NSEDoc

• Index
• NSE Documentation

Categories

• auth
• broadcast
• brute
• default
• discovery
• dos
• exploit
• external
• fuzzer
• intrusive
• malware
• safe
• version
• vuln

Scripts (show 380)(380)Scripts (380)

• acarsd-info
• address-info
• afp-brute
• afp-ls
• afp-path-vuln
• afp-serverinfo
• afp-showmount
• ajp-auth
• ajp-brute
• ajp-headers
• ajp-methods
• ajp-request
• amqp-info
• asn-query
• auth-owners
• auth-spoof
• backorifice-brute
• backorifice-info
• banner
• bitcoin-getaddr
• bitcoin-info
• bitcoinrpc-info
• bittorrent-discovery
• broadcast-ataoe-discover
• broadcast-avahi-dos
• broadcast-db2-discover
• broadcast-dhcp-discover
• broadcast-dhcp6-discover
• broadcast-dns-service-discovery
• broadcast-dropbox-listener
• broadcast-listener
• broadcast-ms-sql-discover
• broadcast-netbios-master-browser
• broadcast-networker-discover
• broadcast-novell-locate
• broadcast-pc-anywhere
• broadcast-pc-duo
• broadcast-ping
• broadcast-pppoe-discover
• broadcast-rip-discover
• broadcast-ripng-discover
• broadcast-sybase-asa-discover
• broadcast-tellstick-discover
• broadcast-upnp-info
• broadcast-versant-locate
• broadcast-wake-on-lan
• broadcast-wpad-discover
• broadcast-wsdd-discover
• broadcast-xdmcp-discover
• cccam-version
• citrix-brute-xml
• citrix-enum-apps
• citrix-enum-apps-xml
• citrix-enum-servers
• citrix-enum-servers-xml
• couchdb-databases
• couchdb-stats
• creds-summary
• cups-info
• cups-queue-info
• cvs-brute
• cvs-brute-repository
• daap-get-library
• daytime
• db2-das-info
• db2-discover
• dhcp-discover
• dict-info
• distcc-CVE-2004-2687
• dns-blacklist
• dns-brute
• dns-cache-snoop
• dns-check-zone
• dns-client-subnet-scan
• dns-fuzz
• dns-ip6-arpa-scan
• dns-nsec-enum
• dns-nsid
• dns-random-srcport
• dns-random-txid
• dns-recursion
• dns-service-discovery
• dns-srv-enum
• dns-update
• dns-zeustracker
• dns-zone-transfer
• domcon-brute
• domcon-cmd
• domino-enum-users
• dpap-brute
• drda-brute
• drda-info
• duplicates
• eap-info
• epmd-info
• finger
• firewalk
• ftp-anon
• ftp-bounce
• ftp-brute
• ftp-libopie
• ftp-proftpd-backdoor
• ftp-vsftpd-backdoor
• ftp-vuln-cve2010-4221
• ganglia-info
• giop-info
• gkrellm-info
• gopher-ls
• gpsd-info
• hadoop-datanode-info
• hadoop-jobtracker-info
• hadoop-namenode-info
• hadoop-secondary-namenode-info
• hadoop-tasktracker-info
• hbase-master-info
• hbase-region-info
• hddtemp-info
• hostmap-bfk
• hostmap-robtex
• http-affiliate-id
• http-apache-negotiation
• http-auth
• http-auth-finder
• http-awstatstotals-exec
• http-axis2-dir-traversal
• http-backup-finder
• http-barracuda-dir-traversal
• http-brute
• http-cakephp-version
• http-chrono
• http-config-backup
• http-cors
• http-date
• http-default-accounts
• http-domino-enum-passwords
• http-drupal-enum-users
• http-drupal-modules
• http-email-harvest
• http-enum
• http-favicon
• http-form-brute
• http-generator
• http-gitweb-projects-enum
• http-google-malware
• http-grep
• http-headers
• http-icloud-findmyiphone
• http-icloud-sendmsg
• http-iis-webdav-vuln
• http-joomla-brute
• http-litespeed-sourcecode-download
• http-majordomo2-dir-traversal
• http-malware-host
• http-method-tamper
• http-methods
• http-open-proxy
• http-open-redirect
• http-passwd
• http-php-version
• http-proxy-brute
• http-put
• http-qnap-nas-info
• http-robots.txt
• http-robtex-reverse-ip
• http-robtex-shared-ns
• http-title
• http-trace
• http-traceroute
• http-unsafe-output-escaping
• http-userdir-enum
• http-vhosts
• http-virustotal
• http-vlcstreamer-ls
• http-vmware-path-vuln
• http-vuln-cve2009-3960
• http-vuln-cve2010-2861
• http-vuln-cve2011-3192
• http-vuln-cve2011-3368
• http-vuln-cve2012-1823
• http-waf-detect
• http-wordpress-brute
• http-wordpress-enum
• http-wordpress-plugins
• iax2-brute
• iax2-version
• icap-info
• imap-brute
• imap-capabilities
• informix-brute
• informix-query
• informix-tables
• ip-forwarding
• ip-geolocation-geobytes
• ip-geolocation-geoplugin
• ip-geolocation-ipinfodb
• ip-geolocation-maxmind
• ipidseq
• ipv6-node-info
• irc-botnet-channels
• irc-brute
• irc-info
• irc-unrealircd-backdoor
• iscsi-brute
• iscsi-info
• jdwp-version
• krb5-enum-users
• ldap-brute
• ldap-novell-getpass
• ldap-rootdse
• ldap-search
• lexmark-config
• lltd-discovery
• maxdb-info
• membase-brute
• membase-http-info
• memcached-info
• metasploit-xmlrpc-brute
• mmouse-brute
• mmouse-exec
• modbus-discover
• mongodb-brute
• mongodb-databases
• mongodb-info
• ms-sql-brute
• ms-sql-config
• ms-sql-dump-hashes
• ms-sql-empty-password
• ms-sql-hasdbaccess
• ms-sql-info
• ms-sql-query
• ms-sql-tables
• ms-sql-xp-cmdshell
• mysql-audit
• mysql-brute
• mysql-databases
• mysql-dump-hashes
• mysql-empty-password
• mysql-info
• mysql-query
• mysql-users
• mysql-variables
• nat-pmp-info
• nat-pmp-mapport
• nbstat
• ncp-enum-users
• ncp-serverinfo
• ndmp-fs-info
• ndmp-version
• nessus-brute
• nessus-xmlrpc-brute
• netbus-auth-bypass
• netbus-brute
• netbus-info
• netbus-version
• nexpose-brute
• nfs-ls
• nfs-showmount
• nfs-statfs
• nping-brute
• nrpe-enum
• ntp-info
• ntp-monlist
• omp2-brute
• omp2-enum-targets
• openlookup-info
• openvas-otp-brute
• oracle-brute
• oracle-enum-users
• oracle-sid-brute
• ovs-agent-version
• p2p-conficker
• path-mtu
• pgsql-brute
• pjl-ready-message
• pop3-brute
• pop3-capabilities
• pptp-version
• qscan
• quake3-info
• quake3-master-getservers
• rdp-vuln-ms12-020
• realvnc-auth-bypass
• redis-brute
• redis-info
• resolveall
• reverse-index
• rexec-brute
• riak-http-info
• rlogin-brute
• rmi-dumpregistry
• rpcap-brute
• rpcap-info
• rpcinfo
• rsync-brute
• rsync-list-modules
• rtsp-methods
• rtsp-url-brute
• samba-vuln-cve-2012-1182
• servicetags
• sip-brute
• sip-enum-users
• skypev2-version
• smb-brute
• smb-check-vulns
• smb-enum-domains
• smb-enum-groups
• smb-enum-processes
• smb-enum-sessions
• smb-enum-shares
• smb-enum-users
• smb-flood
• smb-mbenum
• smb-os-discovery
• smb-psexec
• smb-security-mode
• smb-server-stats
• smb-system-info
• smbv2-enabled
• smtp-brute
• smtp-commands
• smtp-enum-users
• smtp-open-relay
• smtp-strangeport
• smtp-vuln-cve2010-4344
• smtp-vuln-cve2011-1720
• smtp-vuln-cve2011-1764
• sniffer-detect
• snmp-brute
• snmp-interfaces
• snmp-ios-config
• snmp-netstat
• snmp-processes
• snmp-sysdescr
• snmp-win32-services
• snmp-win32-shares
• snmp-win32-software
• snmp-win32-users
• socks-auth-info
• socks-brute
• socks-open-proxy
• sql-injection
• ssh-hostkey
• ssh2-enum-algos
• sshv1
• ssl-cert
• ssl-enum-ciphers
• ssl-google-cert-catalog
• ssl-known-key
• sslv2
• stun-info
• stun-version
• stuxnet-detect
• svn-brute
• targets-asn
• targets-ipv6-multicast-echo
• targets-ipv6-multicast-invalid-dst
• targets-ipv6-multicast-mld
• targets-ipv6-multicast-slaac
• targets-sniffer
• targets-traceroute
• telnet-brute
• telnet-encryption
• tftp-enum
• traceroute-geolocation
• unusual-port
• upnp-info
• url-snarf
• versant-info
• vmauthd-brute
• vnc-brute
• vnc-info
• voldemort-info
• vuze-dht-info
• wdb-version
• whois
• wsdd-discover
• x11-access
• xdmcp-discover
• xmpp-brute
• xmpp-info

Libraries (show 96)(96)Libraries (96)

• afp
• ajp
• amqp
• asn1
• base64
• bin
• bit
• bitcoin
• bittorrent
• brute
• citrixxml
• comm
• creds
• cvs
• datafiles
• dhcp
• dhcp6
• dns
• dnsbl
• dnssd
• drda
• eap
• ftp
• giop
• gps
• http
• httpspider
• iax2
• imap
• informix
• ipOps
• ipp
• iscsi
• json
• ldap
• listop
• match
• membase
• mobileme
• mongodb
• msrpc
• msrpcperformance
• msrpctypes
• mssql
• mysql
• natpmp
• ncp
• ndmp
• netbios
• nmap
• nrpc
• nsedebug
• omp2
• openssl
• packet
• pcre
• pgsql
• pop3
• pppoe
• proxy
• redis
• rmi
• rpc
• rpcap
• rsync
• rtsp
• sasl
• shortport
• sip
• smb
• smbauth
• smtp
• snmp
• socks
• srvloc
• ssh1
• ssh2
• sslcert
• stdnse
• strbuf
• strict
• stun
• tab
• target
• tftp
• tns
• unpwdb
• upnp
• url
• versant
• vnc
• vulns
• vuzedht
• wsdd
• xdmcp
• xmpp

Scripts

afp-path-vuln	Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.
distcc-CVE-2004-2687	Detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. The vulnerability was disclosed in 2002, but is still present in modern implementation due to poor configuration of the service.
ftp-proftpd-backdoor	Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.
ftp-vsftpd-backdoor	Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.
http-awstatstotals-exec	Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE: 2008-3922).
http-axis2-dir-traversal	Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service '/conf/axis2.xml' using the path '/axis2/services/' to return the username and password of the admin account.
http-barracuda-dir-traversal	Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at http://seclists.org/fulldisclosure/2010/Oct/119.
http-litespeed-sourcecode-download	Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).
http-majordomo2-dir-traversal	Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049).
http-vuln-cve2009-3960	Exploits cve-2009-3960 also known as Adobe XML External Entity Injection.
http-vuln-cve2012-1823	Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This vulnerability is critical and it allows attackers to retrieve source code and execute code remotely.
irc-unrealircd-backdoor	Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.
smb-check-vulns	Checks for vulnerabilities: MS08-067, a Windows RPC vulnerability Conficker, an infection by the Conficker worm Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000 SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497) MS06-025, a Windows Ras RPC service vulnerability MS07-029, a Windows Dns Server RPC service vulnerability
smtp-vuln-cve2010-4344	Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345).