
Scripts

afp-brute

Performs password guessing against Apple Filing Protocol (AFP).

afp-path-vuln

Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.

afp-serverinfo

Shows AFP server information. This information includes the server's hostname, IPv4 and IPv6 addresses, and hardware type (for example Macmini or MacBookPro).

afp-showmount

Shows AFP shares and ACLs.

asn-query

Maps IP addresses to autonomous system (AS) numbers.

auth-owners

Attempts to find the owner of an open TCP port by querying an auth daemon which must also be open on the target system. The auth service, also known as identd, normally runs on port 113.

auth-spoof

Checks for an identd (auth) server which is spoofing its replies.

banner

A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.

citrix-brute-xml

Attempts to guess valid credentials for the Citrix PN Web Agent XML Service. The XML service authenticates against the local Windows server or the Active Directory.

citrix-enum-apps

Extracts a list of published applications from the ICA Browser service.

citrix-enum-apps-xml

Extracts a list of applications, ACLs, and settings from the Citrix XML service.

citrix-enum-servers

Extracts a list of Citrix servers from the ICA Browser service.

citrix-enum-servers-xml

Extracts the name of the server farm and member servers from Citrix XML service.

couchdb-databases

Gets database tables from a CouchDB database.

couchdb-stats

Gets database statistics from a CouchDB database.

daap-get-library

Retrieves a list of music from a DAAP server. The list includes artist names and album and song titles.

daytime

Retrieves the day and time from the Daytime service.

db2-das-info

Connects to the IBM DB2 Administration Server (DAS) on TCP or UDP port 523 and exports the server profile. No authentication is required for this request.

dhcp-discover

Sends a DHCPDISCOVER request to a host on UDP port 67. The response comes back to UDP port 68 and is read using pcap (because a script cannot currently choose its source port).

dns-cache-snoop

Performs DNS cache snooping against a DNS server.

dns-fuzz

This script launches a DNS fuzzing attack against any DNS server.

dns-random-srcport

Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).

dns-random-txid

Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).

dns-recursion

Checks if a DNS server allows queries for third-party names. It is expected that recursion will be enabled on your own internal nameservers.

dns-service-discovery

Attempts to discover a host's services using the DNS Service Discovery protocol.

dns-zone-transfer

Requests a zone transfer (AXFR) from a DNS server.

drda-brute

Performs password guessing against databases supporting the IBM DB2 protocol, such as Informix, DB2, and Derby.

drda-info

Attempts to extract information from database servers supporting the DRDA protocol. The script sends a DRDA EXCSAT (exchange server attributes) command packet and parses the response.

finger

Attempts to retrieve a list of usernames using the finger service.

ftp-anon

Checks if an FTP server allows anonymous logins.

ftp-bounce

Checks to see if an FTP server allows port scanning using the FTP bounce method.

ftp-brute

Tries to get FTP login credentials by guessing usernames and passwords.

ftp-libopie

Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow), a vulnerability discovered by Maksymilian Arciemowicz and Adam "pi3" Zabrocki. See the advisory at http://nmap.org/r/fbsd-sa-opie. Be advised that, if launched against a vulnerable host, this script will crash the FTPd.

html-title

Shows the title of the default page of a web server.

http-auth

Retrieves the authentication scheme and realm of a web service that requires authentication.

http-date

Gets the date from HTTP-like services. Also prints how much the date differs from local time. Local time is the time the HTTP request was sent, so the difference includes at least the duration of one RTT.

http-enum

Enumerates directories used by popular web applications and servers.

http-favicon

Gets the favicon ("favorites icon") from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed.

http-headers

Performs a GET request for the root folder ("/") of a web server and displays the HTTP headers returned.

http-iis-webdav-vuln

Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, http://nmap.org/r/ms09-020.

http-malware-host

Looks for signatures of known server compromises.

http-methods

Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. Optionally tests each method individually to see whether it is subject to, for example, IP address restrictions.

http-open-proxy

Checks if an HTTP proxy is open.

http-passwd

Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini using various traversal methods such as requesting ../../../../etc/passwd.

http-php-version

Attempts to retrieve the PHP version from a web server. PHP has a number of magic queries that return images or text that can vary with the PHP version. This script uses the following queries:

  • /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: gets a GIF logo, which changes on April Fool's Day.
  • /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: gets an HTML credits page.

http-trace

Sends an HTTP TRACE request and shows header fields that were modified in the response.

http-userdir-enum

Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled.

http-vmware-path-vuln

Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733).

iax2-version

Detects the UDP IAX2 service.

imap-capabilities

Retrieves IMAP email server capabilities.

ipidseq

Classifies a host's IP ID sequence (test for susceptibility to idle scan).

irc-info

Gathers information from an IRC server.

irc-unrealircd-backdoor

Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.

jdwp-version

Detects the Java Debug Wire Protocol. This protocol is used by Java programs to be debugged via the network. It should not be open to the public Internet, as it does not provide any security against malicious attackers who can inject their own bytecode into the debugged process.

ldap-brute

Attempts to brute-force LDAP authentication. By default it uses the built-in username and password lists. To use your own lists, use the userdb and passdb script arguments.

ldap-rootdse

Retrieves the LDAP root DSA-specific Entry (DSE).

ldap-search

Attempts to perform an LDAP search and returns all matches.

lexmark-config

Retrieves configuration information from a Lexmark S300-S400 printer.

mongodb-databases

Attempts to get a list of tables from a MongoDB database.

mongodb-info

Attempts to get build info and server status from a MongoDB database.

ms-sql-brute

Performs password guessing against Microsoft SQL Server (ms-sql).

ms-sql-config

Queries Microsoft SQL Server (ms-sql) for a list of databases, linked servers, and configuration settings.

ms-sql-empty-password

Attempts to authenticate using an empty password for the sysadmin (sa) account.

ms-sql-hasdbaccess

Queries Microsoft SQL Server (ms-sql) for a list of databases a user has access to.

ms-sql-info

Attempts to extract information from Microsoft SQL Server instances.

ms-sql-query

Runs a query against Microsoft SQL Server (ms-sql).

ms-sql-tables

Queries Microsoft SQL Server (ms-sql) for a list of tables per database.

ms-sql-xp-cmdshell

Attempts to run a command using the command shell of Microsoft SQL Server (ms-sql).

mysql-brute

Performs password guessing against MySQL.

mysql-databases

Attempts to list all databases on a MySQL server.

mysql-empty-password

Checks for MySQL servers with an empty password for root or anonymous.

mysql-info

Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.

mysql-users

Attempts to list all users on a MySQL server.

mysql-variables

Attempts to show all variables on a MySQL server.

nbstat

Attempts to retrieve the target's NetBIOS names and MAC address.

nfs-ls

Attempts to get useful information about files from NFS exports. The output is intended to resemble the output of ls.

nfs-showmount

Shows NFS exports, like the showmount -e command.

nfs-statfs

Retrieves disk space statistics and information from a remote NFS share. The output is intended to resemble the output of df.

ntp-info

Gets the time and configuration variables from an NTP server. We send two requests: a time request and a "read variables" (opcode 2) control message. Without verbosity, the script shows the time and the value of the version, processor, system, refid, and stratum variables. With verbosity, all variables are shown.

ntp-monlist

Obtains and prints an NTP server's monitor data.

oracle-sid-brute

Guesses Oracle instance/SID names against the TNS-listener.

p2p-conficker

Checks if a host is infected with Conficker.C or higher, based on Conficker's peer-to-peer communication.

pgsql-brute

Performs password guessing against PostgreSQL.

pjl-ready-message

Retrieves or sets the ready message on printers that support the Printer Job Language. This includes most PostScript printers that listen on port 9100. Without an argument, displays the current ready message. With the pjl_ready_message script argument, displays the old ready message and changes it to the message given.

pop3-brute

Tries to log into a POP3 account by guessing usernames and passwords.

pop3-capabilities

Retrieves POP3 email server capabilities.

pptp-version

Attempts to extract system information from the point-to-point tunneling protocol (PPTP) service.

qscan

Repeatedly probes open and/or closed ports on a host to obtain a series of round-trip time values for each port. These values are used to group ports into collections that are statistically different from other groups. Ports falling into different groups (or "families") may indicate network mechanisms such as port forwarding to machines behind a NAT.

realvnc-auth-bypass

Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).

robots.txt

Checks for disallowed entries in robots.txt.

rpcinfo

Connects to portmapper and fetches a list of all registered programs.

skypev2-version

Detects the Skype version 2 service.

smb-brute

Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. Every attempt will be made to get a valid list of users and to verify each username before actually using them. When a username is discovered, besides being printed, it is also saved in the Nmap registry so other Nmap scripts can use it. That means that if you're going to run smb-brute.nse, you should run the other smb scripts you want in the same Nmap run. This checks passwords in a case-insensitive way, determining case after a password is found, for Windows versions before Vista.

smb-check-vulns

Checks for vulnerabilities:

  • MS08-067, a Windows RPC vulnerability
  • Conficker, an infection by the Conficker worm
  • Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000
  • SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
  • MS06-025, a Windows Ras RPC service vulnerability
  • MS07-029, a Windows Dns Server RPC service vulnerability

smb-enum-domains

Attempts to enumerate domains on a system, along with their policies. This generally requires credentials, except against Windows 2000. In addition to the actual domain, the "Builtin" domain is generally displayed. Windows returns this in the list of domains, but its policies don't appear to be used anywhere.

smb-enum-groups

Obtains a list of groups from the remote Windows system, as well as a list of each group's users. This works similarly to enum.exe with the /G switch.

smb-enum-processes

Pulls a list of processes from the remote server over SMB. This will determine all running processes, their process IDs, and their parent processes. It is done by querying the remote registry service, which is disabled by default on Vista; on all other Windows versions, it requires Administrator privileges.

smb-enum-sessions

Enumerates the users logged into a system either locally or through an SMB share. The local users can be logged on either physically on the machine or through a terminal services session. Connections to an SMB share are, for example, people connected to fileshares or making RPC calls. Nmap's own connection will also show up, and is generally identifiable as the one that connected "0 seconds ago".

smb-enum-shares

Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names is checked.

smb-enum-users

Attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different techniques (both over MSRPC, which uses port 445 or 139; see smb.lua). The goal of this script is to discover all user accounts that exist on a remote system. This can be helpful for administration, by seeing who has an account on a server, or for penetration testing or network footprinting, by determining which accounts exist on a system.

smb-os-discovery

Attempts to determine the operating system, computer name, domain, and current time over the SMB protocol (ports 445 or 139). This is done by starting a session with the anonymous account (or with a proper user account, if one is given; it likely doesn't make a difference); in response to a session starting, the server will send back all this information.

smb-psexec

This script implements remote process execution similar to the Sysinternals' psexec tool, allowing a user to run a series of programs on a remote machine and read the output. This is great for gathering information about servers, running the same tool on a range of systems, or even installing a backdoor on a collection of computers.

smb-security-mode

Returns information about the SMB security level determined by SMB.

smb-server-stats

Attempts to grab the server's statistics over SMB and MSRPC, which uses TCP ports 445 or 139.

smb-system-info

Pulls back information about the remote system from the registry. Getting all of the information requires an administrative account, although a user account will still get a lot of it. Guest probably won't get any, nor will anonymous. This goes for all operating systems, including Windows 2000.

smbv2-enabled

Checks whether or not a server is running the SMBv2 protocol.

smtp-commands

Attempts to use EHLO and HELP to gather the extended commands supported by an SMTP server.

smtp-enum-users

Attempts to enumerate the users on an SMTP server by issuing the VRFY, EXPN, or RCPT TO commands. The goal of this script is to discover all the user accounts on the remote system.

smtp-open-relay

Attempts to relay mail by issuing a predefined combination of SMTP commands. The goal of this script is to tell if an SMTP server is vulnerable to mail relaying.

smtp-strangeport

Checks if SMTP is running on a non-standard port.

sniffer-detect

Checks if a target on a local Ethernet has its network card in promiscuous mode.

snmp-brute

Attempts to find an SNMP community string by brute force guessing.

snmp-interfaces

Attempts to enumerate network interfaces through SNMP.

snmp-netstat

Attempts to query SNMP for a netstat-like output.

snmp-processes

Attempts to enumerate running processes through SNMP.

snmp-sysdescr

Attempts to extract system information from an SNMP version 1 service.

snmp-win32-services

Attempts to enumerate Windows services through SNMP.

snmp-win32-shares

Attempts to enumerate Windows Shares through SNMP.

snmp-win32-software

Attempts to enumerate installed software through SNMP.

snmp-win32-users

Attempts to enumerate Windows user accounts through SNMP.

socks-open-proxy

Checks if an open socks proxy is running on the target.

sql-injection

Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack.

ssh-hostkey

Shows SSH hostkeys.

sshv1

Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1.

ssl-cert

Retrieves a server's SSL certificate. The amount of information printed about the certificate depends on the verbosity level. With no extra verbosity, the script prints the validity period and the commonName, organizationName, stateOrProvinceName, and countryName of the subject.

ssl-enum-ciphers

This script repeatedly initiates SSL/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphers and compressors that a server accepts.

sslv2

Determines whether the server supports obsolete and less secure SSLv2, and discovers which ciphers it supports.

telnet-brute

Tries to get Telnet login credentials by guessing usernames and passwords.

upnp-info

Attempts to extract system information from the UPnP service.

vnc-brute

Performs password guessing against VNC.

vnc-info

Queries a VNC server for the supported security types.

wdb-version

Gathers information from a Wind DeBug Agent on VxWorks.

whois

Queries the WHOIS services of Regional Internet Registries (RIRs) and attempts to retrieve information about the IP address assignment that contains the target IP address.

x11-access

Checks if you're allowed to connect to the X server.

Libraries

afp

This library was written by Patrik Karlsson <patrik@cqure.net> to facilitate communication with the Apple AFP Service. It is not feature complete and is still missing several functions.

asn1

ASN.1 functions.

base64

Base64 encoding and decoding. Follows RFC 4648.

bin

Pack and unpack binary data.

bit

Bitwise operations on integers.

brute

The brute library is an attempt to create a common framework for performing password guessing against remote services.

citrixxml

This module was written by Patrik Karlsson and facilitates communication with the Citrix XML Service. It is not feature complete and is missing several functions and parameters.

comm

Common communication functions for network discovery tasks like banner grabbing and data exchange.

datafiles

Read and parse some of Nmap's data files: nmap-protocols, nmap-rpc, nmap-services, and nmap-mac-prefixes.

dns

Simple DNS library supporting packet creation, encoding, decoding, and querying.

drda

DRDA Library supporting a very limited subset of operations.

http

Client-side HTTP library.

imap

IMAP functions.

ipOps

Utility functions for manipulating and comparing IP addresses.

json

Library methods for handling JSON data. It handles JSON encoding and decoding according to RFC 4627.

ldap

Library methods for handling LDAP.

listop

Functional-style list operations.

match

Buffered network I/O helper functions.

mongodb

Library methods for handling MongoDB, creating and parsing packets.

msrpc

By making heavy use of the smb library, this library will call various MSRPC functions. The functions used here can be accessed over TCP ports 445 and 139, with an established session. A NULL session (the default) will work for some functions and operating systems (or configurations), but not for others.

msrpcperformance

This module is designed to parse the PERF_DATA_BLOCK structure, which is stored in the registry under HKEY_PERFORMANCE_DATA. By querying this structure, you can get a whole lot of information about what's going on.

msrpctypes

This module was written to marshall parameters for Microsoft RPC (MSRPC) calls. The values passed in and out are based on structs defined by the protocol, and documented by Samba developers. For detailed breakdowns of the types, take a look at Samba 4.0's .idl files.

mssql

MSSQL Library supporting a very limited subset of operations.

mysql

Simple MySQL Library supporting a very limited subset of operations.

netbios

Creates and parses NetBIOS traffic. The primary use for this is to send NetBIOS name requests.

nmap

Interface with Nmap internals.

nsedebug

Debugging functions for Nmap scripts.

openssl

OpenSSL bindings.

packet

Facilities for manipulating raw packets.

pcre

Perl Compatible Regular Expressions.

pgsql

PostgreSQL library supporting both version 2 and version 3 of the protocol. The library currently contains the bare minimum to perform authentication. Authentication is supported with or without SSL enabled and using the plain-text or MD5 authentication mechanisms.

pop3

POP3 functions.

proxy

Functions for proxy testing.

rpc

RPC Library supporting a very limited subset of operations.

shortport

Functions for building short portrules.

smb

Implements functionality related to Server Message Block (SMB, also known as CIFS) traffic, which is a Windows protocol.

smbauth

This module takes care of the authentication used in SMB (LM, NTLM, LMv2, NTLMv2).

snmp

SNMP functions.

ssh1

Functions for the SSH-1 protocol. This module also contains functions for formatting key fingerprints.

ssh2

Functions for the SSH-2 protocol.

stdnse

Standard Nmap Scripting Engine functions. This module contains various handy functions that are too small to justify modules of their own.

strbuf

String buffer facilities.

strict

Strict declared-global library. Checks for undeclared global variables at run time.

tab

Arrange output into tables.

unpwdb

Username/password database library.

url

URI parsing, composition, and relative URL resolution.

vnc

Connects to the VNC socket.
