displaying all responses. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline,...
broadcast-dns-service-discovery NSE Script
Attempts to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses. The script first sends a query for services.dns-sd.udp.local to get a list of services. It then sends a followup query for each one to try to get more...
rmi-dumpregistry NSE Script
Connects to a remote RMI registry and attempts to dump all of its objects. First it tries to determine the names of all objects bound in the registry, and then it tries to determine information about the objects, such as the class names of the superclasses and interfaces. This may, depending ...
ssh2-enum-algos NSE Script
Reports the number of algorithms for encryption, compression, etc. that the target SSH2 server offers. If verbosity is set, the offered algorithms are each listed by type. If the "client to server" and "server to client" algorithm lists are identical order specifies preference then the list is...
smb-flood NSE Script
Exhausts a remote SMB server's connection limit by opening as many connections as we can. Most implementations of SMB have a hard global limit of 11 connections for user accounts and 10 connections for anonymous. Once that limit is reached, further connections are denied. This script exploits...
nat-pmp-info NSE Script
Gets the router's WAN IP using the NAT Port Mapping Protocol (NAT-PMP). The NAT-PMP protocol is supported by a broad range of routers including: Apple AirPort Express Apple AirPort Extreme Apple Time Capsule DD-WRT OpenWrt v8.09 or higher, with MiniUPnP daemon pfSense v2.0 Tarifa firmware Linksys...
resolveall NSE Script
NOTE: This script has been replaced by the --resolve-all command-line option in Nmap 7.70 Resolves hostnames and adds every address IPv4 or IPv6, depending on Nmap mode to Nmap's target list. This differs from Nmap's normal host resolution process, which only scans the first address A or AAAA...
targets-traceroute NSE Script
Inserts traceroute hops into the Nmap scanning queue. It only functions if Nmap's --traceroute option is used and the newtargets script argument is given. Script Arguments newtargets If specified, adds traceroute hops onto Nmap scanning queue. max-newtargets See the documentation for the target...
path-mtu NSE Script
Performs simple Path MTU Discovery to target hosts. TCP or UDP packets are sent to the host with the DF don't fragment bit set and with varying amounts of data. If an ICMP Fragmentation Needed is received, or no reply is received after retransmissions, the amount of data is lowered and another...
giop-info NSE Script
Queries a CORBA naming server for a list of objects. Example Usage nmap -sV -sC Script Output PORT STATE SERVICE REASON 1050/tcp open java-or-OTGfileshare syn-ack | giop-info: | Object: Hello | Context: Test | Object: GoodBye Requires giop shortport stdnse local giop = require "giop" local...
oracle-enum-users NSE Script
Attempts to enumerate valid Oracle user names against unpatched Oracle 11g servers this bug was fixed in Oracle's October 2009 Critical Patch Update. Script Arguments oracle-enum-users.sid the instance against which to attempt user enumeration tns.sid See the documentation for the tns library...
oracle-brute NSE Script
Performs brute force password auditing against Oracle servers. Running it in default mode it performs an audit against a list of common Oracle usernames and passwords. The mode can be changed by supplying the argument oracle-brute.nodefault at which point the script will use the username- and...
domino-enum-users NSE Script
Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability. Script Arguments domino-enum-users.path the location to which any retrieved ID files are stored domino-enum-users.username the name of the user from which to retrieve the I...
domcon-brute NSE Script
Performs brute force password auditing against the Lotus Domino Console. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the creds library. brute.credfile,...
domcon-cmd NSE Script
Runs a console command on the Lotus Domino Console using the given authentication credentials see also: domcon-brute Script Arguments domcon-cmd.cmd The command to run on the remote server domcon-cmd.pass The password used to authenticate to the server domcon-cmd.user The user used to authenticat...
informix-brute NSE Script
Performs brute force password auditing against IBM Informix Dynamic Server. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the creds library. brute.credfile,...
informix-tables NSE Script
Retrieves a list of tables and column definitions for each database on an Informix server. Script Arguments informix-tables.username The username used for authentication informix-tables.password The password used for authentication Version 0.1 Created 27/07/2010 - v0.1 - created by Patrik Karlsso...
informix-query NSE Script
Runs a query against IBM Informix Dynamic Server using the given authentication credentials see also: informix-brute. Script Arguments informix-query.query The query to run against the server default: returns hostname and version informix-query.username The username used for authentication...
http-form-brute NSE Script
Performs brute force password auditing against http form-based authentication. This script uses the unpwdb and brute libraries to perform password guessing. Any successful guesses are stored in the nmap registry, using the creds library, for other scripts to use. The script automatically attempts...
http-brute NSE Script
Performs brute force password auditing against http basic, digest and ntlm authentication. This script uses the unpwdb and brute libraries to perform password guessing. Any successful guesses are stored in the nmap registry, using the creds library, for other scripts to use. Script Arguments...
svn-brute NSE Script
Performs brute force password auditing against Subversion source code control servers. Script Arguments svn-brute.repo the Subversion repository against which to perform password guessing svn-brute.force force password guessing when service is accessible both anonymously and through authenticatio...
wdb-version NSE Script
Detects vulnerabilities and gathers information such as version numbers and hardware support from VxWorks Wind DeBug agents. Wind DeBug is a SunRPC-type service that is enabled by default on many devices that use the popular VxWorks real-time embedded operating system. H.D. Moore of Metasploit ha...
vnc-brute NSE Script
Performs brute force password auditing against VNC servers. See also: realvnc-auth-bypass.nse Script Arguments vnc-brute.bruteusers If set, allows the script to iterate over usernames for auth types that require it plain, Apple Remote Desktop 30, SASL not supported, and ATEN Default: false, since...
vnc-info NSE Script
Queries a VNC server for its protocol version and supported security types. Example Usage nmap -sV -sC Script Output PORT STATE SERVICE 5900/tcp open vnc | vnc-info: | Protocol version: 3.889 | Security types: | Mac OS X security type 30 | Mac OS X security type 35 Requires shortport stdnse strin...
drda-info NSE Script
Attempts to extract information from database servers supporting the DRDA protocol. The script sends a DRDA EXCSAT exchange server attributes command packet and parses the response. Example Usage nmap -sV Script Output PORT STATE SERVICE 50000/tcp open drda | drda-info: DB2 Version: 8.02.9 | Serv...
drda-brute NSE Script
Performs password guessing against databases supporting the IBM DB2 protocol such as Informix, DB2 and Derby Script Arguments drda-brute.threads the amount of accounts to attempt to brute force in parallel default 10. drda-brute.dbname the database name against which to guess passwords default...
irc-unrealircd-backdoor NSE Script
Checks if an IRC server is backdoored by running a time-based command ping and checking how long it takes to respond. The irc-unrealircd-backdoor.command script argument can be used to run an arbitrary command on the remote system. Because of the nature of this vulnerability the output is never...
ftp-libopie NSE Script
Checks if an FTPd is prone to CVE-2010-1938 OPIE off-by-one stack overflow, a vulnerability discovered by Maksymilian Arciemowicz and Adam "pi3" Zabrocki. See the advisory at . Be advised that, if launched against a vulnerable host, this script will crash the FTPd. Script Arguments vulns.short,...
http-php-version NSE Script
Attempts to retrieve the PHP version from a web server. PHP has a number of magic queries that return images or text that can vary with the PHP version. This script uses the following queries: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: gets a GIF logo, which changes on April Fool's Day...
nfs-ls NSE Script
Attempts to get useful information about files from NFS exports. The output is intended to resemble the output of ls. The script starts by enumerating and mounting the remote NFS exports. After that it performs an NFS GETATTR procedure call for each mounted point in order to get its ACLs. For eac...
dns-cache-snoop NSE Script
Performs DNS cache snooping against a DNS server. There are two modes of operation, controlled by the dns-cache-snoop.mode script argument. In nonrecursive mode the default, queries are sent to the server with the RD recursion desired flag set to 0. The server should respond positively to these...
ntp-monlist NSE Script
Obtains and prints an NTP server's monitor data. Monitor data is a list of the most recently used MRU having NTP associations with the target. Each record contains information about the most recent NTP packet sent by a host to the target including the source and destination addresses and the NTP...
dns-fuzz NSE Script
Launches a DNS fuzzing attack against DNS servers. The script induces errors into randomly generated but valid DNS packets. The packet template that we use includes one uncompressed and one compressed name. Use the dns-fuzz.timelimit argument to control how long the fuzzing lasts. This script...
ms-sql-hasdbaccess NSE Script
Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has access to. SQL Server credentials required: Yes (use ms-sql-brute, ms-sql-empty-password and/or mssql.username & mssql.password) Run criteria: Host script: Will run if the mssql.instance-all, mssql.instance-name or...
ms-sql-brute NSE Script
Performs password guessing against Microsoft SQL Server (ms-sql). Works best in conjunction with the broadcast-ms-sql-discover script. SQL Server credentials required: No (will not benefit from mssql.username & mssql.password). Run criteria: Host script: Will run if the mssql.instance-all,...
ms-sql-config NSE Script
Queries Microsoft SQL Server (ms-sql) instances for a list of databases, linked servers, and configuration settings. SQL Server credentials required: Yes (use ms-sql-brute, ms-sql-empty-password and/or mssql.username & mssql.password) Run criteria: Host script: Will run if the mssql.instance-all,...
ms-sql-empty-password NSE Script
Attempts to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account. SQL Server credentials required: No (will not benefit from mssql.username & mssql.password). Run criteria: Host script: Will run if the mssql.instance-all, mssql.instance-name or mssql.instance-po...
ms-sql-tables NSE Script
Queries Microsoft SQL Server (ms-sql) for a list of tables per database. SQL Server credentials required: Yes (use ms-sql-brute, ms-sql-empty-password and/or mssql.username & mssql.password) Run criteria: Host script: Will run if the mssql.instance-all, mssql.instance-name or mssql.instance-port scri...
ms-sql-xp-cmdshell NSE Script
Attempts to run a command using the command shell of Microsoft SQL Server (ms-sql). SQL Server credentials required: Yes (use ms-sql-brute, ms-sql-empty-password and/or mssql.username & mssql.password) Run criteria: Host script: Will run if the mssql.instance-all, mssql.instance-name or...
ms-sql-query NSE Script
Runs a query against Microsoft SQL Server (ms-sql). SQL Server credentials required: Yes (use ms-sql-brute, ms-sql-empty-password and/or mssql.username & mssql.password) Run criteria: Host script: Will run if the mssql.instance-all, mssql.instance-name or mssql.instance-port script arguments are used...
afp-serverinfo NSE Script
Shows AFP server information. This information includes the server's hostname, IPv4 and IPv6 addresses, and hardware type for example Macmini or MacBookPro. Script Arguments afp.password, afp.username See the documentation for the afp library. Example Usage nmap -sV -sC Script Output PORT STATE...