607 matches found
afp-path-vuln NSE Script
Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533. This script attempts to iterate over all AFP shares on the remote host. For each share it attempts to access the parent directory by exploiting the directory traversal vulnerability as described in CVE-2010-0533. The scrip...
afp-brute NSE Script
Performs password guessing against Apple Filing Protocol AFP. Script Arguments afp.password, afp.username See the documentation for the afp library. passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. Example Usage nmap -p 548 --scrip...
qscan NSE Script
Repeatedly probe open and/or closed ports on a host to obtain a series of round-trip time values for each port. These values are used to group collections of ports which are statistically different from other groups. Ports being in different groups or "families" may be due to network mechanisms...
nfs-statfs NSE Script
Retrieves disk space statistics and information from a remote NFS share. The output is intended to resemble the output of df. The script will provide pathconf information of the remote NFS if the version used is NFSv3. Script Arguments nfs-statfs.human If set to 1 or true, shows file sizes in a...
jdwp-version NSE Script
Detects the Java Debug Wire Protocol. This protocol is used by Java programs to be debugged via the network. It should not be open to the public Internet, as it does not provide any security against malicious attackers who can inject their own bytecode into the debugged process. Documentation for...
smtp-enum-users NSE Script
Attempts to enumerate the users on a SMTP server by issuing the VRFY, EXPN or RCPT TO commands. The goal of this script is to discover all the user accounts in the remote system. The script will output the list of user names that were found. The script will stop querying the SMTP server if...
snmp-interfaces NSE Script
Attempts to enumerate network interfaces through SNMP. This script can also be run during Nmap's pre-scanning phase and can attempt to add the SNMP server's interface addresses to the target list. The script argument snmp-interfaces.host is required to know what host to probe. To specify a port f...
pgsql-brute NSE Script
Performs password guessing against PostgreSQL. Script Arguments pgsql.version Force protocol version 2 or 3. pgsql.nossl If set to 1 or true, disables SSL. passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. Example Usage nmap -p 5432...
ldap-search NSE Script
Attempts to perform an LDAP search and returns all matches. If no username and password is supplied to the script the Nmap registry is consulted. If the ldap-brute script has been selected and it found a valid account, this account will be used. If not anonymous bind will be used as a last attemp...
couchdb-stats NSE Script
Gets database statistics from a CouchDB database. For more info about the CouchDB HTTP API and the statistics, see and . Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline,...
couchdb-databases NSE Script
Gets database tables from a CouchDB database. For more info about the CouchDB HTTP API, see . Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent See the...
ipidseq NSE Script
Classifies a host's IP ID sequence test for susceptibility to idle scan. Sends six probes to obtain IP IDs from the target and classifies them similarly to Nmap's method. This is useful for finding suitable zombies for Nmap's idle scan -sI as Nmap itself doesn't provide a way to scan for these...
ldap-brute NSE Script
Attempts to brute-force LDAP authentication. By default it uses the built-in username and password lists. In order to use your own lists use the userdb and passdb script arguments. This script does not make any attempt to prevent account lockout! If the number of passwords in the dictionary excee...
ldap-rootdse NSE Script
Retrieves the LDAP root DSA-specific Entry DSE Example Usage nmap -p 389 --script ldap-rootdse Script Output PORT STATE SERVICE 389/tcp open ldap | ldap-rootdse: | currentTime: 20100112092616.0Z | subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=cqure,DC=net | dsServiceName: CN=NTDS...
http-vmware-path-vuln NSE Script
Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server CVE-2009-3733. The vulnerability was originally released by Justin Morehouse and Tony Flick, who presented at Shmoocon 2010 . Script Arguments slaxml.debug See the documentation for the slaxml library. http.host,...
snmp-win32-shares NSE Script
Attempts to enumerate Windows Shares through SNMP. Script Arguments creds.service, creds.global See the documentation for the creds library. snmp.version See the documentation for the snmp library. Example Usage nmap -sU -p 161 --script=snmp-win32-shares Script Output | snmp-win32-shares: | SYSVO...
snmp-win32-services NSE Script
Attempts to enumerate Windows services through SNMP. Script Arguments creds.service, creds.global See the documentation for the creds library. snmp.version See the documentation for the snmp library. Example Usage nmap -sU -p 161 --script=snmp-win32-services Script Output | snmp-win32-services: |...
snmp-win32-users NSE Script
Attempts to enumerate Windows user accounts through SNMP Script Arguments creds.service, creds.global See the documentation for the creds library. snmp.version See the documentation for the snmp library. Example Usage nmap -sU -p 161 --script=snmp-win32-users Script Output | snmp-win32-users: |...
snmp-win32-software NSE Script
Attempts to enumerate installed software through SNMP. Script Arguments snmp.version See the documentation for the snmp library. creds.service, creds.global See the documentation for the creds library. Example Usage nmap -sU -p 161 --script=snmp-win32-software Script Output | snmp-win32-software:...
snmp-processes NSE Script
Attempts to enumerate running processes through SNMP. Script Arguments creds.service, creds.global See the documentation for the creds library. snmp.version See the documentation for the snmp library. Example Usage nmap -sU -p 161 --script=snmp-processes Script Output | snmp-processes: | 1: | Nam...
snmp-netstat NSE Script
Attempts to query SNMP for a netstat like output. The script can be used to identify and automatically add new targets to the scan by supplying the newtargets script argument. Script Arguments max-newtargets, newtargets See the documentation for the target library. creds.service, creds.global See...
http-methods NSE Script
Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. It tests those methods not mentioned in the OPTIONS headers individually and sees if they are implemented. Any output other than 501/405 suggests that the method is if not in the...
mongodb-info NSE Script
Attempts to get build info and server status from a MongoDB database. Script Arguments mongodb-info.db Database to check. Default: admin mongodb.db See the documentation for the mongodb library. creds.service, creds.global See the documentation for the creds library. Example Usage nmap -p 27017...
mongodb-databases NSE Script
Attempts to get a list of tables from a MongoDB database. Script Arguments mongodb.db See the documentation for the mongodb library. creds.service, creds.global See the documentation for the creds library. Example Usage nmap -p 27017 --script mongodb-databases Script Output PORT STATE SERVICE...
lexmark-config NSE Script
Retrieves configuration information from a Lexmark S300-S400 printer. The Lexmark S302 responds to the NTPRequest version probe with its configuration. The response decodes as mDNS, so the request was modified to resemble an mDNS request as close as possible. However, the port 9100/udp is listed ...
db2-das-info NSE Script
Connects to the IBM DB2 Administration Server DAS on TCP or UDP port 523 and exports the server profile. No authentication is required for this request. The script will also set the port product and version if a version scan is requested. Example Usage nmap -sV Script Output PORT STATE SERVICE...
dns-zone-transfer NSE Script
Requests a zone transfer AXFR from a DNS server. The script sends an AXFR query to a DNS server. The domain to query is determined by examining the name given on the command line, the DNS server's hostname, or it can be specified with the dns-zone-transfer.domain script argument. If the query is...
mysql-variables NSE Script
Attempts to show all variables on a MySQL server. Script Arguments mysqluser The username to use for authentication. If unset it attempts to use credentials found by mysql-brute or mysql-empty-password. mysqlpass The password to use for authentication. If unset it attempts to use credentials foun...
mysql-brute NSE Script
Performs password guessing against MySQL. See also: mysql-empty-password.nse Script Arguments mysql-brute.timeout socket timeout for connecting to MySQL default 5s passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service,...
mysql-empty-password NSE Script
Checks for MySQL servers with an empty password for root or anonymous. See also: mysql-brute.nse Example Usage nmap -sV --script=mysql-empty-password Script Output 3306/tcp open mysql | mysql-empty-password: | anonymous account has empty password | root account has empty password Requires mysql...
mysql-users NSE Script
Attempts to list all users on a MySQL server. Script Arguments mysqluser The username to use for authentication. If unset it attempts to use credentials found by mysql-brute or mysql-empty-password. mysqlpass The password to use for authentication. If unset it attempts to use credentials found by...
mysql-databases NSE Script
Attempts to list all databases on a MySQL server. Script Arguments mysqluser The username to use for authentication. If unset it attempts to use credentials found by mysql-brute or mysql-empty-password. mysqlpass The password to use for authentication. If unset it attempts to use credentials foun...
daap-get-library NSE Script
Retrieves a list of music from a DAAP server. The list includes artist names and album and song titles. Output will be capped to 100 items if not otherwise specified in the daapitemlimit script argument. A daapitemlimit below zero outputs the complete contents of the DAAP library. Based on...
dns-service-discovery NSE Script
Attempts to discover target hosts' services using the DNS Service Discovery protocol. The script first sends a query for services.dns-sd.udp.local to get a list of services. It then sends a followup query for each one to try to get more information. Script Arguments max-newtargets, newtargets See...
afp-showmount NSE Script
Shows AFP shares and ACLs. Script Arguments afp.password, afp.username See the documentation for the afp library. Example Usage nmap -sV --script=afp-showmount Script Output PORT STATE SERVICE 548/tcp open afp | afp-showmount: | Yoda's Public Folder | Owner: Search,Read,Write | Group: Search,Read...
oracle-sid-brute NSE Script
Guesses Oracle instance/SID names against the TNS-listener. If the oraclesids script argument is not used to specify an alternate file, the default oracle-sids file will be used. License to use the oracle-sids file was granted by its author, Alexander Kornbrust . Script Arguments oraclesids A fil...
citrix-enum-apps-xml NSE Script
Extracts a list of applications, ACLs, and settings from the Citrix XML service. The script returns more output with higher verbosity. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline,...
citrix-enum-servers-xml NSE Script
Extracts the name of the server farm and member servers from Citrix XML service. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent See the documentatio...
citrix-brute-xml NSE Script
Attempts to guess valid credentials for the Citrix PN Web Agent XML Service. The XML service authenticates against the local Windows server or the Active Directory. This script makes no attempt of preventing account lockout. If the password list contains more passwords than the lockout-threshold...
citrix-enum-servers NSE Script
Extracts a list of Citrix servers from the ICA Browser service. Example Usage sudo ./nmap -sU --script=citrix-enum-servers -p 1604 Script Output PORT STATE SERVICE 1604/udp open unknown | citrix-enum-servers: | CITRIXSRV01 | CITRIXSRV02 Requires nmap shortport stdnse string table local nmap =...
citrix-enum-apps NSE Script
Extracts a list of published applications from the ICA Browser service. Example Usage sudo ./nmap -sU --script=citrix-enum-apps -p 1604 Script Output PORT STATE SERVICE 1604/udp open unknown 1604/udp open unknown | citrix-enum-apps: | Notepad | iexplorer | registry editor Requires nmap shortport...
ntp-info NSE Script
Gets the time and configuration variables from an NTP server. We send two requests: a time request and a "read variables" opcode 2 control message. Without verbosity, the script shows the time and the value of the version, processor, system, refid, and stratum variables. With verbosity, all...
nfs-showmount NSE Script
Shows NFS exports, like the showmount -e command. Script Arguments mount.version, nfs.version, rpc.protocol See the documentation for the rpc library. Example Usage nmap -sV --script=nfs-showmount Script Output PORT STATE SERVICE 111/tcp open rpcbind | nfs-showmount: | /home/storage/backup...
ssl-cert NSE Script
Retrieves a server's SSL certificate. The amount of information printed about the certificate depends on the verbosity level. With no extra verbosity, the script prints the validity period and the commonName, organizationName, stateOrProvinceName, and countryName of the subject. 443/tcp open http...
smb-psexec NSE Script
Implements remote process execution similar to the Sysinternals' psexec tool, allowing a user to run a series of programs on a remote machine and read the output. This is great for gathering information about servers, running the same tool on a range of system, or even installing a backdoor on a...
smb-enum-groups NSE Script
Obtains a list of groups from the remote Windows system, as well as a list of the group's users. This works similarly to enum.exe with the /G switch. The following MSRPC functions in SAMR are used to find a list of groups and the RIDs of their users. Keep in mind that MSRPC refers to groups as...
smbv2-enabled NSE Script
Checks whether or not a server is running the SMBv2 protocol. Script Arguments randomseed, smbbasic, smbport, smbsign See the documentation for the smb library. smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbauth library. Example Usage nmap...
http-malware-host NSE Script
Looks for signature of known server compromises. Currently, the only signature it looks for is the one discussed here: . This is done by requesting the page /ts/in.cgi?open2 and looking for an errant 302 it attempts to detect servers that always return 302. Thanks to Denis from the above link for...
dhcp-discover NSE Script
Sends a DHCPINFORM request to a host on UDP port 67 to obtain all the local configuration parameters without allocating a new address. DHCPINFORM is a DHCP request that returns useful information from a DHCP server, without allocating an IP address. The request sends a list of which fields it wan...
http-favicon NSE Script
Gets the favicon "favorites icon" from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed. If the script argument favicon.uri is given, that relative U...