Home page logo
/
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News

Scripts

address-info

Shows extra information about IPv6 addresses, such as embedded MAC or IPv4 addresses when available.

afp-ls

Attempts to get useful information about files from AFP volumes. The output is intended to resemble the output of ls.

afp-serverinfo

Shows AFP server information. This information includes the server's hostname, IPv4 and IPv6 addresses, and hardware type (for example Macmini or MacBookPro).

afp-showmount

Shows AFP shares and ACLs.

amqp-info

Gathers information (a list of all server properties) from an AMQP (advanced message queuing protocol) server.

asn-query

Maps IP addresses to autonomous system (AS) numbers.

auth-owners

Attempts to find the owner of an open TCP port by querying an auth daemon which must also be open on the target system. The auth service, also known as identd, normally runs on port 113.

auth-spoof

Checks for an identd (auth) server which is spoofing its replies.

backorifice-info

Connects to a BackOrifice service and gathers information about the host and the BackOrifice service itself.

banner

A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.

bitcoin-getaddr

Queries a Bitcoin server for a list of known Bitcoin nodes

bitcoin-info

Extracts version and node information from a Bitcoin server

bitcoinrpc-info

Obtains information from a Bitcoin server by calling getinfo on its JSON-RPC interface.

bittorrent-discovery

Discovers bittorrent peers sharing a file based on a user-supplied torrent file or magnet link. Peers implement the Bittorrent protocol and share the torrent, whereas the nodes (only shown if the include-nodes NSE argument is given) implement the DHT protocol and are used to track the peers. The sets of peers and nodes are not the same, but they usually intersect.

broadcast-db2-discover

Attempts to discover DB2 servers on the network by sending a broadcast request to port 523/udp.

broadcast-dhcp-discover

Sends a DHCP request to the broadcast address (255.255.255.255) and reports the results. The script uses a static MAC address (DE:AD:CO:DE:CA:FE) while doing so in order to prevent scope exhaustion.

broadcast-dhcp6-discover

Sends a DHCPv6 request (Solicit) to the DHCPv6 multicast address. It parses the response and extracts the address along with any options returned by the server.

broadcast-dns-service-discovery

Attempts to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses.

broadcast-dropbox-listener

Listens for the LAN sync information broadcasts that the Dropbox.com client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more.

broadcast-listener

Sniffs the network for incoming broadcast communication and attempts to decode the received packets. It supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and a few more. See packetdecoders.lua for more information.

broadcast-ms-sql-discover

Discovers Microsoft SQL servers in the same broadcast domain.

broadcast-netbios-master-browser

Attempts to discover master browsers and the domains they manage.

broadcast-novell-locate

Attempts to use the Service Location Protocol to discover Novell NetWare Core Protocol (NCP) servers.

broadcast-pc-anywhere

Sends a special broadcast probe to discover PC-Anywhere hosts running on a LAN

broadcast-pc-duo

Discovers PC-DUO remote control hosts and gateways running on the LAN

broadcast-ping

Sends broadcast pings on a selected interface using raw ethernet packets and outputs the responding hosts' IP and MAC addresses or (if requested) adds them as targets. Root privileges on UNIX are required to run this script since it uses raw sockets. Most operating systems don't respond to broadcast-ping probes, but they can be configured to do so.

broadcast-pppoe-discover

Discovers PPPoE servers using the PPPoE Discovery protocol (PPPoED) The PPPoE is an ethernet based protocol so the script has to know what ethernet interface to use for discovery. If no interface is specified, requests are sent out on all available interfaces.

broadcast-rip-discover

Discovers hosts and routing information from devices running RIPv2 on the LAN. It does so by sending a RIPv2 Request command and collects the responses from all devices responding to the request.

broadcast-ripng-discover

Discovers hosts and routing information from devices running RIPng on the LAN. It does so by sending a RIPng Request command and collects the responses from all devices responding to the request.

broadcast-sybase-asa-discover

Discovers Sybase Anywhere servers on the LAN by sending broadcast discovery messages.

broadcast-upnp-info

Attempts to extract system information from the UPnP service by sending a multicast query, then collecting, parsing, and displaying all responses.

broadcast-wake-on-lan

Wakes a remote system up from sleep by sending a Wake-On-Lan packet.

broadcast-wpad-discover

Retrieves a list of proxy servers on the LAN using the Web Proxy Autodiscovery Protocol (WPAD). It implements both the DHCP and DNS methods of doing so and starts by querying DHCP to get the address. DHCP discovery requires nmap to be running in privileged mode and will be skipped when this is not the case. DNS discovery relies on the script being able to resolve the local domain either through a script argument or by attempting to reverse resolve the local IP.

broadcast-wsdd-discover

Uses a multicast query to discover devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later).

broadcast-xdmcp-discover

Discovers servers running the X Display Manager Control Protocol (XDMCP) by sending a XDMCP broadcast request to the LAN. Display managers allowing access are marked using the keyword Willing in the result.

citrix-enum-apps

Extracts a list of published applications from the ICA Browser service.

citrix-enum-apps-xml

Extracts a list of applications, ACLs, and settings from the Citrix XML service.

citrix-enum-servers

Extracts a list of Citrix servers from the ICA Browser service.

citrix-enum-servers-xml

Extracts the name of the server farm and member servers from Citrix XML service.

couchdb-databases

Gets database tables from a CouchDB database.

couchdb-stats

Gets database statistics from a CouchDB database.

creds-summary

Lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan.

daap-get-library

Retrieves a list of music from a DAAP server. The list includes artist names and album and song titles.

daytime

Retrieves the day and time from the Daytime service.

db2-das-info

Connects to the IBM DB2 Administration Server (DAS) on TCP or UDP port 523 and exports the server profile. No authentication is required for this request.

db2-discover

Attempts to discover DB2 servers on the network by querying open ibm-db2 UDP ports (normally port 523).

dhcp-discover

Sends a DHCPINFORM request to a host on UDP port 67 to obtain all the local configuration parameters without allocating a new address.

dns-blacklist

Checks target IP addresses against multiple DNS anti-spam and open proxy blacklists and returns a list of services where the IP has been blacklisted. Checks may be limited by service category (eg: SPAM, PROXY) or to a specific service name.

dns-recursion

Checks if a DNS server allows queries for third-party names. It is expected that recursion will be enabled on your own internal nameservers.

dns-service-discovery

Attempts to discover target hosts' services using the DNS Service Discovery protocol.

dns-srv-enum

Enumerates various common service (SRV) records for a given domain name. The service records contain the hostname, port and priority of servers for a given service. The following services are enumerated by the script: - Active Directory Global Catalog - Exchange Autodiscovery - Kerberos KDC Service - Kerberos Passwd Change Service - LDAP Servers - SIP Servers - XMPP S2S - XMPP C2S

dns-update

Attempts to perform a dynamic DNS update without authentication.

dns-zeustracker

Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch. Please review the following information before you start to scan:

drda-info

Attempts to extract information from database servers supporting the DRDA protocol. The script sends a DRDA EXCSAT (exchange server attributes) command packet and parses the response.

epmd-info

Connects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers.

finger

Attempts to retrieve a list of usernames using the finger service.

firewalk

Tries to discover firewall rules using an IP TTL expiration technique known as firewalking.

ftp-anon

Checks if an FTP server allows anonymous logins.

ftp-bounce

Checks to see if an FTP server allows port scanning using the FTP bounce method.

ganglia-info

Retrieves system information (OS version, available memory, etc.) from a listening Ganglia Monitoring Daemon or Ganglia Meta Daemon.

giop-info

Queries a CORBA naming server for a list of objects.

gopher-ls

Lists files and directories at the root of a gopher service.

hadoop-datanode-info

Discovers information such as log directories from an Apache Hadoop DataNode HTTP status page.

hadoop-jobtracker-info

Retrieves information from an Apache Hadoop JobTracker HTTP status page.

hadoop-namenode-info

Retrieves information from an Apache Hadoop NameNode HTTP status page.

hadoop-secondary-namenode-info

Retrieves information from an Apache Hadoop secondary NameNode HTTP status page.

hadoop-tasktracker-info

Retrieves information from an Apache Hadoop TaskTracker HTTP status page.

hbase-master-info

Retrieves information from an Apache HBase (Hadoop database) master HTTP status page.

hbase-region-info

Retrieves information from an Apache HBase (Hadoop database) region server HTTP status page.

hddtemp-info

Reads hard disk information (such as brand, model, and sometimes temperature) from a listening hddtemp service.

http-affiliate-id

Grabs affiliate network IDs (e.g. Google AdSense or Analytics, Amazon Associates, etc.) from a web page. These can be used to identify pages with the same owner.

http-apache-negotiation

Checks if the target http server has mod_negotiation enabled. This feature can be leveraged to find hidden resources and spider a web site using fewer requests.

http-auth

Retrieves the authentication scheme and realm of a web service that requires authentication.

http-auth-finder

Spiders a web site to find web pages requiring authentication, either form- based or HTTP-based. The results are returned in a table with each url and the detected method.

http-backup-finder

Spiders a website and attempts to identify backup copies of discovered files. It does so by requesting a number of different combinations of the filename (eg. index.bak, index.html~, copy of index.html).

http-cakephp-version

Obtains the CakePHP version of a web application built with the CakePHP framework by fingerprinting default files shipped with the CakePHP framework.

http-cors

Tests an http server for Cross-Origin Resource Sharing (CORS), a way for domains to explicitly opt in to having certain methods invoked by another domain.

http-date

Gets the date from HTTP-like services. Also prints how much the date differs from local time. Local time is the time the HTTP request was sent, so the difference includes at least the duration of one RTT.

http-default-accounts

Tests for access with default credentials used by a variety of web applications and devices.

http-email-harvest

Spiders a web site and collects e-mail addresses.

http-favicon

Gets the favicon ("favorites icon") from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed.

http-generator

Displays the contents of the "generator" meta tag if there is one.

http-google-malware

Checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.

http-grep

Spiders a website and attempts to match all pages and urls against a given string. Matches are counted and grouped per url under which they were discovered.

http-headers

Performs a GET request for the root folder ("/") of a web server and displays the HTTP headers returned.

http-malware-host

Looks for signature of known server compromises.

http-method-tamper

Tests whether a JBoss target is vulnerable to jmx console authentication bypass (CVE-2010-0738).

http-methods

Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. Optionally tests each method individually to see if they are subject to e.g. IP address restrictions.

http-open-proxy

Checks if an HTTP proxy is open.

http-php-version

Attempts to retrieve the PHP version from a web server. PHP has a number of magic queries that return images or text that can vary with the PHP version. This script uses the following queries:

  • /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: gets a GIF logo, which changes on April Fool's Day.
  • /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: gets an HTML credits page.

http-qnap-nas-info

Attempts to retrieve the model, firware version, and enabled services from a QNAP Network Attached Storage (NAS) device.

http-robots.txt

Checks for disallowed entries in /robots.txt on a web server.

http-robtex-reverse-ip

Obtains up to 100 forward DNS names for a target IP address by querying the Robtex service (http://www.robtex.com/ip/).

http-title

Shows the title of the default page of a web server.

http-trace

Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug is enabled, it returns the header fields that were modified in the response.

http-vmware-path-vuln

Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733).

http-vuln-cve2011-3192

Detects a denial of service vulnerability in the way the Apache web server handles requests for multiple overlapping/simple ranges of a page.

imap-capabilities

Retrieves IMAP email server capabilities.

ip-geolocation-geobytes

Tries to identify the physical location of an IP address using the Geobytes geolocation web service (http://www.geobytes.com/iplocator.htm). The limit of lookups using this service is 20 requests per hour. Once the limit is reached, an nmap.registry["ip-geolocation-geobytes"].blocked boolean is set so no further requests are made during a scan.

ip-geolocation-geoplugin

Tries to identify the physical location of an IP address using the Geoplugin geolocation web service (http://www.geoplugin.com/). There is no limit on lookups using this service.

ip-geolocation-ipinfodb

Tries to identify the physical location of an IP address using the IPInfoDB geolocation web service (http://ipinfodb.com/ip_location_api.php).

ip-geolocation-maxmind

Tries to identify the physical location of an IP address using a Geolocation Maxmind database file (available from http://www.maxmind.com/app/ip-location). This script supports queries using all Maxmind databases that are supported by their API including the commercial ones.

ipidseq

Classifies a host's IP ID sequence (test for susceptibility to idle scan).

ipv6-node-info

Obtains hostnames, IPv4 and IPv6 addresses through IPv6 Node Information Queries.

irc-botnet-channels

Checks an IRC server for channels that are commonly used by malicious botnets.

irc-info

Gathers information from an IRC server.

iscsi-info

Collects and displays information from remote iSCSI targets.

ldap-novell-getpass

Universal Password enables advanced password policies, including extended characters in passwords, synchronization of passwords from eDirectory to other systems, and a single password for all access to eDirectory.

ldap-rootdse

Retrieves the LDAP root DSA-specific Entry (DSE)

ldap-search

Attempts to perform an LDAP search and returns all matches.

lexmark-config

Retrieves configuration information from a Lexmark S300-S400 printer.

lltd-discovery

Uses the Microsoft LLTD protocol to discover hosts on a local network.

membase-http-info

Retrieves information from the CouchBase Web Administration port. The information retrieved by this script does not require any credentials.

memcached-info

Retrieves information from distributed memory object caching system memcached

mongodb-databases

Attempts to get a list of tables from a MongoDB database.

mongodb-info

Attempts to get build info and server status from a MongoDB database.

ms-sql-config

Queries Microsoft SQL Server (ms-sql) instances for a list of databases, linked servers, and configuration settings.

ms-sql-dump-hashes

Dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John-the-ripper. In order to do so the user needs to have the appropriate DB privileges.

ms-sql-hasdbaccess

Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has access to.

ms-sql-info

Attempts to determine configuration and version information for Microsoft SQL Server instances.

ms-sql-query

Runs a query against Microsoft SQL Server (ms-sql).

ms-sql-tables

Queries Microsoft SQL Server (ms-sql) for a list of tables per database.

mysql-audit

Audits MySQL database server security configuration against parts of the CIS MySQL v1.0.2 benchmark (the engine can be used for other MySQL audits by creating appropriate audit files).

mysql-info

Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.

nat-pmp-info

Get's the routers WAN IP using the NAT Port Mapping Protocol (NAT-PMP). The NAT-PMP protocol is supported by a broad range of routers including: - Apple AirPort Express - Apple AirPort Extreme - Apple Time Capsule - DD-WRT - OpenWrt v8.09 or higher, with MiniUPnP daemon - pfSense v2.0 - Tarifa (firmware) (Linksys WRT54G/GL/GS) - Tomato Firmware v1.24 or higher. (Linksys WRT54G/GL/GS and many more) - Peplink Balance

nat-pmp-mapport

Maps a WAN port on the router to a local port on the client. The script uses the NAT Port Mapping Protocol (NAT-PMP) to do so and supports the following operations: o map - maps a new external port on the router to an internal port of the requesting IP o unmap - unmaps a previously mapped port for the requesting IP o unmapall - unmaps all previously mapped ports for the requesting IP

nbstat

Attempts to retrieve the target's NetBIOS names and MAC address.

ncp-enum-users

Retrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service.

ncp-serverinfo

Retrieves eDirectory server information (OS version, server name, mounts, etc.) from the Novell NetWare Core Protocol (NCP) service.

netbus-auth-bypass

Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password.

netbus-info

Opens a connection to a NetBus server and extracts information about the host and the NetBus service itself.

nfs-ls

Attempts to get useful information about files from NFS exports. The output is intended to resemble the output of ls.

nfs-showmount

Shows NFS exports, like the showmount -e command.

nfs-statfs

Retrieves disk space statistics and information from a remote NFS share. The output is intended to resemble the output of df.

ntp-info

Gets the time and configuration variables from an NTP server. We send two requests: a time request and a "read variables" (opcode 2) control message. Without verbosity, the script shows the time and the value of the version, processor, system, refid, and stratum variables. With verbosity, all variables are shown.

omp2-enum-targets

Attempts to retrieve the list of target systems and networks from an OpenVAS Manager server.

openlookup-info

Parses and displays the banner information of an OpenLookup (network key-value store) server.

p2p-conficker

Checks if a host is infected with Conficker.C or higher, based on Conficker's peer to peer communication.

path-mtu

Performs simple Path MTU Discovery to target hosts.

pop3-capabilities

Retrieves POP3 email server capabilities.

qscan

Repeatedly probe open and/or closed ports on a host to obtain a series of round-trip time values for each port. These values are used to group collections of ports which are statistically different from other groups. Ports being in different groups (or "families") may be due to network mechanisms such as port forwarding to machines behind a NAT.

quake3-info

Extracts information from a Quake3 game server and other games which use the same protocol.

quake3-master-getservers

Queries Quake3-style master servers for game servers (many games other than Quake 3 use this same protocol).

realvnc-auth-bypass

Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).

redis-info

Gets information from a Redis key-value store

resolveall

Resolves hostnames and adds every address (IPv4 or IPv6, depending on Nmap mode) to Nmap's target list. This differs from Nmap's normal host resolution process, which only scans the first address (A or AAAA record) returned for each host name.

reverse-index

Creates a reverse index at the end of scan output showing which hosts run a particular service. This is in addition to Nmap's normal output listing the services on each host.

riak-http-info

Retrieves information from a Basho Riak distributed database using the HTTP protocol.

rmi-dumpregistry

Connects to a remote RMI registry and attempts to dump all of its objects.

rpcinfo

Connects to portmapper and fetches a list of all registered programs. It then prints out a table including (for each program) the RPC program number, supported version numbers, port number and protocol, and program name.

rtsp-methods

Determines which methods are supported by the RTSP (real time streaming protocol) server.

servicetags

Attempts to extract system information (OS, hardware, etc.) from the Sun Service Tags service agent (UDP port 6481).

smb-mbenum

Queries information managed by the Windows Master Browser.

smb-os-discovery

Attempts to determine the operating system, computer name, domain, workgroup, and current time over the SMB protocol (ports 445 or 139). This is done by starting a session with the anonymous account (or with a proper user account, if one is given; it likely doesn't make a difference); in response to a session starting, the server will send back all this information.

smb-security-mode

Returns information about the SMB security level determined by SMB.

smbv2-enabled

Checks whether or not a server is running the SMBv2 protocol.

smtp-commands

Attempts to use EHLO and HELP to gather the Extended commands supported by an SMTP server.

smtp-strangeport

Checks if SMTP is running on a non-standard port.

snmp-interfaces

Attempts to enumerate network interfaces through SNMP.

snmp-netstat

Attempts to query SNMP for a netstat like output.

snmp-processes

Attempts to enumerate running processes through SNMP.

snmp-sysdescr

Attempts to extract system information from an SNMP version 1 service.

snmp-win32-services

Attempts to enumerate Windows services through SNMP.

snmp-win32-shares

Attempts to enumerate Windows Shares through SNMP.

snmp-win32-software

Attempts to enumerate installed software through SNMP.

snmp-win32-users

Attempts to enumerate Windows user accounts through SNMP

socks-auth-info

Determines the supported authentication mechanisms of the remote SOCKS server. Starting with SOCKS version 5 socks servers may support authentication. The script checks for the following authentication types: 0 - No authentication 1 - GSSAPI 2 - Username and password

socks-open-proxy

Checks if an open socks proxy is running on the target.

ssh-hostkey

Shows SSH hostkeys.

ssh2-enum-algos

Reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers. If verbosity is set, the offered algorithms are each listed by type.

sshv1

Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1.

ssl-cert

Retrieves a server's SSL certificate. The amount of information printed about the certificate depends on the verbosity level. With no extra verbosity, the script prints the validity period and the commonName, organizationName, stateOrProvinceName, and countryName of the subject.

ssl-google-cert-catalog

Queries Google's Certificate Catalog for the SSL certificates retrieved from target hosts.

ssl-known-key

Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys.

sslv2

Determines whether the server supports obsolete and less secure SSLv2, and discovers which ciphers it supports.

targets-sniffer

Sniffs the local network for a configurable amount of time (10 seconds by default) and prints discovered addresses. If the newtargets script argument is set, discovered addresses are added to the scan queue.

targets-traceroute

Inserts traceroute hops into the Nmap scanning queue. It only functions if Nmap's --traceroute option is used and the newtargets script argument is given.

telnet-encryption

Determines whether the encryption option is supported on a remote telnet server. Some systems (including FreeBSD and the krb5 telnetd available in many Linux distributions) implement this option incorrectly, leading to a remote root vulnerability. This script currently only tests whether encryption is supported, not for that particular vulnerability.

unusual-port

Compares the detected service on a port against the expected service for that port number (e.g. ssh on 22, http on 80) and reports deviations. The script requires that a version scan has been run in order to be able to discover what service is actually running on each port.

upnp-info

Attempts to extract system information from the UPnP service.

url-snarf

Sniffs an interface for HTTP traffic and dumps any URLs, and their originating IP. Script output differs from other script as URLs are written to stdout directly. There is also an option to log the results to file.

vnc-info

Queries a VNC server for its protocol version and supported security types.

voldemort-info

Retrieves cluster and store information from the Voldemort distributed key- value store using the Voldemort Native Protocol.

vuze-dht-info

Retrieves some basic information, including protocol version from a Vuze filesharing node.

whois

Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.

wsdd-discover

Retrieves and displays information from devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later).

x11-access

Checks if you're allowed to connect to the X server.

xdmcp-discover

Requests a XDMCP session and lists supported authentication and authorization mechanisms

xmpp-info

Connects to XMPP server (port 5222) and collects server information such as: supported auth mechanisms, compression methods, whether TLS is supported and mandatory, stream management, language, support of In-Band registration, server capabilities. If possible, studies server vendor.

Nmap Site Navigation

Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]