NSEDoc

• Index
• NSE Documentation

Categories

• auth
• broadcast
• brute
• default
• discovery
• dos
• exploit
• external
• fuzzer
• intrusive
• malware
• safe
• version
• vuln

Scripts (show 437)(437)Scripts (437)

• acarsd-info
• address-info
• afp-brute
• afp-ls
• afp-path-vuln
• afp-serverinfo
• afp-showmount
• ajp-auth
• ajp-brute
• ajp-headers
• ajp-methods
• ajp-request
• amqp-info
• asn-query
• auth-owners
• auth-spoof
• backorifice-brute
• backorifice-info
• banner
• bitcoin-getaddr
• bitcoin-info
• bitcoinrpc-info
• bittorrent-discovery
• bjnp-discover
• broadcast-ataoe-discover
• broadcast-avahi-dos
• broadcast-bjnp-discover
• broadcast-db2-discover
• broadcast-dhcp-discover
• broadcast-dhcp6-discover
• broadcast-dns-service-discovery
• broadcast-dropbox-listener
• broadcast-eigrp-discovery
• broadcast-igmp-discovery
• broadcast-listener
• broadcast-ms-sql-discover
• broadcast-netbios-master-browser
• broadcast-networker-discover
• broadcast-novell-locate
• broadcast-pc-anywhere
• broadcast-pc-duo
• broadcast-pim-discovery
• broadcast-ping
• broadcast-pppoe-discover
• broadcast-rip-discover
• broadcast-ripng-discover
• broadcast-sybase-asa-discover
• broadcast-tellstick-discover
• broadcast-upnp-info
• broadcast-versant-locate
• broadcast-wake-on-lan
• broadcast-wpad-discover
• broadcast-wsdd-discover
• broadcast-xdmcp-discover
• cassandra-brute
• cassandra-info
• cccam-version
• citrix-brute-xml
• citrix-enum-apps
• citrix-enum-apps-xml
• citrix-enum-servers
• citrix-enum-servers-xml
• couchdb-databases
• couchdb-stats
• creds-summary
• cups-info
• cups-queue-info
• cvs-brute
• cvs-brute-repository
• daap-get-library
• daytime
• db2-das-info
• db2-discover
• dhcp-discover
• dict-info
• distcc-cve2004-2687
• dns-blacklist
• dns-brute
• dns-cache-snoop
• dns-check-zone
• dns-client-subnet-scan
• dns-fuzz
• dns-ip6-arpa-scan
• dns-nsec-enum
• dns-nsec3-enum
• dns-nsid
• dns-random-srcport
• dns-random-txid
• dns-recursion
• dns-service-discovery
• dns-srv-enum
• dns-update
• dns-zeustracker
• dns-zone-transfer
• domcon-brute
• domcon-cmd
• domino-enum-users
• dpap-brute
• drda-brute
• drda-info
• duplicates
• eap-info
• epmd-info
• eppc-enum-processes
• finger
• firewalk
• firewall-bypass
• flume-master-info
• ftp-anon
• ftp-bounce
• ftp-brute
• ftp-libopie
• ftp-proftpd-backdoor
• ftp-vsftpd-backdoor
• ftp-vuln-cve2010-4221
• ganglia-info
• giop-info
• gkrellm-info
• gopher-ls
• gpsd-info
• hadoop-datanode-info
• hadoop-jobtracker-info
• hadoop-namenode-info
• hadoop-secondary-namenode-info
• hadoop-tasktracker-info
• hbase-master-info
• hbase-region-info
• hddtemp-info
• hostmap-bfk
• hostmap-robtex
• http-affiliate-id
• http-apache-negotiation
• http-auth
• http-auth-finder
• http-awstatstotals-exec
• http-axis2-dir-traversal
• http-backup-finder
• http-barracuda-dir-traversal
• http-brute
• http-cakephp-version
• http-chrono
• http-config-backup
• http-cors
• http-date
• http-default-accounts
• http-domino-enum-passwords
• http-drupal-enum-users
• http-drupal-modules
• http-email-harvest
• http-enum
• http-exif-spider
• http-favicon
• http-form-brute
• http-form-fuzzer
• http-frontpage-login
• http-generator
• http-git
• http-gitweb-projects-enum
• http-google-malware
• http-grep
• http-headers
• http-huawei-hg5xx-vuln
• http-icloud-findmyiphone
• http-icloud-sendmsg
• http-iis-webdav-vuln
• http-joomla-brute
• http-litespeed-sourcecode-download
• http-majordomo2-dir-traversal
• http-malware-host
• http-method-tamper
• http-methods
• http-open-proxy
• http-open-redirect
• http-passwd
• http-php-version
• http-phpself-xss
• http-proxy-brute
• http-put
• http-qnap-nas-info
• http-rfi-spider
• http-robots.txt
• http-robtex-reverse-ip
• http-robtex-shared-ns
• http-sitemap-generator
• http-slowloris
• http-slowloris-check
• http-sql-injection
• http-title
• http-tplink-dir-traversal
• http-trace
• http-traceroute
• http-unsafe-output-escaping
• http-userdir-enum
• http-vhosts
• http-virustotal
• http-vlcstreamer-ls
• http-vmware-path-vuln
• http-vuln-cve2009-3960
• http-vuln-cve2010-0738
• http-vuln-cve2010-2861
• http-vuln-cve2011-3192
• http-vuln-cve2011-3368
• http-vuln-cve2012-1823
• http-waf-detect
• http-waf-fingerprint
• http-wordpress-brute
• http-wordpress-enum
• http-wordpress-plugins
• iax2-brute
• iax2-version
• icap-info
• ike-version
• imap-brute
• imap-capabilities
• informix-brute
• informix-query
• informix-tables
• ip-forwarding
• ip-geolocation-geobytes
• ip-geolocation-geoplugin
• ip-geolocation-ipinfodb
• ip-geolocation-maxmind
• ipidseq
• ipv6-node-info
• ipv6-ra-flood
• irc-botnet-channels
• irc-brute
• irc-info
• irc-sasl-brute
• irc-unrealircd-backdoor
• iscsi-brute
• iscsi-info
• isns-info
• jdwp-exec
• jdwp-info
• jdwp-inject
• jdwp-version
• krb5-enum-users
• ldap-brute
• ldap-novell-getpass
• ldap-rootdse
• ldap-search
• lexmark-config
• llmnr-resolve
• lltd-discovery
• maxdb-info
• mcafee-epo-agent
• membase-brute
• membase-http-info
• memcached-info
• metasploit-info
• metasploit-msgrpc-brute
• metasploit-xmlrpc-brute
• mmouse-brute
• mmouse-exec
• modbus-discover
• mongodb-brute
• mongodb-databases
• mongodb-info
• mrinfo
• ms-sql-brute
• ms-sql-config
• ms-sql-dac
• ms-sql-dump-hashes
• ms-sql-empty-password
• ms-sql-hasdbaccess
• ms-sql-info
• ms-sql-query
• ms-sql-tables
• ms-sql-xp-cmdshell
• msrpc-enum
• mtrace
• murmur-version
• mysql-audit
• mysql-brute
• mysql-databases
• mysql-dump-hashes
• mysql-empty-password
• mysql-enum
• mysql-info
• mysql-query
• mysql-users
• mysql-variables
• mysql-vuln-cve2012-2122
• nat-pmp-info
• nat-pmp-mapport
• nbstat
• ncp-enum-users
• ncp-serverinfo
• ndmp-fs-info
• ndmp-version
• nessus-brute
• nessus-xmlrpc-brute
• netbus-auth-bypass
• netbus-brute
• netbus-info
• netbus-version
• nexpose-brute
• nfs-ls
• nfs-showmount
• nfs-statfs
• nping-brute
• nrpe-enum
• ntp-info
• ntp-monlist
• omp2-brute
• omp2-enum-targets
• openlookup-info
• openvas-otp-brute
• oracle-brute
• oracle-brute-stealth
• oracle-enum-users
• oracle-sid-brute
• ovs-agent-version
• p2p-conficker
• path-mtu
• pcanywhere-brute
• pgsql-brute
• pjl-ready-message
• pop3-brute
• pop3-capabilities
• pptp-version
• qscan
• quake3-info
• quake3-master-getservers
• rdp-enum-encryption
• rdp-vuln-ms12-020
• realvnc-auth-bypass
• redis-brute
• redis-info
• resolveall
• reverse-index
• rexec-brute
• riak-http-info
• rlogin-brute
• rmi-dumpregistry
• rmi-vuln-classloader
• rpc-grind
• rpcap-brute
• rpcap-info
• rpcinfo
• rsync-brute
• rsync-list-modules
• rtsp-methods
• rtsp-url-brute
• samba-vuln-cve-2012-1182
• servicetags
• sip-brute
• sip-call-spoof
• sip-enum-users
• sip-methods
• skypev2-version
• smb-brute
• smb-check-vulns
• smb-enum-domains
• smb-enum-groups
• smb-enum-processes
• smb-enum-sessions
• smb-enum-shares
• smb-enum-users
• smb-flood
• smb-ls
• smb-mbenum
• smb-os-discovery
• smb-print-text
• smb-psexec
• smb-security-mode
• smb-server-stats
• smb-system-info
• smb-vuln-ms10-054
• smb-vuln-ms10-061
• smbv2-enabled
• smtp-brute
• smtp-commands
• smtp-enum-users
• smtp-open-relay
• smtp-strangeport
• smtp-vuln-cve2010-4344
• smtp-vuln-cve2011-1720
• smtp-vuln-cve2011-1764
• sniffer-detect
• snmp-brute
• snmp-hh3c-logins
• snmp-interfaces
• snmp-ios-config
• snmp-netstat
• snmp-processes
• snmp-sysdescr
• snmp-win32-services
• snmp-win32-shares
• snmp-win32-software
• snmp-win32-users
• socks-auth-info
• socks-brute
• socks-open-proxy
• ssh-hostkey
• ssh2-enum-algos
• sshv1
• ssl-cert
• ssl-date
• ssl-enum-ciphers
• ssl-google-cert-catalog
• ssl-known-key
• sslv2
• stun-info
• stun-version
• stuxnet-detect
• svn-brute
• targets-asn
• targets-ipv6-multicast-echo
• targets-ipv6-multicast-invalid-dst
• targets-ipv6-multicast-mld
• targets-ipv6-multicast-slaac
• targets-sniffer
• targets-traceroute
• telnet-brute
• telnet-encryption
• tftp-enum
• tls-nextprotoneg
• traceroute-geolocation
• unusual-port
• upnp-info
• url-snarf
• ventrilo-info
• versant-info
• vmauthd-brute
• vnc-brute
• vnc-info
• voldemort-info
• vuze-dht-info
• wdb-version
• whois
• wsdd-discover
• x11-access
• xdmcp-discover
• xmpp-brute
• xmpp-info

Libraries (show 106)(106)Libraries (106)

• afp
• ajp
• amqp
• asn1
• base32
• base64
• bin
• bit
• bitcoin
• bittorrent
• bjnp
• brute
• cassandra
• citrixxml
• comm
• creds
• cvs
• datafiles
• dhcp
• dhcp6
• dns
• dnsbl
• dnssd
• drda
• eap
• eigrp
• ftp
• giop
• gps
• http
• httpspider
• iax2
• ike
• imap
• informix
• ipOps
• ipp
• iscsi
• isns
• jdwp
• json
• ldap
• lfs
• listop
• match
• membase
• mobileme
• mongodb
• msrpc
• msrpcperformance
• msrpctypes
• mssql
• mysql
• natpmp
• ncp
• ndmp
• netbios
• nmap
• nrpc
• nsedebug
• omp2
• openssl
• ospf
• packet
• pcre
• pgsql
• pop3
• pppoe
• proxy
• rdp
• redis
• rmi
• rpc
• rpcap
• rsync
• rtsp
• sasl
• shortport
• sip
• smb
• smbauth
• smtp
• snmp
• socks
• srvloc
• ssh1
• ssh2
• sslcert
• stdnse
• strbuf
• strict
• stun
• tab
• target
• tftp
• tns
• unpwdb
• upnp
• url
• versant
• vnc
• vulns
• vuzedht
• wsdd
• xdmcp
• xmpp

Scripts

asn-query	Maps IP addresses to autonomous system (AS) numbers.
dns-blacklist	Checks target IP addresses against multiple DNS anti-spam and open proxy blacklists and returns a list of services for which an IP has been flagged. Checks may be limited by service category (eg: SPAM, PROXY) or to a specific service name.
dns-check-zone	Checks DNS zone configuration against best practices, including RFC 1912. The configuration checks are divided into categories which each have a number of different tests.
dns-random-srcport	Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
dns-random-txid	Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
dns-zeustracker	Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch. Please review the following information before you start to scan: https://zeustracker.abuse.ch/ztdns.php
hostmap-bfk	Discovers hostnames that resolve to the target's IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html.
hostmap-robtex	Discovers hostnames that resolve to the target's IP address by querying the online Robtex service at http://ip.robtex.com/.
http-google-malware	Checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.
http-icloud-findmyiphone	Retrieves the locations of all "Find my iPhone" enabled iOS devices by querying the MobileMe web service (authentication required).
http-icloud-sendmsg	Sends a message to a iOS device through the Apple MobileMe web service. The device has to be registered with an Apple ID using the Find My Iphone application.
http-open-proxy	Checks if an HTTP proxy is open.
http-proxy-brute	Performs brute force password guessing against HTTP proxy servers.
http-robtex-reverse-ip	Obtains up to 100 forward DNS names for a target IP address by querying the Robtex service (http://www.robtex.com/ip/).
http-robtex-shared-ns	Finds up to 100 domain names which use the same name server as the target by querying the Robtex service at http://www.robtex.com/dns/.
http-virustotal	Checks whether a file has been determined as malware by Virustotal. Virustotal is a service that provides the capability to scan a file or check a checksum against a number of the major antivirus vendors. The script uses the public API which requires a valid API key and has a limit on 4 queries per minute. A key can be acquired by registering as a user on the virustotal web page: http://www.virustotal.com
ip-geolocation-geobytes	Tries to identify the physical location of an IP address using the Geobytes geolocation web service (http://www.geobytes.com/iplocator.htm). The limit of lookups using this service is 20 requests per hour. Once the limit is reached, an nmap.registry["ip-geolocation-geobytes"].blocked boolean is set so no further requests are made during a scan.
ip-geolocation-geoplugin	Tries to identify the physical location of an IP address using the Geoplugin geolocation web service (http://www.geoplugin.com/). There is no limit on lookups using this service.
ip-geolocation-ipinfodb	Tries to identify the physical location of an IP address using the IPInfoDB geolocation web service (http://ipinfodb.com/ip_location_api.php).
ip-geolocation-maxmind	Tries to identify the physical location of an IP address using a Geolocation Maxmind database file (available from http://www.maxmind.com/app/ip-location). This script supports queries using all Maxmind databases that are supported by their API including the commercial ones.
smtp-enum-users	Attempts to enumerate the users on a SMTP server by issuing the VRFY, EXPN or RCPT TO commands. The goal of this script is to discover all the user accounts in the remote system.
smtp-open-relay	Attempts to relay mail by issuing a predefined combination of SMTP commands. The goal of this script is to tell if a SMTP server is vulnerable to mail relaying.
socks-open-proxy	Checks if an open socks proxy is running on the target.
ssl-google-cert-catalog	Queries Google's Certificate Catalog for the SSL certificates retrieved from target hosts.
targets-asn	Produces a list of IP prefixes for a given routing AS number (ASN).
traceroute-geolocation	Lists the geographic locations of each hop in a traceroute and optionally saves the results to a KML file, plottable on Google earth and maps.
whois	Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.