broadcast-xdmcp-discover NSE Script
Discovers servers running the X Display Manager Control Protocol (XDMCP) by sending an XDMCP broadcast request to the LAN. Display managers allowing access are marked using the keyword Willing in the result. Script Arguments broadcast-xdmcp-discover.timeout socket timeout default: 5s Example Usage...
iax2-brute NSE Script
Performs brute force password auditing against the Asterisk IAX2 protocol. Guessing fails when a large number of attempts is made due to the maxcallnumber limit (default 2048). In case you're getting "ERROR: Too many retries, aborted ..." after a while, this is most likely what's happening. In order ...
broadcast-dhcp6-discover NSE Script
Sends a DHCPv6 request Solicit to the DHCPv6 multicast address, parses the response, then extracts and prints the address along with any options returned by the server. The script requires Nmap to be run in privileged mode as it binds the socket to a privileged port udp/546. See also:...
dns-srv-enum NSE Script
Enumerates various common service SRV records for a given domain name. The service records contain the hostname, port and priority of servers for a given service. The following services are enumerated by the script: - Active Directory Global Catalog - Exchange Autodiscovery - Kerberos KDC...
nessus-xmlrpc-brute NSE Script
Performs brute force password auditing against a Nessus vulnerability scanning daemon using the XMLRPC protocol. Script Arguments nessus-xmlrpc-brute.timeout socket timeout for connecting to Nessus default 5s nessus-xmlrpc-brute.threads sets the number of threads. passdb, unpwdb.passlimit,...
dns-nsid NSE Script
Retrieves information from a DNS nameserver by requesting its nameserver ID nsid and asking for its id.server and version.bind values. This script performs the same queries as the following two dig commands: - dig CH TXT bind.version @target - dig +nsid CH TXT id.server @target References: 1 2...
broadcast-ripng-discover NSE Script
Discovers hosts and routing information from devices running RIPng on the LAN by sending a broadcast RIPng Request command and collecting any responses. Script Arguments broadcast-ripng-discover.timeout sets the connection timeout default: 5s Example Usage nmap --script broadcast-ripng-discover...
http-generator NSE Script
Displays the contents of the "generator" meta tag of a web page default: / if there is one. Script Arguments http-generator.path Specify the path you want to check for a generator meta tag default to '/'. http-generator.redirects Specify the maximum number of redirects to follow defaults to 3...
broadcast-pppoe-discover NSE Script
Discovers PPPoE Point-to-Point Protocol over Ethernet servers using the PPPoE Discovery protocol PPPoED. PPPoE is an ethernet based protocol so the script has to know what ethernet interface to use for discovery. If no interface is specified, requests are sent out on all available interfaces. As...
membase-brute NSE Script
Performs brute force password auditing against Couchbase Membase servers. Script Arguments membase-brute.bucketname if specified, password guessing is performed only against this bucket. creds.service, creds.global See the documentation for the creds library. smbdomain, smbhash, smbnoguest,...
membase-http-info NSE Script
Retrieves information (hostname, OS, uptime, etc.) from the Couchbase Web Administration port. The information retrieved by this script does not require any credentials. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size,...
http-vuln-cve2009-3960 NSE Script
Exploits CVE-2009-3960, also known as Adobe XML External Entity Injection. This vulnerability permits reading local files remotely and is present in BlazeDS 3.2 and earlier, LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion...
nat-pmp-mapport NSE Script
Maps a WAN port on the router to a local port on the client using the NAT Port Mapping Protocol NAT-PMP. It supports the following operations: map - maps a new external port on the router to an internal port of the requesting IP unmap - unmaps a previously mapped port for the requesting IP unmapa...
riak-http-info NSE Script
Retrieves information such as node name and architecture from a Basho Riak distributed database using the HTTP protocol. Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline,...
socks-auth-info NSE Script
Determines the supported authentication mechanisms of a remote SOCKS proxy server. Starting with SOCKS version 5 socks servers may support authentication. The script checks for the following authentication types: 0 - No authentication 1 - GSSAPI 2 - Username and password Example Usage nmap -p 108...
memcached-info NSE Script
Retrieves information including system architecture, process ID, and server time from distributed memory object caching system memcached. Example Usage nmap -p 11211 --script memcached-info Script Output 11211/udp open unknown | memcached-info: | Process ID: 18568 | Uptime: 6950 seconds | Server...
redis-info NSE Script
Retrieves information such as version number and architecture from a Redis key-value store. Script Arguments creds.service, creds.global See the documentation for the creds library. Example Usage nmap -p 6379 --script redis-info Script Output PORT STATE SERVICE 6379/tcp open unknown | redis-info:...
redis-brute NSE Script
Performs brute force password auditing against a Redis key-value store. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the creds library. brute.credfile,...
http-proxy-brute NSE Script
Performs brute force password guessing against HTTP proxy servers. Script Arguments http-proxy-brute.url sets an alternative URL to use when brute forcing default: http-proxy-brute.method changes the HTTP method to use when performing brute force guessing default: HEAD creds.service, creds.global...
socks-brute NSE Script
Performs brute force password auditing against SOCKS 5 proxy servers. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the creds library. brute.credfile,...
vmauthd-brute NSE Script
Performs brute force password auditing against the VMware Authentication Daemon (vmware-authd). Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the creds library...
ssh-hostkey NSE Script
Shows SSH hostkeys. Shows the target SSH server's key fingerprint and with high enough verbosity level the public key itself. It records the discovered host keys in nmap.registry for use by other scripts. Output can be controlled with the sshhostkey script argument. You may also compare the...
broadcast-wpad-discover NSE Script
Retrieves a list of proxy servers on a LAN using the Web Proxy Autodiscovery Protocol WPAD. It implements both the DHCP and DNS methods of doing so and starts by querying DHCP to get the address. DHCP discovery requires nmap to be running in privileged mode and will be skipped when this is not th...
telnet-encryption NSE Script
Determines whether the encryption option is supported on a remote telnet server. Some systems including FreeBSD and the krb5 telnetd available in many Linux distributions implement this option incorrectly, leading to a remote root vulnerability. This script currently only tests whether encryption...
dns-blacklist NSE Script
Checks target IP addresses against multiple DNS anti-spam and open proxy blacklists and returns a list of services for which an IP has been flagged. Checks may be limited by service category eg: SPAM, PROXY or to a specific service name. Script Arguments dns-blacklist.services string containing a...
http-open-redirect NSE Script
Spiders a website and attempts to identify open redirects. Open redirects are handlers which commonly take a URL as a parameter and respond with an HTTP redirect (3XX) to the target. Risks of open redirects are described at . Only open redirects that are directly linked on the target website can be...
broadcast-pc-duo NSE Script
Discovers PC-DUO remote control hosts and gateways running on a LAN by sending a special broadcast UDP probe. Script Arguments broadcast-pc-duo.timeout specifies the number of seconds to sniff the network interface. Default varies according to timing. -T3 = 5s Example Usage nmap --script...
broadcast-pc-anywhere NSE Script
Sends a special broadcast probe to discover PC-Anywhere hosts running on a LAN. Script Arguments broadcast-pc-anywhere.timeout specifies the number of seconds to sniff the network interface. Default varies according to timing. -T3 = 5s Example Usage nmap --script broadcast-pc-anywhere Script Outp...
broadcast-wake-on-lan NSE Script
Wakes a remote system up from sleep by sending a Wake-On-Lan packet. Script Arguments broadcast-wake-on-lan.address The broadcast address to which the WoL packet is sent. broadcast-wake-on-lan.MAC The MAC address of the remote system to wake up Example Usage nmap --script broadcast-wake-on-lan...
http-unsafe-output-escaping NSE Script
Spiders a website and attempts to identify output escaping problems where content is reflected back to the user. This script locates all parameters, ?x=foo&y=bar and checks if the values are reflected on the page. If they are indeed reflected, the script will try to insert ghzhzx"zxc'xcv and chec...
http-grep NSE Script
Spiders a website and attempts to match all pages and urls against a given string. Matches are counted and grouped per url under which they were discovered. Features built in patterns like email, ip, ssn, discover, amex and more. The script searches for email and ip by default. Script Arguments...
http-backup-finder NSE Script
Spiders a website and attempts to identify backup copies of discovered files. It does so by requesting a number of different combinations of the filename (e.g. index.bak, index.html, copy of index.html). Script Arguments http-backup-finder.maxpagecount the maximum number of pages to visit. A negativ...
http-apache-negotiation NSE Script
Checks if the target HTTP server has mod_negotiation enabled. This feature can be leveraged to find hidden resources and spider a web site using fewer requests. The script works by sending requests for resources like index and home without specifying the extension. If mod_negotiate is enabled defau...
vuze-dht-info NSE Script
Retrieves some basic information, including protocol version from a Vuze filesharing node. As Vuze doesn't have a default port for its DHT service, this script has some difficulties in determining when to run. Most scripts are triggered by either a default port or a fingerprinted service. To get...
reverse-index NSE Script
Creates a reverse index at the end of scan output showing which hosts run a particular service. This is in addition to Nmap's normal output listing the services on each host. Script Arguments reverse-index.mode the output display mode, can be either horizontal or vertical default: horizontal...
unusual-port NSE Script
Compares the detected service on a port against the expected service for that port number e.g. ssh on 22, http on 80 and reports deviations. The script requires that a version scan has been run in order to be able to discover what service is actually running on each port. Example Usage nmap...
broadcast-sybase-asa-discover NSE Script
Discovers Sybase Anywhere servers on the LAN by sending broadcast discovery messages. Example Usage nmap --script broadcast-sybase-asa-discover Script Output Pre-scan script results: | broadcast-sybase-asa-discover: | ip=192.168.0.1; name=mysqlanywhere1; port=2638 | ip=192.168.0.2;...
maxdb-info NSE Script
Retrieves version and database information from a SAP Max DB database. Example Usage nmap -p 7210 --script maxdb-info Script Output PORT STATE SERVICE REASON 7210/tcp open maxdb syn-ack | maxdb-info: | Version: 7.8.02 | Build: DBMServer 7.8.02 Build 021-121-242-175 | OS: UNIX | Instroot:...
nexpose-brute NSE Script
Performs brute force password auditing against a Nexpose vulnerability scanner using the API 1.1. As the Nexpose application enforces account lockout after 4 incorrect login attempts, the script performs only 3 guesses per default. This can be altered by supplying the brute.guesses argument a...
http-vuln-cve2011-3368 NSE Script
Tests for the CVE-2011-3368 Reverse Proxy Bypass vulnerability in Apache HTTP server's reverse proxy mode. The script will run 3 tests: the loopback test, with 3 payloads to handle different rewrite rules; the internal hosts test. According to Contextis, we expect a delay before a server error. Th...
metasploit-xmlrpc-brute NSE Script
Performs brute force password auditing against a Metasploit RPC server using the XMLRPC protocol. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the creds...
openvas-otp-brute NSE Script
Performs brute force password auditing against an OpenVAS vulnerability scanner daemon using the OTP 1.0 protocol. Script Arguments openvas-otp-brute.threads sets the number of threads. Default: 4 passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the...
bitcoin-info NSE Script
Extracts version and node information from a Bitcoin server Example Usage nmap -p 8333 --script bitcoin-info Script Output PORT STATE SERVICE 8333/tcp open bitcoin | bitcoin-info: | Timestamp: 2018-03-09T06:25:49 | Network: main | Version: 0.7.0 | Node Id: 26855fa1ac038c12 | Lastblock: 512702 |...
bitcoin-getaddr NSE Script
Queries a Bitcoin server for a list of known Bitcoin nodes Script Arguments max-newtargets, newtargets See the documentation for the target library. Example Usage nmap -p 8333 --script bitcoin-getaddr Script Output PORT STATE SERVICE 8333/tcp open unknown | bitcoin-getaddr: | ip timestamp |...
irc-botnet-channels NSE Script
Checks an IRC server for channels that are commonly used by malicious botnets. Control the list of channel names with the irc-botnet-channels.channels script argument. The default list of channels is loic Agobot Slackbot Mytob Rbot SdBot poebot IRCBot VanBot MPack Storm GTbot Spybot Phatbot Wargb...
http-method-tamper NSE Script
Attempts to bypass password protected resources HTTP 401 status by performing HTTP verb tampering. If an array of paths to check is not set, it will crawl the web server and perform the check against any password protected resource that it finds. The script determines if the protected URI is...
hadoop-jobtracker-info NSE Script
Retrieves information from an Apache Hadoop JobTracker HTTP status page. Information gathered: State of the JobTracker. Date/time the service was started Hadoop version Hadoop Compile date JobTracker ID Log directory relative to Associated TaskTrackers Optionally also user activity history Script...
hadoop-secondary-namenode-info NSE Script
Retrieves information from an Apache Hadoop secondary NameNode HTTP status page. Information gathered: Date/time the service was started Hadoop version Hadoop compile date Hostname or IP address and port of the master NameNode server Last time a checkpoint was taken How often checkpoints are take...
hadoop-datanode-info NSE Script
Discovers information such as log directories from an Apache Hadoop DataNode HTTP status page. Information gathered: Log directory relative to Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size, http.max-pipeline,...
hadoop-tasktracker-info NSE Script
Retrieves information from an Apache Hadoop TaskTracker HTTP status page. Information gathered: Hadoop version Hadoop Compile date Log directory relative to Script Arguments slaxml.debug See the documentation for the slaxml library. http.host, http.max-body-size, http.max-cache-size,...