Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News

Scripts

afp-showmount

Shows AFP shares and ACLs

asn-query

Maps IP addresses to autonomous system (AS) numbers.

auth-owners

Attempts to find the owner of an open TCP port by querying an auth (identd - port 113) daemon which must also be open on the target system.

auth-spoof

Checks for an identd (auth) server which is spoofing its replies.

banner

A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.

citrix-brute-xml

Attempts to guess valid credentials for the Citrix PN Web Agent XML Service. The XML service authenticates against the local Windows server or the Active Directory.

citrix-enum-apps

Extract published applications from the ICA Browser service

citrix-enum-apps-xml

Extracts a list of applications, acls and settings from Citrix XML service

citrix-enum-servers

Extract a list of Citrix servers from the ICA Browser service

citrix-enum-servers-xml

Extracts the name of the server farm and member severs from Citrix XML service

daap-get-library

Retrieves a list of music from a DAAP server including the name of the artist, album and songs

daytime

Retrieves the day and time from the UDP Daytime service.

db2-info

Attempts to extract information from IBM DB2 Server instances. The script sends a DB2 EXCSAT (exchange server attributes) command packet and parses the response.

dhcp-discover

Sends a DHCPDISCOVER request to a host on UDP port 67. The response come back to UDP port 68, and is read using PCAP (due to the inability for a script to choose its source port at the moment).

dns-random-srcport

Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).

dns-random-txid

Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).

dns-recursion

Checks if a DNS server allows queries for third-party names.

dns-service-discovery

Attempts to discover a hosts services using the DNS Service Discovery protocol.

dns-zone-transfer

Requests a zone transfer (AXFR) from a DNS server.

finger

Attempts to retrieve a list of usernames using the finger service.

ftp-anon

Checks if an FTP server allows anonymous logins.

ftp-bounce

Checks to see if an FTP server allows port scanning using the FTP bounce method.

ftp-brute

Tries to get FTP login credentials by guessing usernames and passwords.

html-title

Shows the title of the default page of a web server.

http-auth

Retrieves the authentication scheme and realm of a web service that requires authentication.

http-date

Gets the date from HTTP-like services. Also prints how much the date differs from local time. Local time is the time the HTTP request was sent, so the difference includes at least the duration of one RTT.

http-enum

Enumerates directories used by popular web applications and servers.

http-favicon

Gets the favicon ("favorites icon") from a web page matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed.

http-headers

Performs a GET request for the root folder ("/") of a web server and displays the HTTP headers returned.

http-iis-webdav-vuln

Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020 <http://www.microsoft.com/technet/security/bulletin/ms09-020.mspx>.

http-malware-host

Looks for signature of known server compromises. Currently, the only signature it looks for is the one discussed here: <http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/>

http-open-proxy

Checks if an HTTP proxy is open.

http-passwd

Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd using various traversal methods such as requesting ../../../../etc/passwd.

http-trace

Sends an HTTP TRACE request and shows header fields that were modified in the response.

http-userdir-enum

Attempts to enumerate valid usernames on webservers running with the mod_userdir module or similar enabled.

iax2-version

Detects the UDP IAX2 service.

imap-capabilities

Retrieves IMAP email server capabilities.

irc-info

Gathers information from an IRC server.

ms-sql-info

Attempts to extract information from Microsoft SQL Server instances.

mysql-brute

Performs password guessing against MySQL

mysql-databases

Attempts to list all databases on the MySQL server

mysql-empty-password

Checks for MySQL servers with an empty root and/or anonymous password

mysql-info

Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.

mysql-users

Attempts to list all users on the MySQL server

mysql-variables

Attempts to show all variables on the MySQL server

nbstat

Attempts to retrieve the target's NetBIOS names and MAC address.

nfs-showmount

Shows NFS exports, like the showmount -e command.

ntp-info

Gets the time and configuration variables from an NTP server. We send two requests: a time request and a "read variables" (opcode 2) control message. Without verbosity, the script shows the time and the value of the version, processor, system, refid, and stratum variables. With verbosity, all variables are shown.

oracle-sid-brute

Guesses Oracle instance/sid names against the TNS-listener

p2p-conficker

Check if a host is infected with Conficker.C or higher, based on Conficker's peer to peer communication.

pjl-ready-message

Retrieves or sets the ready message on printers that support the Printer Job Language. This includes most PostScript printers that listen on port 9100. Without an argument, displays the current ready message. With the pjl_ready_message script argument, displays the old ready message and changes it to the message given.

pop3-brute

Tries to log into a POP3 account by guessing usernames and passwords.

pop3-capabilities

Retrieves POP3 email server capabilities.

pptp-version

Attempts to extract system information from the point-to-point tunneling protocol (PPTP) service.

realvnc-auth-bypass

Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).

robots.txt

Checks for disallowed entries in robots.txt.

rpcinfo

Connects to portmapper and fetches a list of all registered programs.

skypev2-version

Detects the Skype version 2 service.

smb-brute

Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. Every attempt will be made to get a valid list of users and to verify each username before actually using them. When a username is discovered, besides being printed, it is also saved in the Nmap registry so other Nmap scripts can use it. That means that if you're going to run smb-brute.nse, you should run other smb scripts you want. This checks passwords in a case-insensitive way, determining case after a password is found, for Windows versions before Vista.

smb-check-vulns

Check for vulnerabilities:

  • MS08-067, a Windows RPC vulnerability
  • Conficker, an infection by the Conficker worm
  • Unnamed regsvc DoS, a denial-of-service vulnerability I accidentically found in Windows 2000
  • SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)

smb-enum-domains

Attempts to enumerate domains on a system, along with their policies. This generally requires credentials, except against Windows 2000. In addition to the actual domain, the "Builtin" domain is generally displayed. Windows returns this in the list of domains, but its policies don't appear to be used anywhere.

smb-enum-groups

Obtains a list of groups from the remote Windows system, as well as a list of the group's users. This works similarly to enum.exe with the /G switch.

smb-enum-processes

Pulls a list of processes from the remote server over SMB. This will determine all running processes, their process IDs, and their parent processes. It is done by querying the remote registry service, which is disabled by default on Vista; on all other Windows versions, it requires Administrator privileges.

smb-enum-sessions

Enumerates the users logged into a system either locally or through an SMB share. The local users can be logged on either physically on the machine, or through a terminal services session. Connections to a SMB share are, for example, people connected to fileshares or making RPC calls. Nmap's connection will also show up, and is generally identified by the one that connected "0 seconds ago".

smb-enum-shares

Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names are checked.

smb-enum-users

Attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different techniques (both over MSRPC, which uses port 445 or 139; see smb.lua). The goal of this script is to discover all user accounts that exist on a remote system. This can be helpful for administration, by seeing who has an account on a server, or for penetration testing or network footprinting, by determining which accounts exist on a system.

smb-os-discovery

Attempts to determine the operating system, computer name, domain, and current time over the SMB protocol (ports 445 or 139 -- for more information, see smb.lua). This is done by starting a session with the anonymous account (or with a proper user account, if one is given -- likely doesn't make a difference); in response to a session starting, the server will send back all this information.

smb-psexec

This script implements remote process execution similar to the Sysinternals' psexec tool, allowing a user to run a series of programs on a remote machine and read the output. This is great for gathering information about servers, running the same tool on a range of system, or even installing a backdoor on a collection of computers.

smb-security-mode

Returns information about the SMB security level determined by SMB.

smb-server-stats

Attempts to grab the server's statistics over SMB and MSRPC, which uses TCP ports 445 or 139.

smb-system-info

Pulls back information about the remote system from the registry. Getting all of the information requires an administrative account, although a user account will still get a lot of it. Guest probably won't get any, nor will anonymous. This goes for all operating systems, including Windows 2000.

smbv2-enabled

Check whether or not a server is running the SMBv2 protocol.

smtp-commands

Attempts to use EHLO and HELP to gather the Extended commands supported by an SMTP server.

smtp-open-relay

Checks if an SMTP server is an open relay.

smtp-strangeport

Checks if SMTP is running on a non-standard port.

sniffer-detect

Checks if a target on a local Ethernet has its network card in promiscuous mode.

snmp-brute

Attempts to find an SNMP community string by brute force guessing.

snmp-sysdescr

Attempts to extract system information from an SNMP version 1 service.

socks-open-proxy

Checks if an open socks proxy is running on the target.

sql-injection

Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack.

ssh-hostkey

Shows SSH hostkeys.

sshv1

Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1.

ssl-cert

Retrieves a server's SSL certificate. The amount of information printed about the certificate depends on the verbosity level. With no extra verbosity, the script prints the validity period and the commonName, organizationName, stateOrProvinceName, and countryName of the subject.

sslv2

Determines whether the server supports obsolete and less secure SSL-v2, and discovers which ciphers it supports.

telnet-brute

Tries to get Telnet login credentials by guessing usernames and passwords.

upnp-info

Attempts to extract system information from the UPnP service.

whois

Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.

x11-access

Checks if you're allowed to connect to the X server

Libraries

afp

This module was written by Patrik Karlsson and facilitates communication with the Apple AFP Service. It is not feature complete and is missing several functions and parameters.

base64

Base64 encoding and decoding. Follows RFC 4648.

bin

Pack and unpack binary data.

bit

Bitwise operations on integers.

citrix

This module was written by Patrik Karlsson and facilitates communication with the Citrix XML Service. It is not feature complete and is missing several functions and parameters.

comm

Common communication functions for network discovery tasks like banner grabbing and data exchange.

datafiles

Read and parse some of Nmap's data files: nmap-protocols, nmap-rpc, and nmap-services.

dns

Simple DNS library supporting packet creation, encoding, decoding, and querying.

http

Client-side HTTP library.

imap

IMAP functions.

ipOps

Utility functions for manipulating and comparing IP addresses.

listop

Functional-style list operations.

match

Buffered network I/O helper functions.

msrpc

By making heavy use of the 'smb' library, this library will call various MSRPC functions. The functions used here can be accessed over TCP ports 445 and 139, with an established session. A NULL session (the default) will work for some functions and operating systems (or configurations), but not for others.

msrpcperformance

This module is designed to parse the PERF_DATA_BLOCK structure, which is stored in the registry under HKEY_PERFORMANCE_DATA. By querying this structure, you can get a whole lot of information about what's going on.

msrpctypes

This module was written to marshall parameters for Microsoft RPC (MSRPC) calls. The values passed in and out are based on structs defined by the protocol, and documented by Samba developers. For detailed breakdowns of the types, take a look at Samba 4.0's .idl files.

mysql

Simple MySQL Library supporting a very limited subset of operations

netbios

Creates and parses NetBIOS traffic. The primary use for this is to send NetBIOS name requests.

nmap

Interface with Nmap internals.

nsedebug

Converts an arbitrary data type into a string. Will recursively convert tables. This can be very useful for debugging.

openssl

OpenSSL bindings.

packet

Facilities for manipulating raw packets.

pcre

Perl Compatible Regular Expressions.

pop3

POP3 functions.

proxy

Functions for proxy testing

shortport

Functions for building short portrules.

smb

Implements functionality related to Server Message Block (SMB, also known as CIFS) traffic, which is a Windows protocol.

smbauth

This module takes care of the authentication used in SMB (LM, NTLM, LMv2, NTLMv2). There is a lot to this functionality, so if you're interested in how it works, read on.

snmp

SNMP functions.

ssh1

Functions for the SSH-1 protocol.

ssh2

Functions for the SSH-2 protocol.

stdnse

Standard Nmap Scripting Engine functions.

strbuf

String buffer facilities.

strict

Strict Declared Global library.

tab

Arrange output into tables.

unpwdb

Username/password database library.

url

URI parsing, composition, and relative URL resolution.

Nmap Site Navigation

Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]