607 matches found
smb-vuln-cve2009-3103 NSE Script
Detects Microsoft Windows systems vulnerable to denial of service CVE-2009-3103. This script will crash the service if it is vulnerable. The script performs a denial-of-service against the vulnerability disclosed in CVE-2009-3103. This works against Windows Vista and some versions of Windows 7, a...
smb-vuln-ms08-067 NSE Script
Detects Microsoft Windows systems vulnerable to the remote code execution vulnerability known as MS08-067. This check is dangerous and it may crash systems. On a fairly wide scan conducted by Brandon Enright, we determined that on average, a vulnerable system is more likely to crash than to survi...
smb-vuln-conficker NSE Script
Detects Microsoft Windows systems infected by the Conficker worm. This check is dangerous and it may crash systems. Based loosely on the Simple Conficker Scanner, found here: -- This check was previously part of smb-check-vulns. Script Arguments smbdomain, smbhash, smbnoguest, smbpassword,...
smb-vuln-ms06-025 NSE Script
Detects Microsoft Windows systems with Ras RPC service vulnerable to MS06-025. MS06-025 targets the RasRpcSubmitRequest RPC method, which is part of the RASRPC interface that serves as an RPC service for configuring and getting information from the Remote Access and Routing service. RASRPC can be...
smb-vuln-regsvc-dos NSE Script
Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer dereference. This check will crash the service if it is vulnerable and requires a guest account or higher to work. The vulnerability was discovered by Ron Bowes while working on smb-enum-sessions...
knx-gateway-info NSE Script
Identifies a KNX gateway on UDP port 3671 by sending a KNX Description Request. Further information: DIN EN 13321-2 Example Usage nmap -sV -sC Requires nmap shortport ipOps stdnse string knx local nmap = require "nmap" local shortport = require "shortport" local ipOps = require "ipOps" local stdn...
knx-gateway-discover NSE Script
Discovers KNX gateways by sending a KNX Search Request to the multicast address 224.0.23.12 including a UDP payload with destination port 3671. KNX gateways will respond with a KNX Search Response including various information about the gateway, such as KNX address and supported services. Further...
http-ls NSE Script
Shows the content of an "index" Web page. TODO: - add support for more page formats Script Arguments http-ls.url base URL path to use default: / http-ls.checksum compute a checksum for each listed file. Requires OpenSSL. default: false slaxml.debug See the documentation for the slaxml library...
xmlrpc-methods NSE Script
Performs XMLRPC Introspection via the system.listMethods method. If the verbosity is 1 then the script fetches the response of system.methodHelp for each method returned by listMethods. Script Arguments xmlrpc-methods.url The URI path to request. slaxml.debug See the documentation for the slaxml...
http-fetch NSE Script
The script is used to fetch files from servers. The script supports three different use cases: The paths argument isn't provided, the script spiders the host and downloads files in their respective folders relative to the one provided using "destination". The paths argumenta single item or list i...
http-drupal-enum NSE Script
Enumerates the installed Drupal modules/themes by using a list of known modules and themes. The script works by iterating over module/theme names and requesting MODULEPATH/MODULENAME/LICENSE.txt for modules and THEMEPATH/THEMENAME/LICENSE.txt. MODULEPATH/THEMEPATH which is either provided by the...
http-svn-enum NSE Script
Enumerates users of a Subversion repository by examining logs of most recent commits. Script Arguments http-svn-enum.url This is a URL relative to the scanned host eg. /default.html default: /. http-svn-enum.count The number of logs to fetch. Defaults to the last 1000 commits. slaxml.debug See th...
http-svn-info NSE Script
Requests information from a Subversion repository. Script Arguments http-svn-info.url This is a URL relative to the scanned host eg. /default.html default: / slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline,...
http-cross-domain-policy NSE Script
Checks the cross-domain policy file /crossdomain.xml and the client-access-policy file /clientaccesspolicy.xml in web applications and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery attacks and may allow attackers to access sensitive data. This script is...
hnap-info NSE Script
Retrieves hardware details and configuration information utilizing HNAP, the "Home Network Administration Protocol". It is an HTTP-Simple Object Access Protocol SOAP-based protocol which allows for remote topology discovery, configuration, and management of devices routers, cameras, PCs, NAS, etc...
tor-consensus-checker NSE Script
Checks if a target is a known Tor node. The script works by querying the Tor directory authorities. Initially, the script stores all IPs of Tor nodes in a lookup table to reduce the number of requests and make lookups quicker. Script Arguments slaxml.debug See the documentation for the slaxml...
http-webdav-scan NSE Script
A script to detect WebDAV installations. Uses the OPTIONS and PROPFIND methods. The script sends an OPTIONS request which lists the dav type, server type, date and allowed methods. It then sends a PROPFIND request and tries to fetch exposed directories and internal ip addresses by doing pattern...
omron-info NSE Script
This NSE script is used to send a FINS packet to a remote device. The script will send a Controller Data Read Command and once a response is received, it validates that it was a proper response to the command that was sent, and then will parse out the data. Example Usage nmap --script omron-info...
http-vuln-misfortune-cookie NSE Script
Detects the RomPager 4.07 Misfortune Cookie vulnerability by safely exploiting it. See also: http-vuln-cve2013-6786.nse Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline,...
http-vuln-cve2015-1635 NSE Script
Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE-2015-1635). The script sends a specially crafted HTTP request with no impact on the system to detect this vulnerability. The affected versions are Windows 7, Windows Server 2008 R2, Windows 8, Windows...
http-vuln-cve2015-1427 NSE Script
This script attempts to detect a vulnerability, CVE-2015-1427, which allows attackers to leverage features of this API to gain unauthenticated remote code execution RCE. Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have a vulnerability in the Groovy scripting engine. The vulnerability allow...
http-wordpress-users NSE Script
Enumerates usernames in Wordpress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others. Original advisory: Script Arguments http-wordpress-users.out If set it saves the username list in this file...
http-shellshock NSE Script
Attempts to exploit the "shellshock" vulnerability CVE-2014-6271 and CVE-2014-7169 in web applications. To detect this vulnerability the script executes a command that prints a random string and then attempts to find it inside the response body. Web apps that don't print back information won't be...
snmp-info NSE Script
Extracts basic information from an SNMPv3 GET request. The same probe is used here as in the service version detection scan. Script Arguments snmp.version See the documentation for the snmp library. creds.service, creds.global See the documentation for the creds library. Example Usage nmap -sV...
targets-ipv6-wordlist NSE Script
Adds IPv6 addresses to the scan queue using a wordlist of hexadecimal "words" that form addresses in a given subnet. Script Arguments targets-ipv6-wordlist.nsegments Number User can indicate exactly how big the word must be on Segments of 16 bits. targets-ipv6-wordlist.fillright With this argumen...
targets-ipv6-map4to6 NSE Script
This script runs in the pre-scanning phase to map IPv4 addresses onto IPv6 networks and add them to the scan queue. The technique is more general than what is technically termed "IPv4-mapped IPv6 addresses." The lower 4 bytes of the IPv6 network address are replaced with the 4 bytes of IPv4...
ssl-poodle NSE Script
Checks whether SSLv3 CBC ciphers are allowed (POODLE). Run with -sV to use Nmap's service scan to detect SSL/TLS on non-standard ports. Otherwise, ssl-poodle will only run on ports that are commonly used for SSL. POODLE is CVE-2014-3566. All implementations of SSLv3 that accept CBC ciphersuites are...
http-avaya-ipoffice-users NSE Script
Attempts to enumerate users in Avaya IP Office systems 7.x. Avaya IP Office systems allow unauthenticated access to the URI '/system/user/scnuserlist' which returns an XML file containing user information such as display name, full name and extension number. Tested on Avaya IP Office 7.027. Script...
docker-version NSE Script
Detects the Docker service version. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent See the documentation for the http library. smbdomain, smbhash,...
supermicro-ipmi-conf NSE Script
Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro Onboard IPMI controllers. The script connects to port 49152 and issues a request for "/PSBlock" to download the file. This configuration file contains users with their passwords ...
ssh-auth-methods NSE Script
Returns authentication methods that an SSH server supports. This is in the "intrusive" category because it starts an authentication with a username which may be invalid. The abandoned connection will likely be logged. Example Usage nmap -p 22 --script ssh-auth-methods --script-args="ssh.user="...
ssh-brute NSE Script
Performs brute-force password guessing against ssh servers. Script Arguments ssh-brute.timeout Connection timeout default: "5s" brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique,...
fcrdns NSE Script
Performs a Forward-confirmed Reverse DNS lookup and reports anomalous results. References: Example Usage nmap -sn -Pn --script fcrdns Script Output Host script results: |fcrdns: FAIL 12.19.29.17, 12.19.20.14, 23.10.13.25 Host script results: |fcrdns: PASS 37.58.100.86-static.reverse.softlayer.com...
mikrotik-routeros-brute NSE Script
Performs brute force password auditing against Mikrotik RouterOS devices with the API RouterOS interface enabled. Additional information: Script Arguments mikrotik-routeros-brute.threads sets the number of threads. Default: 1 brute.credfile, brute.delay, brute.emptypass, brute.firstonly,...
s7-info NSE Script
Enumerates Siemens S7 PLC devices and collects their device information. This script is based on PLCScan, which was developed by Positive Research and Scadastrangelove. This script is meant to provide the same functionality as PLCScan inside of Nmap. Some of the information that is collected by...
ssl-ccs-injection NSE Script
Detects whether a server is vulnerable to the SSL/TLS "CCS Injection" vulnerability CVE-2014-0224, first discovered by Masashi Kikuchi. The script is based on the ccsinjection.c code authored by Ramon de C Valle. In order to exploit the vulnerability, a MITM attacker would effectively do the...
bacnet-info NSE Script
Discovers and enumerates BACNet devices and collects device information based on standard requests. In some cases, devices may not strictly follow the specifications, or may comply with older versions of the specifications, and will result in a BACNET error response. Presence of this error positivel...
http-cisco-anyconnect NSE Script
Connects as a Cisco AnyConnect client to a Cisco SSL VPN and retrieves version and tunnel information. Script Arguments slaxml.debug See the documentation for the slaxml library. smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbauth library...
http-vuln-cve2014-2129 NSE Script
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SIP Denial of Service Vulnerability CVE-2014-2129. See also: http-vuln-cve2014-2126.nse http-vuln-cve2014-2127.nse http-vuln-cve2014-2128.nse Script Arguments tls.servername See the documentation for the tls library...
http-vuln-cve2014-2128 NSE Script
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability CVE-2014-2128. See also: http-vuln-cve2014-2126.nse http-vuln-cve2014-2127.nse http-vuln-cve2014-2129.nse Script Arguments tls.servername See the documentation for the tls library...
http-vuln-cve2014-2127 NSE Script
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Privilege Escalation Vulnerability CVE-2014-2127. See also: http-vuln-cve2014-2126.nse http-vuln-cve2014-2128.nse http-vuln-cve2014-2129.nse Script Arguments tls.servername See the documentation for the tls library...
http-vuln-cve2014-2126 NSE Script
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA ASDM Privilege Escalation Vulnerability CVE-2014-2126. See also: http-vuln-cve2014-2127.nse http-vuln-cve2014-2128.nse http-vuln-cve2014-2129.nse Script Arguments tls.servername See the documentation for the tls library...
enip-info NSE Script
This NSE script is used to send an EtherNet/IP packet to a remote device that has TCP 44818 open. The script will send a Request Identity Packet and once a response is received, it validates that it was a proper response to the command that was sent, and then will parse out the data. Information...
http-vuln-wnr1000-creds NSE Script
A vulnerability has been discovered in WNR 1000 series that allows an attacker to retrieve administrator credentials with the router interface. Tested On Firmware Versions: V1.0.2.6060.0.86 Latest and V1.0.2.5460.0.82NA Vulnerability discovered by c1ph04. Script Arguments...
http-vuln-cve2013-7091 NSE Script
A 0-day was released on the 6th December 2013 by rubina119, and was patched in Zimbra 7.2.6. The vulnerability is a local file inclusion that can retrieve any file from the server. Currently, we read /etc/passwd and /dev/null, and compare the lengths to determine vulnerability. TODO: Add the...
http-vuln-cve2006-3392 NSE Script
Exploits a file disclosure vulnerability in Webmin CVE-2006-3392 Webmin before 1.290 and Usermin before 1.220 calls the simplifypath function before decoding HTML. This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences to bypass the removal of "../"...
ssl-heartbleed NSE Script
Detects whether a server is vulnerable to the OpenSSL Heartbleed bug CVE-2014-0160. The code is based on the Python script ssltest.py authored by Katie Stafford. Script Arguments ssl-heartbleed.protocols default tries all TLS 1.0, TLS 1.1, or TLS 1.2 tls.servername See the...
quake1-info NSE Script
Extracts information from Quake game servers and other game servers which use the same protocol. Quake uses UDP packets, which because of source spoofing can be used to amplify a denial-of-service attack. For each request, the script reports the payload amplification as a ratio. The format used i...
http-ntlm-info NSE Script
This script enumerates information from remote HTTP services with NTLM authentication enabled. By sending an HTTP NTLM authentication request with null domain and user credentials passed in the 'Authorization' header, the remote service will respond with an NTLMSSP message encoded within the...
sstp-discover NSE Script
Check if the Secure Socket Tunneling Protocol is supported. This is accomplished by trying to establish the HTTPS layer which is used to carry SSTP traffic as described in: - Current SSTP server implementations: - Microsoft Windows Server 2008/Server 2012 - MikroTik RouterOS - SEIL Example...