Scripts
| auth-owners |
Attempts to find the owner of an open TCP port by querying an auth daemon which must also be open on the target system. The auth service, also known as identd, normally runs on port 113. |
| dhcp-discover |
Sends a DHCPDISCOVER request to a host on UDP port 67. The response comes back to UDP port 68 and is read using pcap, because a script cannot currently choose its source port. |
| dns-recursion |
Checks if a DNS server allows queries for third-party names. It is expected that recursion will be enabled on your own internal nameservers. |
| dns-service-discovery |
Attempts to discover a host's services using the DNS Service Discovery protocol. |
| dns-zone-transfer |
Requests a zone transfer (AXFR) from a DNS server. |
| finger |
Attempts to retrieve a list of usernames using the finger service. |
| ftp-anon |
Checks if an FTP server allows anonymous logins. |
| ftp-bounce |
Checks to see if an FTP server allows port scanning using the FTP bounce method. |
| html-title |
Shows the title of the default page of a web server. |
| http-auth |
Retrieves the authentication scheme and realm of a web service that requires authentication. |
| http-favicon |
Gets the favicon ("favorites icon") from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed. |
| http-methods |
Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. Optionally tests each method individually to see whether it is subject to, e.g., IP address restrictions. |
| http-open-proxy |
Checks if an HTTP proxy is open. |
| http-vmware-path-vuln |
Checks for a path-traversal vulnerability in VMware ESX, ESXi, and Server (CVE-2009-3733). |
| imap-capabilities |
Retrieves IMAP email server capabilities. |
| irc-info |
Gathers information from an IRC server. |
| mongodb-databases |
Attempts to get a list of tables from a MongoDB database. |
| mongodb-info |
Attempts to get build info and server status from a MongoDB database. |
| ms-sql-info |
Attempts to extract information from Microsoft SQL Server instances. |
| mysql-info |
Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt. |
| nbstat |
Attempts to retrieve the target's NetBIOS names and MAC address. |
| ntp-info |
Gets the time and configuration variables from an NTP server. We send two
requests: a time request and a "read variables" (opcode 2) control message.
Without verbosity, the script shows the time and the value of the
|
| p2p-conficker |
Checks if a host is infected with Conficker.C or higher, based on Conficker's peer-to-peer communication. |
| pop3-capabilities |
Retrieves POP3 email server capabilities. |
| realvnc-auth-bypass |
Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369). |
| robots.txt |
Checks for disallowed entries in |
| smb-os-discovery |
Attempts to determine the operating system, computer name, domain, and current time over the SMB protocol (ports 445 or 139). This is done by starting a session with the anonymous account (or with a proper user account, if one is given; it likely doesn't make a difference); in response to a session starting, the server will send back all this information. |
| smbv2-enabled |
Checks whether or not a server is running the SMBv2 protocol. |
| smtp-commands |
Attempts to use EHLO and HELP to gather the extended commands supported by an SMTP server. |
| snmp-interfaces |
Attempts to enumerate network interfaces through SNMP. |
| snmp-netstat |
Attempts to query SNMP for netstat-like output. |
| snmp-processes |
Attempts to enumerate running processes through SNMP. |
| snmp-sysdescr |
Attempts to extract system information from an SNMP version 1 service. |
| snmp-win32-services |
Attempts to enumerate Windows services through SNMP. |
| snmp-win32-shares |
Attempts to enumerate Windows shares through SNMP. |
| snmp-win32-software |
Attempts to enumerate installed software through SNMP. |
| snmp-win32-users |
Attempts to enumerate Windows user accounts through SNMP. |
| socks-open-proxy |
Checks if an open SOCKS proxy is running on the target. |
| ssh-hostkey |
Shows SSH host keys. |
| sshv1 |
Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1. |
| sslv2 |
Determines whether the server supports obsolete and less secure SSLv2, and discovers which ciphers it supports. |
| upnp-info |
Attempts to extract system information from the UPnP service. |
| wdb-version |
Gathers information from a Wind DeBug Agent on VxWorks. |
| x11-access |
Checks if you're allowed to connect to the X server. |




