Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News

Scripts

afp-brute

Performs password guessing against Apple Filing Protocol (AFP).

afp-path-vuln

Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.

backorifice-brute

Performs brute force password auditing against the BackOrifice service. The backorifice-brute.ports script argument is mandatory (it specifies ports to run the script against).

broadcast-avahi-dos

Attempts to discover hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is vulnerable to the Avahi NULL UDP packet denial of service (CVE-2011-1002).

citrix-brute-xml

Attempts to guess valid credentials for the Citrix PN Web Agent XML Service. The XML service authenticates against the local Windows server or Active Directory.

cvs-brute

Performs brute force password auditing against CVS pserver authentication.

cvs-brute-repository

Attempts to guess the name of the CVS repositories hosted on the remote server. With knowledge of the correct repository name, usernames and passwords can be guessed.

dns-brute

Attempts to enumerate DNS hostnames by brute force guessing of common subdomains.

dns-cache-snoop

Performs DNS cache snooping against a DNS server.

dns-fuzz

Launches a DNS fuzzing attack against DNS servers.

dns-nsec-enum

Enumerates DNS names using the DNSSEC NSEC-walking technique.

dns-random-srcport

Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).

dns-random-txid

Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
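The two entries above say what predictable source ports and TXIDs enable (cache poisoning, CVE-2008-1447) but not how to judge a resolver's values. The following is an added example, not the code of either NSE script: it parses TXIDs out of constructed DNS query packets, pairs them with the (constructed) UDP source ports they were sent from, and rates each field with a simple heuristic of this editor's own (constant value, fixed stride, or spread relative to the 16-bit space). The thresholds are illustrative assumptions, not an official scoring.

```python
import statistics
import struct

def build_query(txid, name="example.test"):
    """Constructed DNS query (12-byte header + one A question) carrying txid."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def dns_txid(packet):
    """The transaction ID is the first 16-bit field of the DNS header."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    return struct.unpack("!H", packet[:2])[0]

def rate_sequence(values, space_bits=16):
    """Heuristic rating (this example's own, not a standard scoring):
    'constant'   - one value reused for every query
    'sequential' - a fixed stride between consecutive values (incrementing
                   counters are the classic predictable behaviour)
    'random'     - population std-dev above an eighth of the value space
    'poor'       - anything else"""
    if len(values) < 3:
        raise ValueError("need at least 3 samples")
    if len(set(values)) == 1:
        return "constant"
    strides = {(b - a) % (1 << space_bits) for a, b in zip(values, values[1:])}
    if len(strides) == 1:
        return "sequential"
    return "random" if statistics.pstdev(values) > (1 << space_bits) / 8 else "poor"

def assess_resolver(observed):
    """observed: list of (source_port, dns_packet) captured from a resolver's
    outbound queries. Returns a rating for each randomised field."""
    ports = [p for p, _ in observed]
    txids = [dns_txid(pkt) for _, pkt in observed]
    return {"srcport": rate_sequence(ports), "txid": rate_sequence(txids)}

# Constructed captures (not real traffic): a resolver that pins source port 53
# and counts TXIDs up by one, and one that randomises both fields.
WEAK = [(53, build_query(t)) for t in range(1000, 1006)]
GOOD = list(zip([34211, 51877, 2944, 60135, 19502, 44620],
                [build_query(t) for t in [0x1f3a, 0xe481, 0x52c7, 0x9d0e, 0x3b75, 0xc812]]))

if __name__ == "__main__":
    print("weak resolver:", assess_resolver(WEAK))
    print("good resolver:", assess_resolver(GOOD))
```

Six samples are enough to expose a counter or a pinned port; a real assessment would capture more queries before trusting a "random" verdict.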

dns-zone-transfer

Requests a zone transfer (AXFR) from a DNS server.

domcon-brute

Performs brute force password auditing against the Lotus Domino Console.

domcon-cmd

Runs a console command on the Lotus Domino Console using the given authentication credentials (see also: domcon-brute)

domino-enum-users

Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability.

dpap-brute

Performs brute force password auditing against an iPhoto Library.

drda-brute

Performs password guessing against databases supporting the IBM DB2 protocol such as Informix, DB2 and Derby.

ftp-brute

Performs brute force password auditing against FTP servers.

ftp-libopie

Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow), a vulnerability discovered by Maksymilian Arciemowicz and Adam "pi3" Zabrocki. See the advisory at http://nmap.org/r/fbsd-sa-opie. Be advised that, if launched against a vulnerable host, this script will crash the FTPd.

ftp-proftpd-backdoor

Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.

ftp-vsftpd-backdoor

Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.

ftp-vuln-cve2010-4221

Checks for a stack-based buffer overflow in the ProFTPD server, versions between 1.3.2rc3 and 1.3.3b. By sending a large number of TELNET_IAC escape sequences, the proftpd process miscalculates the buffer length, and a remote attacker is able to corrupt the stack and execute arbitrary code within the context of the proftpd process (CVE-2010-4221). Authentication is not required to exploit this vulnerability.

hostmap

Tries to find hostnames that resolve to the target's IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html.

http-awstatstotals-exec

Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE-2008-3922).

http-axis2-dir-traversal

Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service '/conf/axis2.xml' using the path '/axis2/services/' to return the username and password of the admin account.

http-barracuda-dir-traversal

Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at http://seclists.org/fulldisclosure/2010/Oct/119.

http-brute

Performs brute force password auditing against http basic authentication.

http-domino-enum-passwords

Attempts to enumerate the hashed Domino Internet Passwords that are (by default) accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document.

http-enum

Enumerates directories used by popular web applications and servers.

http-form-brute

Performs brute force password auditing against http form-based authentication.

http-iis-webdav-vuln

Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, http://nmap.org/r/ms09-020.

http-joomla-brute

Performs brute force password auditing against Joomla web CMS installations.

http-litespeed-sourcecode-download

Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending an HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).

http-majordomo2-dir-traversal

Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049).

http-open-redirect

Spiders a website and attempts to identify open redirects. Open redirects are handlers which commonly take a URL as a parameter and respond with an HTTP redirect (3XX) to the target.

http-passwd

Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.

http-proxy-brute

Performs brute force password guessing against an HTTP proxy server.

http-put

Uploads a local file to a remote web server using the HTTP PUT method. You must specify the filename and URL path with NSE arguments.

http-unsafe-output-escaping

Spiders a website and attempts to identify output escaping problems where content is reflected back to the user. This script locates all parameters, ?x=foo&y=bar, and checks if the values are reflected on the page. If they are indeed reflected, the script will try to insert ghz>hzx"zxc'xcv and check which (if any) characters were reflected back onto the page without proper HTML escaping. This is an indication of a potential XSS vulnerability.
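The reflection check described above, as an added example rather than the NSE script's own code. It uses the same probe string, but the spidering and HTTP client are replaced by a `fetch` callback, and `fake_app` is a constructed stand-in for a target that echoes one parameter raw, one through HTML escaping, and ignores a third. The point it shows is why the probe wraps each special character in letters: the check looks for the three-letter neighbours joined by the raw character, so an entity-encoded reflection such as `&gt;` is correctly counted as escaped.

```python
from html import escape
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Same probe the script description gives: each special character sits
# between fixed letters so its reflection can be located unambiguously.
PROBE = 'ghz>hzx"zxc\'xcv'
SPECIALS = ['>', '"', "'"]

def inject_probe(url, param):
    """Return url with the value of `param` replaced by PROBE."""
    parts = urlsplit(url)
    query = [(k, PROBE if k == param else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def unescaped_reflections(body):
    """Specials that came back verbatim, flanked by the same letters as in
    PROBE; 'ghz&gt;hzx' therefore does not count as an unescaped '>'."""
    found = []
    for ch in SPECIALS:
        left, right = PROBE.split(ch)          # each special occurs once
        if left[-3:] + ch + right[:3] in body:
            found.append(ch)
    return found

def check_url(url, fetch):
    """Probe every query parameter of url. `fetch(url) -> body` is supplied
    by the caller (an HTTP client in real use, the constructed stub here).
    Returns {param: (reflected_at_all, [unescaped specials])}."""
    results = {}
    for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        body = fetch(inject_probe(url, name))
        reflected = "ghz" in body and "xcv" in body
        results[name] = (reflected, unescaped_reflections(body) if reflected else [])
    return results

def fake_app(url):
    """Constructed stand-in for a web application (not a real site):
    'x' is echoed raw, 'y' is echoed through html.escape, 'z' is ignored."""
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return ('<p>Search: %s</p><input value="%s">'
            % (q.get("x", ""), escape(q.get("y", ""), quote=True)))

if __name__ == "__main__":
    report = check_url("http://example.test/search?x=foo&y=bar&z=1", fake_app)
    for param, (reflected, unescaped) in report.items():
        print(param, "reflected" if reflected else "not reflected", unescaped)
```

A parameter reported as reflected with an empty list is escaped correctly; one with `>` or a quote in the list is the case worth a manual look, since which character matters depends on whether the value lands in text, an attribute, or a script block.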

http-userdir-enum

Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled.

http-vhosts

Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames.

http-vuln-cve2009-3960

Exploits CVE-2009-3960, also known as Adobe XML External Entity Injection.

http-vuln-cve2011-3368

Tests for the CVE-2011-3368 (Reverse Proxy Bypass) vulnerability in Apache HTTP server's reverse proxy mode. The script runs three tests:

  • the loopback test, with 3 payloads to handle different rewrite rules
  • the internal hosts test. According to Contextis, we expect a delay before a server error.
  • the external website test. This does not mean that you can reach a LAN IP, but it is a relevant issue anyway.

http-waf-detect

Attempts to determine whether a web server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or WAF (Web Application Firewall) by probing the web server with malicious payloads and detecting changes in the response code and body.

http-wordpress-brute

Performs brute force password auditing against Wordpress CMS/blog installations.

http-wordpress-enum

Enumerates usernames in Wordpress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.

http-wordpress-plugins

Tries to obtain a list of installed WordPress plugins by brute force testing for known plugins.

iax2-brute

Performs brute force password guessing against the Asterisk IAX2 protocol. Guessing fails when a large number of attempts is made, due to the maxcallnumber limit (default 2048). If you are getting "ERROR: Too many retries, aborted ..." after a while, this is most likely what is happening. To avoid this problem try:

  • reducing the size of your dictionary
  • using the brute delay option to introduce a delay between guesses
  • splitting the guessing into chunks and waiting for a while between them

imap-brute

Performs brute force password auditing against IMAP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication.

informix-brute

Performs brute force password auditing against IBM Informix Dynamic Server.

informix-query

Runs a query against IBM Informix Dynamic Server using the given authentication credentials (see also: informix-brute).

informix-tables

Retrieves a list of tables and column definitions for each database on an Informix server.

irc-brute

Performs brute force password auditing against IRC (Internet Relay Chat) servers.

irc-unrealircd-backdoor

Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.

iscsi-brute

Performs brute force password auditing against iSCSI targets.

krb5-enum-users

Discovers valid usernames by brute force querying likely usernames against a Kerberos service. When an invalid username is requested the server will respond using the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, allowing us to determine that the user name was invalid. Valid user names will elicit either the TGT in an AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, signaling that the user is required to perform pre-authentication.
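The classification rule above, worked through on the wire format, as an added example (not the NSE script's code). Kerberos messages are DER-encoded, so the block carries a minimal DER encoder/decoder of its own: a KRB-ERROR is `[APPLICATION 30]` wrapping a SEQUENCE whose `[6]` field is the error code, and an AS-REP is `[APPLICATION 11]`. Building and sending the AS-REQ is out of scope here; `fake_kdc` is a constructed stand-in that returns the replies a real KDC would give for an unknown user, a user requiring pre-authentication, and a user issued a TGT outright. Error code values 6 and 25 are the standard RFC 4120 assignments; the realm and timestamp in the constructed errors are placeholders.

```python
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KRB5KDC_ERR_PREAUTH_REQUIRED = 25
APP_AS_REP, APP_KRB_ERROR = 0x60 | 11, 0x60 | 30   # [APPLICATION 11] / [APPLICATION 30]

def der_tlv(tag, content):
    """Encode one DER element with a single-byte tag and definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content

def der_int(value):
    """Minimal two's-complement INTEGER."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return der_tlv(0x02, value.to_bytes(size, "big", signed=True))

def ctx(n, content):
    """Context-specific constructed tag [n], used for every Kerberos field."""
    return der_tlv(0xA0 | n, content)

def der_decode(data, pos=0):
    """Decode one element at pos -> (tag, content, position after it)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, data[pos:pos + length], pos + length

def der_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, inner, pos = der_decode(content, pos)
        out.append((tag, inner))
    return out

def classify_as_reply(msg):
    """Map the KDC's reply to an AS-REQ sent without pre-authentication to
    'valid' / 'invalid' / 'other:<code>', following the rule in the text."""
    tag, content, _ = der_decode(msg)
    if tag == APP_AS_REP:
        return "valid"                                  # TGT issued outright
    if tag != APP_KRB_ERROR:
        raise ValueError("not a Kerberos AS reply")
    _, seq, _ = der_decode(content)                     # SEQUENCE inside [APPLICATION 30]
    fields = {t & 0x1F: inner for t, inner in der_children(seq)}
    _, raw, _ = der_decode(fields[6])                   # [6] error-code Int32
    code = int.from_bytes(raw, "big", signed=True)
    if code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
        return "invalid"
    if code == KRB5KDC_ERR_PREAUTH_REQUIRED:
        return "valid"
    return "other:%d" % code

def enumerate_users(candidates, kdc):
    """`kdc(username) -> reply bytes` is the transport (an AS-REQ exchange
    in real use; the constructed stub below)."""
    return [u for u in candidates if classify_as_reply(kdc(u)) == "valid"]

def build_krb_error(code, realm=b"EXAMPLE.TEST"):
    """Constructed KRB-ERROR carrying only the fields this check needs."""
    seq = (ctx(0, der_int(5)) + ctx(1, der_int(30))
           + ctx(4, der_tlv(0x18, b"20240101000000Z")) + ctx(5, der_int(0))
           + ctx(6, der_int(code)) + ctx(9, der_tlv(0x1B, realm)))
    return der_tlv(APP_KRB_ERROR, der_tlv(0x30, seq))

def fake_kdc(username):
    """Constructed KDC (not real): alice needs pre-auth, svc gets a TGT
    outright, every other principal is unknown."""
    if username == "alice":
        return build_krb_error(KRB5KDC_ERR_PREAUTH_REQUIRED)
    if username == "svc":
        seq = ctx(0, der_int(5)) + ctx(1, der_int(11))  # truncated AS-REP, enough to classify
        return der_tlv(APP_AS_REP, der_tlv(0x30, seq))
    return build_krb_error(KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN)

if __name__ == "__main__":
    print(enumerate_users(["alice", "bob", "svc"], fake_kdc))
```

Any other error code (an expired or disabled account, for instance) is reported rather than folded into "invalid", since such codes are only returned for principals that exist.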

ldap-brute

Attempts to brute-force LDAP authentication. By default it uses the built-in username and password lists. In order to use your own lists use the userdb and passdb script arguments.

membase-brute

Performs brute force password guessing against Couchbase Membase servers.

metasploit-xmlrpc-brute

Performs brute force password auditing against a Metasploit RPC server using the XMLRPC protocol.

modbus-discover

Enumerates SCADA Modbus slave ids (sids) and collects their device information.

ms-sql-brute

Performs password guessing against Microsoft SQL Server (ms-sql). Works best in conjunction with the broadcast-ms-sql-discover script.

ms-sql-empty-password

Attempts to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.

ms-sql-xp-cmdshell

Attempts to run a command using the command shell of Microsoft SQL Server (ms-sql).

mysql-brute

Performs password guessing against MySQL.

mysql-databases

Attempts to list all databases on a MySQL server.

mysql-empty-password

Checks for MySQL servers with an empty password for root or anonymous.

mysql-users

Attempts to list all users on a MySQL server.

mysql-variables

Attempts to show all variables on a MySQL server.

nessus-brute

Performs brute force password auditing against a Nessus vulnerability scanning daemon using the NTP 1.2 protocol.

nessus-xmlrpc-brute

Performs brute force password auditing against a Nessus vulnerability scanning daemon using the XMLRPC protocol.

netbus-brute

Performs brute force password auditing against the Netbus backdoor ("remote administration") service.

nexpose-brute

Performs brute force password auditing against a Nexpose vulnerability scanner using the API 1.1. By default it only tries three guesses per username to avoid target account lockout.

nping-brute

Performs brute force password auditing against an Nping Echo service.

nrpe-enum

Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such as load averages, process counts, logged in user information, etc.

ntp-monlist

Obtains and prints an NTP server's monitor data.

omp2-brute

Performs brute force password auditing against the OpenVAS manager using OMPv2.

openvas-otp-brute

Performs brute force password auditing against an OpenVAS vulnerability scanner daemon using the OTP 1.0 protocol.

oracle-brute

Performs brute force password auditing against Oracle servers.

oracle-enum-users

Attempts to enumerate valid Oracle user names against unpatched Oracle 11g servers (this bug was fixed in Oracle's October 2009 Critical Patch Update).

oracle-sid-brute

Guesses Oracle instance/SID names against the TNS-listener.

pgsql-brute

Performs password guessing against PostgreSQL.

pjl-ready-message

Retrieves or sets the ready message on printers that support the Printer Job Language. This includes most PostScript printers that listen on port 9100. Without an argument, displays the current ready message. With the pjl_ready_message script argument, displays the old ready message and changes it to the message given.

pop3-brute

Tries to log into a POP3 account by guessing usernames and passwords.

redis-brute

Performs brute force password guessing against a Redis key-value store.

rexec-brute

Performs brute force password auditing against the classic UNIX rexec (remote exec) service.

rlogin-brute

Performs brute force password auditing against the classic UNIX rlogin (remote login) service. This script must be run in privileged mode on UNIX because it must bind to a low source port number.

rtsp-url-brute

Attempts to enumerate RTSP media URLs by testing for common paths on devices such as surveillance IP cameras.

sip-brute

Performs brute force password auditing against Session Initiation Protocol (SIP - http://en.wikipedia.org/wiki/Session_Initiation_Protocol) accounts. This protocol is most commonly associated with VoIP sessions.

sip-enum-users

Attempts to enumerate valid user account using SIP (Session Initiation Protocol - http://en.wikipedia.org/wiki/Session_Initiation_Protocol). This protocol is most commonly associated with VoIP sessions. Currently only the SIP server Asterisk is supported.

smb-brute

Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. Every attempt will be made to get a valid list of users and to verify each username before actually using them. When a username is discovered, besides being printed, it is also saved in the Nmap registry so other Nmap scripts can use it. That means that if you're going to run smb-brute.nse, you should run it together with the other smb scripts you want to use. This checks passwords in a case-insensitive way, determining case after a password is found, for Windows versions before Vista.

smb-check-vulns

Checks for vulnerabilities:

  • MS08-067, a Windows RPC vulnerability
  • Conficker, an infection by the Conficker worm
  • Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000
  • SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
  • MS06-025, a Windows Ras RPC service vulnerability
  • MS07-029, a Windows Dns Server RPC service vulnerability

smb-enum-domains

Attempts to enumerate domains on a system, along with their policies. This generally requires credentials, except against Windows 2000. In addition to the actual domain, the "Builtin" domain is generally displayed. Windows returns this in the list of domains, but its policies don't appear to be used anywhere.

smb-enum-groups

Obtains a list of groups from the remote Windows system, as well as a list of the group's users. This works similarly to enum.exe with the /G switch.

smb-enum-processes

Pulls a list of processes from the remote server over SMB. This will determine all running processes, their process IDs, and their parent processes. It is done by querying the remote registry service, which is disabled by default on Vista; on all other Windows versions, it requires Administrator privileges.

smb-enum-sessions

Enumerates the users logged into a system either locally or through an SMB share. The local users can be logged on either physically on the machine, or through a terminal services session. Connections to an SMB share are, for example, people connected to file shares or making RPC calls. Nmap's own connection will also show up, and is generally identifiable as the one that connected "0 seconds ago".

smb-enum-shares

Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names is checked.

smb-enum-users

Attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different techniques (both over MSRPC, which uses port 445 or 139; see smb.lua). The goal of this script is to discover all user accounts that exist on a remote system. This can be helpful for administration, by seeing who has an account on a server, or for penetration testing or network footprinting, by determining which accounts exist on a system.

smb-flood

Exhausts a remote SMB server's connection limit by opening as many connections as we can. Most implementations of SMB have a hard global limit of 11 connections for user accounts and 10 connections for anonymous. Once that limit is reached, further connections are denied. This script exploits that limit by taking up all the connections and holding them.

smb-psexec

Implements remote process execution similar to the Sysinternals' psexec tool, allowing a user to run a series of programs on a remote machine and read the output. This is great for gathering information about servers, running the same tool on a range of systems, or even installing a backdoor on a collection of computers.

smb-server-stats

Attempts to grab the server's statistics over SMB and MSRPC, which uses TCP ports 445 or 139.

smb-system-info

Pulls back information about the remote system from the registry. Getting all of the information requires an administrative account, although a user account will still get a lot of it. Guest probably won't get any, nor will anonymous. This goes for all operating systems, including Windows 2000.

smtp-brute

Performs brute force password auditing against SMTP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication.

smtp-enum-users

Attempts to enumerate the users on an SMTP server by issuing the VRFY, EXPN or RCPT TO commands. The goal of this script is to discover all the user accounts in the remote system.

smtp-open-relay

Attempts to relay mail by issuing a predefined combination of SMTP commands. The goal of this script is to tell if an SMTP server is vulnerable to mail relaying.

smtp-vuln-cve2010-4344

Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345).

smtp-vuln-cve2011-1720

Checks for a memory corruption in the Postfix SMTP server when it uses Cyrus SASL library authentication mechanisms (CVE-2011-1720). This vulnerability can allow denial of service and possibly remote code execution.

smtp-vuln-cve2011-1764

Checks for a format string vulnerability in the Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support (CVE-2011-1764). The DKIM logging mechanism did not use format string specifiers when logging some parts of the DKIM-Signature header field. A remote attacker who is able to send emails, can exploit this vulnerability and execute arbitrary code with the privileges of the Exim daemon.

sniffer-detect

Checks if a target on a local Ethernet has its network card in promiscuous mode.

snmp-brute

Attempts to find an SNMP community string by brute force guessing.

snmp-ios-config

Attempts to download Cisco router IOS configuration files using SNMP RW (v1) and display or save them.

socks-brute

Performs brute force password guessing against SOCKS 5 servers.

sql-injection

Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack.

ssl-enum-ciphers

This script repeatedly initiates SSL/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphers and compressors that a server accepts.
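The one-suite-per-handshake technique described above, as an added example that is not the NSE script's code. It builds a TLS 1.2 ClientHello offering exactly one cipher suite and one compression method, then classifies the reply: a ServerHello means the server accepted that suite (and names it), a fatal alert means it was rejected. `make_fake_server` is a constructed stand-in for the remote side, so the block runs offline; the suite identifiers (0xC02F, 0x009C, 0x002F, 0x0004) are standard IANA values and the set the fake server supports is an assumption of the example. The real script also walks protocol versions and SSLv2/SSLv3, which this single-version sketch does not.

```python
import os
import struct

TLS12 = b"\x03\x03"
RECORD_HANDSHAKE, RECORD_ALERT = 22, 21
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2
ALERT_HANDSHAKE_FAILURE = 40

def _record(content_type, payload):
    return bytes([content_type]) + TLS12 + struct.pack("!H", len(payload)) + payload

def _handshake(hs_type, body):
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body

def client_hello(cipher_suite, compression=0):
    """ClientHello offering exactly one cipher suite and one compression
    method, so the reply says whether that particular pair is acceptable."""
    body = (TLS12 + os.urandom(32) + b"\x00"           # version, random, empty session id
            + struct.pack("!HH", 2, cipher_suite)      # suite list: 2 bytes long, one suite
            + bytes([1, compression]))                 # compression list: one method
    return _record(RECORD_HANDSHAKE, _handshake(HS_CLIENT_HELLO, body))

def classify_reply(record):
    """('accepted', suite) for a ServerHello, ('rejected', alert_description)
    for an alert; anything else is treated as an error."""
    ctype, length = record[0], struct.unpack("!H", record[3:5])[0]
    payload = record[5:5 + length]
    if ctype == RECORD_ALERT and len(payload) == 2:
        return "rejected", payload[1]
    if ctype == RECORD_HANDSHAKE and payload[0] == HS_SERVER_HELLO:
        body = payload[4:]                             # skip type + 24-bit length
        sid_len = body[34]                             # after version(2) + random(32)
        suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
        return "accepted", suite
    raise ValueError("unexpected reply")

def enumerate_ciphers(candidates, send):
    """Try each suite in its own handshake. `send(record) -> record` is the
    transport (a socket in real use, the constructed server below)."""
    accepted = []
    for suite in candidates:
        verdict, detail = classify_reply(send(client_hello(suite)))
        if verdict == "accepted" and detail == suite:
            accepted.append(suite)
    return accepted

def make_fake_server(supported):
    """Constructed stand-in for a TLS server (no network): parses the offered
    suite list and answers with a ServerHello or a handshake_failure alert."""
    def respond(record):
        body = record[5 + 4:]                          # record header + handshake header
        sid_len = body[34]
        off = 35 + sid_len
        n = struct.unpack("!H", body[off:off + 2])[0]
        offered = [struct.unpack("!H", body[off + 2 + i:off + 4 + i])[0]
                   for i in range(0, n, 2)]
        chosen = next((s for s in offered if s in supported), None)
        if chosen is None:
            return _record(RECORD_ALERT, bytes([2, ALERT_HANDSHAKE_FAILURE]))
        hello = TLS12 + os.urandom(32) + b"\x00" + struct.pack("!H", chosen) + b"\x00"
        return _record(RECORD_HANDSHAKE, _handshake(HS_SERVER_HELLO, hello))
    return respond

if __name__ == "__main__":
    server = make_fake_server({0xC02F, 0x009C})
    for suite in enumerate_ciphers([0xC02F, 0x002F, 0x009C, 0x0004], server):
        print("accepted: 0x%04X" % suite)
```

The check `detail == suite` matters: a server that ignores the offered list and answers with some other suite would otherwise be misread as accepting everything.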

stuxnet-detect

Detects whether a host is infected with the Stuxnet worm (http://en.wikipedia.org/wiki/Stuxnet).

svn-brute

Performs brute force password auditing against Subversion source code control servers.

telnet-brute

Tries to get Telnet login credentials by guessing usernames and passwords.

tftp-enum

Enumerates TFTP (trivial file transfer protocol) filenames by testing for a list of common ones.

vmauthd-brute

Performs brute force password guessing against the VMWare Authentication Daemon (vmware-authd).

vnc-brute

Performs brute force password auditing against VNC servers.

xmpp-brute

Performs brute force password auditing against XMPP (Jabber) instant messaging servers.
