NSEDoc

• Index
• NSE Documentation

Categories

• auth
• broadcast
• brute
• default
• discovery
• dos
• exploit
• external
• fuzzer
• intrusive
• malware
• safe
• version
• vuln

Scripts (show 437)(437)Scripts (437)

• acarsd-info
• address-info
• afp-brute
• afp-ls
• afp-path-vuln
• afp-serverinfo
• afp-showmount
• ajp-auth
• ajp-brute
• ajp-headers
• ajp-methods
• ajp-request
• amqp-info
• asn-query
• auth-owners
• auth-spoof
• backorifice-brute
• backorifice-info
• banner
• bitcoin-getaddr
• bitcoin-info
• bitcoinrpc-info
• bittorrent-discovery
• bjnp-discover
• broadcast-ataoe-discover
• broadcast-avahi-dos
• broadcast-bjnp-discover
• broadcast-db2-discover
• broadcast-dhcp-discover
• broadcast-dhcp6-discover
• broadcast-dns-service-discovery
• broadcast-dropbox-listener
• broadcast-eigrp-discovery
• broadcast-igmp-discovery
• broadcast-listener
• broadcast-ms-sql-discover
• broadcast-netbios-master-browser
• broadcast-networker-discover
• broadcast-novell-locate
• broadcast-pc-anywhere
• broadcast-pc-duo
• broadcast-pim-discovery
• broadcast-ping
• broadcast-pppoe-discover
• broadcast-rip-discover
• broadcast-ripng-discover
• broadcast-sybase-asa-discover
• broadcast-tellstick-discover
• broadcast-upnp-info
• broadcast-versant-locate
• broadcast-wake-on-lan
• broadcast-wpad-discover
• broadcast-wsdd-discover
• broadcast-xdmcp-discover
• cassandra-brute
• cassandra-info
• cccam-version
• citrix-brute-xml
• citrix-enum-apps
• citrix-enum-apps-xml
• citrix-enum-servers
• citrix-enum-servers-xml
• couchdb-databases
• couchdb-stats
• creds-summary
• cups-info
• cups-queue-info
• cvs-brute
• cvs-brute-repository
• daap-get-library
• daytime
• db2-das-info
• db2-discover
• dhcp-discover
• dict-info
• distcc-cve2004-2687
• dns-blacklist
• dns-brute
• dns-cache-snoop
• dns-check-zone
• dns-client-subnet-scan
• dns-fuzz
• dns-ip6-arpa-scan
• dns-nsec-enum
• dns-nsec3-enum
• dns-nsid
• dns-random-srcport
• dns-random-txid
• dns-recursion
• dns-service-discovery
• dns-srv-enum
• dns-update
• dns-zeustracker
• dns-zone-transfer
• domcon-brute
• domcon-cmd
• domino-enum-users
• dpap-brute
• drda-brute
• drda-info
• duplicates
• eap-info
• epmd-info
• eppc-enum-processes
• finger
• firewalk
• firewall-bypass
• flume-master-info
• ftp-anon
• ftp-bounce
• ftp-brute
• ftp-libopie
• ftp-proftpd-backdoor
• ftp-vsftpd-backdoor
• ftp-vuln-cve2010-4221
• ganglia-info
• giop-info
• gkrellm-info
• gopher-ls
• gpsd-info
• hadoop-datanode-info
• hadoop-jobtracker-info
• hadoop-namenode-info
• hadoop-secondary-namenode-info
• hadoop-tasktracker-info
• hbase-master-info
• hbase-region-info
• hddtemp-info
• hostmap-bfk
• hostmap-robtex
• http-affiliate-id
• http-apache-negotiation
• http-auth
• http-auth-finder
• http-awstatstotals-exec
• http-axis2-dir-traversal
• http-backup-finder
• http-barracuda-dir-traversal
• http-brute
• http-cakephp-version
• http-chrono
• http-config-backup
• http-cors
• http-date
• http-default-accounts
• http-domino-enum-passwords
• http-drupal-enum-users
• http-drupal-modules
• http-email-harvest
• http-enum
• http-exif-spider
• http-favicon
• http-form-brute
• http-form-fuzzer
• http-frontpage-login
• http-generator
• http-git
• http-gitweb-projects-enum
• http-google-malware
• http-grep
• http-headers
• http-huawei-hg5xx-vuln
• http-icloud-findmyiphone
• http-icloud-sendmsg
• http-iis-webdav-vuln
• http-joomla-brute
• http-litespeed-sourcecode-download
• http-majordomo2-dir-traversal
• http-malware-host
• http-method-tamper
• http-methods
• http-open-proxy
• http-open-redirect
• http-passwd
• http-php-version
• http-phpself-xss
• http-proxy-brute
• http-put
• http-qnap-nas-info
• http-rfi-spider
• http-robots.txt
• http-robtex-reverse-ip
• http-robtex-shared-ns
• http-sitemap-generator
• http-slowloris
• http-slowloris-check
• http-sql-injection
• http-title
• http-tplink-dir-traversal
• http-trace
• http-traceroute
• http-unsafe-output-escaping
• http-userdir-enum
• http-vhosts
• http-virustotal
• http-vlcstreamer-ls
• http-vmware-path-vuln
• http-vuln-cve2009-3960
• http-vuln-cve2010-0738
• http-vuln-cve2010-2861
• http-vuln-cve2011-3192
• http-vuln-cve2011-3368
• http-vuln-cve2012-1823
• http-waf-detect
• http-waf-fingerprint
• http-wordpress-brute
• http-wordpress-enum
• http-wordpress-plugins
• iax2-brute
• iax2-version
• icap-info
• ike-version
• imap-brute
• imap-capabilities
• informix-brute
• informix-query
• informix-tables
• ip-forwarding
• ip-geolocation-geobytes
• ip-geolocation-geoplugin
• ip-geolocation-ipinfodb
• ip-geolocation-maxmind
• ipidseq
• ipv6-node-info
• ipv6-ra-flood
• irc-botnet-channels
• irc-brute
• irc-info
• irc-sasl-brute
• irc-unrealircd-backdoor
• iscsi-brute
• iscsi-info
• isns-info
• jdwp-exec
• jdwp-info
• jdwp-inject
• jdwp-version
• krb5-enum-users
• ldap-brute
• ldap-novell-getpass
• ldap-rootdse
• ldap-search
• lexmark-config
• llmnr-resolve
• lltd-discovery
• maxdb-info
• mcafee-epo-agent
• membase-brute
• membase-http-info
• memcached-info
• metasploit-info
• metasploit-msgrpc-brute
• metasploit-xmlrpc-brute
• mmouse-brute
• mmouse-exec
• modbus-discover
• mongodb-brute
• mongodb-databases
• mongodb-info
• mrinfo
• ms-sql-brute
• ms-sql-config
• ms-sql-dac
• ms-sql-dump-hashes
• ms-sql-empty-password
• ms-sql-hasdbaccess
• ms-sql-info
• ms-sql-query
• ms-sql-tables
• ms-sql-xp-cmdshell
• msrpc-enum
• mtrace
• murmur-version
• mysql-audit
• mysql-brute
• mysql-databases
• mysql-dump-hashes
• mysql-empty-password
• mysql-enum
• mysql-info
• mysql-query
• mysql-users
• mysql-variables
• mysql-vuln-cve2012-2122
• nat-pmp-info
• nat-pmp-mapport
• nbstat
• ncp-enum-users
• ncp-serverinfo
• ndmp-fs-info
• ndmp-version
• nessus-brute
• nessus-xmlrpc-brute
• netbus-auth-bypass
• netbus-brute
• netbus-info
• netbus-version
• nexpose-brute
• nfs-ls
• nfs-showmount
• nfs-statfs
• nping-brute
• nrpe-enum
• ntp-info
• ntp-monlist
• omp2-brute
• omp2-enum-targets
• openlookup-info
• openvas-otp-brute
• oracle-brute
• oracle-brute-stealth
• oracle-enum-users
• oracle-sid-brute
• ovs-agent-version
• p2p-conficker
• path-mtu
• pcanywhere-brute
• pgsql-brute
• pjl-ready-message
• pop3-brute
• pop3-capabilities
• pptp-version
• qscan
• quake3-info
• quake3-master-getservers
• rdp-enum-encryption
• rdp-vuln-ms12-020
• realvnc-auth-bypass
• redis-brute
• redis-info
• resolveall
• reverse-index
• rexec-brute
• riak-http-info
• rlogin-brute
• rmi-dumpregistry
• rmi-vuln-classloader
• rpc-grind
• rpcap-brute
• rpcap-info
• rpcinfo
• rsync-brute
• rsync-list-modules
• rtsp-methods
• rtsp-url-brute
• samba-vuln-cve-2012-1182
• servicetags
• sip-brute
• sip-call-spoof
• sip-enum-users
• sip-methods
• skypev2-version
• smb-brute
• smb-check-vulns
• smb-enum-domains
• smb-enum-groups
• smb-enum-processes
• smb-enum-sessions
• smb-enum-shares
• smb-enum-users
• smb-flood
• smb-ls
• smb-mbenum
• smb-os-discovery
• smb-print-text
• smb-psexec
• smb-security-mode
• smb-server-stats
• smb-system-info
• smb-vuln-ms10-054
• smb-vuln-ms10-061
• smbv2-enabled
• smtp-brute
• smtp-commands
• smtp-enum-users
• smtp-open-relay
• smtp-strangeport
• smtp-vuln-cve2010-4344
• smtp-vuln-cve2011-1720
• smtp-vuln-cve2011-1764
• sniffer-detect
• snmp-brute
• snmp-hh3c-logins
• snmp-interfaces
• snmp-ios-config
• snmp-netstat
• snmp-processes
• snmp-sysdescr
• snmp-win32-services
• snmp-win32-shares
• snmp-win32-software
• snmp-win32-users
• socks-auth-info
• socks-brute
• socks-open-proxy
• ssh-hostkey
• ssh2-enum-algos
• sshv1
• ssl-cert
• ssl-date
• ssl-enum-ciphers
• ssl-google-cert-catalog
• ssl-known-key
• sslv2
• stun-info
• stun-version
• stuxnet-detect
• svn-brute
• targets-asn
• targets-ipv6-multicast-echo
• targets-ipv6-multicast-invalid-dst
• targets-ipv6-multicast-mld
• targets-ipv6-multicast-slaac
• targets-sniffer
• targets-traceroute
• telnet-brute
• telnet-encryption
• tftp-enum
• tls-nextprotoneg
• traceroute-geolocation
• unusual-port
• upnp-info
• url-snarf
• ventrilo-info
• versant-info
• vmauthd-brute
• vnc-brute
• vnc-info
• voldemort-info
• vuze-dht-info
• wdb-version
• whois
• wsdd-discover
• x11-access
• xdmcp-discover
• xmpp-brute
• xmpp-info

Libraries (show 106)(106)Libraries (106)

• afp
• ajp
• amqp
• asn1
• base32
• base64
• bin
• bit
• bitcoin
• bittorrent
• bjnp
• brute
• cassandra
• citrixxml
• comm
• creds
• cvs
• datafiles
• dhcp
• dhcp6
• dns
• dnsbl
• dnssd
• drda
• eap
• eigrp
• ftp
• giop
• gps
• http
• httpspider
• iax2
• ike
• imap
• informix
• ipOps
• ipp
• iscsi
• isns
• jdwp
• json
• ldap
• lfs
• listop
• match
• membase
• mobileme
• mongodb
• msrpc
• msrpcperformance
• msrpctypes
• mssql
• mysql
• natpmp
• ncp
• ndmp
• netbios
• nmap
• nrpc
• nsedebug
• omp2
• openssl
• ospf
• packet
• pcre
• pgsql
• pop3
• pppoe
• proxy
• rdp
• redis
• rmi
• rpc
• rpcap
• rsync
• rtsp
• sasl
• shortport
• sip
• smb
• smbauth
• smtp
• snmp
• socks
• srvloc
• ssh1
• ssh2
• sslcert
• stdnse
• strbuf
• strict
• stun
• tab
• target
• tftp
• tns
• unpwdb
• upnp
• url
• versant
• vnc
• vulns
• vuzedht
• wsdd
• xdmcp
• xmpp

Scripts

ajp-auth	Retrieves the authentication scheme and realm of an AJP service (Apache JServ Protocol) that requires authentication.
creds-summary	Lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan.
domcon-cmd	Runs a console command on the Lotus Domino Console using the given authentication credentials (see also: domcon-brute)
domino-enum-users	Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability.
ftp-anon	Checks if an FTP server allows anonymous logins.
http-auth	Retrieves the authentication scheme and realm of a web service that requires authentication.
http-barracuda-dir-traversal	Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at http://seclists.org/fulldisclosure/2010/Oct/119.
http-config-backup	Checks for backups and swap files of common content management system and web server configuration files.
http-default-accounts	Tests for access with default credentials used by a variety of web applications and devices.
http-domino-enum-passwords	Attempts to enumerate the hashed Domino Internet Passwords that are (by default) accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document.
http-method-tamper	Attempts to bypass password protected resources (HTTP 401 status) by performing HTTP verb tampering. If an array of paths to check is not set, it will crawl the web server and perform the check against any password protected resource that it finds.
http-userdir-enum	Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled.
http-vuln-cve2010-0738	Tests whether a JBoss target is vulnerable to jmx console authentication bypass (CVE-2010-0738).
http-wordpress-enum	Enumerates usernames in Wordpress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.
informix-query	Runs a query against IBM Informix Dynamic Server using the given authentication credentials (see also: informix-brute).
informix-tables	Retrieves a list of tables and column definitions for each database on an Informix server.
krb5-enum-users	Discovers valid usernames by brute force querying likely usernames against a Kerberos service. When an invalid username is requested the server will responde using the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, allowing us to determine that the user name was invalid. Valid user names will illicit either the TGT in a AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, signaling that the user is required to perform pre authentication.
ms-sql-dump-hashes	Dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John-the-ripper. In order to do so the user needs to have the appropriate DB privileges.
ms-sql-empty-password	Attempts to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.
ms-sql-hasdbaccess	Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has access to.
mysql-dump-hashes	Dumps the password hashes from an MySQL server in a format suitable for cracking by tools such as John the Ripper. Appropriate DB privileges (root) are required.
mysql-empty-password	Checks for MySQL servers with an empty password for root or anonymous.
mysql-query	Runs a query against a MySQL database and returns the results as a table.
mysql-users	Attempts to list all users on a MySQL server.
ncp-enum-users	Retrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service.
netbus-auth-bypass	Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password.
oracle-enum-users	Attempts to enumerate valid Oracle user names against unpatched Oracle 11g servers (this bug was fixed in Oracle's October 2009 Critical Patch Update).
realvnc-auth-bypass	Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).
sip-enum-users	Enumerates a SIP server's valid extensions (users).
smb-enum-users	Attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different techniques (both over MSRPC, which uses port 445 or 139; see smb.lua). The goal of this script is to discover all user accounts that exist on a remote system. This can be helpful for administration, by seeing who has an account on a server, or for penetration testing or network footprinting, by determining which accounts exist on a system.
smtp-enum-users	Attempts to enumerate the users on a SMTP server by issuing the VRFY, EXPN or RCPT TO commands. The goal of this script is to discover all the user accounts in the remote system.
snmp-win32-users	Attempts to enumerate Windows user accounts through SNMP
x11-access	Checks if you're allowed to connect to the X server.