Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News

Scripts

afp-brute

Performs password guessing against Apple Filing Protocol (AFP).

citrix-brute-xml

Attempts to guess valid credentials for the Citrix PN Web Agent XML Service. The XML service authenticates against the local Windows server or Active Directory.

dhcp-discover

Sends a DHCPDISCOVER request to a host on UDP port 67. The response comes back to UDP port 68 and is read with pcap, because a script cannot currently choose its own source port.

dns-cache-snoop

Performs DNS cache snooping against a DNS server.

dns-fuzz

This script launches a DNS fuzzing attack against any DNS server.

dns-random-srcport

Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).

dns-random-txid

Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
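The two checks above rest on the same measurement: collect the 16-bit values a resolver uses on successive outgoing queries and decide whether an off-path attacker could guess the next one. The following is an added example of that rating logic, written for this page and not taken from the dns-random-srcport or dns-random-txid scripts; it assumes you already hold the observed values (for instance logged by an authoritative server for a zone you control that the resolver was made to query), and the cut-off thresholds in it are assumptions chosen for illustration.

```python
"""Rate the predictability of DNS source ports or transaction IDs.

Added example; this is not Nmap's dns-random-srcport / dns-random-txid code.
It assumes you already hold a list of the 16-bit values a resolver used on
successive outgoing queries (for instance, logged by an authoritative server
for a zone you control that the resolver was made to query).
"""
from collections import Counter

MOD = 1 << 16            # ports and TXIDs are both 16-bit


def rate_sequence(values, min_samples=8):
    """Classify a sequence of 16-bit values.

    FIXED       every query used the same value (e.g. always source port 53)
    SEQUENTIAL  most consecutive differences are the same small step (+1, +2 ...)
    NARROW      values vary but stay inside a small window
    RANDOM      none of the above; the sample looks unpredictable

    The thresholds (80% of steps, step <= 16, window of 1024) are assumed
    cut-offs for this example, not values taken from the Nmap scripts.
    """
    if len(values) < min_samples:
        raise ValueError(f"need at least {min_samples} samples, got {len(values)}")
    if any(not 0 <= v < MOD for v in values):
        raise ValueError("values must be 16-bit")

    if len(set(values)) == 1:
        return "FIXED"

    # Differences modulo 2^16 so a counter wrapping 65535 -> 0 still reads as +1.
    deltas = [(b - a) % MOD for a, b in zip(values, values[1:])]
    step, count = Counter(deltas).most_common(1)[0]
    if step <= 16 and count >= 0.8 * len(deltas):
        return "SEQUENTIAL"

    if max(values) - min(values) < 1024:
        return "NARROW"
    return "RANDOM"


def rate_resolver(source_ports, txids):
    """Report both dimensions; either one being predictable is enough for an
    off-path attacker to spoof responses (the CVE-2008-1447 condition)."""
    return {"source_port": rate_sequence(source_ports), "txid": rate_sequence(txids)}


# Constructed samples, not captured from a real resolver.
OLD_RESOLVER_PORTS = [53] * 10                                  # fixed port
OLD_RESOLVER_TXIDS = list(range(4096, 4106))                    # simple counter
PATCHED_PORTS = [49211, 3120, 61877, 18034, 40996, 27401, 9650, 55312, 2987, 33760]
PATCHED_TXIDS = [15342, 60017, 2214, 48890, 31005, 9961, 57720, 22086, 44251, 700]

if __name__ == "__main__":
    print("old:", rate_resolver(OLD_RESOLVER_PORTS, OLD_RESOLVER_TXIDS))
    print("patched:", rate_resolver(PATCHED_PORTS, PATCHED_TXIDS))
```

Ten samples is enough to spot a fixed port or a counter; judging true randomness needs far more, so treat RANDOM as "nothing obviously wrong" rather than as a clean bill of health.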

dns-recursion

Checks if a DNS server allows queries for third-party names. It is expected that recursion will be enabled on your own internal nameservers.
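Both dns-cache-snoop and dns-recursion come down to one header bit and one count in the reply: a query with RD cleared can only be answered from cache, and a recursive query for a third-party name is only honoured when the server sets RA and returns an answer. Here is an added example of both checks at the wire level, written for this page and not code from either Nmap script; the wire format follows RFC 1035, and build_response() exists only to construct sample replies so the logic can run offline.

```python
"""DNS cache snooping and open-recursion checks at the packet level.

Added example, not code from Nmap or its dns-cache-snoop / dns-recursion
scripts. The wire-format helpers follow RFC 1035; build_response() exists only
to construct sample replies inline so the logic can be exercised offline.
"""
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid, recursion_desired):
    """Query for an A record. recursion_desired=False is the snooping probe:
    a resolver may only answer from cache, so an answer means the name is cached."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def snoop_verdict(query, response):
    """Interpret the reply to a non-recursive (RD=0) query."""
    q, r = parse_header(query), parse_header(response)
    if q["rd"]:
        raise ValueError("snooping needs a query with RD cleared")
    if not r["qr"] or r["txid"] != q["txid"]:
        raise ValueError("reply does not match query")
    if r["rcode"] == RCODE_REFUSED:
        return "refused"
    if r["rcode"] == RCODE_NOERROR and r["ancount"] > 0:
        return "cached"
    return "not cached"        # no answer: referral, NXDOMAIN, or an empty NOERROR


def allows_recursion(query, response):
    """True if the server answered a recursive query for a name it does not
    serve authoritatively: RA set, NOERROR, and at least one answer RR."""
    q, r = parse_header(query), parse_header(response)
    if not q["rd"] or not r["qr"] or r["txid"] != q["txid"]:
        raise ValueError("need a recursive query and its matching reply")
    return r["ra"] and r["rcode"] == RCODE_NOERROR and r["ancount"] > 0


def build_response(query, ra, rcode, answer_ip=None):
    """Constructed reply for tests: echoes the question, optionally adds one A RR
    whose name is a compression pointer (0xC00C) back to the question name."""
    q = parse_header(query)
    flags = FLAG_QR | (FLAG_RD if q["rd"] else 0) | (FLAG_RA if ra else 0) | rcode
    question = query[12:]
    answer = b""
    if answer_ip:
        answer = (struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 300, 4)
                  + socket.inet_aton(answer_ip))
    header = struct.pack("!HHHHHH", q["txid"], flags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer
```

To use this against a live server, send build_query(...) over UDP port 53 and hand the datagram that comes back to snoop_verdict() or allows_recursion(); pick a fresh, unpredictable txid per query so you never accept a stale or spoofed reply.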

dns-zone-transfer

Requests a zone transfer (AXFR) from a DNS server.

drda-brute

Performs password guessing against databases that speak the IBM DB2 (DRDA) protocol, such as Informix, DB2 and Derby.

ftp-bounce

Checks to see if an FTP server allows port scanning using the FTP bounce method.
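The bounce check is a short control-channel exchange: a PORT command naming a third host, then a command that forces the server to open the data connection. The added example below, written for this page and not taken from the ftp-bounce script, encodes the PORT argument and reads the reply codes; it assumes an already authenticated control channel represented as a send(command) -> reply-line callable, and the port list and server replies in the usage are constructed.

```python
"""FTP bounce check: can the server be made to open data connections to a third host?

Added example; not Nmap's ftp-bounce script. It assumes an already
authenticated FTP control channel represented as send(command) -> reply line
(the first line of the server's reply is enough for this logic).
"""


def reply_code(reply):
    """Leading 3-digit code of an FTP reply line."""
    return int(reply[:3])


def port_argument(ip, port):
    """Encode a PORT argument, h1,h2,h3,h4,p1,p2 (RFC 959), for an arbitrary
    host. A server that honours this for an address other than the client's
    own can be used to scan that host."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def parse_port_argument(arg):
    """Inverse of port_argument(): 'h1,h2,h3,h4,p1,p2' -> (ip, port)."""
    fields = [int(f) for f in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f < 256 for f in fields):
        raise ValueError(f"bad PORT argument: {arg!r}")
    return ".".join(map(str, fields[:4])), (fields[4] << 8) | fields[5]


def probe_port(send, target_ip, port):
    """One bounce probe. Returns 'bounce refused', 'open', 'closed' or 'unknown'.

    PORT is accepted with 200 only if the server allows the third-party
    address; a following LIST then makes the server connect to target_ip:port.
    125/150 means the data connection was established (port open);
    425 means it could not be (port closed or filtered).
    """
    reply = send("PORT " + port_argument(target_ip, port))
    if reply_code(reply) != 200:
        return "bounce refused"
    reply = send("LIST")
    code = reply_code(reply)
    if code in (125, 150):
        return "open"
    if code == 425:
        return "closed"
    return "unknown"


def bounce_scan(send, target_ip, ports):
    """Probe several ports on the third host through the same FTP server."""
    return {p: probe_port(send, target_ip, p) for p in ports}
```

A hardened server answers the very first PORT with a 5xx such as "Illegal PORT command" when the address is not the client's own; that is the result you want to see, and the scan stops there.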

ftp-brute

Tries to get FTP login credentials by guessing usernames and passwords.

ftp-libopie

Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow), a vulnerability discovered by Maksymilian Arciemowicz and Adam "pi3" Zabrocki. See the advisory at http://nmap.org/r/fbsd-sa-opie. Be advised that, if launched against a vulnerable host, this script will crash the FTPd.

http-auth

Retrieves the authentication scheme and realm of a web service that requires authentication.

http-enum

Enumerates directories used by popular web applications and servers.

http-iis-webdav-vuln

Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, http://nmap.org/r/ms09-020.

http-open-proxy

Checks if an HTTP proxy is open.

http-passwd

Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini using various traversal methods such as requesting ../../../../etc/passwd.
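The interesting part of such a check is not the one payload the description quotes but the family of encodings a filter may decode differently, and judging success by file content rather than by status code. The following added example, written for this page and not taken from the http-passwd script, generates that family and recognises the two target files; it assumes a caller-supplied fetch(path) -> (status, body) function, and its encoding list is illustrative, not exhaustive.

```python
"""Directory-traversal probe generation and leak detection.

Added example; not Nmap's http-passwd script. It assumes a caller-supplied
fetch(path) -> (status, body_bytes) function (an HTTP client you already have)
and a small set of encodings of "../"; the list is illustrative, not exhaustive.
"""
import re

# Encodings of a single "go up one directory" step that different servers
# and filters decode differently.
STEP_ENCODINGS = [
    "../",          # plain
    "..%2f",        # URL-encoded slash
    "..%252f",      # double URL-encoded slash (decoded twice by some stacks)
    "..%c0%af",     # overlong UTF-8 encoding of "/"
    "..\\",         # Windows separator
    "..%5c",        # URL-encoded backslash
    "....//",       # survives a filter that strips one "../"
    "%2e%2e/",      # URL-encoded dots
]

# File-content signatures: the root entry of /etc/passwd and the
# section header of boot.ini.
PASSWD_RE = re.compile(rb"^root:[^:\n]*:0:0:", re.M)
BOOT_INI_RE = re.compile(rb"\[boot loader\]", re.I)


def detect_leak(body):
    """Return 'passwd', 'boot.ini', or None. Checking the body, not the status
    code, avoids false positives from 200 responses that just echo the URL."""
    if PASSWD_RE.search(body):
        return "passwd"
    if BOOT_INI_RE.search(body):
        return "boot.ini"
    return None


def traversal_paths(depth=8):
    """Yield request paths: each step encoding repeated `depth` times,
    followed by each target file."""
    for step in STEP_ENCODINGS:
        prefix = step * depth
        yield "/" + prefix + "etc/passwd"
        yield "/" + prefix + "boot.ini"


def probe(fetch, depth=8):
    """Try every path until one returns a recognisable file. Returns
    (path, kind) on success, or None."""
    for path in traversal_paths(depth):
        _status, body = fetch(path)
        kind = detect_leak(body)
        if kind:
            return path, kind
    return None
```

Depth matters: eight steps is enough to climb out of any realistic document root, and extra "../" past the filesystem root are harmless, so err on the high side.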

http-userdir-enum

Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled.

ldap-brute

Attempts to brute-force LDAP authentication. By default it uses the built-in username and password lists. In order to use your own lists use the userdb and passdb script arguments.

ms-sql-brute

Performs password guessing against Microsoft SQL Server (ms-sql).

ms-sql-empty-password

Attempts to authenticate using an empty password for the sysadmin (sa) account.

ms-sql-info

Attempts to extract information from Microsoft SQL Server instances.

ms-sql-xp-cmdshell

Attempts to run a command using the command shell of Microsoft SQL Server (ms-sql).

mysql-brute

Performs password guessing against MySQL.

mysql-databases

Attempts to list all databases on a MySQL server.

mysql-empty-password

Checks for MySQL servers with an empty password for root or anonymous.

mysql-users

Attempts to list all users on a MySQL server.

mysql-variables

Attempts to show all variables on a MySQL server.

ntp-monlist

Obtains and prints an NTP server's monitor data.

oracle-sid-brute

Guesses Oracle instance/SID names against the TNS-listener.

pgsql-brute

Performs password guessing against PostgreSQL.

pjl-ready-message

Retrieves or sets the ready message on printers that support the Printer Job Language. This includes most PostScript printers that listen on port 9100. Without an argument, displays the current ready message. With the pjl_ready_message script argument, displays the old ready message and changes it to the message given.

pop3-brute

Tries to log into a POP3 account by guessing usernames and passwords.

smb-brute

Attempts to guess username/password combinations over SMB and stores the discovered combinations for use by other scripts. Every attempt is made to obtain a valid list of users and to verify each username before actually using it. When a username is discovered it is printed and also saved in the Nmap registry so that other SMB scripts can use it; run smb-brute in the same Nmap invocation as the other smb scripts you want to benefit from the discovered credentials. On Windows versions before Vista the script checks passwords case-insensitively and determines the correct case only after a password is found.

smb-check-vulns

Checks for vulnerabilities:

  • MS08-067, a Windows RPC vulnerability
  • Conficker, an infection by the Conficker worm
  • Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000
  • SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
  • MS06-025, a Windows Ras RPC service vulnerability
  • MS07-029, a Windows Dns Server RPC service vulnerability

smb-enum-domains

Attempts to enumerate domains on a system, along with their policies. This generally requires credentials, except against Windows 2000. In addition to the actual domain, the "Builtin" domain is generally displayed. Windows returns this in the list of domains, but its policies don't appear to be used anywhere.

smb-enum-groups

Obtains a list of groups from the remote Windows system, as well as a list of the group's users. This works similarly to enum.exe with the /G switch.

smb-enum-processes

Pulls a list of processes from the remote server over SMB. This will determine all running processes, their process IDs, and their parent processes. It is done by querying the remote registry service, which is disabled by default on Vista; on all other Windows versions, it requires Administrator privileges.

smb-enum-sessions

Enumerates the users logged into a system either locally or through an SMB share. The local users can be logged on either physically at the machine or through a terminal services session. Connections to an SMB share are, for example, people connected to file shares or making RPC calls. Nmap's own connection will also show up; it is usually the one that connected "0 seconds ago".

smb-enum-shares

Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names is checked.

smb-enum-users

Attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different techniques (both over MSRPC, which uses port 445 or 139; see smb.lua). The goal of this script is to discover all user accounts that exist on a remote system. This can be helpful for administration, by seeing who has an account on a server, or for penetration testing or network footprinting, by determining which accounts exist on a system.

smb-psexec

This script implements remote process execution similar to the Sysinternals psexec tool, allowing a user to run a series of programs on a remote machine and read the output. This is great for gathering information about servers, running the same tool on a range of systems, or even installing a backdoor on a collection of computers.

smb-server-stats

Attempts to grab the server's statistics over SMB and MSRPC, which uses TCP ports 445 or 139.

smb-system-info

Pulls back information about the remote system from the registry. Getting all of the information requires an administrative account, although a user account will still get a lot of it. Guest probably won't get any, nor will anonymous. This goes for all operating systems, including Windows 2000.

smtp-enum-users

Attempts to enumerate the users on an SMTP server by issuing the VRFY, EXPN or RCPT TO commands. The goal of this script is to discover all the user accounts in the remote system.

smtp-open-relay

Attempts to relay mail by issuing a predefined combination of SMTP commands. The goal of this script is to tell if an SMTP server is vulnerable to mail relaying.
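What "a predefined combination of SMTP commands" means in practice is a set of sender/recipient pairs that try the obvious external recipient and then the classic source-routing tricks, each stopped before DATA so nothing is delivered. The added example below, written for this page and not code from the smtp-open-relay script, runs that exchange through a send(line) -> reply callable so it can be exercised offline; its address forms are modelled on the classic relay checks and are not the exact list the Nmap script uses, and the host and recipient names are constructed.

```python
"""Open-relay test exchange for an SMTP server.

Added example; not Nmap's smtp-open-relay script. The transport is abstracted
as send(line) -> reply so the logic runs offline against constructed replies;
the sender/recipient forms are modelled on the classic relay checks (external
recipient plus percent-hack, bang-path, quoted and source-routed addresses)
and are not the exact list the Nmap script uses.
"""


def reply_code(reply):
    """Leading 3-digit code of an SMTP reply line."""
    return int(reply[:3])


def relay_tests(local_host, relay_to):
    """(MAIL FROM, RCPT TO) pairs. relay_to is an address the server does not
    host; every form below is a way of asking it to forward mail there."""
    user, domain = relay_to.split("@", 1)
    local = f"<nobody@{local_host}>"
    return [
        ("<>", f"<{relay_to}>"),                              # null sender, external recipient
        (local, f"<{relay_to}>"),                             # local sender, external recipient
        (local, f"<{user}%{domain}@{local_host}>"),           # percent hack
        (local, f'<"{relay_to}">'),                           # quoted local-part
        (local, f"<{domain}!{user}>"),                        # UUCP bang path
        (local, f"<@{local_host}:{relay_to}>"),               # RFC 821 source route
    ]


def check_open_relay(send, local_host, relay_to="relaytest@example.net"):
    """Return the (mail_from, rcpt_to) pairs the server accepted with 250.

    A non-empty result means the server will queue mail for a domain it does
    not host, i.e. it is an open relay for at least that address form.
    Nothing is actually delivered: the session is reset after each RCPT and
    closed with QUIT, never DATA.
    """
    accepted = []
    if reply_code(send(f"HELO {local_host}")) != 250:
        raise RuntimeError("server rejected HELO")
    for mail_from, rcpt_to in relay_tests(local_host, relay_to):
        send("RSET")
        if reply_code(send(f"MAIL FROM:{mail_from}")) != 250:
            continue
        if reply_code(send(f"RCPT TO:{rcpt_to}")) == 250:
            accepted.append((mail_from, rcpt_to))
    send("QUIT")
    return accepted
```

Some servers accept every RCPT and only reject at DATA, so a 250 here is a strong indication rather than proof; the Nmap script has the same limitation, which is why its output talks about the server appearing vulnerable.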

sniffer-detect

Checks if a target on a local Ethernet has its network card in promiscuous mode.

snmp-brute

Attempts to find an SNMP community string by brute force guessing.

socks-open-proxy

Checks if an open socks proxy is running on the target.

sql-injection

Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack.

ssl-enum-ciphers

This script repeatedly initiates SSL/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphers and compressors that a server accepts.
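The trick that makes this enumeration reliable is to offer exactly one cipher suite and one compression method per handshake, so the server has to either pick it or refuse. The added example below, written for this page and not code from ssl-enum-ciphers, builds such a TLS 1.2 ClientHello and classifies the first record that comes back; the socket I/O is left to the caller, build_server_hello() only constructs sample replies for offline testing, and the client random defaults to zeros purely for reproducibility.

```python
"""One-suite-at-a-time TLS probing, the technique behind cipher enumeration.

Added example; not Nmap's ssl-enum-ciphers. It builds a TLS 1.2 ClientHello
that offers exactly one cipher suite and one compression method, and
classifies the server's first record: a ServerHello selecting that suite
means "accepted", a handshake_failure alert means "rejected". The socket
I/O is left to the caller; build_server_hello() only constructs sample
replies so the parser can be exercised offline.
"""
import struct

TLS12 = 0x0303
RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2
ALERT_HANDSHAKE_FAILURE = 40


def client_hello(cipher_suite, server_name, compression=0x00, client_random=bytes(32)):
    """ClientHello record. client_random defaults to zeros for reproducibility;
    use os.urandom(32) when sending to a real server."""
    host = server_name.encode("ascii")
    # server_name extension: list length, name_type 0 (host_name), name length, name
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni
    body = (struct.pack("!H", TLS12) + client_random
            + b"\x00"                                   # empty session id
            + struct.pack("!HH", 2, cipher_suite)       # exactly one suite
            + struct.pack("!BB", 1, compression)        # exactly one compressor
            + struct.pack("!H", len(ext)) + ext)
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", RECORD_HANDSHAKE, 0x0301, len(handshake)) + handshake


def classify_reply(offered_suite, record):
    """Interpret the first record the server sends back."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if ctype == RECORD_ALERT:
        return {"accepted": False, "alert": body[1]}
    if ctype == RECORD_HANDSHAKE and body[0] == HS_SERVER_HELLO:
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        version = struct.unpack("!H", hello[:2])[0]
        sid_len = hello[34]                              # after version(2) + random(32)
        off = 35 + sid_len
        suite, comp = struct.unpack("!HB", hello[off:off + 3])
        # A server that picks a suite you never offered is broken or hostile.
        return {"accepted": suite == offered_suite, "version": version,
                "cipher_suite": suite, "compression": comp}
    raise ValueError("unexpected record type %#x" % ctype)


def build_server_hello(cipher_suite, compression=0x00):
    """Constructed ServerHello for offline testing (zero random, empty session id)."""
    hello = (struct.pack("!H", TLS12) + bytes(32) + b"\x00"
             + struct.pack("!HB", cipher_suite, compression))
    handshake = bytes([HS_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", RECORD_HANDSHAKE, TLS12, len(handshake)) + handshake


# Fatal handshake_failure alert, the usual "no shared cipher" answer.
HANDSHAKE_FAILURE_ALERT = (struct.pack("!BHH", RECORD_ALERT, TLS12, 2)
                           + bytes([2, ALERT_HANDSHAKE_FAILURE]))
```

Enumerating compressors is the same loop with the compression byte varied (0x01 is DEFLATE); a server that accepts it is exposed to CRIME-style attacks, which is why the script reports compressors alongside ciphers.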

telnet-brute

Tries to get Telnet login credentials by guessing usernames and passwords.

vnc-brute

Performs password guessing against VNC.
