Scripts

| Script | Description |
|---|---|
| afp-showmount | Shows AFP shares and ACLs. |
| asn-query | Maps IP addresses to autonomous system (AS) numbers. |
| auth-owners | Attempts to find the owner of an open TCP port by querying an auth (identd, port 113) daemon, which must also be open on the target system. |
| auth-spoof | Checks for an identd (auth) server which is spoofing its replies. |
| banner | A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds. |
| citrix-enum-apps | Extracts published applications from the ICA Browser service. |
| citrix-enum-apps-xml | Extracts a list of applications, ACLs and settings from the Citrix XML service. |
| citrix-enum-servers | Extracts a list of Citrix servers from the ICA Browser service. |
| citrix-enum-servers-xml | Extracts the name of the server farm and member servers from the Citrix XML service. |
| couchdb-databases | Gets database tables from a CouchDB database. For more info about the CouchDB HTTP API, see http://wiki.apache.org/couchdb/HTTP_database_API |
| couchdb-stats | Gets database statistics from a CouchDB database. For more info about the CouchDB HTTP API, see http://wiki.apache.org/couchdb/Runtime_Statistics and http://wiki.apache.org/couchdb/HTTP_database_API |
| daap-get-library | Retrieves a list of music from a DAAP server, including the name of the artist, album and songs. |
| daytime | Retrieves the day and time from the UDP Daytime service. |
| db2-das-info | Connects to the IBM DB2 Administration Server (DAS) on TCP or UDP port 523 and exports the server profile. No authentication is required for this request. The script will also set the port product and version if a version scan is requested. |
| db2-info | Attempts to extract information from IBM DB2 Server instances. The script sends a DB2 EXCSAT (exchange server attributes) command packet and parses the response. |
| dns-service-discovery | Attempts to discover a host's services using the DNS Service Discovery protocol. |
| finger | Attempts to retrieve a list of usernames using the finger service. |
| ftp-anon | Checks if an FTP server allows anonymous logins. |
| html-title | Shows the title of the default page of a web server. |
| http-date | Gets the date from HTTP-like services. Also prints how much the date differs from local time. Local time is the time the HTTP request was sent, so the difference includes at least the duration of one RTT. |
| http-favicon | Gets the favicon ("favorites icon") from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed. |
| http-headers | Performs a GET request for the root folder ("/") of a web server and displays the HTTP headers returned. |
| http-malware-host | Looks for signatures of known server compromises. Currently, the only signature it looks for is the one discussed here: <http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/> |
| http-methods | Connects to an HTTP server and sends an OPTIONS request to see which HTTP methods are allowed on this server. Optionally tests each method individually to see if it is subject to e.g. IP address restrictions. |
| http-trace | Sends an HTTP TRACE request and shows header fields that were modified in the response. |
| http-vmware-path-vuln | Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733), originally released by Justin Morehouse (justin.morehouse[at)gmail.com) and Tony Flick (tony.flick(at]fyrmassociates.com), and presented at Shmoocon 2010 (http://fyrmassociates.com/tools.html). |
| imap-capabilities | Retrieves IMAP email server capabilities. |
| ipidseq | Classifies a host's IP ID sequence (e.g. tests for Idle Scan suitability). |
| irc-info | Gathers information from an IRC server. |
| ldap-rootdse | Retrieves the LDAP root DSA-specific Entry (DSE). |
| lexmark-config | Retrieves the Lexmark S300-S400 configuration. |
| mongodb-databases | Attempts to get tables from a MongoDB instance. |
| mongodb-info | Attempts to get build info and server status from a MongoDB instance. |
| mysql-info | Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt. |
| nbstat | Attempts to retrieve the target's NetBIOS names and MAC address. |
| nfs-showmount | Shows NFS exports, like the |
| ntp-info | Gets the time and configuration variables from an NTP server. We send two requests: a time request and a "read variables" (opcode 2) control message. Without verbosity, the script shows the time and the value of the |
| p2p-conficker | Checks if a host is infected with Conficker.C or higher, based on Conficker's peer-to-peer communication. |
| pop3-capabilities | Retrieves POP3 email server capabilities. |
| realvnc-auth-bypass | Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369). |
| robots.txt | Checks for disallowed entries in |
| rpcinfo | Connects to portmapper and fetches a list of all registered programs. |
| smb-os-discovery | Attempts to determine the operating system, computer name, domain, and current time over the SMB protocol (ports 445 or 139 -- for more information, see |
| smb-security-mode | Returns information about the SMB security level determined by SMB. |
| smbv2-enabled | Checks whether or not a server is running the SMBv2 protocol. |
| smtp-commands | Attempts to use EHLO and HELP to gather the extended commands supported by an SMTP server. |
| smtp-strangeport | Checks if SMTP is running on a non-standard port. |
| snmp-netstat | Attempts to query SNMP for netstat-like output. |
| snmp-processes | Attempts to enumerate running processes through SNMP. |
| snmp-sysdescr | Attempts to extract system information from an SNMP version 1 service. |
| snmp-win32-services | Attempts to enumerate Windows services through SNMP. |
| snmp-win32-shares | Attempts to enumerate Windows shares through SNMP. |
| snmp-win32-software | Attempts to enumerate installed software through SNMP. |
| snmp-win32-users | Attempts to enumerate user accounts through SNMP. |
| ssh-hostkey | Shows SSH host keys. |
| sshv1 | Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1. |
| ssl-cert | Retrieves a server's SSL certificate. The amount of information printed about the certificate depends on the verbosity level. With no extra verbosity, the script prints the validity period and the commonName, organizationName, stateOrProvinceName, and countryName of the subject. |
| sslv2 | Determines whether the server supports the obsolete and less secure SSLv2, and discovers which ciphers it supports. |
| upnp-info | Attempts to extract system information from the UPnP service. |
| whois | Queries the WHOIS services of Regional Internet Registries (RIRs) and attempts to retrieve information about the IP address assignment which contains the target IP address. |
| x11-access | Checks if you're allowed to connect to the X server. |