NSEDoc Reference Portal

Scripts

Retrieves information from a listening acarsd daemon. Acarsd decodes ACARS (Aircraft Communication Addressing and Reporting System) data in real time. The information retrieved by this script includes the daemon version, API version, administrator e-mail address and listening frequency.

Shows extra information about IPv6 addresses, such as embedded MAC or IPv4 addresses when available.

Performs password guessing against Apple Filing Protocol (AFP).

Attempts to get useful information about files from AFP volumes. The output is intended to resemble the output of ls.

Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.

Shows AFP server information. This information includes the server's hostname, IPv4 and IPv6 addresses, and hardware type (for example Macmini or MacBookPro).

Shows AFP shares and ACLs.

Retrieves the authentication scheme and realm of an AJP service (Apache JServ Protocol) that requires authentication.

Performs brute force password auditing against the Apache JServ protocol. The Apache JServ Protocol is commonly used by web servers to communicate with back-end Java application server containers.

Performs a HEAD or GET request against either the root directory or any optional directory of an Apache JServ Protocol server and returns the server response headers.

Detects which options are supported by the AJP (Apache JServ Protocol) server by sending an OPTIONS request and lists potentially risky methods.

Requests a URI over the Apache JServ Protocol and displays the result (or stores it in a file). Different AJP methods such as GET, HEAD, TRACE, PUT or DELETE may be used.

Detects the All-Seeing Eye service. Provided by some game servers for querying the server's status.

Gathers information (a list of all server properties) from an AMQP (advanced message queuing protocol) server.

Maps IP addresses to autonomous system (AS) numbers.

Attempts to find the owner of an open TCP port by querying an auth daemon which must also be open on the target system. The auth service, also known as identd, normally runs on port 113.

Checks for an identd (auth) server which is spoofing its replies.

Performs brute force password auditing against the BackOrifice service. The backorifice-brute.ports script argument is mandatory (it specifies ports to run the script against).

Connects to a BackOrifice service and gathers information about the host and the BackOrifice service itself.

Detects and enumerates BACNet devices and collects device information based on standard requests. In some cases, devices may not strictly follow the specifications, or may comply with older versions of the specifications, and will return a BACNet error response. Presence of this error positively identifies the device as a BACNet device, but no enumeration is possible.

A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.

Queries a Bitcoin server for a list of known Bitcoin nodes.

Extracts version and node information from a Bitcoin server.

Obtains information from a Bitcoin server by calling getinfo on its JSON-RPC interface.

Detects bittorrent peers sharing a file based on a user-supplied torrent file or magnet link. Peers implement the Bittorrent protocol and share the torrent, whereas the nodes (only shown if the include-nodes NSE argument is given) implement the DHT protocol and are used to track the peers. The sets of peers and nodes are not the same, but they usually intersect.

Retrieves printer or scanner information from a remote device supporting the BJNP protocol. The protocol is known to be supported by network based Canon devices.

Detects servers supporting the ATA over Ethernet protocol. ATA over Ethernet is an ethernet protocol developed by the Brantley Coile Company and allows for simple, high-performance access to SATA drives over Ethernet.

Attempts to detect hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is vulnerable to the Avahi NULL UDP packet denial of service (CVE-2011-1002).

Attempts to detect Canon devices (Printers/Scanners) supporting the BJNP protocol by sending BJNP Detect requests to the network broadcast address for both ports associated with the protocol.

Attempts to detect DB2 servers on the network by sending a broadcast request to port 523/udp.

Sends a DHCP request to the broadcast address (255.255.255.255) and reports the results. The script uses a static MAC address (DE:AD:C0:DE:CA:FE) while doing so in order to prevent scope exhaustion.

Sends a DHCPv6 request (Solicit) to the DHCPv6 multicast address, parses the response, then extracts and prints the address along with any options returned by the server.

Attempts to detect hosts’ services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses.

Listens for the LAN sync information broadcasts that the Dropbox.com client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more.

Performs network discovery and routing information gathering through Cisco’s Enhanced Interior Gateway Routing Protocol (EIGRP).

Detects targets that have IGMP Multicast memberships and grabs interesting information.

Sniffs the network for incoming broadcast communication and attempts to decode the received packets. It supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and a few more. See packetdecoders.lua for more information.

Detects Microsoft SQL servers in the same broadcast domain.

Attempts to detect master browsers and the domains they manage.

Detects EMC Networker backup software servers on a LAN by sending a network broadcast query.

Attempts to use the Service Location Protocol to detect Novell NetWare Core Protocol (NCP) servers.

Detects IPv4 networks using the Open Shortest Path First version 2 (OSPFv2) protocol.

Sends a special broadcast probe to detect PC-Anywhere hosts running on a LAN.

Detects PC-DUO remote control hosts and gateways running on a LAN by sending a special broadcast UDP probe.

Detects routers that are running PIM (Protocol Independent Multicast).

Sends broadcast pings on a selected interface using raw ethernet packets and outputs the responding hosts' IP and MAC addresses or (if requested) adds them as targets. Root privileges on UNIX are required to run this script since it uses raw sockets. Most operating systems don't respond to broadcast-ping probes, but they can be configured to do so.

Detects PPPoE (Point-to-Point Protocol over Ethernet) servers using the PPPoE Discovery protocol (PPPoED). PPPoE is an ethernet based protocol so the script has to know what ethernet interface to use for discovery. If no interface is specified, requests are sent out on all available interfaces.

Detects hosts and routing information from devices running RIPv2 on the LAN. It does so by sending a RIPv2 Request command and collecting the responses from all devices responding to the request.

Detects hosts and routing information from devices running RIPng on the LAN by sending a broadcast RIPng Request command and collecting any responses.

Detects Sonicwall firewalls which are directly attached (not routed) using the same method as the manufacturer's own 'SetupTool'. An interface needs to be configured, as the script broadcasts a UDP packet.

Detects Sybase Anywhere servers on the LAN by sending broadcast discovery messages.

Detects Telldus Technologies TellStickNet devices on the LAN. The Telldus TellStick is used to wirelessly control electrical devices such as lights, dimmers and electrical outlets. For more information: http://www.telldus.com/

Attempts to extract system information from the UPnP service by sending a multicast query, then collecting, parsing, and displaying all responses.

Detects Versant object databases using the broadcast srvloc protocol.

Wakes a remote system up from sleep by sending a Wake-On-Lan packet.
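The Wake-On-LAN "magic packet" sent by the script above is just a fixed-format UDP datagram. The following is an added example (not code from the NSEDoc page or from Nmap's broadcast-wake-on-lan script) that builds such a packet, validates one received off the wire, and shows how to send it; the MAC address and broadcast target are constructed sample values.

```python
# Added example: build, validate and send a Wake-On-LAN magic packet.
# Format: 6 bytes of 0xFF followed by the target MAC repeated 16 times,
# optionally followed by a 4- or 6-byte "SecureOn" password.
import re
import socket


def mac_to_bytes(mac):
    # Accepts "aa:bb:cc:dd:ee:ff", "aa-bb-cc-dd-ee-ff" or "aabbccddeeff".
    hexdigits = re.sub(r"[:\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", hexdigits):
        raise ValueError("not a MAC address: %r" % mac)
    return bytes.fromhex(hexdigits)


def build_magic_packet(mac, secureon=b""):
    if len(secureon) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return b"\xff" * 6 + mac_to_bytes(mac) * 16 + secureon


def parse_magic_packet(payload):
    # Returns the MAC in colon-separated form if payload is a valid magic
    # packet, otherwise None. This is the check a sniffer would apply.
    if len(payload) not in (102, 106, 108) or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join("%02x" % b for b in mac)


def send_magic_packet(mac, target="255.255.255.255", port=9):
    # Port 9 (discard) and port 7 (echo) are the conventional WoL ports;
    # the packet content is what matters, not the port.
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (target, port))


if __name__ == "__main__":
    # Constructed sample MAC; replace with the NIC you actually want to wake.
    sample = build_magic_packet("00:11:22:33:44:55")
    print(len(sample), parse_magic_packet(sample))
```

Because the packet carries no authentication beyond the optional SecureOn password, any host on the broadcast domain can wake any other; that is worth remembering when a scan of this kind is run on a shared segment.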

Retrieves a list of proxy servers on a LAN using the Web Proxy Autodiscovery Protocol (WPAD). It implements both the DHCP and DNS methods of doing so and starts by querying DHCP to get the address. DHCP discovery requires nmap to be running in privileged mode and will be skipped when this is not the case. DNS discovery relies on the script being able to resolve the local domain either through a script argument or by attempting to reverse resolve the local IP.

Uses a multicast query to detect devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later).

Detects servers running the X Display Manager Control Protocol (XDMCP) by sending a XDMCP broadcast request to the LAN. Display managers allowing access are marked using the keyword Willing in the result.

Performs brute force password auditing against the Cassandra database.

Attempts to get basic info and server status from a Cassandra database.

Detects the CCcam service (software for sharing subscription TV among multiple receivers).

CICS transaction ID enumerator for IBM mainframes. This script is based on mainframe_brute by Dominic White (https://github.com/sensepost/mainframe_brute). However, this script doesn't rely on any third party libraries or tools and instead uses the NSE TN3270 library which emulates a TN3270 screen in lua.

Using the CICS transaction CEMT, this script attempts to gather information about the current CICS transaction server region. It gathers OS information, Datasets (files), transactions and user ids. Based on CICSpwn script by Ayoub ELAASSAL.

CICS User ID brute forcing script for the CESL login screen.

CICS User ID enumeration script for the CESL/CESN Login screen.

Attempts to guess valid credentials for the Citrix PN Web Agent XML Service. The XML service authenticates against the local Windows server or the Active Directory.

Extracts a list of published applications from the ICA Browser service.

Extracts a list of applications, ACLs, and settings from the Citrix XML service.

Extracts a list of Citrix servers from the ICA Browser service.

Extracts the name of the server farm and member servers from Citrix XML service.

Exploits ClamAV servers vulnerable to unauthenticated clamav command execution.

Analyzes the clock skew between the scanner and various services that report timestamps.

Dumps list of available resources from CoAP endpoints.

Gets database tables from a CouchDB database.

Gets database statistics from a CouchDB database.

Lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan.

Lists printers managed by the CUPS printing service.

Lists presently queued print jobs of the remote CUPS service grouped by printer.

Performs brute force password auditing against CVS pserver authentication.

Attempts to guess the name of the CVS repositories hosted on the remote server. With knowledge of the correct repository name, usernames and passwords can be guessed.

Retrieves a list of music from a DAAP server. The list includes artist names and album and song titles.

Retrieves the day and time from the Daytime service.

Connects to the IBM DB2 Administration Server (DAS) on TCP or UDP port 523 and exports the server profile. No authentication is required for this request.

Performs brute force password auditing against the DelugeRPC daemon.

Sends a DHCPINFORM request to a host on UDP port 67 to obtain all the local configuration parameters without allocating a new address.

Connects to a dictionary server using the DICT protocol, runs the SHOW SERVER command, and displays the result. The DICT protocol is defined in RFC 2229 and is a protocol which allows a client to query a dictionary server for definitions from a set of natural language dictionary databases.

Detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. The vulnerability was disclosed in 2002, but is still present in modern implementations due to poor configuration of the service.

Checks target IP addresses against multiple DNS anti-spam and open proxy blacklists and returns a list of services for which an IP has been flagged. Checks may be limited by service category (eg: SPAM, PROXY) or to a specific service name.

Attempts to enumerate DNS hostnames by brute force guessing of common subdomains. With the dns-brute.srv argument, dns-brute will also attempt to enumerate common DNS SRV records.

Performs DNS cache snooping against a DNS server.

Checks DNS zone configuration against best practices, including RFC 1912. The configuration checks are divided into categories which each have a number of different tests.

Performs a domain lookup using the edns-client-subnet option which allows clients to specify the subnet that queries supposedly originate from. The script uses this option to supply a number of geographically distributed locations in an attempt to enumerate as many different address records as possible. The script also supports requests using a given subnet.

Launches a DNS fuzzing attack against DNS servers.

Performs a quick reverse DNS lookup of an IPv6 network using a mechanism which analyzes DNS server response codes to dramatically reduce the number of queries needed to enumerate large networks.

Enumerates DNS names using the DNSSEC NSEC-walking technique.

Attempts to enumerate domain names from the DNS server that supports DNSSEC NSEC3 records.

Retrieves information from a DNS nameserver by requesting its nameserver ID (nsid) and asking for its id.server and version.bind values. This script performs the same queries as the following two dig commands:

  • dig CH TXT bind.version @target
  • dig +nsid CH TXT id.server @target
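To make the two dig invocations above concrete, here is an added example (not code from the NSEDoc page or from Nmap's dns-nsid script) that builds the same CHAOS-class TXT query on the wire, attaches the EDNS0 OPT record carrying an empty NSID option (which is how a resolver asks for the server's NSID), and parses the answer. The sample reply used for offline checking is constructed here; the server name and NSID string in it are invented.

```python
# Added example: CHAOS TXT query with an EDNS0 NSID request, plus reply parsing.
import socket
import struct

CLASS_CH = 3      # CHAOS class, where BIND-style servers publish id.server etc.
TYPE_TXT = 16
TYPE_OPT = 41     # EDNS0 pseudo-RR
OPTION_NSID = 3   # EDNS option code for NSID (RFC 5001)


def encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_chaos_txt_query(name, txid, want_nsid):
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0/1.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if want_nsid else 0)
    pkt = header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    if want_nsid:
        rdata = struct.pack("!HH", OPTION_NSID, 0)  # empty NSID option = "please send yours"
        # OPT RR: root owner name, TYPE=OPT, CLASS=UDP payload size, TTL=ext-rcode/version/flags.
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata
    return pkt


def skip_name(buf, off):
    # Advance past a (possibly compressed) domain name.
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer, 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_reply(buf):
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4
    result = {"txid": txid, "rcode": flags & 0xF, "txt": [], "nsid": None}
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:            # TXT RDATA is a sequence of <len><chars>
            i = 0
            while i < len(rdata):
                n = rdata[i]
                result["txt"].append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
        elif rtype == TYPE_OPT:          # walk the EDNS options looking for NSID
            i = 0
            while i + 4 <= len(rdata):
                code, olen = struct.unpack_from("!HH", rdata, i)
                if code == OPTION_NSID:
                    result["nsid"] = rdata[i + 4:i + 4 + olen]
                i += 4 + olen
    return result


def query(server, name, want_nsid=True, txid=0x1234, timeout=3.0):
    # Live UDP exchange; the reply's transaction id must match the query's.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_chaos_txt_query(name, txid, want_nsid), (server, 53))
        data, _ = s.recvfrom(4096)
    reply = parse_reply(data)
    if reply["txid"] != txid:
        raise ValueError("transaction id mismatch")
    return reply


def make_sample_reply(txid=0x1234):
    # Constructed sample answer to "id.server CH TXT" with an NSID option; not real data.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1)
    question = encode_name("id.server") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    txt = b"\x0bns1.example"
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(txt)) + txt
    nsid = b"ns1-ams"
    rdata = struct.pack("!HH", OPTION_NSID, len(nsid)) + nsid
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata
    return header + question + answer + opt
```

Run `query("<resolver ip>", "id.server")` against a server you are allowed to test; many operators deliberately refuse or blank the version.bind answer, so an empty TXT list is a normal outcome, not a parsing failure.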

Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).

Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).

Checks if a DNS server allows queries for third-party names. It is expected that recursion will be enabled on your own internal nameservers.

Attempts to detect target hosts’ services using the DNS Service Discovery protocol.

Enumerates various common service (SRV) records for a given domain name. The service records contain the hostname, port and priority of servers for a given service. The following services are enumerated by the script:

  • Active Directory Global Catalog
  • Exchange Autodiscovery
  • Kerberos KDC Service
  • Kerberos Passwd Change Service
  • LDAP Servers
  • SIP Servers
  • XMPP S2S
  • XMPP C2S

Attempts to perform a dynamic DNS update without authentication.

Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch. Please review the following information before you start to scan:

  • https://zeustracker.abuse.ch/ztdns.php

Requests a zone transfer (AXFR) from a DNS server.

Detects the Docker service version.

Performs brute force password auditing against the Lotus Domino Console.

Runs a console command on the Lotus Domino Console using the given authentication credentials (see also: domcon-brute).

Attempts to detect valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability.

Performs brute force password auditing against an iPhoto Library.

Performs password guessing against databases supporting the IBM DB2 protocol such as Informix, DB2 and Derby.

Attempts to extract information from database servers supporting the DRDA protocol. The script sends a DRDA EXCSAT (exchange server attributes) command packet and parses the response.

Attempts to detect multihomed systems by analysing and comparing information collected by other scripts. The information analyzed currently includes SSL certificates, SSH host keys, MAC addresses, and Netbios server names.

Enumerates the authentication methods suggested by an EAP (Extensible Authentication Protocol) authenticator for a given identity or for the anonymous identity if no argument is passed.

This NSE script is used to send an EtherNet/IP packet to a remote device that has TCP 44818 open. The script will send a Request Identity packet and, once a response is received, it validates that it was a proper response to the command that was sent, and then will parse out the data. Information that is parsed includes Vendor ID, Device Type, Product name, Serial Number, Product code, Revision Number, as well as the Device IP.

Connects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers.

Attempts to enumerate process info over the Apple Remote Event protocol. When accessing an application over the Apple Remote Event protocol the service responds with the uid and pid of the application, if it is running, prior to requesting authentication.

Performs a Forward-confirmed Reverse DNS lookup and reports anomalous results.

Attempts to retrieve a list of usernames using the finger service.

Prints the readable strings from service fingerprints of unknown services.

Attempts to detect firewall rules using an IP TTL expiration technique known as firewalking.

Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip.

Retrieves information from Flume master HTTP pages.

Tridium Niagara Fox is a protocol used within Building Automation Systems. Based on Billy Rios and Terry McCorkle's work, this Nmap NSE will collect information from a Tridium Niagara system.

Detects the Freelancer game server (FLServer.exe) service by sending a status query UDP probe.

Checks if an FTP server allows anonymous logins.

Checks to see if an FTP server allows port scanning using the FTP bounce method.

Performs brute force password auditing against FTP servers.

Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow), a vulnerability discovered by Maksymilian Arciemowicz and Adam “pi3” Zabrocki. See the advisory at https://nmap.org/r/fbsd-sa-opie. Be advised that, if launched against a vulnerable host, this script will crash the FTPd.

Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.

Sends FTP SYST and STAT commands and returns the result.

Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.

Checks for a stack-based buffer overflow in the ProFTPD server, versions between 1.3.2rc3 and 1.3.3b. By sending a large number of TELNET_IAC escape sequences, the proftpd process miscalculates the buffer length, and a remote attacker will be able to corrupt the stack and execute arbitrary code within the context of the proftpd process (CVE-2010-4221). Authentication is not required to exploit this vulnerability.

Retrieves system information (OS version, available memory, etc.) from a listening Ganglia Monitoring Daemon or Ganglia Meta Daemon.

Queries a CORBA naming server for a list of objects.

Queries a GKRellM service for monitoring information. A single round of collection is made, showcasing a snapshot of information at the time of the request.

Lists files and directories at the root of a gopher service.

Retrieves GPS time, coordinates and speed from the GPSD network daemon.

Detects information such as log directories from an Apache Hadoop DataNode HTTP status page.

Retrieves information from an Apache Hadoop JobTracker HTTP status page.

Retrieves information from an Apache Hadoop NameNode HTTP status page.

Retrieves information from an Apache Hadoop secondary NameNode HTTP status page.

Retrieves information from an Apache Hadoop TaskTracker HTTP status page.

Retrieves information from an Apache HBase (Hadoop database) master HTTP status page.

Retrieves information from an Apache HBase (Hadoop database) region server HTTP status page.

Reads hard disk information (such as brand, model, and sometimes temperature) from a listening hddtemp service.

Retrieves hardware details and configuration information using HNAP, the "Home Network Administration Protocol". It is an HTTP-Simple Object Access Protocol (SOAP)-based protocol which allows for remote topology discovery, configuration, and management of devices (routers, cameras, PCs, NAS, etc.)

Detects hostnames that resolve to the target's IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html.

Finds subdomains of a web server by querying Google’s Certificate Transparency logs database (https://crt.sh).

Finds hostnames that resolve to the target’s IP address by querying the online database:

  • http://www.ip2hosts.com ( Bing Search Results )

Detects hostnames that resolve to the target’s IP address by querying the online Robtex service at http://ip.robtex.com/.

Attempts to exploit an authentication bypass vulnerability in Adobe Coldfusion servers to retrieve a valid administrator's session cookie.

Grabs affiliate network IDs (e.g. Google AdSense or Analytics, Amazon Associates, etc.) from a web page. These can be used to identify pages with the same owner.

Checks if the target http server has mod_negotiation enabled. This feature can be leveraged to find hidden resources and spider a web site using fewer requests.

Attempts to retrieve the server-status page for Apache webservers that have mod_status enabled. If the server-status page exists and appears to be from mod_status, the script will parse useful information such as the system uptime, Apache version and recent HTTP requests.

Determines if an ASP.NET application has debugging enabled using a HTTP DEBUG request.

Retrieves the authentication scheme and realm of a web service that requires authentication.

Spiders a web site to find web pages requiring form-based or HTTP-based authentication. The results are returned in a table with each url and the detected method.

Attempts to enumerate users in Avaya IP Office systems 7.x.

Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE-2008-3922).

Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd (OSVDB-59001). By default it will attempt to retrieve the configuration file of the Axis2 service '/conf/axis2.xml' using the path '/axis2/services/' to return the username and password of the admin account.

Spiders a website and attempts to identify backup copies of discovered files. It does so by requesting a number of different combinations of the filename (eg. index.bak, index.html~, copy of index.html).

Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at http://seclists.org/fulldisclosure/2010/Oct/119.

Decodes any unencrypted F5 BIG-IP cookies in the HTTP response. BIG-IP cookies contain information on backend systems such as internal IP addresses and port numbers. See here for more info: https://support.f5.com/csp/article/K6917
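The decoding itself is simple once you know the encodings F5 documents in K6917: the IPv4 form stores the address as a little-endian 32-bit integer and the port as a byte-swapped 16-bit integer, both written in decimal, and the "rd" and "vi" forms carry a hex IPv6 address. The following is an added example (not the NSEDoc page's or Nmap's http-bigip-cookie code) that handles those three unencrypted layouts and scans a list of Set-Cookie headers for them; the cookie values and pool names used for checking are constructed.

```python
# Added example: decode unencrypted BIG-IP persistence cookies (formats per F5 K6917).
import ipaddress
import re
import struct


def _swap16(n):
    # The port is stored little-endian and printed in decimal: 8080 (0x1F90) -> 36895 (0x901F).
    return struct.unpack("<H", struct.pack(">H", n))[0]


def decode_bigip_cookie(value):
    """Return {"address", "port", "route_domain"} or None if encrypted/unknown."""
    # IPv4 member, default route domain: "<ip as LE uint32 decimal>.<port LE decimal>.0000"
    m = re.fullmatch(r"(\d+)\.(\d+)\.0000", value)
    if m:
        ip = ipaddress.IPv4Address(struct.pack("<I", int(m.group(1))))
        return {"address": str(ip), "port": _swap16(int(m.group(2))), "route_domain": 0}
    # IPv4 member in a non-default route domain: "rd<rd>o<32 hex, IPv4-mapped IPv6>o<port>"
    m = re.fullmatch(r"rd(\d+)o([0-9a-fA-F]{32})o(\d+)", value)
    if m:
        ip6 = ipaddress.IPv6Address(bytes.fromhex(m.group(2)))
        addr = ip6.ipv4_mapped or ip6
        return {"address": str(addr), "port": int(m.group(3)), "route_domain": int(m.group(1))}
    # IPv6 member, default route domain: "vi<32 hex IPv6>.<port LE decimal>"
    m = re.fullmatch(r"vi([0-9a-fA-F]{32})\.(\d+)", value)
    if m:
        ip6 = ipaddress.IPv6Address(bytes.fromhex(m.group(1)))
        return {"address": str(ip6), "port": _swap16(int(m.group(2))), "route_domain": 0}
    return None


def find_bigip_cookies(set_cookie_headers):
    # Persistence cookies are named BIGipServer<pool name> by default.
    found = []
    for header in set_cookie_headers:
        name, _, rest = header.partition("=")
        name = name.strip()
        if not name.startswith("BIGipServer"):
            continue
        decoded = decode_bigip_cookie(rest.split(";", 1)[0].strip())
        if decoded:
            decoded["cookie"] = name
            decoded["pool"] = name[len("BIGipServer"):]
            found.append(decoded)
    return found


# Constructed sample headers (values follow the K6917 worked examples, pool names invented).
SAMPLE_HEADERS = [
    "BIGipServerweb_pool=1677787402.36895.0000; path=/; HttpOnly",
    "BIGipServerrd_pool=rd5o00000000000000000000ffffc0000201o80; path=/",
    "BIGipServerv6_pool=vi20010112000000000000000000000030.20480; path=/",
    "BIGipServerenc_pool=!Y6r3a7Ew3xhzOjN1k5E2x0Jbbf1Vb6s1oMGsqS7mAfR9o8CJ4; path=/",
    "PHPSESSID=abc123; path=/",
]

if __name__ == "__main__":
    for entry in find_bigip_cookies(SAMPLE_HEADERS):
        print(entry)
```

The fourth header shows what an encrypted cookie looks like (an opaque string, typically starting with "!"); the decoder returns None for it, which is the behaviour you want from a scanner rather than a mis-parse. The fix on the F5 side is cookie encryption or a non-disclosing persistence method, not hiding the cookie name.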

Performs brute force password auditing against http basic, digest and ntlm authentication.

Obtains the CakePHP version of a web application built with the CakePHP framework by fingerprinting default files shipped with the CakePHP framework.

Measures the time a website takes to deliver a web page and returns the maximum, minimum and average time it took to fetch a page.

Connects as a Cisco AnyConnect client to a Cisco SSL VPN and retrieves version and tunnel information.

Attempts to retrieve version, absolute path of administration panel and the file 'password.properties' from vulnerable installations of ColdFusion 9 and 10.

Extracts and outputs HTML and JavaScript comments from HTTP responses.

Checks for backups and exchange files of common content management system and web server configuration files.

Examines cookies set by HTTP services. Reports any session cookies set without the httponly flag. Reports any session cookies set over SSL without the secure flag. If http-enum.nse is also run, any interesting paths found by it will be checked in addition to the root.
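The check described above reduces to parsing each Set-Cookie header, deciding whether the cookie is a session cookie, and looking at its attributes. The following is an added example (not the NSEDoc page's or Nmap's http-cookie-flags code) of that logic over constructed sample headers; the list of name fragments used to spot session cookies is an assumption of this example, not Nmap's own heuristic.

```python
# Added example: audit Set-Cookie headers for missing HttpOnly / Secure on session cookies.

# Assumed heuristic: a cookie whose name contains one of these fragments is treated as
# a session/auth cookie. Tune this list for the application you are testing.
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth", "login")


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into name, value and a lower-cased attr dict."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        if not p:
            continue
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True   # flag attrs map to True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session_cookie(name):
    n = name.lower()
    return any(hint in n for hint in SESSION_NAME_HINTS)


def audit_cookies(set_cookie_headers, over_tls):
    """Return [(cookie name, [problem, ...]), ...] for session cookies with weak flags."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not looks_like_session_cookie(cookie["name"]):
            continue
        problems = []
        if "httponly" not in cookie["attrs"]:
            problems.append("httponly flag not set")
        # Secure only matters when the cookie was actually set over TLS.
        if over_tls and "secure" not in cookie["attrs"]:
            problems.append("secure flag not set")
        if problems:
            findings.append((cookie["name"], problems))
    return findings


# Constructed sample response headers, as an HTTPS server might send them.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=7f3a9c1e; Path=/",
    "JSESSIONID=A1B2C3; Path=/app; HttpOnly",
    "auth_token=eyJhbGciOi; Path=/; Secure; HttpOnly; SameSite=Strict",
    "theme=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for name, problems in audit_cookies(SAMPLE_SET_COOKIE, over_tls=True):
        print("%s: %s" % (name, ", ".join(problems)))
```

Note that the same server answered over plain HTTP would only be reported for the missing HttpOnly flags, since Secure is meaningless for a cookie that already travelled in the clear; a scanner should carry the scheme it used into the check rather than flagging Secure unconditionally.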

Tests an http server for Cross-Origin Resource Sharing (CORS), a way for domains to explicitly opt in to having certain methods invoked by another domain.

Checks the cross-domain policy file (/crossdomain.xml) and the client-access-policy file (/clientaccesspolicy.xml) in web applications and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery attacks and may allow attackers to access sensitive data. This script is useful to detect permissive configurations and possible domain names available for purchase to exploit the application.

This script detects Cross Site Request Forgery (CSRF) vulnerabilities.

Gets the date from HTTP-like services. Also prints how much the date differs from local time. Local time is the time the HTTP request was sent, so the difference includes at least the duration of one RTT.

Tests for access with default credentials used by a variety of web applications and devices.

Detects a firmware backdoor on some D-Link routers by changing the User-Agent to a "secret" value. Using the "secret" User-Agent bypasses authentication and allows admin access to the router.

It looks for places where attacker-controlled information in the DOM may be used to affect JavaScript execution in certain ways. The attack is explained here: http://www.webappsec.org/projects/articles/071105.shtml

Attempts to enumerate the hashed Domino Internet Passwords that are (by default) accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document. Passwords are presented in a form suitable for running in John the Ripper.

Enumerates the installed Drupal modules/themes by using a list of known modules and themes.

Enumerates Drupal users by exploiting an information disclosure vulnerability in Views, Drupal's most popular module.

Enumerates directories used by popular web applications and servers.

This script crawls through the website and returns any error pages.

Spiders a site's images looking for interesting exif data embedded in .jpg files. Displays the make and model of the camera, the date the photo was taken, and the embedded geotag information.

Gets the favicon ("favorites icon") from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed, otherwise the MD5 hash of the icon data is printed.

This script crawls through the website to find any rss or atom feeds.

The script is used to fetch files from servers.

Exploits insecure file upload forms in web applications using various techniques like changing the Content-type header or creating valid image files containing the payload in the comment.

Performs brute force password auditing against http form-based authentication.

Performs a simple form fuzzing against forms found on websites. Attempts strings and numbers of increasing length and attempts to determine if the fuzzing was successful.

Checks whether target machines are vulnerable to anonymous Frontpage login.

Displays the contents of the "generator" meta tag of a web page (default: /) if there is one.

Checks for a Git repository found in a website's document root (/.git/<something>) and retrieves as much repo information as possible, including language/framework, remotes, last commit message, and repository description.

Retrieves a list of Git projects, owners and descriptions from a gitweb (web interface to the Git revision control system).

Checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.

Spiders a website and attempts to match all pages and urls against a given string. Matches are counted and grouped per url under which they were discovered.

Performs a HEAD request for the root folder (“/”) of a web server and displays the HTTP headers returned.

Detects Huawei modems models HG530x, HG520x, HG510x (and possibly others) vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values.

Retrieves the locations of all “Find my iPhone” enabled iOS devices by querying the MobileMe web service (authentication required).

Sends a message to an iOS device through the Apple MobileMe web service. The device has to be registered with an Apple ID using the Find My iPhone application.

Attempts to brute force the 8.3 filenames (commonly known as short names) of files and directories in the root folder of vulnerable IIS servers. This script is an implementation of the PoC "iis shortname scanner".

Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, https://nmap.org/r/ms09-020.

Determines if the web server leaks its internal IP address when sending an HTTP/1.0 request without a Host header.

Performs brute force password auditing against Joomla web CMS installations.

Attempts to detect JSONP endpoints in web servers. JSONP endpoints can be used to bypass Same-origin Policy restrictions in web browsers.

Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).

Shows the content of an "index" Web page.

Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files (CVE-2011-0049).

Looks for signatures of known server compromises.

Checks if the webserver allows mod_cluster management protocol (MCMP) methods.

Attempts to bypass password protected resources (HTTP 401 status) by performing HTTP verb tampering. If an array of paths to check is not set, it will crawl the web server and perform the check against any password protected resource that it finds.

Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. It tests those methods not mentioned in the OPTIONS headers individually and sees if they are implemented. Any response other than 501/405 suggests that the method is implemented, provided the status is not in the range 400 to 600. If the response falls within that range, it is compared to the response from a randomly generated method.

Checks if the website has a mobile version.

This script enumerates information from remote HTTP services with NTLM authentication enabled.

Checks if an HTTP proxy is open.

Spiders a webstek and attempts to identify open redirects. Open redirects are handlers which commonly take a URL spil a parameter and responds with a HTTP redirect (3XX) to the target. Risks of open redirects are described at http://cwe.mitre.org/gegevens/definitions/601.html.

Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini .

Attempts to retrieve the PHP version from a web server. PHP has a number of magic queries that terugwedstrijd pics or text that can vary with the PHP version. This script uses the following queries:

  • /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 : gets a Vergif logo, which switches on April Loser’s Day.
  • /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : gets an HTML credits pagina.

Exploits a directory traversal vulnerability ter phpMyAdmin Two.6.4-pl1 (and possibly other versions) to retrieve remote files on the web server.

Crawls a web server and attempts to find PHP files vulnerable to reflected cross webpagina scripting via the variable $_SERVER[“PHP_SELF”] .

Performs brute force password guessing against HTTP proxy servers.

Uploads a local verkeersopstopping to a remote web server using the HTTP Waterput method. You vereiste specify the filename and URL path with NSE arguments.

Attempts to retrieve the prototype, firmware version, and enabled services from a QNAP Network Affixed Storage (NAS) device.

Informs about cross-domain include of scripts. Websites that include outward javascript scripts are delegating part of their security to third-party entities.

Crawls webservers ter search of RFI (remote verkeersopstopping inclusion) vulnerabilities. It tests every form field it finds and every parameter of a URL containing a query.

Checks for disallowed entries ter /robots.txt on a web server.

Obtains up to 100 forward DNS names for a target IP address by querying the Robtex service (https://www.robtex.com/ip-lookup/).

Finds up to 100 domain names which use the same name server spil the target by querying the Robtex service at http://www.robtex.com/dns/.

Checks for the HTTP response headers related to security given te OWASP Secure Headers Project and gives a geschreven description of the header and its configuration value.

Uses the HTTP Server header for missing version informatie. This is presently infeasible with version probes because of the need to match non-HTTP services correctly.

Attempts to exploit the “shellshock” vulnerability (CVE-2014-6271 and CVE-2014-7169) te web applications.

Spiders a web server and displays its directory structure along with number and types of files ter each folder. Note that files listed spil having an ‘Other’ extension are ones that have no extension or that are a root document.

Tests a web server for vulnerability to the Slowloris DoS attack by launching a Slowloris attack.

Tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack.

Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. It also extracts forms from found websites and attempts to identify fields that are vulnerable.

Unfiltered ‘>,’ (greater than sign). An indication of potential XSS vulnerability.

Enumerates users of a Subversion repository by examining logs of most latest commits.

Requests information from a Subversion repository.

Shows the title of the default pagina of a web server.

Exploits a directory traversal vulnerability existing te several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication.

Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug is enabled, it comebacks the header fields that were modified ter the response.

Exploits the Max-Forwards HTTP header to detect the presence of switch roles proxies.

Attempts to obtain information from Trane Tracer SC devices. Trane Tracer SC is an slim field panel for communicating with HVAC equipment controllers deployed across several sectors including commercial facilities and others.

Spiders a webstek and attempts to identify output escaping problems where content is reflected back to the user. This script locates all parameters, ?x=foo&,y=caf and checks if the values are reflected on the pagina. If they are indeed reflected, the script will attempt to insert ghz>,hzx”zxc’xcv and check which (if any) characters were reflected back onto the pagina without zindelijk html escaping. This is an indication of potential XSS vulnerability.
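The two-step reflection check above (confirm the parameter value is echoed, then inject the probe string and see which of `>`, `"` and `'` come back unescaped), as an added example that is not the NSE script's own code. It uses a pluggable `fetch(url)` so it runs offline; `fake_fetch` is a constructed page that escapes one parameter correctly and echoes another raw, and the hostname `target.example` is a placeholder.

```python
# Added example: reflected output-escaping check with the probe ghz>hzx"zxc'xcv.
# Not the NSE script's code; fake_fetch is a constructed page for illustration.
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PROBE = "ghz>hzx\"zxc'xcv"
SPECIAL = ">\"'"


def unescaped_chars(body, probe=PROBE):
    """Return the special characters of `probe` that `body` reflects verbatim.

    Each special character is checked together with the probe text on both
    sides of it, so an unrelated quote elsewhere on the page does not count.
    """
    parts = re.split("([" + re.escape(SPECIAL) + "])", probe)  # text, char, text, ...
    found = set()
    for i in range(1, len(parts), 2):
        raw = parts[i - 1] + parts[i] + parts[i + 1]
        if raw in body:
            found.add(parts[i])
    return found


def with_param(url, name, value):
    """Rebuild `url` with query parameter `name` replaced by `value`."""
    s = urlsplit(url)
    q = [(k, value if k == name else v)
         for k, v in parse_qsl(s.query, keep_blank_values=True)]
    return urlunsplit((s.scheme, s.netloc, s.path, urlencode(q), s.fragment))


def check_url(url, fetch):
    """fetch(url) -> response body.

    Returns {param: None} when the original value is not reflected at all,
    otherwise {param: set of special characters reflected without escaping}.
    """
    s = urlsplit(url)
    report = {}
    for name, value in parse_qsl(s.query, keep_blank_values=True):
        if value and value not in fetch(url):
            report[name] = None
            continue
        body = fetch(with_param(url, name, PROBE))
        report[name] = unescaped_chars(body)
    return report


def fake_fetch(url):
    """Constructed page: escapes x properly, echoes y raw, never shows z."""
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return ("<p>x=" + html.escape(q.get("x", ""), quote=True) + "</p>"
            "<p>y=" + q.get("y", "") + "</p>")


if __name__ == "__main__":
    print(check_url("http://target.example/page?x=foo&y=bar&z=1", fake_fetch))
```

Only `y` is reported with all three characters; `x` is reflected but escaped, so its set is empty, and `z` is never echoed, which is why the probe is not even sent for it.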

Checks if various crawling utilities are allowed by the host.

Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled.

Searches for web virtual hostnames by making a large number of HEAD requests against HTTP servers using common hostnames.

Checks whether a file has been determined to be malware by Virustotal. Virustotal is a service that provides the capability to scan a file or check a checksum against a number of the major antivirus vendors. The script uses the public API, which requires a valid API key and has a limit of 4 queries per minute. A key can be acquired by registering as a user on the Virustotal web page:

  • http://www.virustotal.com

Connects to a VLC Streamer helper service and lists directory contents. The VLC Streamer helper service is used by the iOS VLC Streamer application to enable streaming of multimedia content from the remote server to the device.

Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733).

Exploits a file disclosure vulnerability in Webmin (CVE-2006-3392).

Exploits CVE-2009-3960, also known as Adobe XML External Entity Injection.

Tests whether a JBoss target is vulnerable to jmx console authentication bypass (CVE-2010-0738).

Executes a directory traversal attack against a ColdFusion server and attempts to grab the password hash for the administrator user. It then uses the salt value (hidden in the web page) to create the SHA1 HMAC hash that the web server needs for authentication as admin. You can pass this value to the ColdFusion server as the admin without cracking the password hash.

Detects a denial of service vulnerability in the way the Apache web server handles requests for multiple overlapping/simple ranges of a page.

Tests for the CVE-2011-3368 (Reverse Proxy Bypass) vulnerability in Apache HTTP server's reverse proxy mode. The script will run 3 tests:

  • the loopback test, with 3 payloads to handle different rewrite rules
  • the internal hosts test. According to Contextis, we expect a delay before a server error.
  • the external website test. This does not mean that you can reach a LAN IP, but this is a relevant issue anyway.

Detects PHP-CGI installations that are vulnerable to CVE-2012-1823. This critical vulnerability allows attackers to retrieve source code and execute code remotely.

Detects Ruby on Rails servers vulnerable to object injection, remote command execution and denial of service attacks (CVE-2013-0156).

Detects a URL redirection and reflected XSS vulnerability in Allegro RomPager Web server. The vulnerability has been assigned CVE-2013-6786.

A 0-day was released on the 6th December 2013 by rubina119, and was patched in Zimbra 7.2.6.

Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA ASDM Privilege Escalation Vulnerability (CVE-2014-2126).

Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Privilege Escalation Vulnerability (CVE-2014-2127).

Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability (CVE-2014-2128).

Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SIP Denial of Service Vulnerability (CVE-2014-2129).

Exploits CVE-2014-3704, also known as 'Drupageddon', in Drupal. Versions < 7.32 of Drupal core are known to be affected.

Exploits a remote code injection vulnerability (CVE-2014-8877) in the WordPress CM Download Manager plugin. Versions <= 2.0.0 are known to be affected.

This script attempts to detect a vulnerability, CVE-2015-1427, which allows attackers to leverage features of the Elasticsearch scripting API to gain unauthenticated remote code execution (RCE).

Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE-2015-1635).

Attempts to detect a privilege escalation vulnerability in WordPress 4.7.0 and 4.7.1 that allows unauthenticated users to inject content in posts.

Detects whether the specified URL is vulnerable to the Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638).

Detects if a system with Intel Active Management Technology is vulnerable to the INTEL-SA-00075 privilege escalation vulnerability (CVE-2017-5689).

An SQL Injection vulnerability affecting Joomla! 3.7.x before 3.7.1 allows unauthenticated users to execute arbitrary SQL commands. This vulnerability was caused by a new component, com_fields, which was introduced in version 3.7. This component is publicly accessible, which means this can be exploited by any malicious individual visiting the site.

Detects the RomPager 4.07 Misfortune Cookie vulnerability by safely exploiting it.

A vulnerability has been discovered in the WNR 1000 series that allows an attacker to retrieve administrator credentials from the router interface. Tested on firmware version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA

Attempts to determine whether a web server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or WAF (Web Application Firewall) by probing the web server with malicious payloads and detecting changes in the response code and body.

Attempts to detect the presence of a web application firewall and its type and version.

A script to detect WebDAV installations. Uses the OPTIONS and PROPFIND methods.

Performs brute force password auditing against WordPress CMS/blog installations.

Enumerates themes and plugins of WordPress installations. The script can also detect outdated plugins by comparing version numbers with information pulled from api.wordpress.org.

Enumerates usernames in WordPress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.

This script searches the xssed.com database and outputs the result.

Performs brute force password auditing against the Asterisk IAX2 protocol. Guessing fails when a large number of attempts is made due to the maxcallnumber limit (default 2048). In case you're getting "ERROR: Too many retries, aborted ..." after a while, this is most likely what's happening. In order to avoid this problem, try:

  • reducing the size of your dictionary
  • using the brute delay option to introduce a delay between guesses
  • splitting the guessing up in chunks and waiting for a while between them

Detects the UDP IAX2 service.

Tests a list of known ICAP service names and prints information about any it detects. The Internet Content Adaptation Protocol (ICAP) is used to extend transparent proxy servers and is generally used for content filtering and antivirus scanning.

Attempts to identify the IEC 60870-5-104 ICS protocol.

Obtains information (such as vendor and device type where available) from an IKE service by sending four packets to the host. This script tests with both Main and Aggressive Mode and sends multiple transforms per request.

Performs brute force password auditing against IMAP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication.

Retrieves IMAP email server capabilities.

This script enumerates information from remote IMAP services with NTLM authentication enabled.

Tests for the presence of the LibreOffice Impress Remote server. Checks if a PIN is valid if provided and will bruteforce the PIN if requested.

Performs brute force password auditing against IBM Informix Dynamic Server.

Runs a query against IBM Informix Dynamic Server using the given authentication credentials (see also: informix-brute).

Retrieves a list of tables and column definitions for each database on an Informix server.

Detects whether the remote device has IP forwarding or "Internet connection sharing" enabled, by sending an ICMP echo request to a given target using the scanned host as default gateway.

Attempts to identify the physical location of an IP address using the Geoplugin geolocation web service (http://www.geoplugin.com/). There is no limit on lookups using this service.

Attempts to identify the physical location of an IP address using the IPInfoDB geolocation web service (http://ipinfodb.com/ip_location_api.php).

This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and renders a Bing Map of markers representing the targets.

This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and renders a Google Map of markers representing the targets.

This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and produces a KML file of points representing the targets.

Attempts to identify the physical location of an IP address using a Maxmind geolocation database file (available from http://www.maxmind.com/app/ip-location). This script supports queries using all Maxmind databases that are supported by their API, including the commercial ones.

Checks if the IP over HTTPS (IP-HTTPS) Tunneling Protocol [1] is supported.

Classifies a host's IP ID sequence (test for susceptibility to idle scan).

Performs brute force password auditing against IPMI RPC server.

IPMI 2.0 Cipher Zero Authentication Bypass Scanner. This module identifies IPMI 2.0 compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero.

Performs IPMI Information Discovery through Channel Auth probes.

Uses Multicast Listener Discovery to list the multicast addresses subscribed to by IPv6 multicast listeners on the link-local scope. Addresses in the IANA IPv6 Multicast Address Space Registry have their descriptions listed.

Obtains hostnames, IPv4 and IPv6 addresses through IPv6 Node Information Queries.

Generates a flood of Router Advertisements (RA) with random source MAC addresses and IPv6 prefixes. Computers which have stateless autoconfiguration enabled by default (every major OS) will start to compute an IPv6 suffix and update their routing table to reflect the accepted announcement. This will cause 100% CPU usage on Windows and other platforms, preventing them from processing other application requests.

Checks an IRC server for channels that are commonly used by malicious botnets.

Performs brute force password auditing against IRC (Internet Relay Chat) servers.

Gathers information from an IRC server.

Performs brute force password auditing against IRC (Internet Relay Chat) servers supporting SASL authentication.

Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.

Performs brute force password auditing against iSCSI targets.

Collects and displays information from remote iSCSI targets.

Lists portals and iSCSI nodes registered with the Internet Storage Name Service (iSNS).

Attempts to exploit Java's remote debugging port. When the remote debugging port is left open, it is possible to inject Java bytecode and achieve remote code execution. This script abuses this to inject and execute a Java class file that executes the supplied shell command and returns its output.

Attempts to exploit Java's remote debugging port. When the remote debugging port is left open, it is possible to inject Java bytecode and achieve remote code execution. This script injects and executes a Java class file that returns remote system information.

Attempts to exploit Java's remote debugging port. When the remote debugging port is left open, it is possible to inject Java bytecode and achieve remote code execution. This script allows injection of arbitrary class files.

Detects the Java Debug Wire Protocol. This protocol is used by Java programs to be debugged via the network. It should not be open to the public Internet, as it does not provide any security against malicious attackers who can inject their own bytecode into the debugged process.

Detects KNX gateways by sending a KNX Search Request to the multicast address 224.0.23.12 including a UDP payload with destination port 3671. KNX gateways will respond with a KNX Search Response including various information about the gateway, such as KNX address and supported services.

Identifies a KNX gateway on UDP port 3671 by sending a KNX Description Request.

Detects valid usernames by brute force querying likely usernames against a Kerberos service. When an invalid username is requested the server will respond with the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, allowing us to determine that the user name was invalid. Valid user names will elicit either a TGT in an AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, signaling that the user is required to perform pre-authentication.
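The classification the user-enumeration check draws from a KDC reply, as an added example that is not the NSE script's own code. It walks the DER encoding of a KRB-ERROR far enough to read the `error-code` field and maps it, or an AS-REP, to a verdict. The sample messages are constructed by the small encoder at the bottom (realm `EXAMPLE.COM` is a placeholder); no KDC is contacted.

```python
# Added example: verdict from an AS-REQ reply, with a minimal DER walker.
# Not the NSE script's code; sample messages are constructed below.
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KRB5KDC_ERR_PREAUTH_REQUIRED = 25
TAG_AS_REP = 0x6B       # [APPLICATION 11] constructed
TAG_KRB_ERROR = 0x7E    # [APPLICATION 30] constructed
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ERROR_CODE = 0xA6   # [6] context-specific, constructed


def _read_tlv(buf, pos):
    """Read one DER tag and length (single-byte tags, all Kerberos needs).
    Returns (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def krb_error_code(msg):
    """Return the error-code of a DER KRB-ERROR message, or None if not one."""
    tag, start, end = _read_tlv(msg, 0)
    if tag != TAG_KRB_ERROR:
        return None
    tag, start, end = _read_tlv(msg, start)
    if tag != TAG_SEQUENCE:
        return None
    pos = start
    while pos < end:                        # scan the SEQUENCE for [6] error-code
        tag, vstart, vend = _read_tlv(msg, pos)
        if tag == TAG_ERROR_CODE:
            itag, istart, iend = _read_tlv(msg, vstart)
            if itag == TAG_INTEGER:
                return int.from_bytes(msg[istart:iend], "big", signed=True)
        pos = vend
    return None


def classify_reply(reply):
    """Map a KDC reply to the verdict the enumeration check draws from it."""
    if reply and reply[0] == TAG_AS_REP:
        return "valid (TGT issued without pre-authentication)"
    code = krb_error_code(reply)
    if code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
        return "invalid"
    if code == KRB5KDC_ERR_PREAUTH_REQUIRED:
        return "valid (pre-authentication required)"
    return "undetermined (error-code %r)" % code   # e.g. clock skew, revoked, ...


# --- constructed sample messages -------------------------------------------

def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _int(v):
    return _tlv(TAG_INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def build_krb_error(code, realm=b"EXAMPLE.COM"):
    """A KRB-ERROR with the fields a KDC sends for a failed AS-REQ."""
    body = (_tlv(0xA0, _int(5)) +                                    # pvno
            _tlv(0xA1, _int(30)) +                                   # msg-type KRB-ERROR
            _tlv(0xA4, _tlv(0x18, b"20240101000000Z")) +             # stime
            _tlv(0xA5, _int(0)) +                                    # susec
            _tlv(0xA6, _int(code)) +                                 # error-code
            _tlv(0xA9, _tlv(0x1B, realm)) +                          # realm
            _tlv(0xAA, _tlv(TAG_SEQUENCE,                            # sname krbtgt/REALM
                 _tlv(0xA0, _int(2)) +
                 _tlv(0xA1, _tlv(TAG_SEQUENCE,
                      _tlv(0x1B, b"krbtgt") + _tlv(0x1B, realm))))))
    return _tlv(TAG_KRB_ERROR, _tlv(TAG_SEQUENCE, body))


if __name__ == "__main__":
    for user, code in (("bob", KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN),
                       ("alice", KRB5KDC_ERR_PREAUTH_REQUIRED)):
        print(user, "->", classify_reply(build_krb_error(code)))
```

The walker deliberately scans for tag `[6]` rather than assuming field order, because optional fields such as `ctime`/`cusec` may or may not be present; anything other than the two enumeration-relevant codes is reported as undetermined so that, for instance, a clock-skew error is not mistaken for an answer about the username.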

Attempts to brute-force LDAP authentication. By default it uses the built-in username and password lists. In order to use your own lists use the userdb and passdb script arguments.

Universal Password enables advanced password policies, including extended characters in passwords, synchronization of passwords from eDirectory to other systems, and a single password for all access to eDirectory.

Retrieves the LDAP root DSA-specific Entry (DSE).

Attempts to perform an LDAP search and returns all matches.

Retrieves configuration information from a Lexmark S300-S400 printer.

Resolves a hostname by using the LLMNR (Link-Local Multicast Name Resolution) protocol.

Uses the Microsoft LLTD protocol to detect hosts on a local network.

Retrieves version and database information from a SAP Max DB database.

Checks if the ePO agent is running on port 8081 or on the port identified as the ePO Agent port.

Performs brute force password auditing against Couchbase Membase servers.

Retrieves information (hostname, OS, uptime, etc.) from the CouchBase Web Administration port. The information retrieved by this script does not require any credentials.

Retrieves information (including system architecture, process ID, and server time) from the distributed memory object caching system memcached.

Gathers info from the Metasploit RPC service. It requires a valid login pair. After authentication it attempts to determine the Metasploit version and deduce the OS type. Then it creates a new console and executes a few commands to get additional info.

Performs brute force username and password auditing against the Metasploit msgrpc interface.

Performs brute force password auditing against a Metasploit RPC server using the XMLRPC protocol.

Performs brute force password auditing against Mikrotik RouterOS devices with the RouterOS API interface enabled.

Performs brute force password auditing against the RPA Tech Mobile Mouse servers.

Connects to an RPA Tech Mobile Mouse server, starts an application and sends a sequence of keys to it. Any application that the user has access to can be started, and the key sequence is sent to the application after it has been started.

Enumerates SCADA Modbus slave ids (sids) and collects their device information.

Performs brute force password auditing against the MongoDB database.

Attempts to get a list of tables from a MongoDB database.

Attempts to get build info and server status from a MongoDB database.

Dumps message traffic from MQTT brokers.

Queries targets for multicast routing information.

Performs password guessing against Microsoft SQL Server (ms-sql). Works best in conjunction with the broadcast-ms-sql-discover script.

Queries Microsoft SQL Server (ms-sql) instances for a list of databases, linked servers, and configuration settings.

Queries the Microsoft SQL Browser service for the DAC (Dedicated Admin Connection) port of a given (or all) SQL Server instance. The DAC port is used to connect to the database instance when normal connection attempts fail, for example, when the server is hung, out of memory or in other bad states. In addition, the DAC port provides an admin with access to system objects otherwise not accessible over normal connections.

Dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John-the-ripper. In order to do so the user needs to have the appropriate DB privileges.

Attempts to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.

Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has access to.

Attempts to determine configuration and version information for Microsoft SQL Server instances.

This script enumerates information from remote Microsoft SQL services with NTLM authentication enabled.

Runs a query against Microsoft SQL Server (ms-sql).

Queries Microsoft SQL Server (ms-sql) for a list of tables per database.

Attempts to run a command using the command shell of Microsoft SQL Server (ms-sql).

Queries an MSRPC endpoint mapper for a list of mapped services and displays the gathered information.

Queries for the multicast path from a source to a destination host.

Detects the Murmur service (server for the Mumble voice communication client) versions 1.2.X.

Audits MySQL database server security configuration against parts of the CIS MySQL v1.0.2 benchmark (the engine can be used for other MySQL audits by creating appropriate audit files).

Performs password guessing against MySQL.

Attempts to list all databases on a MySQL server.

Dumps the password hashes from a MySQL server in a format suitable for cracking by tools such as John the Ripper. Appropriate DB privileges (root) are required.

Checks for MySQL servers with an empty password for root or anonymous.

Performs valid-user enumeration against a MySQL server using a bug discovered and published by Kingcope (http://seclists.org/fulldisclosure/2012/Dec/9).

Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.

Runs a query against a MySQL database and returns the results as a table.

Attempts to list all users on a MySQL server.

Attempts to show all variables on a MySQL server.

Gets the router's WAN IP using the NAT Port Mapping Protocol (NAT-PMP). The NAT-PMP protocol is supported by a wide range of routers including:

  • Apple AirPort Express
  • Apple AirPort Extreme
  • Apple Time Capsule
  • DD-WRT
  • OpenWrt v8.09 or higher, with MiniUPnP daemon
  • pfSense v2.0
  • Tarifa (firmware) (Linksys WRT54G/GL/GS)
  • Tomato Firmware v1.24 or higher (Linksys WRT54G/GL/GS and many more)
  • Peplink Balance

Maps a WAN port on the router to a local port on the client using the NAT Port Mapping Protocol (NAT-PMP). It supports the following operations:

  • map – maps a new external port on the router to an internal port of the requesting IP
  • unmap – unmaps a previously mapped port for the requesting IP
  • unmapall – unmaps all previously mapped ports for the requesting IP
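The two NAT-PMP operations described by the last two entries (external address query, and map/unmap/unmapall) as one added example, not the NSE scripts' own code. It builds the RFC 6886 request packets, parses the responses, and includes a constructed `FakeGateway` so the exchange runs offline; `query()` sends a real request to a gateway you name and is the only part that touches the network. The external address `203.0.113.7` and the client address are placeholders.

```python
# Added example: NAT-PMP (RFC 6886) request/response handling.
# Not the NSE scripts' code; FakeGateway is a constructed router model.
import socket
import struct

NATPMP_PORT = 5351
OP_EXTERNAL_ADDR, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
RESULT = {0: "success", 1: "unsupported version", 2: "not authorized/refused",
          3: "network failure", 4: "out of resources", 5: "unsupported opcode"}


def build_external_address_request():
    return struct.pack("!BB", 0, OP_EXTERNAL_ADDR)          # version 0, opcode 0


def build_map_request(proto, internal_port, external_port, lifetime):
    """Opcode 1 (UDP) / 2 (TCP), 2 reserved bytes, ports, lifetime in seconds."""
    op = OP_MAP_TCP if proto == "tcp" else OP_MAP_UDP
    return struct.pack("!BBHHHI", 0, op, 0, internal_port, external_port, lifetime)


def build_unmap_request(proto, internal_port):
    return build_map_request(proto, internal_port, 0, 0)    # lifetime 0 = delete


def build_unmap_all_request(proto):
    return build_map_request(proto, 0, 0, 0)                # internal port 0 = all


def parse_response(data):
    """Responses carry opcode | 0x80, a result code and the gateway's epoch."""
    version, op, result, epoch = struct.unpack("!BBHI", data[:8])
    if version != 0 or not op & 0x80:
        raise ValueError("not a NAT-PMP response")
    out = {"opcode": op & 0x7F, "result": RESULT.get(result, "unknown (%d)" % result),
           "epoch": epoch}
    if (op & 0x7F) == OP_EXTERNAL_ADDR:
        if len(data) >= 12:
            out["external_ip"] = socket.inet_ntoa(data[8:12])
    elif len(data) >= 16:
        out["internal_port"], out["external_port"], out["lifetime"] = \
            struct.unpack("!HHI", data[8:16])
    return out


def query(gateway_ip, request, timeout=2.0):
    """Send one request to a real gateway (RFC 6886 retransmission omitted)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (gateway_ip, NATPMP_PORT))
        return parse_response(s.recvfrom(64)[0])


class FakeGateway:
    """Constructed stand-in for a NAT-PMP router so the exchange runs offline."""

    def __init__(self, external_ip="203.0.113.7"):
        self.external_ip = external_ip
        self.epoch = 1000
        self.mappings = {}                  # (opcode, external_port) -> internal_port

    def handle(self, req):
        version, op = req[0], req[1]
        if version != 0:                    # RFC: 8-byte reply, result 1
            return struct.pack("!BBHI", 0, 0x80 | op, 1, self.epoch)
        if op == OP_EXTERNAL_ADDR:
            return struct.pack("!BBHI", 0, 0x80, 0, self.epoch) + socket.inet_aton(self.external_ip)
        if op not in (OP_MAP_UDP, OP_MAP_TCP):
            return struct.pack("!BBHI", 0, 0x80 | op, 5, self.epoch)
        _, _, _, iport, eport, lifetime = struct.unpack("!BBHHHI", req)
        if lifetime == 0:                   # unmap one (iport) or all (iport == 0)
            for key in [k for k, v in self.mappings.items()
                        if k[0] == op and (iport == 0 or v == iport)]:
                del self.mappings[key]
            return struct.pack("!BBHIHHI", 0, 0x80 | op, 0, self.epoch, iport, 0, 0)
        port = eport or iport               # honour the suggestion if free, else next free
        while (op, port) in self.mappings and self.mappings[(op, port)] != iport:
            port += 1
        self.mappings[(op, port)] = iport
        return struct.pack("!BBHIHHI", 0, 0x80 | op, 0, self.epoch, iport, port, lifetime)


if __name__ == "__main__":
    gw = FakeGateway()
    print(parse_response(gw.handle(build_external_address_request())))
    print(parse_response(gw.handle(build_map_request("tcp", 22, 2222, 3600))))
    print(parse_response(gw.handle(build_unmap_request("tcp", 22))))
```

The point a practitioner should take from the map response is that the external port actually granted may differ from the one suggested, so a tool must read it back rather than assume the request was honoured; the fake gateway reproduces that by handing out the next free port on a collision.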

Displays protocol and block device information from NBD servers.

Attempts to retrieve the target's NetBIOS names and MAC address.

Retrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service.

Retrieves eDirectory server information (OS version, server name, mounts, etc.) from the Novell NetWare Core Protocol (NCP) service.

Lists remote file systems by querying the remote device using the Network Data Management Protocol (NDMP). NDMP is a protocol intended to transport data between a NAS device and the backup device, removing the need for the data to pass through the backup server. The following products are known to support the protocol:

  • Amanda
  • Bacula
  • CA Arcserve
  • CommVault Simpana
  • EMC Networker
  • Hitachi Data Systems
  • IBM Tivoli
  • Quest Software Netvault Backup
  • Symantec Netbackup
  • Symantec Backup Exec

Retrieves version information from the remote Network Data Management Protocol (NDMP) service. NDMP is a protocol intended to transport data between a NAS device and the backup device, removing the need for the data to pass through the backup server. The following products are known to support the protocol:

  • Amanda
  • Bacula
  • CA Arcserve
  • CommVault Simpana
  • EMC Networker
  • Hitachi Data Systems
  • IBM Tivoli
  • Quest Software Netvault Backup
  • Symantec Netbackup
  • Symantec Backup Exec

Performs brute force password auditing against a Nessus vulnerability scanning daemon using the NTP 1.2 protocol.

Performs brute force password auditing against a Nessus vulnerability scanning daemon using the XMLRPC protocol.

Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password.

Performs brute force password auditing against the NetBus backdoor ("remote administration") service.

Opens a connection to a NetBus server and extracts information about the host and the NetBus service itself.

Extends version detection to detect NetBuster, a honeypot service that mimics NetBus.

Performs brute force password auditing against a Nexpose vulnerability scanner using the API 1.1.

Attempts to get useful information about files from NFS exports. The output is intended to resemble the output of ls.

Shows NFS exports, like the showmount -e command.

Retrieves disk space statistics and information from a remote NFS share. The output is intended to resemble the output of df.

z/OS JES Network Job Entry (NJE) target node name brute force.

z/OS JES Network Job Entry (NJE) 'I record' password brute forcer.

This script enumerates information from remote NNTP services with NTLM authentication enabled.

Performs brute force password auditing against an Nping Echo service.

Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such as load averages, process counts, logged in user information, etc.

Gets the time and configuration variables from an NTP server. We send two requests: a time request and a "read variables" (opcode 2) control message. Without verbosity, the script shows the time and the value of the version, processor, system, refid, and stratum variables. With verbosity, all variables are shown.
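The "read variables" control message mentioned above, as an added example that is not the NSE script's own code: it builds the NTP mode 6 request with opcode 2 and parses the comma-separated `name=value` list in the reply. The reply bytes are constructed here (the version string and other values are invented), so nothing is sent to a server.

```python
# Added example: NTP mode 6 READVAR (opcode 2) request builder and reply parser.
# Not the NSE script's code; fake_readvar_response is a constructed reply.
import re
import struct

# LI/VN/Mode, R/E/M/Opcode, sequence, status, association ID, offset, count
CTL_HEADER = "!BBHHHHH"
OPCODE_READVAR = 2


def build_readvar_request(sequence=1, association_id=0, variables=""):
    """Mode 6 request; an empty variable list asks for all variables."""
    first = (2 << 3) | 6                     # LI=0, VN=2, Mode=6 -> 0x16
    data = variables.encode()
    hdr = struct.pack(CTL_HEADER, first, OPCODE_READVAR, sequence, 0,
                      association_id, 0, len(data))
    return hdr + data + b"\x00" * (-len(data) % 4)   # pad data to 32-bit boundary


def parse_control_response(pkt):
    """Return (opcode, error_bit, more_bit, status_word, {name: value})."""
    first, rem, seq, status, assoc, offset, count = struct.unpack(CTL_HEADER, pkt[:12])
    if (first & 0x07) != 6 or not rem & 0x80:          # mode 6 with Response bit set
        raise ValueError("not an NTP control response")
    data = pkt[12:12 + count].decode("latin-1")
    variables = {}
    # values are either "quoted strings" (may contain spaces) or bare tokens up to a comma
    for m in re.finditer(r'([A-Za-z_][\w.]*)(?:=("[^"]*"|[^,]*))?', data):
        variables[m.group(1)] = (m.group(2) or "").strip().strip('"')
    return rem & 0x1F, bool(rem & 0x40), bool(rem & 0x20), status, variables


def fake_readvar_response(sequence=1):
    """Constructed reply in the shape ntpd returns (all values invented)."""
    data = ('version="ntpd 4.2.8p15@1.3728-o Wed Sep 23 11:46:38 UTC 2020 (1)",'
            'processor="x86_64",system="Linux/5.4.0",leap=0,stratum=2,'
            'refid=203.0.113.1,clock=e9e2b1c4.6a5d7f12\r\n').encode()
    hdr = struct.pack(CTL_HEADER, 0x16, 0x80 | OPCODE_READVAR, sequence,
                      0x0624, 0, 0, len(data))
    return hdr + data + b"\x00" * (-len(data) % 4)


if __name__ == "__main__":
    op, err, more, status, vars_ = parse_control_response(fake_readvar_response())
    for key in ("version", "processor", "system", "refid", "stratum"):
        print(key, "=", vars_.get(key))
```

The `more` bit matters on real servers: a full variable list often spans several fragments, each carrying the same sequence number and an increasing offset, so a caller should keep reading until a fragment arrives with that bit clear.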

Obtains and prints an NTP server’s monitor gegevens.

Performs brute force password auditing against the OpenVAS manager using OMPv2.

Attempts to retrieve the list of target systems and networks from an OpenVAS Manager server.

This NSE script is used to send a FINS packet to a remote device. The script will send a Controller Gegevens Read Guideline and once a response is received, it validates that it wasgoed a decent response to the directive that wasgoed sent, and then will parse out the gegevens.

Parses and displays the banner information of an OpenLookup (network key-value store) server.

Performs brute force password auditing against a OpenVAS vulnerability scanner daemon using the OTP 1.0 protocol.

OpenWebNet is a communications protocol developed by Bticino since 2000. Retrieves device identifying information and number of connected devices.

Performs brute force password auditing against Oracle servers.

Exploits the CVE-2012-3137 vulnerability, a weakness ter Oracle’s O5LOGIN authentication scheme. The vulnerability exists ter Oracle 11g R1/R2 and permits linking the session key to a password hash. When initiating an authentication attempt spil a valid user the server will react with a session key and salt. Once received the script will disconnect the connection thereby not recording the login attempt. The session key and salt can then be used to brute force the users password.

Attempts to enumerate valid Oracle user names against unpatched Oracle 11g servers (this bug wasgoed immobilized te Oracle’s October 2009 Critical Patch Update).

Guesses Oracle example/SID names against the TNS-listener.

Decodes the VSNNUM version number from an Oracle TNS listener.

Detects the version of an Oracle Virtual Server Tuut by fingerprinting responses to an HTTP GET request and an XML-RPC method call.

Checks if a host is infected with Conficker.C or higher, based on Conficker’s peer to peer communication.

Performs elementary Path MTU Discovery to target hosts.

Performs brute force password auditing against the pcAnywhere remote access protocol.

This NSE script will query and parse pcworx protocol to a remote PLC. The script will send a initial request packets and once a response is received, it validates that it wasgoed a decent response to the instruction that wasgoed sent, and then will parse out the gegevens. PCWorx is a protocol and Program by Phoenix Voeling.

Performs password guessing against PostgreSQL.

Retrieves or sets the ready message on printers that support the Printer Job Language. This includes most PostScript printers that listen on port 9100. Without an argument, displays the current ready message. With the pjl_ready_message script argument, displays the old ready message and switches it to the message given.

Attempts to loom into a POP3 account by guessing usernames and passwords.

Retrieves POP3 email server capabilities.

This script enumerates information from remote POP3 services with NTLM authentication enabled.

Attempts to samenvatting system information from the point-to-point tunneling protocol (PPTP) service.

Detects if naive signing is enabled on a Puppet server. This enables attackers to create any Certificate Signing Request and have it signed, permitting them to impersonate spil a puppet smeris. This can leak the configuration of the agents spil well spil any other sensitive information found te the configuration files.

Attempts to identify whether a listening QNX QCONN daemon permits unauthenticated users to execute arbitrary operating system instructions.

Repeatedly probe open and/or closed ports on a host to obtain a series of round-trip time values for each port. Thesis values are used to group collections of ports which are statistically different from other groups. Ports being ter different groups (or “families”) may be due to network mechanisms such spil port forwarding to machines behind a Vloeistof.

Extracts information from Quake spel servers and other spel servers which use the same protocol.

Extracts information from a Quake3 spel server and other games which use the same protocol.

Queries Quake3-style master servers for spel servers (many games other than Quake Three use this same protocol).

Determines which Security layer and Encryption level is supported by the RDP service. It does so by cycling through all existing protocols and ciphers. When run ter debug mode, the script also comebacks the protocols and ciphers that fail and any errors that were reported.

Checks if a machine is vulnerable to MS12-020 RDP vulnerability.

Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).

Performs brute force passwords auditing against a Redis key-value store.

Retrieves information (such spil version number and architecture) from a Redis key-value store.

Resolves hostnames and adds every address (IPv4 or IPv6, depending on Nmap mode) to Nmap’s target list. This differs from Nmap’s normal host resolution process, which only scans the very first address (A or AAAA record) returned for each host name.

Creates a reverse index at the end of scan output showing which hosts run a particular service. This is in addition to Nmap’s normal output listing the services on each host.

Performs brute force password auditing against the classic UNIX rexec (remote exec) service.

Retrieves the day and time from the Time service.

Retrieves information (such as node name and architecture) from a Basho Riak distributed database using the HTTP protocol.

Performs brute force password auditing against the classic UNIX rlogin (remote login) service. This script must be run in privileged mode on UNIX because it must bind to a low source port number.

Connects to a remote RMI registry and attempts to dump all of its objects.

Tests whether Java rmiregistry allows class loading. The default configuration of rmiregistry allows loading classes from remote URLs, which can lead to remote code execution. The vendor (Oracle/Sun) classifies this as a design feature.

Fingerprints the target RPC port to extract the target service, RPC number and version.

Performs brute force password auditing against the WinPcap Remote Capture Daemon (rpcap).

Connects to the rpcap service (provides remote sniffing capabilities through WinPcap) and retrieves interface information. The service can either be set up to require authentication or not, and also supports IP restrictions.

Connects to portmapper and fetches a list of all registered programs. It then prints out a table including (for each program) the RPC program number, supported version numbers, port number and protocol, and program name.

Detects RSA keys vulnerable to Return Of Coppersmith Attack (ROCA) factorization.

Performs brute force password auditing against the rsync remote file syncing protocol.

Lists modules available for rsync (remote file sync) synchronization.

Determines which methods are supported by the RTSP (real time streaming protocol) server.

Attempts to enumerate RTSP media URLs by testing for common paths on devices such as surveillance IP cameras.

Connects to rusersd RPC service and retrieves a list of logged-in users.

Enumerates Siemens S7 PLC devices and collects their device information. This script is based off PLCScan, which was developed by Positive Research and Scadastrangelove (https://code.google.com/p/plcscan/). This script is meant to provide the same functionality as PLCScan inside of Nmap. Some of the information that is collected by PLCScan was not ported over; this information can be parsed out of the packets that are received.

Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182.

Attempts to extract system information (OS, hardware, etc.) from the Sun Service Tags service agent (UDP port 6481).

Queries the Shodan API for given targets and produces output similar to a -sV nmap scan. The Shodan API key can be set with the ‘apikey’ script argument, or hardcoded in the .nse file itself. You can get a free key from https://developer.shodan.io

Performs brute force password auditing against Session Initiation Protocol (SIP) accounts. This protocol is most commonly associated with VoIP sessions.

Spoofs a call to a SIP phone and detects the action taken by the target (busy, declined, hung up, etc.)

Enumerates a SIP server’s valid extensions (users).

Enumerates a SIP server’s allowed methods (INVITE, OPTIONS, SUBSCRIBE, etc.)

Detects the Skype version 2 service.

Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. Every attempt will be made to get a valid list of users and to verify each username before actually using them. When a username is discovered, besides being printed, it is also saved in the Nmap registry so other Nmap scripts can use it. That means that if you’re going to run smb-brute.nse, you should run it before the other smb scripts you want. This checks passwords in a case-insensitive way, determining case after a password is found, for Windows versions before Vista.

Checks if the target machine is running the Double Pulsar SMB backdoor.

Attempts to enumerate domains on a system, along with their policies. This generally requires credentials, except against Windows 2000. In addition to the actual domain, the “Builtin” domain is generally displayed. Windows returns this in the list of domains, but its policies don’t appear to be used anywhere.

Obtains a list of groups from the remote Windows system, as well as a list of each group’s users. This works similarly to enum.exe with the /G switch.

Pulls a list of processes from the remote server over SMB. This will determine all running processes, their process IDs, and their parent processes. It is done by querying the remote registry service, which is disabled by default on Vista; on all other Windows versions, it requires Administrator privileges.

Retrieves the list of services running on a remote Windows system. Each service attribute contains service name, display name and service status of each service.

Enumerates the users logged into a system either locally or through an SMB share. The local users can be logged on either physically on the machine, or through a terminal services session. Connections to an SMB share are, for example, people connected to fileshares or making RPC calls. Nmap’s connection will also show up, and is generally identified as the one that connected “0 seconds ago”.

Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names is checked.

Attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different mechanisms (both over MSRPC, which uses port 445 or 139; see smb.lua). The goal of this script is to discover all user accounts that exist on a remote system. This can be helpful for administration, by seeing who has an account on a server, or for penetration testing or network footprinting, by determining which accounts exist on a system.

Exhausts a remote SMB server’s connection limit by opening as many connections as we can. Most implementations of SMB have a hard global limit of 11 connections for user accounts and 10 connections for anonymous. Once that limit is reached, further connections are denied. This script exploits that limit by taking up all the connections and holding them.

Attempts to retrieve useful information about files shared on SMB volumes. The output is intended to resemble the output of the UNIX ls command.

Queries information managed by the Windows Master Browser.

Attempts to determine the operating system, computer name, domain, workgroup, and current time over the SMB protocol (ports 445 or 139). This is done by starting a session with the anonymous account (or with a proper user account, if one is given; it likely doesn’t make a difference); in response to a session starting, the server will send back all this information.

Attempts to print text on a shared printer by calling Print Spooler Service RPC functions.

Attempts to list the supported protocols and dialects of a SMB server.

Implements remote process execution similar to the Sysinternals’ psexec tool, allowing a user to run a series of programs on a remote machine and read the output. This is useful for gathering information about servers, running the same tool on a range of systems, or even installing a backdoor on a collection of computers.

Returns information about the SMB security level determined by SMB.

Attempts to grab the server’s statistics over SMB and MSRPC, which uses TCP ports 445 or 139.

Pulls back information about the remote system from the registry. Getting all of the information requires an administrative account, although a user account will still get a lot of it. Guest probably won’t get any, nor will anonymous. This goes for all operating systems, including Windows 2000.

Detects Microsoft Windows systems infected by the Conficker worm. This check is dangerous and it may crash systems.

Checks if target machines are vulnerable to the arbitrary shared library load vulnerability CVE-2018-7494.

Detects Microsoft Windows systems vulnerable to denial of service (CVE-2009-3103). This script will crash the service if it is vulnerable.

Detects Microsoft Windows systems with Ras RPC service vulnerable to MS06-025.

Detects Microsoft Windows systems with Dns Server RPC vulnerable to MS07-029.

Detects Microsoft Windows systems vulnerable to the remote code execution vulnerability known as MS08-067. This check is dangerous and it may crash systems.

Tests whether target machines are vulnerable to the ms10-054 SMB remote memory corruption vulnerability.

Tests whether target machines are vulnerable to ms10-061 Printer Spooler impersonation vulnerability.

Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms17-010, a.k.a. EternalBlue). The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware.

Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer dereference. This check will crash the service if it is vulnerable and requires a guest account or higher to work.

Attempts to list the supported capabilities in an SMBv2 server for each enabled dialect.

Determines the message signing configuration in SMBv2 servers for all supported dialects.

Attempts to obtain the current system date and the start date of an SMB2 server.

Attempts to detect missing patches in Windows systems by checking the uptime returned during the SMB2 protocol negotiation.

Performs brute force password auditing against SMTP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication.

Attempts to use EHLO and HELP to gather the Extended commands supported by an SMTP server.

Attempts to enumerate the users on an SMTP server by issuing the VRFY, EXPN or RCPT TO commands. The goal of this script is to discover all the user accounts in the remote system.

This script enumerates information from remote SMTP services with NTLM authentication enabled.

Attempts to relay mail by issuing a predefined combination of SMTP commands. The goal of this script is to tell if an SMTP server is vulnerable to mail relaying.

Checks if SMTP is running on a non-standard port.

Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345).

Checks for a memory corruption in the Postfix SMTP server when it uses Cyrus SASL library authentication mechanisms (CVE-2011-1720). This vulnerability can allow denial of service and possibly remote code execution.

Checks for a format string vulnerability in the Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support (CVE-2011-1764). The DKIM logging mechanism did not use format string specifiers when logging some parts of the DKIM-Signature header field. A remote attacker who is able to send emails can exploit this vulnerability and execute arbitrary code with the privileges of the Exim daemon.

Checks if a target on a local Ethernet has its network card in promiscuous mode.

Attempts to find an SNMP community string by brute force guessing.

Attempts to enumerate Huawei / HP/H3C Locally Defined Users through the hh3c-user.mib OID.

Extracts basic information from an SNMPv3 GET request. The same probe is used here as in the service version detection scan.

Attempts to enumerate network interfaces through SNMP.

Attempts to download Cisco router IOS configuration files using SNMP RW (v1) and display or save them.

Attempts to query SNMP for a netstat-like output. The script can be used to identify and automatically add new targets to the scan by supplying the newtargets script argument.

Attempts to enumerate running processes through SNMP.

Attempts to extract system information from an SNMP version 1 service.

Attempts to enumerate Windows services through SNMP.

Attempts to enumerate Windows Shares through SNMP.

Attempts to enumerate installed software through SNMP.

Attempts to enumerate Windows user accounts through SNMP.

Determines the supported authentication mechanisms of a remote SOCKS proxy server. Starting with SOCKS version 5, socks servers may support authentication. The script checks for the following authentication types:

  • 0 – No authentication
  • 1 – GSSAPI
  • 2 – Username and password

Performs brute force password auditing against SOCKS 5 proxy servers.

Checks if an open socks proxy is running on the target.

Returns authentication methods that an SSH server supports.

Performs brute-force password guessing against ssh servers.

Shows SSH hostkeys.

This script takes a table of paths to private keys, passphrases, and usernames and checks each pair to see if the target ssh server accepts them for publickey authentication. If no keys are given or the known-bad option is given, the script will check if a list of known static public keys are accepted for authentication.

Runs a remote command on an ssh server and returns the command output.

Reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers. If verbosity is set, the offered algorithms are each listed by type.

Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1.

Detects whether a server is vulnerable to the SSL/TLS “CCS Injection” vulnerability (CVE-2014-0224), first discovered by Masashi Kikuchi. The script is based on the ccsinjection.c code authored by Ramon de C Valle (https://gist.github.com/rcvalle/71f4b027d61a78c42607)

Retrieves a server’s SSL certificate. The amount of information printed about the certificate depends on the verbosity level. With no extra verbosity, the script prints the validity period and the commonName, organizationName, stateOrProvinceName, and countryName of the subject.

Reports any private (RFC1918) IPv4 addresses found in the various fields of an SSL service’s certificate. These will only be reported if the target address itself is not private. Nmap v7.30 or later is required.

Retrieves a target host’s time and date from its TLS ServerHello response.

Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services.

This script repeatedly initiates SSLv3/TLS connections, each time attempting a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphersuites and compressors that a server accepts.

Detects whether a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160). The code is based on the Python script ssltest.py authored by Jared Stafford ([email protected])

Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys.

Checks whether SSLv3 CBC ciphers are permitted (POODLE)

Determines whether the server supports obsolete and less secure SSLv2, and detects which ciphers it supports.

Determines whether the server supports SSLv2, what ciphers it supports and tests for CVE-2015-3197, CVE-2016-0703 and CVE-2016-0800 (DROWN)

Checks if the Secure Socket Tunneling Protocol is supported. This is accomplished by attempting to establish the HTTPS layer which is used to carry SSTP traffic as described in: – http://msdn.microsoft.com/en-us/library/cc247364.aspx

Retrieves the external IP address of a NAT:ed host using the STUN protocol.

Sends a binding request to the server and attempts to extract version information from the response, if the server attribute is present.

Detects whether a host is infected with the Stuxnet worm (http://en.wikipedia.org/wiki/Stuxnet).

Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro Onboard IPMI controllers.

Performs brute force password auditing against Subversion source code control servers.

Produces a list of IP prefixes for a given routing AS number (ASN).

This script runs in the pre-scanning phase to map IPv4 addresses onto IPv6 networks and add them to the scan queue.

Sends an ICMPv6 echo request packet to the all-nodes link-local multicast address ( ff02::1 ) to detect responsive hosts on a LAN without needing to individually ping each IPv6 address.

Sends an ICMPv6 packet with an invalid extension header to the all-nodes link-local multicast address ( ff02::1 ) to detect (some) available hosts on the LAN. This works because some hosts will react to this probe with an ICMPv6 Parameter Problem packet.

Attempts to detect available IPv6 hosts on the LAN by sending an MLD (multicast listener discovery) query to the link-local multicast address (ff02::1) and listening for any responses. The query’s maximum response delay is set to 1 to provoke hosts to respond immediately rather than waiting for other responses from their multicast group.

Performs IPv6 host discovery by triggering stateless address auto-configuration (SLAAC).

Adds IPv6 addresses to the scan queue using a wordlist of hexadecimal “words” that form addresses in a given subnet.

Sniffs the local network for a configurable amount of time (10 seconds by default) and prints discovered addresses. If the newtargets script argument is set, discovered addresses are added to the scan queue.

Inserts traceroute hops into the Nmap scanning queue. It only functions if Nmap’s --traceroute option is used and the newtargets script argument is given.

Loads addresses from an Nmap XML output file for scanning.

Detects the TeamSpeak 2 voice communication server and attempts to determine version and configuration information.

Performs brute-force password auditing against telnet servers.

Determines whether the encryption option is supported on a remote telnet server. Some systems (including FreeBSD and the krb5 telnetd available in many Linux distributions) implement this option incorrectly, leading to a remote root vulnerability. This script currently only tests whether encryption is supported, not for that particular vulnerability.

This script enumerates information from remote Microsoft Telnet services with NTLM authentication enabled.

Enumerates TFTP (trivial file transfer protocol) filenames by testing for a list of common ones.

Enumerates a TLS server’s supported application-layer protocols using the ALPN protocol.

Enumerates a TLS server’s supported protocols by using the next protocol negotiation extension.

Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244).

Connects to a tn3270 ‘server’ and returns the screen.

Checks if a target is a known Tor node.

Lists the geographic locations of each hop in a traceroute and optionally saves the results to a KML file, plottable on Google Earth and Maps.

TSO account brute forcer.

TSO User ID enumerator for IBM mainframes (z/OS). The TSO logon panel tells you when a user ID is valid or invalid with the message: IKJ56420I Userid <user ID> not authorized to use TSO .

Runs unit tests on all NSE libraries.

Compares the detected service on a port against the expected service for that port number (e.g. ssh on 22, http on 80) and reports deviations. The script requires that a version scan has been run in order to be able to detect what service is actually running on each port.

Attempts to extract system information from the UPnP service.

Sniffs an interface for HTTP traffic and dumps any URLs, and their originating IP address. Script output differs from other scripts as URLs are written to stdout directly. There is also an option to log the results to a file.

Detects the Ventrilo voice communication server service versions 2.1.2 and above and attempts to determine version and configuration information. Some of the older versions (pre 3.0.0) may not have the UDP service that this probe relies on enabled by default.

Extracts information, including file paths, version and database names from a Versant object database.

Performs brute force password auditing against the VMWare Authentication Daemon (vmware-authd).

Queries VMware server (vCenter, ESX, ESXi) SOAP API to extract the version information.

Performs brute force password auditing against VNC servers.

Queries a VNC server for its protocol version and supported security types.

Attempts to log into a VNC server and get its desktop name. Uses credentials discovered by vnc-brute, or None authentication types. If realvnc-auth-bypass was run and returned VULNERABLE, this script will use that vulnerability to bypass authentication.

Retrieves cluster and store information from the Voldemort distributed key-value store using the Voldemort Native Protocol.

Many mainframes use VTAM screens to connect to various applications (CICS, IMS, TSO, and many more).

Retrieves some basic information, including protocol version, from a Vuze filesharing node.

Detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents.

Detects the T3 RMI protocol and WebLogic version.

Attempts to retrieve information about the domain name of the target.

Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.

Retrieves and displays information from devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later).

Checks if you’re allowed to connect to the X server.

Requests an XDMCP (X display manager control protocol) session and lists supported authentication and authorization mechanisms.

Performs XMLRPC Introspection via the system.listMethods method.

Performs brute force password auditing against XMPP (Jabber) instant messaging servers.

Connects to an XMPP server (port 5222) and collects server information such as: supported auth mechanisms, compression methods, whether TLS is supported and mandatory, stream management, language, support of In-Band registration, server capabilities. If possible, studies server vendor.

Libraries

This library was written by Patrik Karlsson <[email protected]> to facilitate communication with the Apple AFP Service. It is not feature complete and is still missing several functions.

A basic AJP 1.3 implementation based on documentation available from Apache mod_proxy_ajp, http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html

The AMQP library provides some basic functionality for retrieving information about an AMQP server’s properties.

This library implements HTTP requests used by the Cisco AnyConnect VPN Client

Base32 encoding and decoding. Follows RFC 4648.

Base64 encoding and decoding. Follows RFC 4648.

Pack and unpack binary data.

Bitwise operations on integers.

This library implements a minimal subset of the BitCoin protocol. It currently supports the version handshake and processing Addr responses.

Bit manipulation library.

Bittorrent and DHT protocol library which enables users to read information from a torrent file, decode bencoded (bittorrent encoded) buffers, find peers associated with a certain torrent and retrieve nodes discovered during the search for peers.

An implementation of the Canon BJNP protocol used to detect and query Canon network printers and scanner devices.

The brute library is an attempt to create a common framework for performing password guessing against remote services.

Library methods for handling Cassandra Thrift communication as a client.

This module was written by Patrik Karlsson and facilitates communication with the Citrix XML Service. It is not feature complete and is missing several functions and parameters.

Common communication functions for network discovery tasks like banner grabbing and data exchange.

The credential class stores found credentials in the Nmap registry.

A minimal CVS (Concurrent Versions System) pserver protocol implementation which currently only supports authentication.

Read and parse some of Nmap’s data files: nmap-protocols , nmap-rpc , nmap-services , and nmap-mac-prefixes .

Functions for dealing with dates and timestamps

Implement a Dynamic Host Configuration Protocol (DHCP) client.

Minimalistic DHCP6 (Dynamic Host Configuration Protocol for IPv6) implementation supporting basic DHCP6 Solicit requests. The library is structured around the following classes:

  • DHCP6.Option – DHCP6 options encoders (for requests) and decoders (for responses)
  • DHCP6.Request – DHCP6 request encoder and decoder
  • DHCP6.Response – DHCP6 response encoder and decoder
  • Helper – The helper class, primary script interface

Simple DNS library supporting packet creation, encoding, decoding, and querying.

A minimalistic DNS BlackList library implemented to facilitate querying various DNSBL services. The current list of services has been implemented based on the following compilations of services:

  • http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists
  • http://www.robtex.com
  • http://www.sdsc.edu/

Library for supporting DNS Service Discovery

DRDA Library supporting a very limited subset of operations.

EAP (Extensible Authentication Protocol) library supporting a limited subset of features.

A library supporting parsing and generating a limited subset of Cisco’s EIGRP packets.

Formula functions for various calculations.

Consolidation of GeoIP functions.

GIOP Library supporting a very limited subset of operations

A small GPS parsing module. Currently does GPRMC NMEA decoding.

Implements the HTTP client protocol in a standard form that Nmap scripts can take advantage of.

A small httpspider library providing basic spidering capabilities. It consists of the following classes:

A minimalistic Asterisk IAX2 (Inter-Asterisk eXchange v2) VoIP protocol implementation. The library implements the minimum needed to perform brute force password guessing.

Library methods for handling IDNA domains.

A very basic IKE library.

A library implementing a minor subset of the IMAP protocol, currently the CAPABILITY, LOGIN and AUTHENTICATE functions. The library was originally written by Brandon Enright and later extended and converted to OO-form by Patrik Karlsson <[email protected]>

Informix Library supporting a very limited subset of Informix operations

Utility functions for manipulating and comparing IP addresses.

A small CUPS ipp (Internet Printing Protocol) library implementation.

An iSCSI library written by Patrik Karlsson <[email protected]>. The library currently supports target discovery and login.

A minimal Internet Storage Name Service (iSNS) implementation

JDWP (Java Debug Wire Protocol) library implementing a set of commands needed to use a remote debugging port and inject Java bytecode.

Library methods for handling JSON data. It handles JSON encoding and decoding according to RFC 4627.

Library methods for handling LDAP.

Returns a directory iterator listing the contents of the given path.

Provides a binding for the libssh2 library.

Utility functions for libssh2.

Functional-style list operations.

Parsing Expression Grammars for Lua

Utility functions for LPeg.

Report file and directory listings.

Buffered network I/O helper functions.

A small implementation of the Couchbase Membase TAP protocol. Based on the scarce documentation from the Couchbase Wiki:

  • http://www.couchbase.org/wiki/display/membase/SASL+Authentication+Example

A MobileMe web service client that allows discovering Apple devices using the “find my iPhone” functionality.

Library methods for handling MongoDB, creating and parsing packets.

By making heavy use of the smb library, this library will call various MSRPC functions. The functions used here can be accessed over TCP ports 445 and 139, with an established session. A NULL session (the default) will work for some functions and operating systems (or configurations), but not for others.

This module is designed to parse the PERF_DATA_BLOCK structure, which is stored in the registry under HKEY_PERFORMANCE_DATA. By querying this structure, you can get a whole lot of information about what’s going on.

This module was written to marshall parameters for Microsoft RPC (MSRPC) calls. The values passed in and out are based on structs defined by the protocol, and documented by Samba developers. For detailed breakdowns of the types, take a look at Samba 4.0’s .idl files.

MSSQL Library supporting a very limited subset of operations.

Utility functions for sending MLD requests and parsing reports.

Simple MySQL Library supporting a very limited subset of operations.

This library implements the basics of NAT-PMP as described in the NAT Port Mapping Protocol (NAT-PMP) draft:

  • http://tools.ietf.org/html/draft-cheshire-nat-pmp-03

A small implementation of the Netware Core Protocol (NCP). While NCP was originally a Netware-only protocol, it’s now present on both Linux and Windows platforms running Novell eDirectory.

A minimalistic NDMP (Network Data Management Protocol) library.

Creates and parses NetBIOS traffic. The primary use for this is to send NetBIOS name requests.

Interface with Nmap internals.

A minimalistic library to support Domino RPC

Debugging functions for Nmap scripts.

This library was written to ease interaction with OpenVAS Manager servers using OMP (OpenVAS Management Protocol) version 2.

A limited OSPF (Open Shortest Path First routing protocol) library, currently supporting IPv4 and the following OSPF message types: HELLO, DB_DESCRIPTION, LS_REQUEST, LS_UPDATE

Facilities for manipulating raw packets.

Perl Compatible Regular Expressions.

PostgreSQL library supporting both version 2 and version 3 of the protocol. The library currently contains the bare minimum to perform authentication. Authentication is supported with or without SSL enabled and using the plain-text or MD5 authentication mechanisms.

A minimalistic PPPoE (Point-to-point protocol over Ethernet) library, implementing basic support for PPPoE Discovery and Configuration requests. The PPPoE protocol is Ethernet based and hence does not use any IPs or port numbers.

Functions for proxy testing.

Library methods for handling punycode strings.

A minimal RDP (Remote Desktop Protocol) library. Currently has functionality to determine encryption and cipher support.

Regular Expression functions

A minimalistic Redis (in-memory key-value data store) library.

Library methods for communicating over RMI (JRMP + Java serialization).

RPC Library supporting a very limited subset of operations.

This library implements the fundamentals needed to communicate with the WinPcap Remote Capture Daemon. It currently supports authenticating to the service using either NULL- or Password-based authentication. In addition it has the capabilities to list the interfaces that may be used for sniffing.

A minimalist RSYNC (remote file sync) library.

This Real Time Streaming Protocol (RTSP) library implements only a minimal subset of the protocol needed by the current scripts.

Simple Authentication and Security Layer (SASL).

Functions for building short portrules.

A SIP library supporting a limited subset of SIP commands and methods.

This is the NSE implementation of SLAXML. SLAXML is a pure-Lua SAX-like streaming XML parser. It is more robust than many (simpler) pattern-based parsers that exist, properly supporting code like <expr test="5 > 7" />, CDATA nodes, comments, namespaces, and processing instructions. It is currently not a truly valid XML parser, however, as it allows certain XML that is syntactically invalid (not well-formed) to be parsed without reporting an error. The streaming parser does a simple pass through the input and reports what it sees along the way. You can optionally ignore whitespace-only text nodes using the stripWhitespace option. The library contains the parser class and the parseDOM function.

Implements functionality related to Server Message Block (SMB, an extension of CIFS) traffic, which is a Windows protocol.

Implements the Server Message Block (SMB) protocol version 2 and 3.

This module takes care of the authentication used in SMB (LM, NTLM, LMv2, NTLMv2).

Simple Mail Transfer Protocol (SMTP) operations.

A smallish SOCKS version 5 proxy protocol implementation

A relatively small implementation of the Service Location Protocol. It was primarily designed to support requests for discovering Novell NCP servers, but should work for any other service as well.

Functions for the SSH-1 protocol. This module also contains functions for formatting key fingerprints.

Functions for the SSH-2 protocol.

A library providing functions for collecting SSL certificates and storing them in the host-based registry.

A library providing functions for doing SSLv2 communications

Standard Nmap Scripting Engine functions. This module contains various handy functions that are too small to justify modules of their own.

String buffer facilities.

Strict declared global library. Checks for undeclared global variables during runtime execution.

A library that implements the basics of the STUN protocol (Session Traversal Utilities for NAT) per RFC3489 and RFC5389. A protocol overview is available at http://en.wikipedia.org/wiki/STUN.

Arrange output into tables.

Utility functions to add newly discovered targets to the Nmap scan queue.

Library implementing a minimal TFTP server

A library providing functions for doing TLS/SSL communications

TN3270 Emulator Library

TNS Library supporting a very limited subset of Oracle operations

Library methods for handling unicode strings.

Unit testing support for NSE libraries.

Username/password database library.

A UPNP library based on code from upnp-info initially written by Thomas Buchanan. The code was factored out from upnp-info and partly re-written by Patrik Karlsson <[email protected]>, in order to support multicast requests.

URI parsing, composition, and relative URL resolution.

A tiny library allowing some basic information enumeration from Versant object database software (see http://en.wikipedia.org/wiki/Versant_Corporation). The code is entirely based on packet dumps captured when using the Versant Management Center administration application.

The VNC library provides some basic functionality needed in order to communicate with VNC servers, and derivatives such as Tight- or Ultra- VNC.

Functions for vulnerability management.

A Vuze DHT protocol implementation based on the following documentation: o http://wiki.vuze.com/w/Distributed_hash_table

A library that enables scripts to send Web Service Dynamic Discovery probes and perform some very basic decoding of responses. The library is in no way a full WSDD implementation; it's rather the result of some packet captures and some creative coding.

Implementation of the XDMCP (X Display Manager Control Protocol) based on: x http://www.xfree86.org/current/xdmcp.pdf

An XMPP (Jabber) library, implementing a minimal subset of the protocol, enough to do authentication brute-force.
