http-cookie-flags NSE Script
Examines cookies set by HTTP services. Reports any session cookies set without the httponly flag. Reports any session cookies set over SSL without the secure flag. If http-enum.nse is also run, any interesting paths found by it will be checked in addition to the root. See also: http-enum.nse...
tls-ticketbleed NSE Script
Detects whether a server is vulnerable to the F5 Ticketbleed bug CVE-2016-9244. For additional information: Script Arguments tls-ticketbleed.protocols default tries all TLSv1.0, TLSv1.1, or TLSv1.2 tls.servername See the documentation for the tls library. smbdomain, smbhash, smbnoguest,...
http-hsts-verify NSE Script
Verify that HTTP Strict Transport Security is enabled. HTTP Strict-Transport-Security HSTS RFC 6797 forces a web browser to communicate with a web server over HTTPS. This script examines HTTP Response Headers to determine whether HSTS is configured. References:...
ip-geolocation-map-kml NSE Script
This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and produces a KML file of points representing the targets. See also: ip-geolocation-geoplugin.nse ip-geolocation-ipinfodb.nse ip-geolocation-map-bing.nse ip-geolocation-map-google.nse...
ip-geolocation-map-google NSE Script
This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and renders a Google Map of markers representing the targets. Additional information for the Google Static Maps API can be found at: - See also: ip-geolocation-geoplugin.nse...
ip-geolocation-map-bing NSE Script
This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and renders a Bing Map of markers representing the targets. The Bing Maps REST API has a limit of 100 markers, so if more coordinates are found, only the top 100 markers by number of IP...
cics-user-enum NSE Script
CICS User ID enumeration script for the CESL/CESN Login screen. Script Arguments cics-user-enum.commands Commands in a semi-colon separated list needed to access CICS. Defaults to CICS. idlist Path to list of transaction IDs. Defaults to the list of CICS transactions from IBM...
cics-enum NSE Script
CICS transaction ID enumerator for IBM mainframes. This script is based on mainframebrute by Dominic White . However, this script doesn't rely on any third party libraries or tools and instead uses the NSE TN3270 library which emulates a TN3270 screen in lua. CICS only allows for 4 byte transacti...
tso-brute NSE Script
TSO account brute forcer. This script relies on the NSE TN3270 library which emulates a TN3270 screen for NMAP. TSO user IDs have the following rules: - it cannot begin with a number - only contains alpha-numeric characters and @, , $. - it cannot be longer than 7 chars Script Arguments...
tso-enum NSE Script
TSO User ID enumerator for IBM mainframes z/OS. The TSO logon panel tells you when a user ID is valid or invalid with the message: IKJ56420I Userid not authorized to use TSO. The TSO logon process can work in two ways: 1 You get prompted with IKJ56700A ENTER USERID - to which you reply with the...
vtam-enum NSE Script
Many mainframes use VTAM screens to connect to various applications CICS, IMS, TSO, and many more. This script attempts to brute force those VTAM application IDs. This script is based on mainframebrute by Dominic White . However, this script doesn't rely on any third party libraries or tools and...
nje-pass-brute NSE Script
z/OS JES Network Job Entry NJE 'I record' password brute forcer. After successfully negotiating an OPEN connection request, NJE requires sending, what IBM calls, an 'I record'. This initialization record may sometimes require a password. This script, provided with a valid OHOST/RHOST for the NJE...
tn3270-screen NSE Script
Connects to a tn3270 'server' and returns the screen. Hidden fields will be listed below the screen with row, col coordinates. Script Arguments tn3270-screen.commands a semi-colon separated list of commands you want to issue before printing the screen tn3270-screen.lu specify a logical unit you...
ssl-cert-intaddr NSE Script
Reports any private RFC1918 IPv4 addresses found in the various fields of an SSL service's certificate. These will only be reported if the target address itself is not private. Nmap v7.30 or later is required. See also: http-internal-ip-disclosure.nse ssl-cert.nse Script Arguments tls.servername...
fingerprint-strings NSE Script
Prints the readable strings from service fingerprints of unknown services. Nmap's service and application version detection engine sends named probes to target services and tries to identify them based on the response. When there is no match, Nmap produces a service fingerprint for submission...
coap-resources NSE Script
Dumps list of available resources from CoAP endpoints. This script establishes a connection to a CoAP endpoint and performs a GET request on a resource. The default resource for our request is code/.well-known/core/core, which should contain a list of resources provided by the endpoint. For...
ipmi-version NSE Script
Performs IPMI Information Discovery through Channel Auth probes. Example Usage nmap -sU --script ipmi-version -p 623 Script Output PORT STATE SERVICE REASON 623/udp open|filtered unknown | ipmi-version: | Version: IPMI-2.0 | UserAuth: password, md5, md2 | PassAuth: nulluser | Level: 1.2,2.0...
ipmi-cipher-zero NSE Script
IPMI 2.0 Cipher Zero Authentication Bypass Scanner. This module identifies IPMI 2.0 compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero. Script Arguments vulns.short, vulns.showall See the documentation for the vulns library. Example Usa...
ipmi-brute NSE Script
Performs brute force password auditing against IPMI RPC server. Script Arguments brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass See the documentation for the brute...
mqtt-subscribe NSE Script
Dumps message traffic from MQTT brokers. This script establishes a connection to an MQTT broker and subscribes to the requested topics. The default topics have been chosen to receive system information and all messages from other clients. This allows Nmap to listen to all messages being publishe...
fox-info NSE Script
Tridium Niagara Fox is a protocol used within Building Automation Systems. Based on Billy Rios and Terry McCorkle's work, this Nmap NSE script will collect information from a Tridium Niagara system. Example Usage nmap --script fox-info.nse -p 1911 Script Output 1911/tcp open Niagara Fox | fox-info: |...
pcworx-info NSE Script
This NSE script will query a remote PLC and parse the pcworx protocol response. The script will send initial request packets and, once a response is received, it validates that it was a proper response to the command that was sent, and then will parse out the data. PCWorx is a protocol and Program by...
oracle-tns-version NSE Script
Decodes the VSNNUM version number from an Oracle TNS listener. Example Usage nmap -sV Requires shortport nmap comm stdnse string description = Decodes the VSNNUM version number from an Oracle TNS listener. local shortport = require "shortport" local nmap = require "nmap" local comm = require "com...
clock-skew NSE Script
Analyzes the clock skew between the scanner and various services that report timestamps. At the end of the scan, it will show groups of systems that have similar median clock skew among their services. This can be used to identify targets with similar configurations, such as those that share a...
sslv2-drown NSE Script
Determines whether the server supports SSLv2, what ciphers it supports and tests for CVE-2015-3197, CVE-2016-0703 and CVE-2016-0800 DROWN Script Arguments tls.servername See the documentation for the tls library. smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the...
http-mcmp NSE Script
Checks if the webserver allows modcluster management protocol MCMP methods. The script sends a MCMP PING message to determine protocol support, then issues the DUMP command to dump the current configuration seen by modclustermanager. References: Script Arguments slaxml.debug See the documentation...
clamav-exec NSE Script
Exploits ClamAV servers vulnerable to unauthenticated clamav command execution. ClamAV server 0.99.2, and possibly other previous versions, allow the execution of dangerous service commands without authentication. Specifically, the command 'SCAN' may be used to list system files and the command...
http-aspnet-debug NSE Script
Determines if an ASP.NET application has debugging enabled using an HTTP DEBUG request. The HTTP DEBUG verb is used within ASP.NET applications to start/stop remote debugging sessions. The script sends a 'stop-debug' command to determine the application's current configuration state but access to R...
http-internal-ip-disclosure NSE Script
Determines if the web server leaks its internal IP address when sending an HTTP/1.0 request without a Host header. Some misconfigured web servers leak their internal IP address in the response headers when returning a redirect response. This is a known issue for some versions of Microsoft IIS, bu...
vnc-title NSE Script
Tries to log into a VNC server and get its desktop name. Uses credentials discovered by vnc-brute, or None authentication types. If realvnc-auth-bypass was run and returned VULNERABLE, this script will use that vulnerability to bypass authentication. See also: vnc-brute.nse realvnc-auth-bypass.ns...
shodan-api NSE Script
Queries Shodan API for given targets and produces similar output to a -sV nmap scan. The ShodanAPI key can be set with the 'apikey' script argument, or hardcoded in the .nse file itself. You can get a free key from N.B if you want this script to run completely passively make sure to include the -...
rusers NSE Script
Connects to rusersd RPC service and retrieves a list of logged-in users. Script Arguments mount.version, nfs.version, rpc.protocol See the documentation for the rpc library. Example Usage nmap -sV --script=rusers Script Output | USER ON FROM SINCE IDLE | LOGIN console 2015-11-08T12:03:50 8h55m58s...
http-apache-server-status NSE Script
Attempts to retrieve the server-status page for Apache webservers that have modstatus enabled. If the server-status page exists and appears to be from modstatus the script will parse useful information such as the system uptime, Apache version and recent HTTP requests. References: Script Argument...
ms-sql-ntlm-info NSE Script
This script enumerates information from remote Microsoft SQL services with NTLM authentication enabled. Sending a MS-TDS NTLM authentication request with an invalid domain and null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIO...
nntp-ntlm-info NSE Script
This script enumerates information from remote NNTP services with NTLM authentication enabled. Sending an MS-NNTP NTLM authentication request with null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version...
pop3-ntlm-info NSE Script
This script enumerates information from remote POP3 services with NTLM authentication enabled. Sending a POP3 NTLM authentication request with null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version...
telnet-ntlm-info NSE Script
This script enumerates information from remote Microsoft Telnet services with NTLM authentication enabled. Sending a MS-TNAP NTLM authentication request with null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIOS, DNS, and OS bui...
smtp-ntlm-info NSE Script
This script enumerates information from remote SMTP services with NTLM authentication enabled. Sending a SMTP NTLM authentication request with null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version...
imap-ntlm-info NSE Script
This script enumerates information from remote IMAP services with NTLM authentication enabled. Sending an IMAP NTLM authentication request with null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version...
http-vuln-cve2013-6786 NSE Script
Detects a URL redirection and reflected XSS vulnerability in Allegro RomPager Web server. The vulnerability has been assigned CVE-2013-6786. The check is general enough script tag injection via Referer header that some other software may be vulnerable in the same way. See also:...
ipv6-multicast-mld-list NSE Script
Uses Multicast Listener Discovery to list the multicast addresses subscribed to by IPv6 multicast listeners on the link-local scope. Addresses in the IANA IPv6 Multicast Address Space Registry have their descriptions listed. Script Arguments ipv6-multicast-mld-list.timeout timeout to wait for...
http-vuln-cve2014-3704 NSE Script
Exploits CVE-2014-3704 also known as 'Drupageddon' in Drupal. Versions 7.32 of Drupal core are known to be affected. Vulnerability allows remote attackers to conduct SQL injection attacks via an array containing crafted keys. The script injects new Drupal administrator user via login form and the...
targets-xml NSE Script
Loads addresses from an Nmap XML output file for scanning. Address type IPv4 or IPv6 is determined according to whether -6 is specified to nmap. Script Arguments targets-xml.iX Filename of an Nmap XML file to import targets-xml.state Only hosts with this status will have their addresses input...
ssl-dh-params NSE Script
Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services. This script simulates SSL/TLS handshakes using ciphersuites that have ephemeral Diffie-Hellman as the key exchange algorithm. Diffie-Hellman MODP group parameters are extracted and analyzed for vulnerability to Logjam CVE...
nje-node-brute NSE Script
z/OS JES Network Job Entry NJE target node name brute force. NJE node communication is made up of an OHOST and an RHOST. Both fields must be present when conducting the handshake. This script attempts to determine the target system's NJE node name. To initiate NJE the client sends a 33 byte record...
broadcast-sonicwall-discover NSE Script
Discovers Sonicwall firewalls which are directly attached (not routed) using the same method as the manufacturer's own 'SetupTool'. An interface needs to be configured, as the script broadcasts a UDP packet. The script needs to be run as a privileged user, typically root. References: Script Argument...
http-vuln-cve2014-8877 NSE Script
Exploits a remote code injection vulnerability CVE-2014-8877 in Wordpress CM Download Manager plugin. Versions = 2.0.0 are known to be affected. CM Download Manager plugin does not correctly sanitise the user input which allows remote attackers to execute arbitrary PHP code via the CMDsearch...
ssl-enum-ciphers NSE Script
This script repeatedly initiates SSLv3/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphersuites and compressors that a server accepts. Each ciphersuite is shown with a letter grade A through...
ip-https-discover NSE Script
Checks if the IP over HTTPS IP-HTTPS Tunneling Protocol 1 is supported. IP-HTTPS sends Teredo related IPv6 packets over an IPv4-based HTTPS session. This indicates that Microsoft DirectAccess 2, which allows remote clients to access intranet resources on a domain basis, is supported. Windows...
smb-vuln-ms07-029 NSE Script
Detects Microsoft Windows systems with Dns Server RPC vulnerable to MS07-029. MS07-029 targets the RDnssrvQuery and RDnssrvQuery2 RPC methods, which are a part of the DNS Server RPC interface that serves as an RPC service for configuring and getting information from the DNS Server service. DNS Server RPC...