Attempts to discover hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is vulnerable to the Avahi NULL UDP packet denial of service (CVE-2011-1002).

Attempts to discover DB2 servers on the network by sending a broadcast request to port 523/udp.

Sends a DHCP request to the broadcast address (255.255.255.255) and reports the results. The script uses a static MAC address (DE:AD:CO:DE:CA:FE) while doing so in order to prevent scope exhaustion.

Sends a DHCPv6 request (Solicit) to the DHCPv6 multicast address. It parses the response and extracts the address along with any options returned by the server.

Attempts to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses.

Listens for the LAN sync information broadcasts that the Dropbox.com client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more.

Sniffs the network for incoming broadcast communication and attempts to decode the received packets. It supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and a few more. See packetdecoders.lua for more information.

Discovers Microsoft SQL servers in the same broadcast domain.

Attempts to discover master browsers and the domains they manage.

Attempts to use the Service Location Protocol to discover Novell NetWare Core Protocol (NCP) servers.

Sends a special broadcast probe to discover PC-Anywhere hosts running on a LAN

Discovers PC-DUO remote control hosts and gateways running on the LAN

Sends broadcast pings on a selected interface using raw ethernet packets and outputs the responding hosts' IP and MAC addresses or (if requested) adds them as targets. Root privileges on UNIX are required to run this script since it uses raw sockets. Most operating systems don't respond to broadcast-ping probes, but they can be configured to do so.

Discovers PPPoE servers using the PPPoE Discovery protocol (PPPoED) The PPPoE is an ethernet based protocol so the script has to know what ethernet interface to use for discovery. If no interface is specified, requests are sent out on all available interfaces.

Discovers hosts and routing information from devices running RIPv2 on the LAN. It does so by sending a RIPv2 Request command and collects the responses from all devices responding to the request.

Discovers hosts and routing information from devices running RIPng on the LAN. It does so by sending a RIPng Request command and collects the responses from all devices responding to the request.

Discovers Sybase Anywhere servers on the LAN by sending broadcast discovery messages.

Attempts to extract system information from the UPnP service by sending a multicast query, then collecting, parsing, and displaying all responses.

Wakes a remote system up from sleep by sending a Wake-On-Lan packet.

Retrieves a list of proxy servers on the LAN using the Web Proxy Autodiscovery Protocol (WPAD). It implements both the DHCP and DNS methods of doing so and starts by querying DHCP to get the address. DHCP discovery requires nmap to be running in privileged mode and will be skipped when this is not the case. DNS discovery relies on the script being able to resolve the local domain either through a script argument or by attempting to reverse resolve the local IP.

Uses a multicast query to discover devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later).

Discovers servers running the X Display Manager Control Protocol (XDMCP) by sending a XDMCP broadcast request to the LAN. Display managers allowing access are marked using the keyword Willing in the result.

Uses the Microsoft LLTD protocol to discover hosts on a local network.

Sends an ICMPv6 echo request packet to the all-nodes link-local multicast address (ff02::1) to discover responsive hosts on a LAN without needing to individually ping each IPv6 address.

Sends an ICMPv6 packet with an invalid extension header to the all-nodes link-local multicast address (ff02::1) to discover (some) available hosts on the LAN. This works because some hosts will respond to this probe with an ICMPv6 Parameter Problem packet.

Performs IPv6 host discovery by triggering stateless address auto-configuration (SLAAC).

Sniffs the local network for a configurable amount of time (10 seconds by default) and prints discovered addresses. If the newtargets script argument is set, discovered addresses are added to the scan queue.