607 matches found
jdwp-inject NSE Script
Attempts to exploit Java's remote debugging port. When the remote debugging port is left open, it is possible to inject Java bytecode and achieve remote code execution. This script allows injection of arbitrary class files. After injection, the class's run method is executed. Method run has no parameters,...
broadcast-bjnp-discover NSE Script
Attempts to discover Canon devices Printers/Scanners supporting the BJNP protocol by sending BJNP Discover requests to the network broadcast address for both ports associated with the protocol. The script then attempts to retrieve the model, version and some additional information for all...
bjnp-discover NSE Script
Retrieves printer or scanner information from a remote device supporting the BJNP protocol. The protocol is known to be supported by network based Canon devices. Example Usage sudo nmap -sU -p 8611,8612 --script bjnp-discover Script Output PORT STATE SERVICE 8611/udp open canon-bjnp1 |...
smb-print-text NSE Script
Attempts to print text on a shared printer by calling Print Spooler Service RPC functions. In order to use the script, at least one printer needs to be shared over SMB. If no printer is specified, the script tries to enumerate existing ones by calling the LANMAN API, which might not always be available...
mrinfo NSE Script
Queries targets for multicast routing information. This works by sending a DVMRP Ask Neighbors 2 request to the target and listening for DVMRP Neighbors 2 responses that are sent back and which contain local addresses and the multicast neighbors on each interface of the target. If no specific...
ssl-date NSE Script
Retrieves a target host's time and date from its TLS ServerHello response. In many TLS implementations, the first four bytes of server randomness are a Unix timestamp. The script will test whether this is indeed true and report the time only if it passes this test. Original idea by Jacob Appelbau...
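The check described above, as an added example that is not the script's own code: build a minimal TLS 1.2 ServerHello record (constructed sample data, not a capture), pull the 32-byte server random out of it, and treat its first four bytes as a clock only if two samples taken a known number of seconds apart advance by about that much. A genuinely random field will not pass that consistency check, and neither will a server that fills the whole field with random bytes, which TLS 1.3 mandates and many TLS 1.2 stacks already do, so "no time reported" is the expected result for most modern servers.

```python
import struct
from datetime import datetime, timezone


def build_server_hello(first_four: bytes, rest: bytes = b"\x5a" * 28) -> bytes:
    """Constructed TLS 1.2 record carrying a minimal ServerHello (example data)."""
    random_bytes = first_four + rest                  # 32-byte server random
    body = (
        b"\x03\x03"            # server_version: TLS 1.2
        + random_bytes
        + b"\x00"              # session_id length 0
        + b"\xc0\x2f"          # cipher_suite: ECDHE-RSA-AES128-GCM-SHA256
        + b"\x00"              # compression_method: null
    )
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = server_hello
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake


def server_random(record: bytes) -> bytes:
    """Return the 32-byte random from a TLS handshake record holding a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) < 2 + 32:
        raise ValueError("truncated ServerHello")
    return body[2:34]          # skip the 2-byte version field


def random_to_timestamp(rnd: bytes) -> int:
    """Interpret the first four bytes of the random as big-endian gmt_unix_time."""
    return struct.unpack(">I", rnd[:4])[0]


def clock_from_samples(rec_a: bytes, rec_b: bytes, delay_s: int, tolerance_s: int = 3):
    """Accept the 'timestamp' only if it advanced by roughly the wall time between
    the two handshakes; otherwise assume the field is random and return None."""
    ta = random_to_timestamp(server_random(rec_a))
    tb = random_to_timestamp(server_random(rec_b))
    if abs((tb - ta) - delay_s) > tolerance_s:
        return None
    return datetime.fromtimestamp(tb, timezone.utc)


if __name__ == "__main__":
    # Server whose random really starts with its clock, sampled 5 s apart.
    a = build_server_hello(struct.pack(">I", 1700000000))
    b = build_server_hello(struct.pack(">I", 1700000005))
    print("clock server:", clock_from_samples(a, b, 5))
    # Server that randomizes the whole field (TLS 1.3 behaviour).
    c = build_server_hello(b"\xde\xad\xbe\xef")
    d = build_server_hello(b"\x01\x02\x03\x04")
    print("random server:", clock_from_samples(c, d, 5))
```

Against a live host the same functions apply to the ServerHello bytes read back after sending a ClientHello on the target port; the tolerance absorbs handshake latency and one-second rounding, and the remaining skew between the reported time and your own clock is the interesting output for a real time-disclosure check.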
smb-vuln-ms10-061 NSE Script
Tests whether target machines are vulnerable to ms10-061 Printer Spooler impersonation vulnerability. This vulnerability was used in Stuxnet worm. The script checks for the vuln in a safe way without a possibility of crashing the remote system as this is not a memory corruption vulnerability. In...
http-exif-spider NSE Script
Spiders a site's images looking for interesting exif data embedded in .jpg files. Displays the make and model of the camera, the date the photo was taken, and the embedded geotag information. Script Arguments http-exif-spider.url the url to start spidering. This is a URL relative to the scanned...
smb-vuln-ms10-054 NSE Script
Tests whether target machines are vulnerable to the ms10-054 SMB remote memory corruption vulnerability. The vulnerable machine will crash with BSOD. The script requires at least READ access right to a share on a remote machine. Either with guest credentials or with specified username/password...
rdp-enum-encryption NSE Script
Determines which Security layer and Encryption level is supported by the RDP service. It does so by cycling through all existing protocols and ciphers. When run in debug mode, the script also returns the protocols and ciphers that fail and any errors that were reported. The script was inspired by...
flume-master-info NSE Script
Retrieves information from Flume master HTTP pages. Information gathered: Flume version Flume server id Zookeeper/Hbase master servers present in configured flows Java information OS information various other local configurations. If this script is run with -v, it will output lots more info. Use t...
http-git NSE Script
Checks for a Git repository found in a website's document root /.git/something and retrieves as much repo information as possible, including language/framework, remotes, last commit message, and repository description. Script Arguments http-git.root URL path to search for a .git directory. Defaul...
http-slowloris NSE Script
Tests a web server for vulnerability to the Slowloris DoS attack by launching a Slowloris attack. Slowloris was described at Defcon 17 by RSnake. This script opens and maintains numerous 'half-HTTP' connections until the server runs out of resources, leading to a denial of service. When a...
ms-sql-dac NSE Script
Queries the Microsoft SQL Browser service for the DAC (Dedicated Admin Connection) port of a given or all SQL Server instances. The DAC port is used to connect to the database instance when normal connection attempts fail, for example, when the server is hanging, out of memory or in other bad states. In...
irc-sasl-brute NSE Script
Performs brute force password auditing against IRC Internet Relay Chat servers supporting SASL authentication. Script Arguments irc-sasl-brute.threads the number of threads to use while brute-forcing. Defaults to 2. passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the...
sip-methods NSE Script
Enumerates a SIP Server's allowed methods INVITE, OPTIONS, SUBSCRIBE, etc. The script works by sending an OPTIONS request to the server and checking the value of the Allow header in the response. Script Arguments sip.timeout See the documentation for the sip library. Example Usage nmap...
sip-call-spoof NSE Script
Spoofs a call to a SIP phone and detects the action taken by the target busy, declined, hung up, etc. This works by sending a fake sip invite request to the target phone and checking the responses. A response with status code 180 means that the phone is ringing. The script waits for the next...
metasploit-info NSE Script
Gathers info from the Metasploit rpc service. It requires a valid login pair. After authentication it tries to determine the Metasploit version and deduce the OS type. Then it creates a new console and executes a few commands to get additional info. References: Metasploit RPC API Guide See also:...
tls-nextprotoneg NSE Script
Enumerates a TLS server's supported protocols by using the next protocol negotiation extension. This works by adding the next protocol negotiation extension in the client hello packet and parsing the returned server hello's NPN extension data. Script Arguments...
http-phpself-xss NSE Script
Crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable $_SERVER["PHP_SELF"]. This script crawls the webserver to create a list of PHP files and then sends an attack vector/probe to identify PHP_SELF cross site scripting vulnerabilities. PHP_SELF...
http-tplink-dir-traversal NSE Script
Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication. This vulnerability was confirmed in models WR740N, WR740ND and WR2543ND but...
http-sitemap-generator NSE Script
Spiders a web server and displays its directory structure along with number and types of files in each folder. Note that files listed as having an 'Other' extension are ones that have no extension or that are a root document. Script Arguments http-sitemap-generator.withindomain only spider URLs...
metasploit-msgrpc-brute NSE Script
Performs brute force username and password auditing against Metasploit msgrpc interface. Script Arguments creds.service, creds.global See the documentation for the creds library. smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbauth library. passd...
firewall-bypass NSE Script
Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip. The script works by spoofing a packet from the target server asking for opening a related connection to a target port which will be fulfilled by the firewall...
mcafee-epo-agent NSE Script
Check if ePO agent is running on port 8081 or port identified as ePO Agent port. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent See the documentatio...
http-sql-injection NSE Script
Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. It also extracts forms from found websites and tries to identify fields that are vulnerable. The script spiders an HTTP server looking for URLs containing queries. It then proceeds to combine crafted...
pcanywhere-brute NSE Script
Performs brute force password auditing against the pcAnywhere remote access protocol. Due to certain limitations of the protocol, bruteforcing is limited to a single thread at a time. After a valid login pair is guessed, the script waits some time until the server becomes available again. Script Argumen...
http-rfi-spider NSE Script
Crawls webservers in search of RFI remote file inclusion vulnerabilities. It tests every form field it finds and every parameter of a URL containing a query. Script Arguments http-rfi-spider.withinhost only spider URLs within the same host. default: true http-rfi-spider.url the url to start...
mysql-vuln-cve2012-2122 NSE Script
Attempts to bypass authentication in MySQL and MariaDB servers by exploiting CVE-2012-2122. If it is vulnerable, it will also attempt to dump the MySQL usernames and password hashes. All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable but exploitation depends on whether...
http-waf-fingerprint NSE Script
Tries to detect the presence of a web application firewall and its type and version. This works by sending a number of requests and looking in the responses for known behavior and fingerprints such as Server header, cookies and headers values. Intensive mode works by sending additional WAF specif...
http-form-fuzzer NSE Script
Performs a simple form fuzzing against forms found on websites. Tries strings and numbers of increasing length and attempts to determine if the fuzzing was successful. Script Arguments http-form-fuzzer.minlength the minimum length of a string that will be used for fuzzing, defaults to 300000...
dns-nsec3-enum NSE Script
Tries to enumerate domain names from a DNS server that supports DNSSEC NSEC3 records. The script queries for nonexistent domains until it exhausts all domain ranges, keeping track of hashes. At the end, all hashes are printed along with the salt and number of iterations used. This technique is known...
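The hashing and range bookkeeping the script relies on, as an added example (not the script's own code): NSEC3 hashes the owner name in lowercase wire format with the zone's salt, re-hashes the result the configured number of times, and encodes the 20-byte SHA-1 output in base32hex (RFC 5155). Every NSEC3 record returned for a nonexistent name reveals an owner hash and the next hash in the chain, so the gap between them is a proven-empty range. The helper below computes the hash, records those gaps, reports how much of the hash space has been covered (the "exhausts all domain ranges" stopping condition), and classifies a candidate name against what has been collected. The interval data in the demo is constructed; the hash test vector is the `example` zone from RFC 5155 Appendix A (salt aabbccdd, 12 iterations).

```python
import base64
import hashlib

# base32hex (RFC 4648 "Extended Hex") differs from standard base32 only in its alphabet.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = bytes.maketrans(_B32_STD, _B32_HEX)
HASH_SPACE = 1 << 160          # SHA-1 output space


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format name: length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt); output base32hex, lowercase."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).translate(_TO_HEX).decode("ascii").lower()


def hash_to_int(h: str) -> int:
    # base32hex lowercase is exactly Python's digit set for int(..., 32)
    return int(h, 32)


class Nsec3Chain:
    """Collects (owner, next) hash pairs from NSEC3 answers and tracks coverage."""

    def __init__(self, salt: bytes, iterations: int):
        self.salt, self.iterations = salt, iterations
        self.intervals = {}            # owner hash -> next hash

    def add(self, owner_hash: str, next_hash: str) -> None:
        self.intervals[owner_hash.lower()] = next_hash.lower()

    def covered_fraction(self) -> float:
        total = 0
        for owner, nxt in self.intervals.items():
            a, b = hash_to_int(owner), hash_to_int(nxt)
            # modulo handles the last record, whose 'next' wraps to the smallest hash
            total += HASH_SPACE if a == b else (b - a) % HASH_SPACE
        return min(total / HASH_SPACE, 1.0)

    def classify(self, name: str) -> str:
        """'exists', 'nonexistent' (hash falls in a collected gap) or 'unknown'."""
        h = nsec3_hash(name, self.salt, self.iterations)
        if h in self.intervals:
            return "exists"
        hi = hash_to_int(h)
        for owner, nxt in self.intervals.items():
            a, b = hash_to_int(owner), hash_to_int(nxt)
            inside = a < hi < b if a < b else (hi > a or hi < b)
            if inside:
                return "nonexistent"
        return "unknown"


if __name__ == "__main__":
    salt, iters = bytes.fromhex("aabbccdd"), 12
    print(nsec3_hash("example", salt, iters))
    # Constructed chain: three NSEC3 records as a resolver might collect them.
    chain = Nsec3Chain(salt, iters)
    apex = nsec3_hash("example", salt, iters)
    www = nsec3_hash("www.example", salt, iters)
    mail = nsec3_hash("mail.example", salt, iters)
    ordered = sorted([apex, www, mail])
    for i, owner in enumerate(ordered):
        chain.add(owner, ordered[(i + 1) % len(ordered)])   # closes the ring
    print("covered:", chain.covered_fraction())
    for n in ("www.example", "ftp.example"):
        print(n, chain.classify(n))
```

The coverage figure is what tells an enumeration loop when further queries stop paying off; the classification step is the same reasoning a validating resolver applies when it checks an NSEC3 denial of existence, and any name that hashes into a collected gap is a proven negative without sending another query.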
http-frontpage-login NSE Script
Checks whether target machines are vulnerable to anonymous Frontpage login. Older, default configurations of Frontpage extensions allow remote users to log in anonymously, which may lead to server compromise. Script Arguments http-frontpage-login.path Path prefix to Frontpage directories. Defaults t...
smb-ls NSE Script
Attempts to retrieve useful information about files shared on SMB volumes. The output is intended to resemble the output of the UNIX ls command. Script Arguments smb-ls.path the path, relative to the share to list the contents from default: root of the share smb-ls.pattern the search pattern to...
eppc-enum-processes NSE Script
Attempts to enumerate process info over the Apple Remote Event protocol. When accessing an application over the Apple Remote Event protocol the service responds with the uid and pid of the application, if it is running, prior to requesting authentication. Example Usage nmap -p 3031 --script...
isns-info NSE Script
Lists portals and iSCSI nodes registered with the Internet Storage Name Service iSNS. Example Usage nmap -p 3205 --script isns-info Script Output PORT STATE SERVICE 3205/tcp open unknown | isns-info: | Portal | ip port | 192.168.0.1 3260/tcp | 192.168.0.2 3260/tcp | iSCSI Nodes | node type |...
rmi-vuln-classloader NSE Script
Tests whether Java rmiregistry allows class loading. The default configuration of rmiregistry allows loading classes from remote URLs, which can lead to remote code execution. The vendor Oracle/Sun classifies this as a design feature. Based on original Metasploit module by mihi. References: Scrip...
http-huawei-hg5xx-vuln NSE Script
Detects Huawei modems models HG530x, HG520x, HG510x and possibly others... vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values. Attackers can query the URIs "/Listadeparametros.html" and...
distcc-cve2004-2687 NSE Script
Detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. The vulnerability was disclosed in 2002, but is still present in modern implementations due to poor configuration of the service. Script Arguments cmd the command to run at the remote server...
icap-info NSE Script
Tests a list of known ICAP service names and prints information about any it detects. The Internet Content Adaptation Protocol ICAP is used to extend transparent proxy servers and is generally used for content filtering and antivirus scanning. Example Usage nmap -p 1344 --script icap-info Script...
http-traceroute NSE Script
Exploits the Max-Forwards HTTP header to detect the presence of reverse proxies. The script works by sending HTTP requests with values of the Max-Forwards HTTP header varying from 0 to 2 and checking for any anomalies in certain response values such as the status code, Server, Content-Type and...
mysql-query NSE Script
Runs a query against a MySQL database and returns the results as a table. Script Arguments mysql-query.noheaders do not display column headers default: false mysql-query.query the query for which to return the results mysql-query.username optional the username used to authenticate to the database...
mysql-dump-hashes NSE Script
Dumps the password hashes from a MySQL server in a format suitable for cracking by tools such as John the Ripper. Appropriate DB privileges (root) are required. The username and password arguments take precedence over credentials discovered by the mysql-brute and mysql-empty-password scripts. Scri...
dict-info NSE Script
Connects to a dictionary server using the DICT protocol, runs the SHOW SERVER command, and displays the result. The DICT protocol is defined in RFC 2229 and is a protocol which allows a client to query a dictionary server for definitions from a set of natural language dictionary databases. The SH...
gkrellm-info NSE Script
Queries a GKRellM service for monitoring information. A single round of collection is made, showing a snapshot of information at the time of the request. Example Usage nmap -p 19150 --script gkrellm-info Script Output PORT STATE SERVICE 19150/tcp open gkrellm | gkrellm-info: | Hostname: ubu1110 |...
ajp-request NSE Script
Requests a URI over the Apache JServ Protocol and displays the result or stores it in a file. Different AJP methods such as GET, HEAD, TRACE, PUT or DELETE may be used. The Apache JServ Protocol is commonly used by web servers to communicate with back-end Java application server containers. Scri...
ajp-brute NSE Script
Performs brute force password auditing against the Apache JServ protocol. The Apache JServ Protocol is commonly used by web servers to communicate with back-end Java application server containers. Script Arguments ajp-brute.path URL path to request. Default: / creds.service, creds.global See the...
http-vuln-cve2012-1823 NSE Script
Detects PHP-CGI installations that are vulnerable to CVE-2012-1823. This critical vulnerability allows attackers to retrieve source code and execute code remotely. The script works by appending "?-s" to the uri to make vulnerable php-cgi handlers return colour syntax highlighted source. We use th...
broadcast-tellstick-discover NSE Script
Discovers Telldus Technologies TellStickNet devices on the LAN. The Telldus TellStick is used to wirelessly control electric devices such as lights, dimmers and electric outlets. Example Usage nmap --script broadcast-tellstick-discover Script Output |...
ajp-methods NSE Script
Discovers which options are supported by the AJP Apache JServ Protocol server by sending an OPTIONS request and lists potentially risky methods. In this script, "potentially risky" methods are anything except GET, HEAD, POST, and OPTIONS. If the script reports potentially risky methods, they may...