607 matches found
http-enum NSE Script
Enumerates directories used by popular web applications and servers. This parses a fingerprint file that's similar in format to the Nikto Web application scanner. This script, however, takes it one step further by building in advanced pattern matching as well as having the ability to identify...
http-headers NSE Script
Performs a HEAD request for the root folder "/" of a web server and displays the HTTP headers returned. See also: http-security-headers.nse Script Arguments useget Set to force GET requests instead of HEAD. path The path to request, such as /index.php. Default /. slaxml.debug See the documentatio...
http-userdir-enum NSE Script
Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled. The Apache mod_userdir module allows user-specific directories to be accessed using the syntax. This script makes http requests in order to discover valid user-specific directories and infer...
x11-access NSE Script
Checks if you're allowed to connect to the X server. If the X server is listening on TCP port 6000+n where n is the display number, it is possible to check if you're able to get connected to the remote display by sending an X11 initial connection request. In reply, the success byte 0x00 or 0x01 wi...
pjl-ready-message NSE Script
Retrieves or sets the ready message on printers that support the Printer Job Language. This includes most PostScript printers that listen on port 9100. Without an argument, displays the current ready message. With the pjl_ready_message script argument, displays the old ready message and changes it...
http-date NSE Script
Gets the date from HTTP-like services. Also prints how much the date differs from local time. Local time is the time the HTTP request was sent, so the difference includes at least the duration of one RTT. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host,...
telnet-brute NSE Script
Performs brute-force password auditing against telnet servers. Script Arguments telnet-brute.autosize Whether to automatically reduce the thread count based on the behavior of the target default: "true" telnet-brute.timeout Connection time-out timespec default: "5s" passdb, unpwdb.passlimit,...
socks-open-proxy NSE Script
Checks if an open socks proxy is running on the target. The script attempts to connect to a proxy server and send socks4 and socks5 payloads. It is considered an open proxy if the script receives a Request Granted response from the target port. The payloads try to open a connection to...
smb-brute NSE Script
Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. Every attempt will be made to get a valid list of users and to verify each username before actually using them. When a username is discovered, besides being printed, it is also sav...
imap-capabilities NSE Script
Retrieves IMAP email server capabilities. IMAP4rev1 capabilities are defined in RFC 3501. The CAPABILITY command allows a client to ask a server what commands it supports and possibly any site-specific policy. Script Arguments smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See...
http-iis-webdav-vuln NSE Script
Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020. A list of well known folders (almost 900) is use...
p2p-conficker NSE Script
Checks if a host is infected with Conficker.C or higher, based on Conficker's peer to peer communication. When Conficker.C or higher infects a system, it opens four ports: two TCP and two UDP. The ports are random, but are seeded with the current week and the IP of the infected host. By determini...
snmp-brute NSE Script
Attempts to find an SNMP community string by brute force guessing. This script opens a sending socket and a sniffing pcap socket in parallel threads. The sending socket sends the SNMP probes with the community strings, while the pcap socket sniffs the network for an answer to the probes. If valid...
ftp-brute NSE Script
Performs brute force password auditing against FTP servers. Based on old ftp-brute.nse script by Diman Todorov, Vlatko Kosturjak and Ron Bowes. See also: ftp-anon.nse Script Arguments ftp-brute.timeout the amount of time to wait for a response on the socket. Lowering this value may result in a...
smb-enum-processes NSE Script
Pulls a list of processes from the remote server over SMB. This will determine all running processes, their process IDs, and their parent processes. It is done by querying the remote registry service, which is disabled by default on Vista; on all other Windows versions, it requires Administrator...
banner NSE Script
A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds. The banner will be truncated to fit into a single line, but an extra line may be printed for every increase in the level of verbosity requested on the command line...
auth-owners NSE Script
Attempts to find the owner of an open TCP port by querying an auth daemon which must also be open on the target system. The auth service, also known as identd, normally runs on port 113. Example Usage nmap -sV -sC Script Output 21/tcp open ftp ProFTPD 1.3.1 | auth-owners: nobody 22/tcp open ssh...
auth-spoof NSE Script
Checks for an identd auth server which is spoofing its replies. Tests whether an identd auth server responds with an answer before we even send the query. This sort of identd spoofing can be a sign of malware infection, though it can also be used for legitimate privacy reasons. Example Usage nmap...
http-passwd NSE Script
Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini. The script uses several techniques: Generic directory traversal by requesting paths like ../../../../etc/passwd. Known specific traversals of several web servers. Query string traversal...
smb-enum-shares NSE Script
Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names is checked. Finding open shares is useful to a penetration tester because there may ...
http-trace NSE Script
Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug is enabled, it returns the header fields that were modified in the response. Script Arguments http-trace.path Path to URI slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size,...
smb-enum-domains NSE Script
Attempts to enumerate domains on a system, along with their policies. This generally requires credentials, except against Windows 2000. In addition to the actual domain, the "Builtin" domain is generally displayed. Windows returns this in the list of domains, but its policies don't appear to be...
smtp-strangeport NSE Script
Checks if SMTP is running on a non-standard port. This may indicate that crackers or script kiddies have set up a backdoor on the system to send spam or control the machine. Example Usage nmap -sV --script=smtp-strangeport Script Output 22/tcp open smtp | smtp-strangeport: Mail server on unusual...
sslv2 NSE Script
Determines whether the server supports obsolete and less secure SSLv2, and discovers which ciphers it supports. Script Arguments mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username See...
upnp-info NSE Script
Attempts to extract system information from the UPnP service. Script Arguments upnp-info.override Controls whether we override the IP address information returned by the UPNP service for the location of the XML file that describes the device. Defaults to true for unicast hosts. slaxml.debug See t...
asn-query NSE Script
Maps IP addresses to autonomous system (AS) numbers. The script works by sending DNS TXT queries to a DNS server which in turn queries a third-party service provided by Team Cymru using an in-addr.arpa style zone set up especially for use by Nmap. The responses to these queries contain both Origin...
pptp-version NSE Script
Attempts to extract system information from the Point-to-Point Tunneling Protocol (PPTP) service. Example Usage nmap -sV Script Output PORT STATE SERVICE VERSION 1723/tcp open pptp YAMAHA Corporation Firmware: 32838 Service Info: Host: RT57i Requires comm nmap shortport string local comm = require...
smb-system-info NSE Script
Pulls back information about the remote system from the registry. Getting all of the information requires an administrative account, although a user account will still get a lot of it. Guest probably won't get any, nor will anonymous. This goes for all operating systems, including Windows 2000...
smb-server-stats NSE Script
Attempts to grab the server's statistics over SMB and MSRPC, which uses TCP ports 445 or 139. An administrator account is required to pull these statistics on most versions of Windows, and Vista and above require UAC to be turned down. Some of the numbers returned here don't feel right to me, but...
ftp-bounce NSE Script
Checks to see if an FTP server allows port scanning using the FTP bounce method. Script Arguments ftp-bounce.password Password to log in with. Default IEUser@. ftp-bounce.username Username to log in with. Default anonymous. ftp-bounce.checkhost Host to try connecting to with the PORT command...
daytime NSE Script
Retrieves the day and time from the Daytime service. Example Usage nmap -sV --script=daytime Script Output PORT STATE SERVICE 13/tcp open daytime |daytime: Wed Mar 31 14:48:58 MDT 2010 Requires comm shortport oops local comm = require "comm" local shortport = require "shortport" local oops =...
skypev2-version NSE Script
Detects the Skype version 2 service. Example Usage nmap -sV Script Output PORT STATE SERVICE VERSION 80/tcp open skype2 Skype Requires comm nmap shortport string local comm = require "comm" local nmap = require "nmap" local shortport = require "shortport" local string = require "string" local U =...
http-open-proxy NSE Script
Checks if an HTTP proxy is open. The script attempts to connect to www.google.com through the proxy and checks for a valid HTTP response code. Valid HTTP response codes are 200, 301, and 302. If the target is an open proxy, this script causes the target to retrieve a web page from www.google.com...
http-auth NSE Script
Retrieves the authentication scheme and realm of a web service that requires authentication. See also: http-auth-finder.nse http-brute.nse Script Arguments http-auth.path Define the request path slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size,...
smtp-commands NSE Script
Attempts to use EHLO and HELP to gather the Extended commands supported by an SMTP server. Script Arguments smtp.domain or smtp-commands.domain Define the domain to be used in the SMTP commands. smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbaut...
irc-info NSE Script
Gathers information from an IRC server. It uses STATS, LUSERS, and other queries to obtain this information. Example Usage nmap -sV -sC Script Output 6665/tcp open irc | irc-info: | server: asimov.freenode.net | version: ircd-seven-1.1.320111112-b71671d1e846,charybdis-3.4-dev. asimov.freenode.net...
dns-random-txid NSE Script
Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447). The script works by querying txidtest.dns-oarc.net see . Be aware that any targets against which this script is run will...
iax2-version NSE Script
Detects the UDP IAX2 service. The script sends an Inter-Asterisk eXchange (IAX) Revision 2 Control Frame POKE request and checks for a proper response. This protocol is used to enable VoIP connections between servers as well as client-server communication. Example Usage nmap -sU -sV -p 4569 Script...
mysql-info NSE Script
Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt. If service detection is performed and the server appears to be blocking our host or is blocked because of too many connections, then this script isn'...
smtp-open-relay NSE Script
Attempts to relay mail by issuing a predefined combination of SMTP commands. The goal of this script is to tell if an SMTP server is vulnerable to mail relaying. An SMTP server that works as an open relay is an email server that does not verify if the user is authorised to send email from the...
dns-recursion NSE Script
Checks if a DNS server allows queries for third-party names. It is expected that recursion will be enabled on your own internal nameservers. Example Usage nmap -sU -p 53 --script=dns-recursion Script Output PORT STATE SERVICE REASON 53/udp open domain udp-response |dns-recursion: Recursion appear...
ms-sql-info NSE Script
Attempts to determine configuration and version information for Microsoft SQL Server instances. SQL Server credentials required: No (will not benefit from mssql.username & mssql.password). Run criteria: Host script: Will always run. Port script: N/A NOTE: Unlike previous versions, this script will...
realvnc-auth-bypass NSE Script
Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369). See also: vnc-brute.nse vnc-title.nse Script Arguments vulns.short, vulns.showall See the documentation for the vulns library. Example Usage nmap -sV --script=realvnc-auth-bypass Script Output PORT STATE...
pop3-brute NSE Script
Tries to log into a POP3 account by guessing usernames and passwords. Script Arguments pop3loginmethod The login method to use: "USER" (default), "SASL-PLAIN", "SASL-LOGIN", "SASL-CRAM-MD5", or "APOP". Defaults to "USER". passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the...
sniffer-detect NSE Script
Checks if a target on a local Ethernet has its network card in promiscuous mode. The techniques used are described at . Example Usage nmap -sV --script=sniffer-detect Script Output Host script results: | sniffer-detect: Likely in promiscuous mode tests: "11111111" Requires nmap stdnse string tabl...
snmp-sysdescr NSE Script
Attempts to extract system information from an SNMP service. Script Arguments snmp.version See the documentation for the snmp library. creds.service, creds.global See the documentation for the creds library. Example Usage nmap -sU -p 161 --script snmp-sysdescr Script Output | snmp-sysdescr: HP...
smb-enum-users NSE Script
Attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different techniques both over MSRPC, which uses port 445 or 139; see smb.lua. The goal of this script is to discover all user accounts that exist on a remote system. This can be helpful...
ftp-anon NSE Script
Checks if an FTP server allows anonymous logins. If anonymous is allowed, gets a directory listing of the root directory and highlights writeable files. See also: ftp-brute.nse Script Arguments ftp-anon.maxlist The maximum number of files to return in the directory listing. By default it is 20, o...
sshv1 NSE Script
Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1. Example Usage nmap -sV -sC Script Output PORT STATE SERVICE 22/tcp open ssh |sshv1: Server supports SSHv1 Requires nmap shortport string local nmap = require "nmap" local shortport = require "shortport" local...
dns-random-srcport NSE Script
Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447). The script works by querying porttest.dns-oarc.net see . Be aware that any targets against which this script is run will be...