Shows extra information about IPv6 addresses, such as embedded MAC or IPv4 addresses when available.

Shows AFP server information. This information includes the server's hostname, IPv4 and IPv6 addresses, and hardware type (for example Macmini or MacBookPro).

Retrieves the authentication scheme and realm of an AJP service (Apache JServ Protocol) that requires authentication.

Discovers which options are supported by the AJP (Apache JServ Protocol) server by sending an OPTIONS request and lists potentially risky methods.

Gathers information (a list of all server properties) from an AMQP (advanced message queuing protocol) server.

Attempts to find the owner of an open TCP port by querying an auth daemon which must also be open on the target system. The auth service, also known as identd, normally runs on port 113.

Connects to a BackOrifice service and gathers information about the host and the BackOrifice service itself.

Obtains information from a Bitcoin server by calling getinfo on its JSON-RPC interface.

Attempts to get basic info and server status from a Cassandra database.

Lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan.

Attempts to discover DB2 servers on the network by querying open ibm-db2 UDP ports (normally port 523).

Retrieves information from a DNS nameserver by requesting its nameserver ID (nsid) and asking for its id.server and version.bind values. This script performs the same queries as the following two dig commands: - dig CH TXT bind.version @target - dig +nsid CH TXT id.server @target

Checks if a DNS server allows queries for third-party names. It is expected that recursion will be enabled on your own internal nameservers.

Attempts to discover target hosts' services using the DNS Service Discovery protocol.

Connects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers.

Attempts to retrieve a list of usernames using the finger service.

Retrieves information from Flume master HTTP pages.

Checks if an FTP server allows anonymous logins.

Checks to see if an FTP server allows port scanning using the FTP bounce method.

Retrieves system information (OS version, available memory, etc.) from a listening Ganglia Monitoring Daemon or Ganglia Meta Daemon.

Queries a CORBA naming server for a list of objects.

Lists files and directories at the root of a gopher service.

Discovers information such as log directories from an Apache Hadoop DataNode HTTP status page.

Retrieves information from an Apache Hadoop JobTracker HTTP status page.

Retrieves information from an Apache Hadoop NameNode HTTP status page.

Retrieves information from an Apache Hadoop secondary NameNode HTTP status page.

Retrieves information from an Apache Hadoop TaskTracker HTTP status page.

Retrieves information from an Apache HBase (Hadoop database) master HTTP status page.

Retrieves information from an Apache HBase (Hadoop database) region server HTTP status page.

Reads hard disk information (such as brand, model, and sometimes temperature) from a listening hddtemp service.

Retrieves the authentication scheme and realm of a web service that requires authentication.

Tests an http server for Cross-Origin Resource Sharing (CORS), a way for domains to explicitly opt in to having certain methods invoked by another domain.

Gets the favicon ("favorites icon") from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed.

Displays the contents of the "generator" meta tag of a web page (default: /) if there is one.

Checks for a Git repository found in a website's document root /.git/<something>) and retrieves as much repo information as possible, including language/framework, remotes, last commit message, and repository description.

Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. Optionally tests each method individually to see if they are subject to e.g. IP address restrictions.

Checks if an HTTP proxy is open.

Checks for disallowed entries in /robots.txt on a web server.

Shows the title of the default page of a web server.

Get information from an IKE service. Tests the service with both Main and Aggressive Mode. Sends multiple transforms in a single request, so currently, only four packets are sent to the host.

Retrieves IMAP email server capabilities.

Obtains hostnames, IPv4 and IPv6 addresses through IPv6 Node Information Queries.

Gathers information from an IRC server.

Collects and displays information from remote iSCSI targets.

Attempts to exploit java's remote debugging port. When remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script injects and execute a Java class file that returns remote system information.

Retrieves version and database information from a SAP Max DB database.

Attempts to get a list of tables from a MongoDB database.

Attempts to get build info and server status from a MongoDB database.

Attempts to determine configuration and version information for Microsoft SQL Server instances.

Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.

Get's the routers WAN IP using the NAT Port Mapping Protocol (NAT-PMP). The NAT-PMP protocol is supported by a broad range of routers including: - Apple AirPort Express - Apple AirPort Extreme - Apple Time Capsule - DD-WRT - OpenWrt v8.09 or higher, with MiniUPnP daemon - pfSense v2.0 - Tarifa (firmware) (Linksys WRT54G/GL/GS) - Tomato Firmware v1.24 or higher. (Linksys WRT54G/GL/GS and many more) - Peplink Balance

Attempts to retrieve the target's NetBIOS names and MAC address.

Retrieves eDirectory server information (OS version, server name, mounts, etc.) from the Novell NetWare Core Protocol (NCP) service.

Opens a connection to a NetBus server and extracts information about the host and the NetBus service itself.

Gets the time and configuration variables from an NTP server. We send two requests: a time request and a "read variables" (opcode 2) control message. Without verbosity, the script shows the time and the value of the version, processor, system, refid, and stratum variables. With verbosity, all variables are shown.

Parses and displays the banner information of an OpenLookup (network key-value store) server.

Checks if a host is infected with Conficker.C or higher, based on Conficker's peer to peer communication.

Retrieves POP3 email server capabilities.

Extracts information from a Quake3 game server and other games which use the same protocol.

Queries Quake3-style master servers for game servers (many games other than Quake 3 use this same protocol).

Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).

Connects to a remote RMI registry and attempts to dump all of its objects.

Connects to portmapper and fetches a list of all registered programs. It then prints out a table including (for each program) the RPC program number, supported version numbers, port number and protocol, and program name.

Determines which methods are supported by the RTSP (real time streaming protocol) server.

Attempts to extract system information (OS, hardware, etc.) from the Sun Service Tags service agent (UDP port 6481).

Enumerates a SIP Server's allowed methods (INVITE, OPTIONS, SUBSCRIBE, etc.)

Attempts to determine the operating system, computer name, domain, workgroup, and current time over the SMB protocol (ports 445 or 139). This is done by starting a session with the anonymous account (or with a proper user account, if one is given; it likely doesn't make a difference); in response to a session starting, the server will send back all this information.

Returns information about the SMB security level determined by SMB.

Checks whether or not a server is running the SMBv2 protocol.

Attempts to use EHLO and HELP to gather the Extended commands supported by an SMTP server.

Attempts to enumerate Huawei / HP/H3C Locally Defined Users through the hh3c-user.mib OID

Attempts to enumerate network interfaces through SNMP.

Attempts to query SNMP for a netstat like output. The script can be used to identify and automatically add new targets to the scan by supplying the newtargets script argument.

Attempts to enumerate running processes through SNMP.

Attempts to extract system information from an SNMP version 1 service.

Attempts to enumerate Windows services through SNMP.

Attempts to enumerate Windows Shares through SNMP.

Attempts to enumerate installed software through SNMP.

Attempts to enumerate Windows user accounts through SNMP

Determines the supported authentication mechanisms of a remote SOCKS proxy server. Starting with SOCKS version 5 socks servers may support authentication. The script checks for the following authentication types: 0 - No authentication 1 - GSSAPI 2 - Username and password

Checks if an open socks proxy is running on the target.

Shows SSH hostkeys.

Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1.

Retrieves a server's SSL certificate. The amount of information printed about the certificate depends on the verbosity level. With no extra verbosity, the script prints the validity period and the commonName, organizationName, stateOrProvinceName, and countryName of the subject.

Retrieves a target host's time and date from its TLS ServerHello response.

Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys.

Determines whether the server supports obsolete and less secure SSLv2, and discovers which ciphers it supports.

Enumerates a TLS server's supported protocols by using the next protocol negotiation extension.

Attempts to extract system information from the UPnP service.

Detects the Ventrilo voice communication server service versions 2.1.2 and above. Some of the older versions (pre 3.0.0) may not have the UDP service this probe relies on enabled by default.

Queries a VNC server for its protocol version and supported security types.

Detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents.

Retrieves and displays information from devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later).

Checks if you're allowed to connect to the X server.

Connects to XMPP server (port 5222) and collects server information such as: supported auth mechanisms, compression methods, whether TLS is supported and mandatory, stream management, language, support of In-Band registration, server capabilities. If possible, studies server vendor.