NSEDoc

• Index
• NSE Documentation

Categories

• auth
• broadcast
• brute
• default
• discovery
• dos
• exploit
• external
• fuzzer
• intrusive
• malware
• safe
• version
• vuln

Scripts (show 437)(437)Scripts (437)

• acarsd-info
• address-info
• afp-brute
• afp-ls
• afp-path-vuln
• afp-serverinfo
• afp-showmount
• ajp-auth
• ajp-brute
• ajp-headers
• ajp-methods
• ajp-request
• amqp-info
• asn-query
• auth-owners
• auth-spoof
• backorifice-brute
• backorifice-info
• banner
• bitcoin-getaddr
• bitcoin-info
• bitcoinrpc-info
• bittorrent-discovery
• bjnp-discover
• broadcast-ataoe-discover
• broadcast-avahi-dos
• broadcast-bjnp-discover
• broadcast-db2-discover
• broadcast-dhcp-discover
• broadcast-dhcp6-discover
• broadcast-dns-service-discovery
• broadcast-dropbox-listener
• broadcast-eigrp-discovery
• broadcast-igmp-discovery
• broadcast-listener
• broadcast-ms-sql-discover
• broadcast-netbios-master-browser
• broadcast-networker-discover
• broadcast-novell-locate
• broadcast-pc-anywhere
• broadcast-pc-duo
• broadcast-pim-discovery
• broadcast-ping
• broadcast-pppoe-discover
• broadcast-rip-discover
• broadcast-ripng-discover
• broadcast-sybase-asa-discover
• broadcast-tellstick-discover
• broadcast-upnp-info
• broadcast-versant-locate
• broadcast-wake-on-lan
• broadcast-wpad-discover
• broadcast-wsdd-discover
• broadcast-xdmcp-discover
• cassandra-brute
• cassandra-info
• cccam-version
• citrix-brute-xml
• citrix-enum-apps
• citrix-enum-apps-xml
• citrix-enum-servers
• citrix-enum-servers-xml
• couchdb-databases
• couchdb-stats
• creds-summary
• cups-info
• cups-queue-info
• cvs-brute
• cvs-brute-repository
• daap-get-library
• daytime
• db2-das-info
• db2-discover
• dhcp-discover
• dict-info
• distcc-cve2004-2687
• dns-blacklist
• dns-brute
• dns-cache-snoop
• dns-check-zone
• dns-client-subnet-scan
• dns-fuzz
• dns-ip6-arpa-scan
• dns-nsec-enum
• dns-nsec3-enum
• dns-nsid
• dns-random-srcport
• dns-random-txid
• dns-recursion
• dns-service-discovery
• dns-srv-enum
• dns-update
• dns-zeustracker
• dns-zone-transfer
• domcon-brute
• domcon-cmd
• domino-enum-users
• dpap-brute
• drda-brute
• drda-info
• duplicates
• eap-info
• epmd-info
• eppc-enum-processes
• finger
• firewalk
• firewall-bypass
• flume-master-info
• ftp-anon
• ftp-bounce
• ftp-brute
• ftp-libopie
• ftp-proftpd-backdoor
• ftp-vsftpd-backdoor
• ftp-vuln-cve2010-4221
• ganglia-info
• giop-info
• gkrellm-info
• gopher-ls
• gpsd-info
• hadoop-datanode-info
• hadoop-jobtracker-info
• hadoop-namenode-info
• hadoop-secondary-namenode-info
• hadoop-tasktracker-info
• hbase-master-info
• hbase-region-info
• hddtemp-info
• hostmap-bfk
• hostmap-robtex
• http-affiliate-id
• http-apache-negotiation
• http-auth
• http-auth-finder
• http-awstatstotals-exec
• http-axis2-dir-traversal
• http-backup-finder
• http-barracuda-dir-traversal
• http-brute
• http-cakephp-version
• http-chrono
• http-config-backup
• http-cors
• http-date
• http-default-accounts
• http-domino-enum-passwords
• http-drupal-enum-users
• http-drupal-modules
• http-email-harvest
• http-enum
• http-exif-spider
• http-favicon
• http-form-brute
• http-form-fuzzer
• http-frontpage-login
• http-generator
• http-git
• http-gitweb-projects-enum
• http-google-malware
• http-grep
• http-headers
• http-huawei-hg5xx-vuln
• http-icloud-findmyiphone
• http-icloud-sendmsg
• http-iis-webdav-vuln
• http-joomla-brute
• http-litespeed-sourcecode-download
• http-majordomo2-dir-traversal
• http-malware-host
• http-method-tamper
• http-methods
• http-open-proxy
• http-open-redirect
• http-passwd
• http-php-version
• http-phpself-xss
• http-proxy-brute
• http-put
• http-qnap-nas-info
• http-rfi-spider
• http-robots.txt
• http-robtex-reverse-ip
• http-robtex-shared-ns
• http-sitemap-generator
• http-slowloris
• http-slowloris-check
• http-sql-injection
• http-title
• http-tplink-dir-traversal
• http-trace
• http-traceroute
• http-unsafe-output-escaping
• http-userdir-enum
• http-vhosts
• http-virustotal
• http-vlcstreamer-ls
• http-vmware-path-vuln
• http-vuln-cve2009-3960
• http-vuln-cve2010-0738
• http-vuln-cve2010-2861
• http-vuln-cve2011-3192
• http-vuln-cve2011-3368
• http-vuln-cve2012-1823
• http-waf-detect
• http-waf-fingerprint
• http-wordpress-brute
• http-wordpress-enum
• http-wordpress-plugins
• iax2-brute
• iax2-version
• icap-info
• ike-version
• imap-brute
• imap-capabilities
• informix-brute
• informix-query
• informix-tables
• ip-forwarding
• ip-geolocation-geobytes
• ip-geolocation-geoplugin
• ip-geolocation-ipinfodb
• ip-geolocation-maxmind
• ipidseq
• ipv6-node-info
• ipv6-ra-flood
• irc-botnet-channels
• irc-brute
• irc-info
• irc-sasl-brute
• irc-unrealircd-backdoor
• iscsi-brute
• iscsi-info
• isns-info
• jdwp-exec
• jdwp-info
• jdwp-inject
• jdwp-version
• krb5-enum-users
• ldap-brute
• ldap-novell-getpass
• ldap-rootdse
• ldap-search
• lexmark-config
• llmnr-resolve
• lltd-discovery
• maxdb-info
• mcafee-epo-agent
• membase-brute
• membase-http-info
• memcached-info
• metasploit-info
• metasploit-msgrpc-brute
• metasploit-xmlrpc-brute
• mmouse-brute
• mmouse-exec
• modbus-discover
• mongodb-brute
• mongodb-databases
• mongodb-info
• mrinfo
• ms-sql-brute
• ms-sql-config
• ms-sql-dac
• ms-sql-dump-hashes
• ms-sql-empty-password
• ms-sql-hasdbaccess
• ms-sql-info
• ms-sql-query
• ms-sql-tables
• ms-sql-xp-cmdshell
• msrpc-enum
• mtrace
• murmur-version
• mysql-audit
• mysql-brute
• mysql-databases
• mysql-dump-hashes
• mysql-empty-password
• mysql-enum
• mysql-info
• mysql-query
• mysql-users
• mysql-variables
• mysql-vuln-cve2012-2122
• nat-pmp-info
• nat-pmp-mapport
• nbstat
• ncp-enum-users
• ncp-serverinfo
• ndmp-fs-info
• ndmp-version
• nessus-brute
• nessus-xmlrpc-brute
• netbus-auth-bypass
• netbus-brute
• netbus-info
• netbus-version
• nexpose-brute
• nfs-ls
• nfs-showmount
• nfs-statfs
• nping-brute
• nrpe-enum
• ntp-info
• ntp-monlist
• omp2-brute
• omp2-enum-targets
• openlookup-info
• openvas-otp-brute
• oracle-brute
• oracle-brute-stealth
• oracle-enum-users
• oracle-sid-brute
• ovs-agent-version
• p2p-conficker
• path-mtu
• pcanywhere-brute
• pgsql-brute
• pjl-ready-message
• pop3-brute
• pop3-capabilities
• pptp-version
• qscan
• quake3-info
• quake3-master-getservers
• rdp-enum-encryption
• rdp-vuln-ms12-020
• realvnc-auth-bypass
• redis-brute
• redis-info
• resolveall
• reverse-index
• rexec-brute
• riak-http-info
• rlogin-brute
• rmi-dumpregistry
• rmi-vuln-classloader
• rpc-grind
• rpcap-brute
• rpcap-info
• rpcinfo
• rsync-brute
• rsync-list-modules
• rtsp-methods
• rtsp-url-brute
• samba-vuln-cve-2012-1182
• servicetags
• sip-brute
• sip-call-spoof
• sip-enum-users
• sip-methods
• skypev2-version
• smb-brute
• smb-check-vulns
• smb-enum-domains
• smb-enum-groups
• smb-enum-processes
• smb-enum-sessions
• smb-enum-shares
• smb-enum-users
• smb-flood
• smb-ls
• smb-mbenum
• smb-os-discovery
• smb-print-text
• smb-psexec
• smb-security-mode
• smb-server-stats
• smb-system-info
• smb-vuln-ms10-054
• smb-vuln-ms10-061
• smbv2-enabled
• smtp-brute
• smtp-commands
• smtp-enum-users
• smtp-open-relay
• smtp-strangeport
• smtp-vuln-cve2010-4344
• smtp-vuln-cve2011-1720
• smtp-vuln-cve2011-1764
• sniffer-detect
• snmp-brute
• snmp-hh3c-logins
• snmp-interfaces
• snmp-ios-config
• snmp-netstat
• snmp-processes
• snmp-sysdescr
• snmp-win32-services
• snmp-win32-shares
• snmp-win32-software
• snmp-win32-users
• socks-auth-info
• socks-brute
• socks-open-proxy
• ssh-hostkey
• ssh2-enum-algos
• sshv1
• ssl-cert
• ssl-date
• ssl-enum-ciphers
• ssl-google-cert-catalog
• ssl-known-key
• sslv2
• stun-info
• stun-version
• stuxnet-detect
• svn-brute
• targets-asn
• targets-ipv6-multicast-echo
• targets-ipv6-multicast-invalid-dst
• targets-ipv6-multicast-mld
• targets-ipv6-multicast-slaac
• targets-sniffer
• targets-traceroute
• telnet-brute
• telnet-encryption
• tftp-enum
• tls-nextprotoneg
• traceroute-geolocation
• unusual-port
• upnp-info
• url-snarf
• ventrilo-info
• versant-info
• vmauthd-brute
• vnc-brute
• vnc-info
• voldemort-info
• vuze-dht-info
• wdb-version
• whois
• wsdd-discover
• x11-access
• xdmcp-discover
• xmpp-brute
• xmpp-info

Libraries (show 106)(106)Libraries (106)

• afp
• ajp
• amqp
• asn1
• base32
• base64
• bin
• bit
• bitcoin
• bittorrent
• bjnp
• brute
• cassandra
• citrixxml
• comm
• creds
• cvs
• datafiles
• dhcp
• dhcp6
• dns
• dnsbl
• dnssd
• drda
• eap
• eigrp
• ftp
• giop
• gps
• http
• httpspider
• iax2
• ike
• imap
• informix
• ipOps
• ipp
• iscsi
• isns
• jdwp
• json
• ldap
• lfs
• listop
• match
• membase
• mobileme
• mongodb
• msrpc
• msrpcperformance
• msrpctypes
• mssql
• mysql
• natpmp
• ncp
• ndmp
• netbios
• nmap
• nrpc
• nsedebug
• omp2
• openssl
• ospf
• packet
• pcre
• pgsql
• pop3
• pppoe
• proxy
• rdp
• redis
• rmi
• rpc
• rpcap
• rsync
• rtsp
• sasl
• shortport
• sip
• smb
• smbauth
• smtp
• snmp
• socks
• srvloc
• ssh1
• ssh2
• sslcert
• stdnse
• strbuf
• strict
• stun
• tab
• target
• tftp
• tns
• unpwdb
• upnp
• url
• versant
• vnc
• vulns
• vuzedht
• wsdd
• xdmcp
• xmpp

File domino-enum-users

Script types: portrule
Categories: intrusive, auth
Download: http://nmap.org/svn/scripts/domino-enum-users.nse

User Summary

Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability.

Script Arguments

domino-id.path

the location to which any retrieved ID files are stored

domino-id.username

the name of the user from which to retrieve the ID. If this parameter is not specified, the unpwdb library will be used to brute force names of users.

For more information see: http://www-01.ibm.com/support/docview.wss?rs=463&uid=swg21248026

Credits ------- o Ollie Whitehouse for bringing this to my attention back in the days when it was first discovered and for the c-code on which this is based.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

Example Usage

nmap --script domino-enum-users -p 1352 <host>

Script Output

PORT     STATE SERVICE REASON
1352/tcp open  lotusnotes
| domino-enum-users:
|   User "Patrik Karlsson" found, but not ID file could be downloaded
|   Succesfully stored "FFlintstone" in /tmp/FFlintstone.id
|_  Succesfully stored "MJacksson" in /tmp/MJacksson.id

Requires

• io
• nrpc
• shortport
• stdnse
• table
• unpwdb

---

Author: Patrik Karlsson

License: Same as Nmap--See http://nmap.org/book/man-legal.html