Home page logo
/
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News

Sponsors


Scripts

acarsd-info

Retrieves information from a listening acarsd daemon. Acarsd decodes ACARS (Aircraft Communication Addressing and Reporting System) data in real time. The information retrieved by this script includes the daemon version, API version, administrator e-mail address and listening frequency.

afp-ls

Attempts to get useful information about files from AFP volumes. The output is intended to resemble the output of ls.

afp-serverinfo

Shows AFP server information. This information includes the server's hostname, IPv4 and IPv6 addresses, and hardware type (for example Macmini or MacBookPro).

afp-showmount

Shows AFP shares and ACLs.

ajp-headers

Performs a HEAD or GET request against either the root directory or any optional directory of an Apache JServ Protocol server and returns the server response headers.

ajp-request

Requests a URI over the Apache JServ Protocol and displays the result (or stores it in a file). Different AJP methods such as; GET, HEAD, TRACE, PUT or DELETE may be used.

allseeingeye-info

Detects the All-Seeing Eye service. Provided by some game servers for querying the server's status.

amqp-info

Gathers information (a list of all server properties) from an AMQP (advanced message queuing protocol) server.

asn-query

Maps IP addresses to autonomous system (AS) numbers.

backorifice-info

Connects to a BackOrifice service and gathers information about the host and the BackOrifice service itself.

bacnet-info

Discovers and enumerates BACNet Devices collects device information based off standard requests. In some cases, devices may not strictly follow the specifications, or may comply with older versions of the specifications, and will result in a BACNET error response. Presence of this error positively identifies the device as a BACNet device, but no enumeration is possible.

banner

A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.

bitcoin-getaddr

Queries a Bitcoin server for a list of known Bitcoin nodes

bitcoin-info

Extracts version and node information from a Bitcoin server

bitcoinrpc-info

Obtains information from a Bitcoin server by calling getinfo on its JSON-RPC interface.

bittorrent-discovery

Discovers bittorrent peers sharing a file based on a user-supplied torrent file or magnet link. Peers implement the Bittorrent protocol and share the torrent, whereas the nodes (only shown if the include-nodes NSE argument is given) implement the DHT protocol and are used to track the peers. The sets of peers and nodes are not the same, but they usually intersect.

bjnp-discover

Retrieves printer or scanner information from a remote device supporting the BJNP protocol. The protocol is known to be supported by network based Canon devices.

broadcast-eigrp-discovery

Performs network discovery and routing information gathering through Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP).

broadcast-igmp-discovery

Discovers targets that have IGMP Multicast memberships and grabs interesting information.

broadcast-pim-discovery

Discovers routers that are running PIM (Protocol Independent Multicast).

broadcast-ping

Sends broadcast pings on a selected interface using raw ethernet packets and outputs the responding hosts' IP and MAC addresses or (if requested) adds them as targets. Root privileges on UNIX are required to run this script since it uses raw sockets. Most operating systems don't respond to broadcast-ping probes, but they can be configured to do so.

cassandra-info

Attempts to get basic info and server status from a Cassandra database.

citrix-enum-apps

Extracts a list of published applications from the ICA Browser service.

citrix-enum-apps-xml

Extracts a list of applications, ACLs, and settings from the Citrix XML service.

citrix-enum-servers

Extracts a list of Citrix servers from the ICA Browser service.

citrix-enum-servers-xml

Extracts the name of the server farm and member servers from Citrix XML service.

couchdb-databases

Gets database tables from a CouchDB database.

couchdb-stats

Gets database statistics from a CouchDB database.

cups-info

Lists printers managed by the CUPS printing service.

cups-queue-info

Lists currently queued print jobs of the remote CUPS service grouped by printer.

daap-get-library

Retrieves a list of music from a DAAP server. The list includes artist names and album and song titles.

daytime

Retrieves the day and time from the Daytime service.

db2-das-info

Connects to the IBM DB2 Administration Server (DAS) on TCP or UDP port 523 and exports the server profile. No authentication is required for this request.

dhcp-discover

Sends a DHCPINFORM request to a host on UDP port 67 to obtain all the local configuration parameters without allocating a new address.

dict-info

Connects to a dictionary server using the DICT protocol, runs the SHOW SERVER command, and displays the result. The DICT protocol is defined in RFC 2229 and is a protocol which allows a client to query a dictionary server for definitions from a set of natural language dictionary databases.

dns-brute

Attempts to enumerate DNS hostnames by brute force guessing of common subdomains. With the dns-brute.srv argument, dns-brute will also try to enumerate common DNS SRV records.

dns-cache-snoop

Performs DNS cache snooping against a DNS server.

dns-check-zone

Checks DNS zone configuration against best practices, including RFC 1912. The configuration checks are divided into categories which each have a number of different tests.

dns-client-subnet-scan

Performs a domain lookup using the edns-client-subnet option which allows clients to specify the subnet that queries supposedly originate from. The script uses this option to supply a number of geographically distributed locations in an attempt to enumerate as many different address records as possible. The script also supports requests using a given subnet.

dns-ip6-arpa-scan

Performs a quick reverse DNS lookup of an IPv6 network using a technique which analyzes DNS server response codes to dramatically reduce the number of queries needed to enumerate large networks.

dns-nsec-enum

Enumerates DNS names using the DNSSEC NSEC-walking technique.

dns-nsec3-enum

Tries to enumerate domain names from the DNS server that supports DNSSEC NSEC3 records.

dns-nsid

Retrieves information from a DNS nameserver by requesting its nameserver ID (nsid) and asking for its id.server and version.bind values. This script performs the same queries as the following two dig commands: - dig CH TXT bind.version @target - dig +nsid CH TXT id.server @target

dns-service-discovery

Attempts to discover target hosts' services using the DNS Service Discovery protocol.

dns-srv-enum

Enumerates various common service (SRV) records for a given domain name. The service records contain the hostname, port and priority of servers for a given service. The following services are enumerated by the script: - Active Directory Global Catalog - Exchange Autodiscovery - Kerberos KDC Service - Kerberos Passwd Change Service - LDAP Servers - SIP Servers - XMPP S2S - XMPP C2S

dns-zeustracker

Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch. Please review the following information before you start to scan:

dns-zone-transfer

Requests a zone transfer (AXFR) from a DNS server.

drda-info

Attempts to extract information from database servers supporting the DRDA protocol. The script sends a DRDA EXCSAT (exchange server attributes) command packet and parses the response.

enip-info

This NSE script is used to send a EtherNet/IP packet to a remote device that has TCP 44818 open. The script will send a Request Identity Packet and once a response is received, it validates that it was a proper response to the command that was sent, and then will parse out the data. Information that is parsed includes Vendor ID, Device Type, Product name, Serial Number, Product code, Revision Number, as well as the Device IP.

epmd-info

Connects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers.

eppc-enum-processes

Attempts to enumerate process info over the Apple Remote Event protocol. When accessing an application over the Apple Remote Event protocol the service responds with the uid and pid of the application, if it is running, prior to requesting authentication.

fcrdns

Performs a Forward-confirmed Reverse DNS lookup and reports anomalous results.

finger

Attempts to retrieve a list of usernames using the finger service.

firewalk

Tries to discover firewall rules using an IP TTL expiration technique known as firewalking.

flume-master-info

Retrieves information from Flume master HTTP pages.

freelancer-info

Detects the Freelancer game server (FLServer.exe) service by sending a status query UDP probe.

ganglia-info

Retrieves system information (OS version, available memory, etc.) from a listening Ganglia Monitoring Daemon or Ganglia Meta Daemon.

giop-info

Queries a CORBA naming server for a list of objects.

gkrellm-info

Queries a GKRellM service for monitoring information. A single round of collection is made, showing a snapshot of information at the time of the request.

gopher-ls

Lists files and directories at the root of a gopher service.

gpsd-info

Retrieves GPS time, coordinates and speed from the GPSD network daemon.

hadoop-datanode-info

Discovers information such as log directories from an Apache Hadoop DataNode HTTP status page.

hadoop-jobtracker-info

Retrieves information from an Apache Hadoop JobTracker HTTP status page.

hadoop-namenode-info

Retrieves information from an Apache Hadoop NameNode HTTP status page.

hadoop-secondary-namenode-info

Retrieves information from an Apache Hadoop secondary NameNode HTTP status page.

hadoop-tasktracker-info

Retrieves information from an Apache Hadoop TaskTracker HTTP status page.

hbase-master-info

Retrieves information from an Apache HBase (Hadoop database) master HTTP status page.

hbase-region-info

Retrieves information from an Apache HBase (Hadoop database) region server HTTP status page.

hddtemp-info

Reads hard disk information (such as brand, model, and sometimes temperature) from a listening hddtemp service.

hostmap-bfk

Discovers hostnames that resolve to the target's IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html.

hostmap-ip2hosts

Finds hostnames that resolve to the target's IP address by querying the online database:

hostmap-robtex

Discovers hostnames that resolve to the target's IP address by querying the online Robtex service at http://ip.robtex.com/.

http-affiliate-id

Grabs affiliate network IDs (e.g. Google AdSense or Analytics, Amazon Associates, etc.) from a web page. These can be used to identify pages with the same owner.

http-apache-negotiation

Checks if the target http server has mod_negotiation enabled. This feature can be leveraged to find hidden resources and spider a web site using fewer requests.

http-auth-finder

Spiders a web site to find web pages requiring form-based or HTTP-based authentication. The results are returned in a table with each url and the detected method.

http-backup-finder

Spiders a website and attempts to identify backup copies of discovered files. It does so by requesting a number of different combinations of the filename (eg. index.bak, index.html~, copy of index.html).

http-cakephp-version

Obtains the CakePHP version of a web application built with the CakePHP framework by fingerprinting default files shipped with the CakePHP framework.

http-chrono

Measures the time a website takes to deliver a web page and returns the maximum, minimum and average time it took to fetch a page.

http-cisco-anyconnect

Connect as Cisco AnyConnect client to a Cisco SSL VPN and retrieves version and tunnel information.

http-comments-displayer

Extracts and outputs HTML and JavaScript comments from HTTP responses.

http-cors

Tests an http server for Cross-Origin Resource Sharing (CORS), a way for domains to explicitly opt in to having certain methods invoked by another domain.

http-date

Gets the date from HTTP-like services. Also prints how much the date differs from local time. Local time is the time the HTTP request was sent, so the difference includes at least the duration of one RTT.

http-default-accounts

Tests for access with default credentials used by a variety of web applications and devices.

http-devframework

http-drupal-enum-users

Enumerates Drupal users by exploiting a an information disclosure vulnerability in Views, Drupal's most popular module.

http-drupal-modules

Enumerates the installed Drupal modules by using a list of known modules.

http-email-harvest

Spiders a web site and collects e-mail addresses.

http-enum

Enumerates directories used by popular web applications and servers.

http-errors

This script crawls through the website and returns any error pages.

http-favicon

Gets the favicon ("favorites icon") from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed.

http-feed

This script crawls through the website to find any rss or atom feeds.

http-generator

Displays the contents of the "generator" meta tag of a web page (default: /) if there is one.

http-gitweb-projects-enum

Retrieves a list of Git projects, owners and descriptions from a gitweb (web interface to the Git revision control system).

http-google-malware

Checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.

http-grep

Spiders a website and attempts to match all pages and urls against a given string. Matches are counted and grouped per url under which they were discovered.

http-headers

Performs a HEAD request for the root folder ("/") of a web server and displays the HTTP headers returned.

http-icloud-findmyiphone

Retrieves the locations of all "Find my iPhone" enabled iOS devices by querying the MobileMe web service (authentication required).

http-icloud-sendmsg

Sends a message to a iOS device through the Apple MobileMe web service. The device has to be registered with an Apple ID using the Find My Iphone application.

http-mobileversion-checker

Checks if the website holds a mobile version.

http-ntlm-info

This script enumerates information from remote HTTP services with NTLM authentication enabled.

http-open-proxy

Checks if an HTTP proxy is open.

http-open-redirect

Spiders a website and attempts to identify open redirects. Open redirects are handlers which commonly take a URL as a parameter and responds with a http redirect (3XX) to the target. Risks of open redirects are described at http://cwe.mitre.org/data/definitions/601.html.

http-php-version

Attempts to retrieve the PHP version from a web server. PHP has a number of magic queries that return images or text that can vary with the PHP version. This script uses the following queries:

  • /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: gets a GIF logo, which changes on April Fool's Day.
  • /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: gets an HTML credits page.

http-put

Uploads a local file to a remote web server using the HTTP PUT method. You must specify the filename and URL path with NSE arguments.

http-qnap-nas-info

Attempts to retrieve the model, firmware version, and enabled services from a QNAP Network Attached Storage (NAS) device.

http-referer-checker

Informs about cross-domain include of scripts. Websites that include external javascript scripts are delegating part of their security to third-party entities.

http-robots.txt

Checks for disallowed entries in /robots.txt on a web server.

http-robtex-reverse-ip

Obtains up to 100 forward DNS names for a target IP address by querying the Robtex service (http://www.robtex.com/ip/).

http-robtex-shared-ns

Finds up to 100 domain names which use the same name server as the target by querying the Robtex service at http://www.robtex.com/dns/.

http-sitemap-generator

Spiders a web server and displays its directory structure along with number and types of files in each folder. Note that files listed as having an 'Other' extension are ones that have no extension or that are a root document.

http-title

Shows the title of the default page of a web server.

http-trace

Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug is enabled, it returns the header fields that were modified in the response.

http-traceroute

Exploits the Max-Forwards HTTP header to detect the presence of reverse proxies.

http-unsafe-output-escaping

Spiders a website and attempts to identify output escaping problems where content is reflected back to the user. This script locates all parameters, ?x=foo&y=bar and checks if the values are reflected on the page. If they are indeed reflected, the script will try to insert ghz>hzx"zxc'xcv and check which (if any) characters were reflected back onto the page without proper html escaping. This is an indication of potential XSS vulnerability.

http-useragent-tester

Checks if various crawling utilities are allowed by the host.

http-vhosts

Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames.

http-vlcstreamer-ls

Connects to a VLC Streamer helper service and lists directory contents. The VLC Streamer helper service is used by the iOS VLC Streamer application to enable streaming of multimedia content from the remote server to the device.

http-waf-detect

Attempts to determine whether a web server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or WAF (Web Application Firewall) by probing the web server with malicious payloads and detecting changes in the response code and body.

http-waf-fingerprint

Tries to detect the presence of a web application firewall and its type and version.

http-wordpress-plugins

Tries to obtain a list of installed WordPress plugins by brute force testing for known plugins.

http-xssed

This script searches the xssed.com database and outputs the result.

icap-info

Tests a list of known ICAP service names and prints information about any it detects. The Internet Content Adaptation Protocol (ICAP) is used to extend transparent proxy servers and is generally used for content filtering and antivirus scanning.

ike-version

ip-forwarding

Detects whether the remote device has ip forwarding or "Internet connection sharing" enabled, by sending an ICMP echo request to a given target using the scanned host as default gateway.

ip-geolocation-geobytes

Tries to identify the physical location of an IP address using the Geobytes geolocation web service (http://www.geobytes.com/iplocator.htm). The limit of lookups using this service is 20 requests per hour. Once the limit is reached, an nmap.registry["ip-geolocation-geobytes"].blocked boolean is set so no further requests are made during a scan.

ip-geolocation-geoplugin

Tries to identify the physical location of an IP address using the Geoplugin geolocation web service (http://www.geoplugin.com/). There is no limit on lookups using this service.

ip-geolocation-ipinfodb

Tries to identify the physical location of an IP address using the IPInfoDB geolocation web service (http://ipinfodb.com/ip_location_api.php).

ip-geolocation-maxmind

Tries to identify the physical location of an IP address using a Geolocation Maxmind database file (available from http://www.maxmind.com/app/ip-location). This script supports queries using all Maxmind databases that are supported by their API including the commercial ones.

ipidseq

Classifies a host's IP ID sequence (test for susceptibility to idle scan).

ipv6-node-info

Obtains hostnames, IPv4 and IPv6 addresses through IPv6 Node Information Queries.

irc-botnet-channels

Checks an IRC server for channels that are commonly used by malicious botnets.

irc-info

Gathers information from an IRC server.

iscsi-info

Collects and displays information from remote iSCSI targets.

isns-info

Lists portals and iSCSI nodes registered with the Internet Storage Name Service (iSNS).

jdwp-info

Attempts to exploit java's remote debugging port. When remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script injects and execute a Java class file that returns remote system information.

ldap-novell-getpass

Universal Password enables advanced password policies, including extended characters in passwords, synchronization of passwords from eDirectory to other systems, and a single password for all access to eDirectory.

ldap-rootdse

Retrieves the LDAP root DSA-specific Entry (DSE)

ldap-search

Attempts to perform an LDAP search and returns all matches.

lexmark-config

Retrieves configuration information from a Lexmark S300-S400 printer.

llmnr-resolve

Resolves a hostname by using the LLMNR (Link-Local Multicast Name Resolution) protocol.

lltd-discovery

Uses the Microsoft LLTD protocol to discover hosts on a local network.

membase-http-info

Retrieves information (hostname, OS, uptime, etc.) from the CouchBase Web Administration port. The information retrieved by this script does not require any credentials.

memcached-info

Retrieves information (including system architecture, process ID, and server time) from distributed memory object caching system memcached.

modbus-discover

Enumerates SCADA Modbus slave ids (sids) and collects their device information.

mongodb-databases

Attempts to get a list of tables from a MongoDB database.

mongodb-info

Attempts to get build info and server status from a MongoDB database.

mrinfo

Queries targets for multicast routing information.

ms-sql-config

Queries Microsoft SQL Server (ms-sql) instances for a list of databases, linked servers, and configuration settings.

ms-sql-dac

Queries the Microsoft SQL Browser service for the DAC (Dedicated Admin Connection) port of a given (or all) SQL Server instance. The DAC port is used to connect to the database instance when normal connection attempts fail, for example, when server is hanging, out of memory or in other bad states. In addition, the DAC port provides an admin with access to system objects otherwise not accessible over normal connections.

ms-sql-dump-hashes

Dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John-the-ripper. In order to do so the user needs to have the appropriate DB privileges.

ms-sql-hasdbaccess

Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has access to.

ms-sql-info

Attempts to determine configuration and version information for Microsoft SQL Server instances.

ms-sql-query

Runs a query against Microsoft SQL Server (ms-sql).

ms-sql-tables

Queries Microsoft SQL Server (ms-sql) for a list of tables per database.

msrpc-enum

Queries an MSRPC endpoint mapper for a list of mapped services and displays the gathered information.

mtrace

Queries for the multicast path from a source to a destination host.

mysql-audit

Audits MySQL database server security configuration against parts of the CIS MySQL v1.0.2 benchmark (the engine can be used for other MySQL audits by creating appropriate audit files).

mysql-databases

Attempts to list all databases on a MySQL server.

mysql-dump-hashes

Dumps the password hashes from an MySQL server in a format suitable for cracking by tools such as John the Ripper. Appropriate DB privileges (root) are required.

mysql-info

Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.

mysql-query

Runs a query against a MySQL database and returns the results as a table.

mysql-variables

Attempts to show all variables on a MySQL server.

mysql-vuln-cve2012-2122

nat-pmp-info

Gets the routers WAN IP using the NAT Port Mapping Protocol (NAT-PMP). The NAT-PMP protocol is supported by a broad range of routers including: - Apple AirPort Express - Apple AirPort Extreme - Apple Time Capsule - DD-WRT - OpenWrt v8.09 or higher, with MiniUPnP daemon - pfSense v2.0 - Tarifa (firmware) (Linksys WRT54G/GL/GS) - Tomato Firmware v1.24 or higher. (Linksys WRT54G/GL/GS and many more) - Peplink Balance

nat-pmp-mapport

Maps a WAN port on the router to a local port on the client using the NAT Port Mapping Protocol (NAT-PMP). It supports the following operations: o map - maps a new external port on the router to an internal port of the requesting IP o unmap - unmaps a previously mapped port for the requesting IP o unmapall - unmaps all previously mapped ports for the requesting IP

nbstat

Attempts to retrieve the target's NetBIOS names and MAC address.

ncp-serverinfo

Retrieves eDirectory server information (OS version, server name, mounts, etc.) from the Novell NetWare Core Protocol (NCP) service.

ndmp-fs-info

Lists remote file systems by querying the remote device using the Network Data Management Protocol (ndmp). NDMP is a protocol intended to transport data between a NAS device and the backup device, removing the need for the data to pass through the backup server. The following products are known to support the protocol:

  • Amanda
  • Bacula
  • CA Arcserve
  • CommVault Simpana
  • EMC Networker
  • Hitachi Data Systems
  • IBM Tivoli
  • Quest Software Netvault Backup
  • Symantec Netbackup
  • Symantec Backup Exec

netbus-info

Opens a connection to a NetBus server and extracts information about the host and the NetBus service itself.

nfs-ls

Attempts to get useful information about files from NFS exports. The output is intended to resemble the output of ls.

nfs-showmount

Shows NFS exports, like the showmount -e command.

nfs-statfs

Retrieves disk space statistics and information from a remote NFS share. The output is intended to resemble the output of df.

nrpe-enum

Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such as load averages, process counts, logged in user information, etc.

ntp-info

Gets the time and configuration variables from an NTP server. We send two requests: a time request and a "read variables" (opcode 2) control message. Without verbosity, the script shows the time and the value of the version, processor, system, refid, and stratum variables. With verbosity, all variables are shown.

ntp-monlist

Obtains and prints an NTP server's monitor data.

omp2-enum-targets

Attempts to retrieve the list of target systems and networks from an OpenVAS Manager server.

openlookup-info

Parses and displays the banner information of an OpenLookup (network key-value store) server.

path-mtu

Performs simple Path MTU Discovery to target hosts.

pop3-capabilities

Retrieves POP3 email server capabilities.

qscan

Repeatedly probe open and/or closed ports on a host to obtain a series of round-trip time values for each port. These values are used to group collections of ports which are statistically different from other groups. Ports being in different groups (or "families") may be due to network mechanisms such as port forwarding to machines behind a NAT.

quake1-info

Extracts information from Quake game servers and other game servers which use the same protocol.

quake3-info

Extracts information from a Quake3 game server and other games which use the same protocol.

quake3-master-getservers

Queries Quake3-style master servers for game servers (many games other than Quake 3 use this same protocol).

rdp-enum-encryption

Determines which Security layer and Encryption level is supported by the RDP service. It does so by cycling through all existing protocols and ciphers. When run in debug mode, the script also returns the protocols and ciphers that fail and any errors that were reported.

redis-info

Retrieves information (such as version number and architecture) from a Redis key-value store.

resolveall

Resolves hostnames and adds every address (IPv4 or IPv6, depending on Nmap mode) to Nmap's target list. This differs from Nmap's normal host resolution process, which only scans the first address (A or AAAA record) returned for each host name.

rfc868-time

Retrieves the day and time from the Time service.

riak-http-info

Retrieves information (such as node name and architecture) from a Basho Riak distributed database using the HTTP protocol.

rmi-dumpregistry

Connects to a remote RMI registry and attempts to dump all of its objects.

rpcap-info

Connects to the rpcap service (provides remote sniffing capabilities through WinPcap) and retrieves interface information. The service can either be setup to require authentication or not and also supports IP restrictions.

rpcinfo

Connects to portmapper and fetches a list of all registered programs. It then prints out a table including (for each program) the RPC program number, supported version numbers, port number and protocol, and program name.

rsync-list-modules

Lists modules available for rsync (remote file sync) synchronization.

s7-info

Enumerates Siemens S7 PLC Devices and collects their device information. This script is based off PLCScan that was developed by Positive Research and Scadastrangelove (https://code.google.com/p/plcscan/). This script is meant to provide the same functionality as PLCScan inside of Nmap. Some of the information that is collected by PLCScan was not ported over; this information can be parsed out of the packets that are received.

servicetags

Attempts to extract system information (OS, hardware, etc.) from the Sun Service Tags service agent (UDP port 6481).

sip-call-spoof

Spoofs a call to a SIP phone and detects the action taken by the target (busy, declined, hung up, etc.)

sip-methods

Enumerates a SIP Server's allowed methods (INVITE, OPTIONS, SUBSCRIBE, etc.)

smb-enum-domains

Attempts to enumerate domains on a system, along with their policies. This generally requires credentials, except against Windows 2000. In addition to the actual domain, the "Builtin" domain is generally displayed. Windows returns this in the list of domains, but its policies don't appear to be used anywhere.

smb-enum-groups

Obtains a list of groups from the remote Windows system, as well as a list of the group's users. This works similarly to enum.exe with the /G switch.

smb-enum-processes

Pulls a list of processes from the remote server over SMB. This will determine all running processes, their process IDs, and their parent processes. It is done by querying the remote registry service, which is disabled by default on Vista; on all other Windows versions, it requires Administrator privileges.

smb-enum-sessions

Enumerates the users logged into a system either locally or through an SMB share. The local users can be logged on either physically on the machine, or through a terminal services session. Connections to a SMB share are, for example, people connected to fileshares or making RPC calls. Nmap's connection will also show up, and is generally identified by the one that connected "0 seconds ago".

smb-enum-shares

Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names are checked.

smb-ls

Attempts to retrieve useful information about files shared on SMB volumes. The output is intended to resemble the output of the UNIX ls command.

smb-mbenum

Queries information managed by the Windows Master Browser.

smb-os-discovery

Attempts to determine the operating system, computer name, domain, workgroup, and current time over the SMB protocol (ports 445 or 139). This is done by starting a session with the anonymous account (or with a proper user account, if one is given; it likely doesn't make a difference); in response to a session starting, the server will send back all this information.

smb-security-mode

Returns information about the SMB security level determined by SMB.

smb-server-stats

Attempts to grab the server's statistics over SMB and MSRPC, which uses TCP ports 445 or 139.

smb-system-info

Pulls back information about the remote system from the registry. Getting all of the information requires an administrative account, although a user account will still get a lot of it. Guest probably won't get any, nor will anonymous. This goes for all operating systems, including Windows 2000.

smtp-commands

Attempts to use EHLO and HELP to gather the Extended commands supported by an SMTP server.

smtp-open-relay

Attempts to relay mail by issuing a predefined combination of SMTP commands. The goal of this script is to tell if a SMTP server is vulnerable to mail relaying.

sniffer-detect

Checks if a target on a local Ethernet has its network card in promiscuous mode.

snmp-hh3c-logins

Attempts to enumerate Huawei / HP/H3C Locally Defined Users through the hh3c-user.mib OID

snmp-interfaces

Attempts to enumerate network interfaces through SNMP.

snmp-netstat

Attempts to query SNMP for a netstat like output. The script can be used to identify and automatically add new targets to the scan by supplying the newtargets script argument.

snmp-processes

Attempts to enumerate running processes through SNMP.

snmp-sysdescr

Attempts to extract system information from an SNMP version 1 service.

snmp-win32-services

Attempts to enumerate Windows services through SNMP.

snmp-win32-shares

Attempts to enumerate Windows Shares through SNMP.

snmp-win32-software

Attempts to enumerate installed software through SNMP.

socks-auth-info

Determines the supported authentication mechanisms of a remote SOCKS proxy server. Starting with SOCKS version 5 socks servers may support authentication. The script checks for the following authentication types: 0 - No authentication 1 - GSSAPI 2 - Username and password

socks-open-proxy

Checks if an open socks proxy is running on the target.

ssh-hostkey

Shows SSH hostkeys.

ssh2-enum-algos

Reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers. If verbosity is set, the offered algorithms are each listed by type.

ssl-cert

Retrieves a server's SSL certificate. The amount of information printed about the certificate depends on the verbosity level. With no extra verbosity, the script prints the validity period and the commonName, organizationName, stateOrProvinceName, and countryName of the subject.

ssl-date

Retrieves a target host's time and date from its TLS ServerHello response.

ssl-enum-ciphers

This script repeatedly initiates SSLv3/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphers and compressors that a server accepts.

ssl-google-cert-catalog

Queries Google's Certificate Catalog for the SSL certificates retrieved from target hosts.

ssl-known-key

Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys.

sstp-discover

Check if the Secure Socket Tunneling Protocol is supported. This is accomplished by trying to establish the HTTPS layer which is used to carry SSTP traffic as described in: - http://msdn.microsoft.com/en-us/library/cc247364.aspx

stun-info

Retrieves the external IP address of a NAT:ed host using the STUN protocol.

stuxnet-detect

Detects whether a host is infected with the Stuxnet worm (http://en.wikipedia.org/wiki/Stuxnet).

targets-asn

Produces a list of IP prefixes for a given routing AS number (ASN).

targets-ipv6-multicast-echo

Sends an ICMPv6 echo request packet to the all-nodes link-local multicast address (ff02::1) to discover responsive hosts on a LAN without needing to individually ping each IPv6 address.

targets-ipv6-multicast-invalid-dst

Sends an ICMPv6 packet with an invalid extension header to the all-nodes link-local multicast address (ff02::1) to discover (some) available hosts on the LAN. This works because some hosts will respond to this probe with an ICMPv6 Parameter Problem packet.

targets-ipv6-multicast-mld

Attempts to discover available IPv6 hosts on the LAN by sending an MLD (multicast listener discovery) query to the link-local multicast address (ff02::1) and listening for any responses. The query's maximum response delay set to 0 to provoke hosts to respond immediately rather than waiting for other responses from their multicast group.

targets-ipv6-multicast-slaac

Performs IPv6 host discovery by triggering stateless address auto-configuration (SLAAC).

targets-sniffer

Sniffs the local network for a configurable amount of time (10 seconds by default) and prints discovered addresses. If the newtargets script argument is set, discovered addresses are added to the scan queue.

targets-traceroute

Inserts traceroute hops into the Nmap scanning queue. It only functions if Nmap's --traceroute option is used and the newtargets script argument is given.

telnet-encryption

Determines whether the encryption option is supported on a remote telnet server. Some systems (including FreeBSD and the krb5 telnetd available in many Linux distributions) implement this option incorrectly, leading to a remote root vulnerability. This script currently only tests whether encryption is supported, not for that particular vulnerability.

tftp-enum

Enumerates TFTP (trivial file transfer protocol) filenames by testing for a list of common ones.

tls-nextprotoneg

Enumerates a TLS server's supported protocols by using the next protocol negotiation extension.

traceroute-geolocation

Lists the geographic locations of each hop in a traceroute and optionally saves the results to a KML file, plottable on Google earth and maps.

upnp-info

Attempts to extract system information from the UPnP service.

ventrilo-info

Detects the Ventrilo voice communication server service versions 2.1.2 and above and tries to determine version and configuration information. Some of the older versions (pre 3.0.0) may not have the UDP service that this probe relies on enabled by default.

versant-info

Extracts information, including file paths, version and database names from a Versant object database.

vnc-info

Queries a VNC server for its protocol version and supported security types.

voldemort-info

Retrieves cluster and store information from the Voldemort distributed key-value store using the Voldemort Native Protocol.

vuze-dht-info

Retrieves some basic information, including protocol version from a Vuze filesharing node.

wdb-version

Detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents.

weblogic-t3-info

Detect the T3 RMI protocol and Weblogic version

whois-domain

Attempts to retrieve information about the domain name of the target

whois-ip

Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.

wsdd-discover

Retrieves and displays information from devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later).

xdmcp-discover

Requests an XDMCP (X display manager control protocol) session and lists supported authentication and authorization mechanisms.

xmpp-info

Connects to XMPP server (port 5222) and collects server information such as: supported auth mechanisms, compression methods, whether TLS is supported and mandatory, stream management, language, support of In-Band registration, server capabilities. If possible, studies server vendor.

Nmap Site Navigation

Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]