Maps IP addresses to autonomous system (AS) numbers.

Attempts to find the owner of an open TCP port by querying an auth (identd - port 113) daemon which must also be open on the target system.

Checks for an identd (auth) server which is spoofing its replies.

A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.

Retrieves the day and time from the UDP Daytime service.

Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).

Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).

Checks if a DNS server allows queries for third-party names.

Requests a zone transfer (AXFR) from a DNS server.

Attempts to retrieve a list of usernames using the finger service.

Checks if an FTP server allows anonymous logins.

Checks to see if an FTP server allows port scanning using the FTP bounce method.

Tries to get FTP login credentials by guessing usernames and passwords.

Shows the title of the default page of a web server.

Retrieves the authentication scheme and realm of a web service that requires authentication.

Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020 <http://www.microsoft.com/technet/security/bulletin/ms09-020.mspx>.

Checks if an HTTP proxy is open.

Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd using various traversal methods such as requesting ../../../../etc/passwd.

Sends an HTTP TRACE request and shows header fields that were modified in the response.

Detects the UDP IAX2 service.

Retrieves IMAP email server capabilities.

Gathers information from an IRC server.

Attempts to extract information from Microsoft SQL Server instances.

Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.

Attempts to retrieve the target's NetBIOS names and MAC address.

Check if a host is infected with Conficker.C or higher, based on Conficker's peer to peer communication.

Tries to log into a POP3 account by guessing usernames and passwords.

Retrieves POP3 email server capabilities.

Attempts to extract system information from the point-to-point tunneling protocol (PPTP) service.

Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).

Checks for disallowed entries in robots.txt.

Connects to portmapper and fetches a list of all registered programs.

Detects the Skype version 2 service.

Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. Every attempt will be made to get a valid list of users and to verify each username before actually using them. When a username is discovered, besides being printed, it is also saved in the Nmap registry so other Nmap scripts can use it. That means that if you're going to run smb-brute.nse, you should run other smb scripts you want. This checks passwords in a case-insensitive way, determining case after a password is found, for Windows versions before Vista.

Check for vulnerabilities:

• MS08-067, a Windows RPC vulnerability
• Conficker, an infection by the Conficker worm
• Unnamed regsvc DoS, a denial-of-service vulnerability I accidentically found in Windows 2000

Attempts to enumerate domains on a system, along with their policies. This generally requires credentials, except against Windows 2000. In addition to the actual domain, the "Builtin" domain is generally displayed. Windows returns this in the list of domains, but its policies don't appear to be used anywhere.

Pulls a list of processes from the remote server over SMB. This will determine all running processes, their process IDs, and their parent processes. It is done by querying the remote registry service, which is disabled by default on Vista; on all other Windows versions, it requires Administrator privilges.

Enumerates the users logged into a system either locally or through an SMB share. The local users can be logged on either physically on the machine, or through a terminal services session. Connections to a SMB share are, for example, people connected to fileshares or making RPC calls. Nmap's connection will also show up, and is generally identified by the one that connected "0 seconds ago".

Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names are checked.

Attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different techniques (both over MSRPC, which uses port 445 or 139; see smb.lua). The goal of this script is to discover all user accounts that exist on a remote system. This can be helpful for administration, by seeing who has an account on a server, or for penetration testing or network footprinting, by determining which accounts exist on a system.

Attempts to determine the operating system, computer name, domain, and current time over the SMB protocol (ports 445 or 139 -- for more information, see smb.lua). This is done by starting a session with the anonymous account (or with a proper user account, if one is given -- likely doesn't make a difference); in response to a session starting, the server will send back all this information.

This script implements the functionality found in pwdump.exe, written by the Foofus group. Essentially, it works by using pwdump6's modules (servpw.exe and lsremora.dll) to dump the password hashes for a remote machine. This currently works against Windows 2000 and Windows 2003.

Returns information about the SMB security level determined by SMB.

Attempts to grab the server's statistics over SMB and MSRPC, which uses TCP ports 445 or 139.

Pulls back information about the remote system from the registry. Getting all of the information requires an administrative account, although a user account will still get a lot of it. Guest probably won't get any, nor will anonymous. This goes for all operating systems, including Windows 2000.

Attempts to use EHLO and HELP to gather the Extended commands supported by an SMTP server.

Checks if an SMTP server is an open relay.

Checks if SMTP is running on a non-standard port.

Checks if a target on a local Ethernet has its network card in promiscuous mode.

Attempts to find an SNMP community string by brute force guessing.

Attempts to extract system information from an SNMP version 1 service.

Checks if an open socks proxy is running on the target.

Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack.

Shows SSH hostkeys.

Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1.

Determines whether the server supports obsolete and less secure SSL-v2, and discovers which ciphers it supports.

Tries to get Telnet login credentials by guessing usernames and passwords.

Attempts to extract system information from the UPnP service.

Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.