607 matches found
ftp-vsftpd-backdoor NSE Script
Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments. References: Script Arguments...
ftp-vuln-cve2010-4221 NSE Script
Checks for a stack-based buffer overflow in the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. By sending a large number of TELNET_IAC escape sequences, the proftpd process miscalculates the buffer length, and a remote attacker will be able to corrupt the stack and execute arbitrary code with...
http-barracuda-dir-traversal NSE Script
Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at . This vulnerability is in the "locale" parameter of "/cgi-mod/viewhelp.cgi" or "/cgi-bin/viewhelp.cgi", allowing the information to be...
creds-summary NSE Script
Lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan. Script Arguments creds.service, creds.global See the documentation for the creds library. Example Usage nmap -sV -sC Script Output | creds-summary: | 10.10.10.10 | 22/ssh | lisbon:jane -...
http-majordomo2-dir-traversal NSE Script
Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files (CVE-2011-0049). Vulnerability originally discovered by Michael Brooks. For more information about this vulnerability: Script Arguments http-majordomo2-dir-traversal.rfile Remote file to download. Default:...
smtp-vuln-cve2010-4344 NSE Script
Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345). The heap overflow vulnerability allows remote attackers to execute arbitrary code with the privileges of the Exim...
ip-geolocation-ipinfodb NSE Script
Tries to identify the physical location of an IP address using the IPInfoDB geolocation web service. There is no limit on requests to this service. However, the API key needs to be obtained through free registration for this service: http://ipinfodb.com/login.php See also:...
ip-geolocation-geoplugin NSE Script
Tries to identify the physical location of an IP address using the Geoplugin geolocation web service. There is no limit on lookups using this service. See also: ip-geolocation-ipinfodb.nse ip-geolocation-map-bing.nse ip-geolocation-map-google.nse ip-geolocation-map-kml.nse...
ip-geolocation-maxmind NSE Script
Tries to identify the physical location of an IP address using a Geolocation Maxmind database file available from . This script supports queries using all Maxmind databases that are supported by their API including the commercial ones. See also: ip-geolocation-geoplugin.nse...
broadcast-netbios-master-browser NSE Script
Attempts to discover master browsers and the domains they manage. Example Usage nmap --script=broadcast-netbios-master-browser Script Output | broadcast-netbios-master-browser: | ip server domain |10.0.200.156 WIN2K3-EPI-1 WORKGROUP Requires netbios nmap stdnse tab local netbios = require "netbio...
smb-mbenum NSE Script
Queries information managed by the Windows Master Browser. Script Arguments smb-mbenum.format optional if set, changes the format of the result returned by the script. There are three possible formats: 1. Ordered by type horizontally 2. Ordered by type vertically 3. Ordered by type vertically...
mysql-audit NSE Script
Audits MySQL database server security configuration against parts of the CIS MySQL v1.0.2 benchmark (the engine can be used for other MySQL audits by creating appropriate audit files). Script Arguments mysql-audit.password the password with which to connect to the database mysql-audit.username the...
broadcast-novell-locate NSE Script
Attempts to use the Service Location Protocol to discover Novell NetWare Core Protocol (NCP) servers. Example Usage nmap -sV --script=broadcast-novell-locate Script Output Pre-scan script results: | broadcast-novell-locate: | Tree name: CQURE-LABTREE | Server name: linux-l84t | Addresses |...
ncp-enum-users NSE Script
Retrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service. Example Usage nmap -sV --script=ncp-enum-users Script Output PORT STATE SERVICE REASON 524/tcp open ncp syn-ack | ncp-enum-users: | CN=admin.O=cqure | CN=cawi.OU=finance.O=cqure | CN=linux-l84tadmin.O=cqur...
ncp-serverinfo NSE Script
Retrieves eDirectory server information (OS version, server name, mounts, etc.) from the Novell NetWare Core Protocol (NCP) service. Example Usage nmap -sV -sC Script Output PORT STATE SERVICE 524/tcp open ncp | ncp-serverinfo: | Server name: LINUX-L84T | Tree Name: IIT-LABTREE | OS Version: 5.70 rev...
ldap-novell-getpass NSE Script
Universal Password enables advanced password policies, including extended characters in passwords, synchronization of passwords from eDirectory to other systems, and a single password for all access to eDirectory. In case the password policy permits administrators to retrieve user passwords "Allo...
http-cakephp-version NSE Script
Obtains the CakePHP version of a web application built with the CakePHP framework by fingerprinting default files shipped with the CakePHP framework. This script queries the files 'vendors.php', 'cake.generic.css', 'cake.icon.png' and 'cake.icon.gif' to try to obtain the version of the CakePHP...
smtp-vuln-cve2011-1720 NSE Script
Checks for a memory corruption in the Postfix SMTP server when it uses Cyrus SASL library authentication mechanisms (CVE-2011-1720). This vulnerability can allow denial of service and possibly remote code execution. Reference: Script Arguments smtp.domain See the documentation for the smtp library...
backorifice-brute NSE Script
Performs brute force password auditing against the BackOrifice service. The backorifice-brute.ports script argument is mandatory (it specifies ports to run the script against). Script Arguments backorifice-brute.ports (mandatory) List of UDP ports to run the script against separated with "," ex...
sip-brute NSE Script
Performs brute force password auditing against Session Initiation Protocol (SIP) accounts. This protocol is most commonly associated with VoIP sessions. Script Arguments sip.timeout See the documentation for the sip library. creds.service, creds.global See the documentation for the creds library...
sip-enum-users NSE Script
Enumerates a SIP server's valid extensions (users). The script works by sending REGISTER SIP requests to the server with the specified extension and checking for the response status code in order to know if an extension is valid. If a response status code is 401 or 407, it means that the extension ...
broadcast-avahi-dos NSE Script
Attempts to discover hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is vulnerable to the Avahi NULL UDP packet denial of service (CVE-2011-1002). The broadcast-avahi-dos.wait script argument specifies how many number of...
omp2-brute NSE Script
Performs brute force password auditing against the OpenVAS manager using OMPv2. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the creds library...
omp2-enum-targets NSE Script
Attempts to retrieve the list of target systems and networks from an OpenVAS Manager server. The script authenticates on the manager using provided or previously cracked credentials and gets the list of defined targets for each account. These targets will be added to the scanning queue in case...
backorifice-info NSE Script
Connects to a BackOrifice service and gathers information about the host and the BackOrifice service itself. The extracted host information includes basic system setup, list of running processes, network resources and shares. Information about the service includes enabled port redirections,...
afp-ls NSE Script
Attempts to get useful information about files from AFP volumes. The output is intended to resemble the output of ls. Script Arguments afp.password, afp.username See the documentation for the afp library. ls.checksum, ls.empty, ls.errors, ls.human, ls.maxdepth, ls.maxfiles See the documentation f...
targets-sniffer NSE Script
Sniffs the local network for a configurable amount of time (10 seconds by default) and prints discovered addresses. If the newtargets script argument is set, discovered addresses are added to the scan queue. Requires root privileges. Either the targets-sniffer.iface script argument or -e Nmap optio...
epmd-info NSE Script
Connects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers. Example Usage nmap -p 4369 --script epmd-info Script Output PORT STATE SERVICE 4369/tcp open epmd | epmd-info.nse: | epmdport: 4369 | nodes: | rabbit: 36804 | ejabberd: 46540 Requires nmap...
http-affiliate-id NSE Script
Grabs affiliate network IDs (e.g. Google AdSense or Analytics, Amazon Associates, etc.) from a web page. These can be used to identify pages with the same owner. If there is more than one target using an ID, the postrule of this script shows the ID along with a list of the targets using it. Support...
dns-nsec-enum NSE Script
Enumerates DNS names using the DNSSEC NSEC-walking technique. Output is arranged by domain. Within a domain, subzones are shown with increased indentation. The NSEC response record in DNSSEC is used to give negative answers to queries, but it has the side effect of allowing enumeration of all...
ssl-known-key NSE Script
Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys. The only databases currently checked are the LittleBlackBox 0.1 database of compromised keys from various devices, some keys reportedly used by the Chinese state-sponsored...
nping-brute NSE Script
Performs brute force password auditing against an Nping Echo service. See for Echo Mode documentation. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the cred...
dns-brute NSE Script
Attempts to enumerate DNS hostnames by brute force guessing of common subdomains. With the dns-brute.srv argument, dns-brute will also try to enumerate common DNS SRV records. Wildcard records are listed as "A" and "AAAA" for IPv4 and IPv6 respectively. See also: dns-nsec3-enum.nse...
ovs-agent-version NSE Script
Detects the version of an Oracle Virtual Server Agent by fingerprinting responses to an HTTP GET request and an XML-RPC method call. Version 2.2 of Virtual Server Agent returns a distinctive string in response to an HTTP GET request. However versions 3.0 and 3.0.1 return a generic response that...
dpap-brute NSE Script
Performs brute force password auditing against an iPhoto Library. Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. creds.service, creds.global See the documentation for the creds library. brute.credfile, brute.dela...
quake3-master-getservers NSE Script
Queries Quake3-style master servers for game servers (many games other than Quake 3 use this same protocol). Script Arguments quake3-master-getservers.outputlimit If set, limits the amount of hosts returned by the script. All discovered hosts are still stored in the registry for other scripts to us...
snmp-ios-config NSE Script
Attempts to download Cisco router IOS configuration files using SNMP RW (v1) and display or save them. Script Arguments snmp-ios-config.tftproot If set, specifies to what directory the downloaded config should be saved snmp.version See the documentation for the snmp library. creds.service,...
servicetags NSE Script
Attempts to extract system information (OS, hardware, etc.) from the Sun Service Tags service agent (UDP port 6481). Based on protocol specs from Example Usage nmap -sU -p 6481 --script=servicetags Script Output | servicetags: | URN: urn:st:3bf76681-5e68-415b-f980-abcdef123456 | System: SunOS |...
dns-update NSE Script
Attempts to perform a dynamic DNS update without authentication. Either the test or both the hostname and ip script arguments are required. Note that the test function will probably fail due to using a static zone name that is not the zone configured on your target. Script Arguments dns-update.te...
broadcast-dropbox-listener NSE Script
Listens for the LAN sync information broadcasts that the Dropbox.com client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more. If the newtargets script argument is given, all discovered Dropbox clients will be...
nrpe-enum NSE Script
Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such as load averages, process counts, logged in user information, etc. This script attempts to execute the stock list of commands that are enabled. User-supplied arguments are not supported. Script Arguments nrpe-enum.cmds ...
gopher-ls NSE Script
Lists files and directories at the root of a gopher service. Script Arguments gopher-ls.maxfiles If set, limits the amount of files returned by the script. If set to 0 or less, all files are shown. The default value is 10. Example Usage nmap -p 70 --script gopher-ls --script-args...
modbus-discover NSE Script
Enumerates SCADA Modbus slave ids (sids) and collects their device information. Modbus is one of the popular SCADA protocols. This script does Modbus device information disclosure. It tries to find legal sids (slave ids) of Modbus devices and to get additional information about the vendor and firmwar...
http-domino-enum-passwords NSE Script
Attempts to enumerate the hashed Domino Internet Passwords that are by default accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document. Passwords are presented in a form suitable for running in John the Ripper. The passwords may be...
netbus-version NSE Script
Extends version detection to detect NetBuster, a honeypot service that mimes NetBus. Example Usage nmap -sV -p 12345 --script netbus-version Script Output 12345/tcp open netbus Netbuster honeypot Requires nmap shortport stdnse local nmap = require "nmap" local shortport = require "shortport" loca...
netbus-auth-bypass NSE Script
Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password. For example a server running on TCP port 12345 on localhost with this vulnerability is accessible to anyone. An attacker could simply form a connection to the...
netbus-info NSE Script
Opens a connection to a NetBus server and extracts information about the host and the NetBus service itself. The extracted host information includes a list of running applications, and the host's sound volume settings. The extracted service information includes its access control list (acl), server...
netbus-brute NSE Script
Performs brute force password auditing against the Netbus backdoor "remote administration" service. See also: netbus-auth-bypass.nse Script Arguments passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb See the documentation for the unpwdb library. Example Usage nmap -p 12345...
stuxnet-detect NSE Script
Detects whether a host is infected with the Stuxnet worm. An executable version of the Stuxnet infection will be downloaded if a format for the filename is given on the command line. See also: smb-vuln-ms10-061.nse Script Arguments stuxnet-detect.save Path to save Stuxnet executable under, with ...
iscsi-info NSE Script
Collects and displays information from remote iSCSI targets. Example Usage nmap -sV -sC Script Output PORT STATE SERVICE 3260/tcp open iscsi | iscsi-info: | iqn.2006-01.com.openfiler:tsn.c8c08cad469d | Address: 192.168.56.5:3260,1 | Authentication: NOT required |...