Scripts
| citrix-brute-xml |
Attempts to guess valid credentials for the Citrix PN Web Agent XML Service. The XML service authenticates against the local Windows server or the Active Directory. |
| creds-summary |
Lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan. |
| domcon-cmd |
Runs a console command on the Lotus Domino Console using the given authentication credentials (see also: domcon-brute) |
| domino-enum-users |
Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability. |
| ftp-anon |
Checks if an FTP server allows anonymous logins. |
| http-auth |
Retrieves the authentication scheme and realm of a web service that requires authentication. |
| http-barracuda-dir-traversal |
Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at http://seclists.org/fulldisclosure/2010/Oct/119. |
| http-default-accounts |
Tests for access with default credentials used by a variety of web applications and devices. |
| http-domino-enum-passwords |
Attempts to enumerate the hashed Domino Internet Passwords that are (by default) accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document. |
| http-method-tamper |
Tests whether a JBoss target is vulnerable to the JMX console authentication bypass (CVE-2010-0738). |
| http-userdir-enum |
Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled. |
| http-wordpress-enum |
Enumerates usernames in WordPress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others. |
| imap-brute |
Performs brute force password auditing against IMAP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication. |
| informix-query |
Runs a query against IBM Informix Dynamic Server using the given authentication credentials (see also: informix-brute). |
| informix-tables |
Retrieves a list of tables and column definitions for each database on an Informix server. |
| krb5-enum-users |
Discovers valid usernames by brute-force querying likely usernames against a Kerberos service. When an invalid username is requested, the server responds with the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, allowing us to determine that the username was invalid. Valid usernames elicit either the TGT in an AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, signaling that the user is required to perform pre-authentication. |
| ms-sql-dump-hashes |
Dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John the Ripper. To do so, the user needs to have the appropriate DB privileges. |
| ms-sql-empty-password |
Attempts to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account. |
| ms-sql-hasdbaccess |
Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has access to. |
| mysql-empty-password |
Checks for MySQL servers with an empty password for |
| mysql-users |
Attempts to list all users on a MySQL server. |
| ncp-enum-users |
Retrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service. |
| netbus-auth-bypass |
Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password. |
| oracle-enum-users |
Attempts to enumerate valid Oracle user names against unpatched Oracle 11g servers (this bug was fixed in Oracle's October 2009 Critical Patch Update). |
| realvnc-auth-bypass |
Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369). |
| sip-enum-users |
Attempts to enumerate valid user accounts using SIP (Session Initiation Protocol - http://en.wikipedia.org/wiki/Session_Initiation_Protocol). This protocol is most commonly associated with VoIP sessions. Currently only the SIP server Asterisk is supported. |
| smb-enum-users |
Attempts to enumerate the users on a remote Windows system, with as much
information as possible, through two different techniques (both over MSRPC,
which uses port 445 or 139; see |
| smtp-enum-users |
Attempts to enumerate the users on an SMTP server by issuing the VRFY, EXPN or RCPT TO commands. The goal of this script is to discover all the user accounts in the remote system. |
| snmp-win32-users |
Attempts to enumerate Windows user accounts through SNMP. |
| x11-access |
Checks if you're allowed to connect to the X server. |



