NSEDoc

• Index
• NSE Documentation

Categories

• auth
• default
• discovery
• dos
• exploit
• external
• fuzzer
• intrusive
• malware
• safe
• version
• vuln

Scripts (show 134)(134)Scripts (134)

• afp-brute
• afp-path-vuln
• afp-serverinfo
• afp-showmount
• asn-query
• auth-owners
• auth-spoof
• banner
• citrix-brute-xml
• citrix-enum-apps
• citrix-enum-apps-xml
• citrix-enum-servers
• citrix-enum-servers-xml
• couchdb-databases
• couchdb-stats
• daap-get-library
• daytime
• db2-das-info
• dhcp-discover
• dns-cache-snoop
• dns-fuzz
• dns-random-srcport
• dns-random-txid
• dns-recursion
• dns-service-discovery
• dns-zone-transfer
• drda-brute
• drda-info
• finger
• ftp-anon
• ftp-bounce
• ftp-brute
• ftp-libopie
• html-title
• http-auth
• http-date
• http-enum
• http-favicon
• http-headers
• http-iis-webdav-vuln
• http-malware-host
• http-methods
• http-open-proxy
• http-passwd
• http-php-version
• http-trace
• http-userdir-enum
• http-vmware-path-vuln
• iax2-version
• imap-capabilities
• ipidseq
• irc-info
• irc-unrealircd-backdoor
• jdwp-version
• ldap-brute
• ldap-rootdse
• ldap-search
• lexmark-config
• mongodb-databases
• mongodb-info
• ms-sql-brute
• ms-sql-config
• ms-sql-empty-password
• ms-sql-hasdbaccess
• ms-sql-info
• ms-sql-query
• ms-sql-tables
• ms-sql-xp-cmdshell
• mysql-brute
• mysql-databases
• mysql-empty-password
• mysql-info
• mysql-users
• mysql-variables
• nbstat
• nfs-ls
• nfs-showmount
• nfs-statfs
• ntp-info
• ntp-monlist
• oracle-sid-brute
• p2p-conficker
• pgsql-brute
• pjl-ready-message
• pop3-brute
• pop3-capabilities
• pptp-version
• qscan
• realvnc-auth-bypass
• robots.txt
• rpcinfo
• skypev2-version
• smb-brute
• smb-check-vulns
• smb-enum-domains
• smb-enum-groups
• smb-enum-processes
• smb-enum-sessions
• smb-enum-shares
• smb-enum-users
• smb-os-discovery
• smb-psexec
• smb-security-mode
• smb-server-stats
• smb-system-info
• smbv2-enabled
• smtp-commands
• smtp-enum-users
• smtp-open-relay
• smtp-strangeport
• sniffer-detect
• snmp-brute
• snmp-interfaces
• snmp-netstat
• snmp-processes
• snmp-sysdescr
• snmp-win32-services
• snmp-win32-shares
• snmp-win32-software
• snmp-win32-users
• socks-open-proxy
• sql-injection
• ssh-hostkey
• sshv1
• ssl-cert
• ssl-enum-ciphers
• sslv2
• telnet-brute
• upnp-info
• vnc-brute
• vnc-info
• wdb-version
• whois
• x11-access

Libraries (show 47)(47)Libraries (47)

• afp
• asn1
• base64
• bin
• bit
• brute
• citrixxml
• comm
• datafiles
• dns
• drda
• http
• imap
• ipOps
• json
• ldap
• listop
• match
• mongodb
• msrpc
• msrpcperformance
• msrpctypes
• mssql
• mysql
• netbios
• nmap
• nsedebug
• openssl
• packet
• pcre
• pgsql
• pop3
• proxy
• rpc
• shortport
• smb
• smbauth
• snmp
• ssh1
• ssh2
• stdnse
• strbuf
• strict
• tab
• unpwdb
• url
• vnc

Library comm

Common communication functions for network discovery tasks like banner grabbing and data exchange.

The functions in this module return values appropriate for use with exception handling via nmap.new_try.

These functions may be passed a table of options, but it's not required. The keys for the options table are "bytes", "lines", "proto", and "timeout". "bytes" sets a minimum number of bytes to read. "lines" does the same for lines. "proto" sets the protocol to communicate with, defaulting to "tcp" if not provided. "timeout" sets the socket timeout (see the socket function set_timeout for details).

If both "bytes" and "lines" are provided, "lines" takes precedence. If neither are given, the functions read as many bytes as possible.

Author:

Kris Katterjohn 04/2008

Copyright© Same as Nmap--See http://nmap.org/book/man-legal.html

Source: http://nmap.org/svn/nselib/comm.lua

Functions

bestoption (port)	This function returns best protocol order for trying to open a conenction based on port and service information
exchange (host, port, data, opts)	This function connects to the specified port number on the specified host, sends data, then waits for and returns the response, if any.
get_banner (host, port, opts)	This function simply connects to the specified port number on the specified host and returns any data received.
is_ssl (port_number)	This function just checks if the provided port number is on a list of ports that usually provide services with ssl
opencon (host, port, protocol, data, opts)	This function opens a connection, sends the first data payload and check if a response is correctly received (what means that the protocol used is fine)
tryssl (host, port, data, opts)	This function tries to open a connection based on the best option about which is the correct protocol

Functions

bestoption (port)

This function returns best protocol order for trying to open a conenction based on port and service information

The first value is the best option, the second is the worst

Parameters

• port: The port table

Return values:

1. Best option ("tcp" or "ssl")
2. Worst option ("tcp" or "ssl")

exchange (host, port, data, opts)

This function connects to the specified port number on the specified host, sends data, then waits for and returns the response, if any.

The first return value is true to signal success or false to signal failure. On success the second return value is the response from the remote host. On failure the second return value is an error message.

Parameters

• host: The host to connect to.
• port: The port on the host.
• data: The data to send initially.
• opts: The options. See the module description.

Return values:

1. Status (true or false).
2. Data (if status is true) or error string (if status is false).

get_banner (host, port, opts)

This function simply connects to the specified port number on the specified host and returns any data received.

The first return value is true to signal success or false to signal failure. On success the second return value is the response from the remote host. On failure the second return value is an error message.

Parameters

• host: The host to connect to.
• port: The port on the host.
• opts: The options. See the module description.

Return values:

1. Status (true or false).
2. Data (if status is true) or error string (if status is false).

is_ssl (port_number)

This function just checks if the provided port number is on a list of ports that usually provide services with ssl

Parameters

• port_number: The number of the port to check

Return value:

bool True if port is usually ssl, otherwise false

opencon (host, port, protocol, data, opts)

This function opens a connection, sends the first data payload and check if a response is correctly received (what means that the protocol used is fine)

Possible options: timeout: generic timeout value connect_timeout: especific timeout for connection request_timeout: especific timeout for requests recv_before: receive data before sending first payload

Default timeout is set to 8000.

Parameters

• host: The destination host IP
• port: The destination host port
• protocol: The protocol for the connection
• data: The first data payload of the connection
• opts:

Return values:

1. sd The socket descriptor, nil if no connection is estabilished
2. response The response received for the payload
3. early_resp If opt recv_before is true, returns the value of the first receive (before sending data)

tryssl (host, port, data, opts)

This function tries to open a connection based on the best option about which is the correct protocol

If the best option fails, the function tries the other option

This function allows writing nse scripts in a way that the API will take care of ssl issues, making failure detection transparent to the programmer

Parameters

• host: The host table
• port: The port table
• data: The first data payload of the connection
• opts: Options, such as timeout

Return values:

1. sd The socket descriptor
2. response The response received for the payload
3. correctOpt Correct option for connection guess
4. earlyResp If opt recv_before is true, returns the value of the first receive (before sending data)