ajp-auth NSE Script

Retrieves the authentication scheme and realm of an AJP service Apache JServ Protocol that requires authentication. Script Arguments ajp-auth.path Define the request path slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size,...

ajp-headers NSE Script

Performs a HEAD or GET request against either the root directory or any optional directory of an Apache JServ Protocol server and returns the server response headers. Script Arguments ajp-headers.path The path to request, such as /index.php. Default /. slaxml.debug See the documentation for the...

mmouse-exec NSE Script

Connects to an RPA Tech Mobile Mouse server, starts an application and sends a sequence of keys to it. Any application that the user has access to can be started and the key sequence is sent to the application after it has been started. The Mobile Mouse server runs on OS X, Windows and Linux and...

mmouse-brute NSE Script

Performs brute force password auditing against the RPA Tech Mobile Mouse servers. The Mobile Mouse server runs on OS X, Windows and Linux and enables remote control of the keyboard and mouse from an iOS device. For more information: Script Arguments mmouse-brute.timeout socket timeout for...

cups-queue-info NSE Script

Lists currently queued print jobs of the remote CUPS service grouped by printer. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent See the documentatio...

ip-forwarding NSE Script

Detects whether the remote device has ip forwarding or "Internet connection sharing" enabled, by sending an ICMP echo request to a given target using the scanned host as default gateway. The given target can be a routed or a LAN host and needs to be able to respond to ICMP requests ping in order...

samba-vuln-cve-2012-1182 NSE Script

Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182. Samba versions 3.6.3 and all versions previous to this are affected by a vulnerability that allows remote code execution as the "root" user from an anonymous connection. CVE-2012-1182 marks multiple...

dns-check-zone NSE Script

Checks DNS zone configuration against best practices, including RFC 1912. The configuration checks are divided into categories which each have a number of different tests. Script Arguments dns-check-zone.domain the dns zone to check Example Usage nmap -sn -Pn ns1.example.com --script dns-check-zo...

http-gitweb-projects-enum NSE Script

Retrieves a list of Git projects, owners and descriptions from a gitweb web interface to the Git revision control system. Script Arguments http-gitweb-projects-enum.path specifies the location of gitweb default: / slaxml.debug See the documentation for the slaxml library. http.host,...

traceroute-geolocation NSE Script

Lists the geographic locations of each hop in a traceroute and optionally saves the results to a KML file, plottable on Google earth and maps. Script Arguments traceroute-geolocation.kmlfile full path and name of file to write KML data to. The KML file can be used in Google earth or maps to plot...

cups-info NSE Script

Lists printers managed by the CUPS printing service. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent See the documentation for the http library...

http-icloud-findmyiphone NSE Script

Retrieves the locations of all "Find my iPhone" enabled iOS devices by querying the MobileMe web service authentication required. Script Arguments http-icloud-findmyiphone.username the Apple Id username http-icloud-findmyiphone.password the Apple Id password slaxml.debug See the documentation for...

http-icloud-sendmsg NSE Script

Sends a message to a iOS device through the Apple MobileMe web service. The device has to be registered with an Apple ID using the Find My Iphone application. Script Arguments http-icloud-sendmsg.username the Apple ID username http-icloud-sendmsg.sound boolean specifying if a loud sound should be...

gpsd-info NSE Script

Retrieves GPS time, coordinates and speed from the GPSD network daemon. Script Arguments gpsd-info.timeout timespec defining how long to wait for data default 10s Example Usage nmap -p 2947 --script gpsd-info Script Output PORT STATE SERVICE REASON 2947/tcp open gpsd-ng syn-ack | gpsd-info: | Tim...

http-robtex-shared-ns NSE Script

Finds up to 100 domain names which use the same name server as the target by querying the Robtex service at . The target must be specified by DNS name, not IP address. TEMPORARILY DISABLED due to changes in Robtex's API. See Script Arguments slaxml.debug See the documentation for the slaxml...

targets-ipv6-multicast-mld NSE Script

Attempts to discover available IPv6 hosts on the LAN by sending an MLD multicast listener discovery query to the link-local multicast address ff02::1 and listening for any responses. The query's maximum response delay set to 1 to provoke hosts to respond immediately rather than waiting for other...

hostmap-bfk NSE Script

Discovers hostnames that resolve to the target's IP address by querying the online database at . The script is in the "external" category because it sends target IPs to a third party in order to query their database. This script was formerly until April 2012 known as hostmap.nse. Script Arguments...

hostmap-robtex NSE Script

Discovers hostnames that resolve to the target's IP address by querying the online Robtex service at . TEMPORARILY DISABLED due to changes in Robtex's API. See Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size,...

http-vlcstreamer-ls NSE Script

Connects to a VLC Streamer helper service and lists directory contents. The VLC Streamer helper service is used by the iOS VLC Streamer application to enable streaming of multimedia content from the remote server to the device. Script Arguments http-vlcstreamer-ls.dir directory to list default: /...

http-virustotal NSE Script

Checks whether a file has been determined as malware by Virustotal. Virustotal is a service that provides the capability to scan a file or check a checksum against a number of the major antivirus vendors. The script uses the public API which requires a valid API key and has a limit on 4 queries p...

dns-ip6-arpa-scan NSE Script

Performs a quick reverse DNS lookup of an IPv6 network using a technique which analyzes DNS server response codes to dramatically reduce the number of queries needed to enumerate large networks. The technique essentially works by adding an octet to a given IPv6 prefix and resolving it. If the add...

rdp-vuln-ms12-020 NSE Script

Checks if a machine is vulnerable to MS12-020 RDP vulnerability. The Microsoft bulletin MS12-020 patches two vulnerabilities: CVE-2012-0152 which addresses a denial of service vulnerability inside Terminal Server, and CVE-2012-0002 which fixes a vulnerability in Remote Desktop Protocol. Both are...

targets-asn NSE Script

Produces a list of IP prefixes for a given routing AS number ASN. This script uses a whois server database operated by the Shadowserver Foundation. We thank them for granting us permission to use this in Nmap. Output is in CIDR notation. Script Arguments targets-asn.whoisport The whois port to us...

http-chrono NSE Script

Measures the time a website takes to deliver a web page and returns the maximum, minimum and average time it took to fetch a page. Web pages that take longer time to load could be abused by attackers in DoS or DDoS attacks due to the fact that they are likely to consume more resources on the targ...

http-drupal-enum-users NSE Script

Enumerates Drupal users by exploiting an information disclosure vulnerability in Views, Drupal's most popular module. Requests to admin/views/ajax/autocomplete/user/STRING return all usernames that begin with STRING. The script works by iterating STRING over letters to extract all usernames. For...

broadcast-ataoe-discover NSE Script

Discovers servers supporting the ATA over Ethernet protocol. ATA over Ethernet is an ethernet protocol developed by the Brantley Coile Company and allows for simple, high-performance access to SATA drives over Ethernet. Discovery is performed by sending a Query Config Request to the Ethernet...

stun-version NSE Script

Sends a binding request to the server and attempts to extract version information from the response, if the server attribute is present. Script Arguments stun.mode See the documentation for the stun library. Example Usage nmap -sU -sV -p 3478 Script Output PORT STATE SERVICE VERSION 3478/udp open...

stun-info NSE Script

Retrieves the external IP address of a NAT:ed host using the STUN protocol. Script Arguments stun.mode See the documentation for the stun library. Example Usage nmap -sV -PN -sU -p 3478 --script stun-info Script Output PORT STATE SERVICE 3478/udp open|filtered stun | stun-info: | External IP:...

duplicates NSE Script

Attempts to discover multihomed systems by analysing and comparing information collected by other scripts. The information analyzed currently includes, SSL certificates, SSH host keys, MAC addresses, and Netbios server names. In order for the script to be able to analyze the data it has...

acarsd-info NSE Script

Retrieves information from a listening acarsd daemon. Acarsd decodes ACARS Aircraft Communication Addressing and Reporting System data in real time. The information retrieved by this script includes the daemon version, API version, administrator e-mail address and listening frequency. For more...

eap-info NSE Script

Enumerates the authentication methods offered by an EAP Extensible Authentication Protocol authenticator for a given identity or for the anonymous identity if no argument is passed. Script Arguments eap-info.identity Identity to use for the first step of the authentication methods if omitted...

versant-info NSE Script

Extracts information, including file paths, version and database names from a Versant object database. Example Usage nmap -p 5019 --script versant-info Script Output PORT STATE SERVICE REASON 5019/tcp open versant syn-ack | versant-info: | Hostname: WIN-S6HA7RJFAAR | Root path: C:\Versant\8 |...

broadcast-versant-locate NSE Script

Discovers Versant object databases using the broadcast srvloc protocol. Example Usage nmap --script broadcast-versant-locate Script Output Pre-scan script results: | broadcast-versant-locate: | vod://192.168.200.222:5019 Requires srvloc table local srvloc = require "srvloc" local table = require...

http-config-backup NSE Script

Checks for backups and swap files of common content management system and web server configuration files. When web server files are edited in place, the text editor can leave backup or swap files in a place where the web server can serve them. The script checks for these files: wp-config.php:...

rpcap-info NSE Script

Connects to the rpcap service provides remote sniffing capabilities through WinPcap and retrieves interface information. The service can either be setup to require authentication or not and also supports IP restrictions. See also: rpcap-brute.nse Script Arguments creds.rpcap username:password to...

rpcap-brute NSE Script

Performs brute force password auditing against the WinPcap Remote Capture Daemon rpcap. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the creds library...

mongodb-brute NSE Script

Performs brute force password auditing against the MongoDB database. Script Arguments mongodb-brute.db Database against which to check. Default: admin passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See...

broadcast-networker-discover NSE Script

Discovers EMC Networker backup software servers on a LAN by sending a network broadcast query. Script Arguments mount.version, nfs.version, rpc.protocol See the documentation for the rpc library. Example Usage nmap --script broadcast-networker-discover Script Output Pre-scan script results: |...

ndmp-version NSE Script

Retrieves version information from the remote Network Data Management Protocol ndmp service. NDMP is a protocol intended to transport data between a NAS device and the backup device, removing the need for the data to pass through the backup server. The following products are known to support the...

ndmp-fs-info NSE Script

Lists remote file systems by querying the remote device using the Network Data Management Protocol ndmp. NDMP is a protocol intended to transport data between a NAS device and the backup device, removing the need for the data to pass through the backup server. The following products are known to...

http-vuln-cve2010-2861 NSE Script

Executes a directory traversal attack against a ColdFusion server and tries to grab the password hash for the administrator user. It then uses the salt value hidden in the web page to create the SHA1 HMAC hash that the web server needs for authentication as admin. You can pass this value to the...

dns-client-subnet-scan NSE Script

Performs a domain lookup using the edns-client-subnet option which allows clients to specify the subnet that queries supposedly originate from. The script uses this option to supply a number of geographically distributed locations in an attempt to enumerate as many different address records as...

rsync-brute NSE Script

Performs brute force password auditing against the rsync remote file syncing protocol. Script Arguments rsync-brute.module - the module against which brute forcing should be performed passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library...

rsync-list-modules NSE Script

Lists modules available for rsync remote file sync synchronization. Example Usage nmap -p 873 --script rsync-list-modules Script Output PORT STATE SERVICE 873/tcp open rsync | rsync-list-modules: | www www directory | log log directory | etc etc directory Requires rsync shortport stdnse local rsy...

voldemort-info NSE Script

Retrieves cluster and store information from the Voldemort distributed key-value store using the Voldemort Native Protocol. Example Usage nmap -p 6666 --script voldemort-info Script Output PORT STATE SERVICE 6666/tcp open irc | voldemort-info: | Cluster | Name: mycluster | Id: 0 | Host: localhost...

http-qnap-nas-info NSE Script

Attempts to retrieve the model, firmware version, and enabled services from a QNAP Network Attached Storage NAS device. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline,...

url-snarf NSE Script

Sniffs an interface for HTTP traffic and dumps any URLs, and their originating IP address. Script output differs from other script as URLs are written to stdout directly. There is also an option to log the results to file. The script can be limited in time by using the timeout argument or run unt...

http-auth-finder NSE Script

Spiders a web site to find web pages requiring form-based or HTTP-based authentication. The results are returned in a table with each url and the detected method. See also: http-auth.nse http-brute.nse Script Arguments http-auth-finder.url the url to start spidering. This is a URL relative to the...

cccam-version NSE Script

Detects the CCcam service software for sharing subscription TV among multiple receivers. The service normally runs on port 12000. It distinguishes itself by printing 16 random-looking bytes upon receiving a connection. Because the script attempts to detect "random-looking" bytes, it has a small...

xdmcp-discover NSE Script

Requests an XDMCP X display manager control protocol session and lists supported authentication and authorization mechanisms. Example Usage nmap -sU -p 177 --script xdmcp-discover Script Output PORT STATE SERVICE 177/udp open|filtered xdmcp | xdmcp-discover: | Session id: 0x0000703E | Authorizati...