Home page logo
/
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News

Scripts

afp-serverinfo

Shows AFP server information. This information includes the server's hostname, IPv4 and IPv6 addresses, and hardware type (for example Macmini or MacBookPro).

afp-showmount

Shows AFP shares and ACLs.

asn-query

Maps IP addresses to autonomous system (AS) numbers.

banner

A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.

citrix-enum-apps

Extracts a list of published applications from the ICA Browser service.

citrix-enum-apps-xml

Extracts a list of applications, ACLs, and settings from the Citrix XML service.

citrix-enum-servers

Extracts a list of Citrix servers from the ICA Browser service.

citrix-enum-servers-xml

Extracts the name of the server farm and member servers from Citrix XML service.

couchdb-databases

Gets database tables from a CouchDB database.

couchdb-stats

Gets database statistics from a CouchDB database.

daap-get-library

Retrieves a list of music from a DAAP server. The list includes artist names and album and song titles.

daytime

Retrieves the day and time from the Daytime service.

db2-das-info

Connects to the IBM DB2 Administration Server (DAS) on TCP or UDP port 523 and exports the server profile. No authentication is required for this request.

dhcp-discover

Sends a DHCPDISCOVER request to a host on UDP port 67. The response comes back to UDP port 68, and is read using pcap (due to the inability for a script to choose its source port at the moment).

dns-cache-snoop

Performs DNS cache snooping against a DNS server.

dns-service-discovery

Attempts to discover a hosts services using the DNS Service Discovery protocol.

dns-zone-transfer

Requests a zone transfer (AXFR) from a DNS server.

drda-info

Attempts to extract information from database servers supporting the DRDA protocol. The script sends a DRDA EXCSAT (exchange server attributes) command packet and parses the response.

finger

Attempts to retrieve a list of usernames using the finger service.

html-title

Shows the title of the default page of a web server.

http-date

Gets the date from HTTP-like services. Also prints how much the date differs from local time. Local time is the time the HTTP request was sent, so the difference includes at least the duration of one RTT.

http-enum

Enumerates directories used by popular web applications and servers.

http-favicon

Gets the favicon ("favorites icon") from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed.

http-headers

Performs a GET request for the root folder ("/") of a web server and displays the HTTP headers returned.

http-open-proxy

Checks if an HTTP proxy is open.

http-php-version

Attempts to retrieve the PHP version from a web server. PHP has a number of magic queries that return images or text that can vary with the PHP version. This script uses the following queries:

  • /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: gets a GIF logo, which changes on April Fool's Day.
  • /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: gets an HTML credits page.

http-trace

Sends an HTTP TRACE request and shows header fields that were modified in the response.

http-userdir-enum

Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled.

ipidseq

Classifies a host's IP ID sequence (test for susceptibility to idle scan).

irc-info

Gathers information from an IRC server.

ldap-rootdse

Retrieves the LDAP root DSA-specific Entry (DSE)

ldap-search

Attempts to perform an LDAP search and returns all matches.

lexmark-config

Retrieves configuration information from a Lexmark S300-S400 printer.

mongodb-databases

Attempts to get a list of tables from a MongoDB database.

mongodb-info

Attempts to get build info and server status from a MongoDB database.

ms-sql-config

Queries Microsoft SQL Server (ms-sql) for a list of databases, linked servers, and configuration settings.

ms-sql-hasdbaccess

Queries Microsoft SQL Server (ms-sql) for a list of databases a user has access to.

ms-sql-info

Attempts to extract information from Microsoft SQL Server instances.

ms-sql-query

Runs a query against Microsoft SQL Server (ms-sql).

ms-sql-tables

Queries Microsoft SQL Server (ms-sql) for a list of tables per database.

mysql-databases

Attempts to list all databases on a MySQL server.

mysql-info

Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.

mysql-users

Attempts to list all users on a MySQL server.

mysql-variables

Attempts to show all variables on a MySQL server.

nbstat

Attempts to retrieve the target's NetBIOS names and MAC address.

nfs-ls

Attempts to get useful information about files from NFS exports. The output is intended to resemble the output of ls.

nfs-showmount

Shows NFS exports, like the showmount -e command.

nfs-statfs

Retrieves disk space statistics and information from a remote NFS share. The output is intended to resemble the output of df.

ntp-info

Gets the time and configuration variables from an NTP server. We send two requests: a time request and a "read variables" (opcode 2) control message. Without verbosity, the script shows the time and the value of the version, processor, system, refid, and stratum variables. With verbosity, all variables are shown.

ntp-monlist

Obtains and prints an NTP server's monitor data.

pop3-capabilities

Retrieves POP3 email server capabilities.

qscan

Repeatedly probe open and/or closed ports on a host to obtain a series of round-trip time values for each port. These values are used to group collections of ports which are statistically different from other groups. Ports being in different groups (or "families") may be due to network mechanisms such as port forwarding to machines behind a NAT.

robots.txt

Checks for disallowed entries in robots.txt.

rpcinfo

Connects to portmapper and fetches a list of all registered programs.

smb-enum-domains

Attempts to enumerate domains on a system, along with their policies. This generally requires credentials, except against Windows 2000. In addition to the actual domain, the "Builtin" domain is generally displayed. Windows returns this in the list of domains, but its policies don't appear to be used anywhere.

smb-enum-groups

Obtains a list of groups from the remote Windows system, as well as a list of the group's users. This works similarly to enum.exe with the /G switch.

smb-enum-processes

Pulls a list of processes from the remote server over SMB. This will determine all running processes, their process IDs, and their parent processes. It is done by querying the remote registry service, which is disabled by default on Vista; on all other Windows versions, it requires Administrator privileges.

smb-enum-sessions

Enumerates the users logged into a system either locally or through an SMB share. The local users can be logged on either physically on the machine, or through a terminal services session. Connections to a SMB share are, for example, people connected to fileshares or making RPC calls. Nmap's connection will also show up, and is generally identified by the one that connected "0 seconds ago".

smb-enum-shares

Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names are checked.

smb-enum-users

Attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different techniques (both over MSRPC, which uses port 445 or 139; see smb.lua). The goal of this script is to discover all user accounts that exist on a remote system. This can be helpful for administration, by seeing who has an account on a server, or for penetration testing or network footprinting, by determining which accounts exist on a system.

smb-os-discovery

Attempts to determine the operating system, computer name, domain, and current time over the SMB protocol (ports 445 or 139). This is done by starting a session with the anonymous account (or with a proper user account, if one is given; it likely doesn't make a difference); in response to a session starting, the server will send back all this information.

smb-security-mode

Returns information about the SMB security level determined by SMB.

smb-server-stats

Attempts to grab the server's statistics over SMB and MSRPC, which uses TCP ports 445 or 139.

smb-system-info

Pulls back information about the remote system from the registry. Getting all of the information requires an administrative account, although a user account will still get a lot of it. Guest probably won't get any, nor will anonymous. This goes for all operating systems, including Windows 2000.

smtp-commands

Attempts to use EHLO and HELP to gather the Extended commands supported by an SMTP server.

smtp-enum-users

Attempts to enumerate the users on a SMTP server by issuing the VRFY, EXPN or RCPT TO commands. The goal of this script is to discover all the user accounts in the remote system.

smtp-open-relay

Attempts to relay mail by issuing a predefined combination of SMTP commands. The goal of this script is to tell if a SMTP server is vulnerable to mail relaying.

sniffer-detect

Checks if a target on a local Ethernet has its network card in promiscuous mode.

snmp-interfaces

Attempts to enumerate network interfaces through SNMP.

snmp-netstat

Attempts to query SNMP for a netstat like output.

snmp-processes

Attempts to enumerate running processes through SNMP.

snmp-sysdescr

Attempts to extract system information from an SNMP version 1 service.

snmp-win32-services

Attempts to enumerate Windows services through SNMP.

snmp-win32-shares

Attempts to enumerate Windows Shares through SNMP.

snmp-win32-software

Attempts to enumerate installed software through SNMP.

snmp-win32-users

Attempts to enumerate Windows user accounts through SNMP

socks-open-proxy

Checks if an open socks proxy is running on the target.

ssh-hostkey

Shows SSH hostkeys.

ssl-cert

Retrieves a server's SSL certificate. The amount of information printed about the certificate depends on the verbosity level. With no extra verbosity, the script prints the validity period and the commonName, organizationName, stateOrProvinceName, and countryName of the subject.

ssl-enum-ciphers

This script repeatedly initiates SSL/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphers and compressors that a server accepts.

vnc-info

Queries a VNC server for the supported security types

wdb-version

Gathers information from a Wind DeBug Agent on VxWorks

whois

Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.

Nmap Site Navigation

Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]