
Scripts

auth-owners

Attempts to find the owner of an open TCP port by querying an auth (identd - port 113) daemon which must also be open on the target system.

dhcp-discover

Sends a DHCPDISCOVER request to a host on UDP port 67. The response comes back to UDP port 68 and is read using PCAP (because a script currently cannot choose its source port).

dns-recursion

Checks if a DNS server allows queries for third-party names.

dns-service-discovery

Attempts to discover a host's services using the DNS Service Discovery protocol.

dns-zone-transfer

Requests a zone transfer (AXFR) from a DNS server.

finger

Attempts to retrieve a list of usernames using the finger service.

ftp-anon

Checks if an FTP server allows anonymous logins.

ftp-bounce

Checks to see if an FTP server allows port scanning using the FTP bounce method.

html-title

Shows the title of the default page of a web server.

http-auth

Retrieves the authentication scheme and realm of a web service that requires authentication.

http-favicon

Gets the favicon ("favorites icon") from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed.

http-methods

Connects to an HTTP server and sends an OPTIONS request to see which HTTP methods are allowed on this server. Optionally tests each method individually to see if it is subject to, e.g., IP address restrictions.

http-open-proxy

Checks if an HTTP proxy is open.

http-vmware-path-vuln

Checks for a path-traversal vulnerability in VMware ESX, ESXi, and Server (CVE-2009-3733), originally released by Justin Morehouse (justin.morehouse[at)gmail.com) and Tony Flick (tony.flick(at]fyrmassociates.com), and presented at Shmoocon 2010 (http://fyrmassociates.com/tools.html).

imap-capabilities

Retrieves IMAP email server capabilities.

irc-info

Gathers information from an IRC server.

mongodb-databases

Attempts to get tables from a MongoDB database.

mongodb-info

Attempts to get build info and server status from a MongoDB database.

ms-sql-info

Attempts to extract information from Microsoft SQL Server instances.

mysql-info

Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.

nbstat

Attempts to retrieve the target's NetBIOS names and MAC address.

ntp-info

Gets the time and configuration variables from an NTP server. We send two requests: a time request and a "read variables" (opcode 2) control message. Without verbosity, the script shows the time and the value of the version, processor, system, refid, and stratum variables. With verbosity, all variables are shown.

p2p-conficker

Checks if a host is infected with Conficker.C or higher, based on Conficker's peer-to-peer communication.

pop3-capabilities

Retrieves POP3 email server capabilities.

realvnc-auth-bypass

Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).

robots.txt

Checks for disallowed entries in robots.txt.

rpcinfo

Connects to portmapper and fetches a list of all registered programs.

smb-os-discovery

Attempts to determine the operating system, computer name, domain, and current time over the SMB protocol (ports 445 or 139 -- for more information, see smb.lua). This is done by starting a session with the anonymous account (or with a proper user account, if one is given -- likely doesn't make a difference); in response to a session starting, the server will send back all this information.

smbv2-enabled

Checks whether or not a server is running the SMBv2 protocol.

smtp-commands

Attempts to use EHLO and HELP to gather the extended commands supported by an SMTP server.

snmp-netstat

Attempts to query SNMP for netstat-like output.

snmp-processes

Attempts to enumerate running processes through SNMP.

snmp-sysdescr

Attempts to extract system information from an SNMP version 1 service.

snmp-win32-services

Attempts to enumerate Windows services through SNMP.

snmp-win32-shares

Attempts to enumerate Windows shares through SNMP.

snmp-win32-software

Attempts to enumerate installed software through SNMP.

snmp-win32-users

Attempts to enumerate user accounts through SNMP.

socks-open-proxy

Checks if an open SOCKS proxy is running on the target.

ssh-hostkey

Shows SSH host keys.

sshv1

Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1.

sslv2

Determines whether the server supports the obsolete and less secure SSLv2, and discovers which ciphers it supports.

upnp-info

Attempts to extract system information from the UPnP service.

x11-access

Checks if you're allowed to connect to the X server.
