
NSE Scripts

This is a list of the scripts packaged with Nmap as of this writing. This documentation comes straight from the source code of the scripts thanks to the NSEDoc documentation system, described in the section called “Script Documentation Writing”. For the latest documentation see the online NSE documentation portal at http://nmap.org/nsedoc/.

ASN.nse (AS Numbers)

Categories: discovery, external.

Maps IP addresses to autonomous system (AS) numbers.

The script works by sending DNS TXT queries to a DNS server which in turn queries a third-party service provided by Team Cymru (team-cymru.org) using an in-addr.arpa style zone set up especially for use by Nmap.

The responses to these queries contain both Origin and Peer ASNs and their descriptions, displayed along with the BGP prefix and country code.

The script caches results to reduce the number of queries and should perform a single query for all scanned targets in a BGP prefix present in Team Cymru's database.

Be aware that any targets against which this script is run will be sent to and potentially recorded by one or more DNS servers and Team Cymru. In addition, your IP address will be sent along with the ASN to a DNS server (your default DNS server, or whichever you specified with the dns script argument).

Script Arguments
dns

The address of a recursive nameserver to use (optional).

Usage
nmap --script ASN.nse [--script-args dns=<DNS server>] <target>
Sample Output
Host script results:
|  AS Numbers:
|  BGP: 64.13.128.0/21 | Country: US
|    Origin AS: 10565 SVCOLO-AS - Silicon Valley Colocation, Inc.
|      Peer AS: 3561 6461
|  BGP: 64.13.128.0/18 | Country: US
|    Origin AS: 10565 SVCOLO-AS - Silicon Valley Colocation, Inc.
|_     Peer AS: 174 2914 6461
HTTPAuth.nse (HTTP Auth)

Categories: default, auth, intrusive.

Gets the authentication scheme and realm of a web service that requires authentication.

Sample Output
|  HTTP Auth: HTTP Service requires authentication
|_   Auth type: Basic, realm = DSL Router
HTTP_open_proxy.nse (Open Proxy Test)

Categories: default, discovery, external, intrusive.

Checks if an HTTP proxy is open.

The script attempts to connect to www.google.com through the proxy and checks for a Server: gws header field in the response.

If the target is an open proxy, this script will cause the target to retrieve a web page from www.google.com.

HTTPpasswd.nse (HTTP directory traversal passwd probe)

Categories: intrusive, vuln.

Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd.

HTTPtrace.nse (HTTP TRACE)

Categories: discovery.

Sends an HTTP TRACE request and shows header fields that were modified in the response.

Sample Output
80/tcp open  http
|  HTTP TRACE: Response differs from request.  First 5 additional lines:
|  Cookie: UID=d4287aa38d02f409841b4e0c0050c13148a85d01c0c0a154d4ef56dfc2b4fc1b0
|  Country: us
|  Ip_is_advertise_combined: yes
|  Ip_conntype-Confidence: -1
|_ Ip_line_speed: medium
MSSQLm.nse (MS SQL)

Categories: default, discovery, intrusive.

Attempts to extract information from Microsoft SQL Server.

MySQLinfo.nse (MySQL Server Information)

Categories: default, discovery, safe.

Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.

If service detection is performed and the server appears to be blocking our host, or to be blocked because of too many connections, then we don't bother running this script (see the portrule).

Sample Output
3306/tcp open  mysql
|  MySQL Server Information: Protocol: 10
|  Version: 5.0.51a-3ubuntu5.1
|  Thread ID: 7
|  Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection
|  Status: Autocommit
|_ Salt: bYyt\NQ/4V6IN+*3`imj
PPTPversion.nse (PPTP)

Categories: version.

Attempts to extract system information from the PPTP service.

RealVNC_auth_bypass.nse (RealVNC Authentication Bypass)

Categories: default, vuln.

Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).

SMTP_openrelay_test.nse (Open Relay SMTP)

Categories: demo.

Checks if an SMTP server is an open relay.

SMTPcommands.nse (SMTPcommands)

Categories: default, discovery, safe.

Attempts to use EHLO and HELP to gather the Extended commands supported by an SMTP server.

Sample Output
25/tcp	open	smtp
|  SMTPcommands: EHLO uninvited.example.net Hello root at localhost [127.0.0.1], SIZE 52428800, PIPELINING, 250 HELP
|_ HELP Commands supported:, , AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
SNMPcommunitybrute.nse (SNMPv1-communitybrute)

Categories: intrusive, auth.

Attempts to find an SNMP community string by brute force.

SNMPsysdescr.nse (SNMPv1)

Categories: default, discovery, safe.

Attempts to extract system information from an SNMP version 1 service.

Sample Output
|  SNMPv1: HP ETHERNET MULTI-ENVIRONMENT,ROM A.25.80,JETDIRECT,JD117,EEPROM V.28.22,CIDATE 08/09/2006
|_   System uptime: 28 days, 17:18:59 (248153900 timeticks)
SQLInject.nse (sql-inject)

Categories: intrusive, vuln.

Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack.

The script spiders an HTTP server looking for URLs containing queries. It then combines crafted SQL commands with susceptible URLs in order to provoke errors. The errors are analysed to see if the URL is vulnerable to attack. This uses the most basic form of SQL injection; anything more complicated is better suited to a standalone tool. Both meta and HTTP redirects are supported.

It is not advisable to run this against unknown hosts.

We may not have access to the server's true hostname. This means we cannot access virtually hosted sites and cannot follow absolute links when the hostname is different from the resolved IP address.

SSH-hostkey.nse (SSH Hostkey)

Categories: safe, default, intrusive.

Shows SSH hostkeys.

Shows fingerprint or fingerprint and key depending on verbosity level. Puts the found hostkeys in nmap.registry for other scripts to use them. You can control the output with the ssh_hostkey script argument.

Script Arguments
ssh_hostkey

Controls the output format of keys. Multiple values may be given, separated by spaces. Possible values are:

  • "full": the entire key, not just the fingerprint.
  • "bubble": Bubble Babble output.
  • "visual": visual ASCII art representation.
  • "all": all of the above.

Usage
nmap host --script SSH-hostkey --script-args ssh_hostkey=full
nmap host --script SSH-hostkey --script-args ssh_hostkey=all
nmap host --script SSH-hostkey --script-args ssh_hostkey='visual bubble'
Sample Output
22/tcp open  ssh
|  SSH Hostkey: 2048 f0:58:ce:f4:aa:a4:59:1c:8e:dd:4d:07:44:c8:25:11 (RSA)
22/tcp open  ssh
|  SSH Hostkey: 2048 f0:58:ce:f4:aa:a4:59:1c:8e:dd:4d:07:44:c8:25:11 (RSA)
|  +--[ RSA 2048]----+
|  |       .E*+      |
|  |        oo       |
|  |      . o .      |
|  |       O . .     |
|  |      o S o .    |
|  |     = o + .     |
|  |    . * o .      |
|  |     = .         |
|  |    o .          |
|_ +-----------------+
22/tcp open  ssh
|  SSH Hostkey: 2048 xuvah-degyp-nabus-zegah-hebur-nopig-bubig-difeg-hisym-rumef-cuxex (RSA)
|_ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwVuv2gcr0maaKQ69VVIEv2ob4OxnuI64fkeOnCXD1lUx5tTA+vefXUWEMxgMuA7iX4irJHy2zer0NQ3Z3yJvr5scPgTYIaEOp5Uo/eGFG9Agpk5wE8CoF0e47iCAPHqzlmP2V7aNURLMODb3jVZuI07A2ZRrMGrD8d888E2ORVORv1rYeTYCqcMMoVFmX9l3gWEdk4yx3w5sD8v501Iuyd1v19mPfyhrI5E1E1nl/Xjp5N0/xP2GUBrdkDMxKaxqTPMie/f0dXBUPQQN697a5q+5lBRPhKYOtn6yQKCd9s1Q22nxn72Jmi1RzbMyYJ52FosDT755Qmb46GLrDMaZMQ==
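The "visual" form in the sample above is OpenSSH's randomart: a walk over a 17x9 grid driven by the bits of the fingerprint, so the same key always produces the same picture and a glance is enough to notice that a scanner's fingerprint and a client's do not agree. The following Python is an added example, not code from Nmap or from the SSH-hostkey script; it renders that picture from the MD5 fingerprint shown in the sample output. Function names are my own, and the empty-blob fingerprint is only a constructed check of the helper.

```python
import hashlib

# Symbol set and grid size from OpenSSH's randomart; the last two symbols mark
# where the walk starts (S) and ends (E).
ATOMS = " .o+=*BOX@%&#/^SE"
WIDTH, HEIGHT = 17, 9


def md5_fingerprint(key_blob: bytes) -> str:
    """Colon-separated MD5 fingerprint of a raw public-key blob (the decoded
    base64 part of an OpenSSH public key line)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(key_blob).digest())


def randomart(fingerprint: str, key_type: str = "RSA", bits: int = 2048) -> list:
    """Render the randomart ("drunken bishop") picture for a hex fingerprint.

    Every byte yields four moves, least-significant bit pair first: bit 0
    picks right (1) or left (0), bit 1 picks down (1) or up (0).  The walk
    starts in the centre, is clamped at the edges, and each cell counts how
    often it was visited; that count selects the symbol drawn in the cell.
    """
    data = bytes.fromhex(fingerprint.replace(":", ""))
    field = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2
    for byte in data:
        for _ in range(4):
            x += 1 if byte & 0x1 else -1
            y += 1 if byte & 0x2 else -1
            x = min(max(x, 0), WIDTH - 1)
            y = min(max(y, 0), HEIGHT - 1)
            if field[y][x] < len(ATOMS) - 3:   # never count past '^'
                field[y][x] += 1
            byte >>= 2
    field[HEIGHT // 2][WIDTH // 2] = len(ATOMS) - 2   # start marker 'S'
    field[y][x] = len(ATOMS) - 1                      # end marker 'E'

    header = f"+--[{key_type:>4} {bits:>4}]".ljust(WIDTH + 1, "-") + "+"
    rows = ["|" + "".join(ATOMS[c] for c in row) + "|" for row in field]
    return [header] + rows + ["+" + "-" * WIDTH + "+"]


if __name__ == "__main__":
    # Fingerprint taken from the sample output above.
    sample = "f0:58:ce:f4:aa:a4:59:1c:8e:dd:4d:07:44:c8:25:11"
    print("\n".join(randomart(sample)))
```

Run as-is, the script reproduces the art shown in the second sample block above line for line; feed it a fingerprint recorded on the host itself and compare by eye.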
SSHv1-support.nse (SSH Protocol Version 1)

Categories: default, safe.

Checks if an SSH server supports SSH Protocol Version 1.

SSLv2-support.nse (SSLv2)

Categories: default, safe.

Determines whether the server (still) supports SSL-v2, and what ciphers it offers.

Sample Output
443/tcp open   https   syn-ack
|  SSLv2: server still supports SSLv2
|       SSL2_RC4_128_WITH_MD5
|       SSL2_DES_192_EDE3_CBC_WITH_MD5
|       SSL2_RC2_CBC_128_CBC_WITH_MD5
|       SSL2_DES_64_CBC_WITH_MD5
|       SSL2_RC4_128_EXPORT40_WITH_MD5
|_      SSL2_RC2_CBC_128_CBC_WITH_MD5
UPnP-info.nse (UPnP)

Categories: default, safe.

Attempts to extract system information from the UPnP service.

Sample Output
|  UPnP:  System/1.0 UPnP/1.0 IGD/1.0
|_ Location: http://192.168.1.1:80/UPnP/IGD.xml
anonFTP.nse (Anonymous FTP)

Categories: default, auth, intrusive.

Checks if an FTP server allows anonymous logins.

Sample Output
|_ Anonymous FTP: Anonymous login allowed
brutePOP3.nse (POP3 brute force)

Categories: intrusive, auth.

Tries to log into a POP3 account by guessing usernames and passwords.

bruteTelnet.nse (bruteforce)

Categories: auth, intrusive.

Tries to get Telnet login credentials by guessing usernames and passwords.

daytimeTest.nse (Daytime)

Categories: discovery.

Retrieves the day and time from the UDP Daytime service.

dns-safe-recursion-port.nse (DNS source port randomness)

Categories: external, intrusive.

Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (CVE-2008-1447).

The script works by querying porttest.dns-oarc.net. Be aware that any targets against which this script is run will be sent to and potentially recorded by one or more DNS servers and the porttest server. In addition, your IP address will be sent along with the porttest query to the DNS server running on the target.

dns-safe-recursion-txid.nse (DNS TXID randomness)

Categories: external, intrusive.

Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (CVE-2008-1447).

The script works by querying txidtest.dns-oarc.net. Be aware that any targets against which this script is run will be sent to and potentially recorded by one or more DNS servers and the txidtest server. In addition, your IP address will be sent along with the txidtest query to the DNS server running on the target.

dns-test-open-recursion.nse (Nameserver open recursive queries)

Categories: default, intrusive.

Checks if a DNS server allows queries for third-party names.

It is expected that recursion will be enabled on your own internal nameservers.

finger.nse (Finger Results)

Categories: default, discovery.

Attempts to get a list of usernames via the finger service.

ftpbounce.nse (FTP bounce check)

Categories: default, intrusive.

Checks to see if an FTP server allows port scanning using the FTP bounce method.

iax2Detect.nse (IAX2 Service Detection)

Categories: version.

Detects the UDP IAX2 service.

The script sends an IAX Control Frame POKE request and checks for a proper response.

ircServerInfo.nse (IRC Server Info)

Categories: default, discovery.

Gathers information from an IRC server.

It uses STATS, LUSERS, and other queries to obtain this information.

Sample Output
6665/tcp open     irc
|  IRC Server Info: Server: foo.bar.net
|  Version: hyperion-1.0.2b(381). foo.bar.net 
|  Lservers/Lusers: 0/4204
|  Uptime: 106 days, 2:46:30
|  Source host: bar.foo.net
|_ Source ident: OK n=nmap
ircZombieTest.nse (IRC zombie)

Categories: malware.

Checks for an IRC zombie.

If port 113 responds before we ask it then something is fishy. Usually this means that the host is an IRC zombie.

nbstat.nse (NBSTAT)

Categories: default, discovery, safe.

Attempts to get the target's NetBIOS names and MAC address.

By default, the script displays the name of the computer and the logged-in user; if the verbosity is turned up, it displays all names the system thinks it owns.

For more information on the NetBIOS protocol, see 'nselib/netbios.lua'.

Usage
sudo nmap -sU --script nbstat.nse -p137 <host>
Sample Output
(no verbose)
|_ NBSTAT: NetBIOS name: TEST1, NetBIOS user: RON, NetBIOS MAC: 00:0c:29:f9:d9:28

(verbose)
|  NBSTAT: NetBIOS name: TEST1, NetBIOS user: RON, NetBIOS MAC: 00:0c:29:f9:d9:28
|  Name: TEST1<00>            Flags: <unique><active>
|  Name: TEST1<20>            Flags: <unique><active>
|  Name: WORKGROUP<00>        Flags: <group><active>
|  Name: TEST1<03>            Flags: <unique><active>
|  Name: WORKGROUP<1e>        Flags: <group><active>
|  Name: RON<03>              Flags: <unique><active>
|  Name: WORKGROUP<1d>        Flags: <unique><active>
|_ Name: \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
popcapa.nse (POP3 Capabilities)

Categories: default.

Retrieves POP3 server capabilities.

promiscuous.nse (Promiscuous detection)

Categories: discovery.

Checks if a target on a local Ethernet has its network card in promiscuous mode.

The technique is described at http://www.securityfriday.com/promiscuous_detection_01.pdf.

ripeQuery.nse (RIPE query)

Categories: discovery, external.

Connects to the RIPE database and displays the role: entry for the target's IP address.

This script uses an external database. Your IP address and the IP address of the target will be sent to whois.ripe.net.

robots.nse (robots.txt)

Categories: default, safe.

Checks for disallowed entries in robots.txt.

The higher the verbosity or debug level, the more disallowed entries are shown.

Sample Output
80/tcp  open   http    syn-ack
|  robots.txt: has 156 disallowed entries (40 shown)
|  /news?output=xhtml& /search /groups /images /catalogs
|  /catalogues /news /nwshp /news?btcid=*& /news?btaid=*&
|  /setnewsprefs? /index.html? /? /addurl/image? /pagead/ /relpage/
|  /relcontent /sorry/ /imgres /keyword/ /u/ /univ/ /cobrand /custom
|  /advanced_group_search /googlesite /preferences /setprefs /swr /url /default
|  /m? /m/? /m/lcb /m/news? /m/setnewsprefs? /m/search? /wml?
|_ /wml/? /wml/search?
rpcinfo.nse (rpcinfo)

Categories: default, safe, discovery.

Connects to portmapper and fetches a list of all registered programs.

Sample Output
111/tcp open  rpcbind
|  rpcinfo:
|  100000  2        111/udp  rpcbind
|  100005  1,2,3    705/udp  mountd
|  100003  2,3,4   2049/udp  nfs
|  100024  1      32769/udp  status
|  100021  1,3,4  32769/udp  nlockmgr
|  100000  2        111/tcp  rpcbind
|  100005  1,2,3    706/tcp  mountd
|  100003  2,3,4   2049/tcp  nfs
|  100024  1      50468/tcp  status
|_ 100021  1,3,4  50468/tcp  nlockmgr
showHTMLTitle.nse (HTML title)

Categories: default, safe.

Shows the title of the default page of a web server.

The script will follow no more than one HTTP redirect, and only if the redirection leads to the same host. The script may send a DNS query to determine if the host the redirect leads to has the same IP address as the original target.

Sample Output
80/tcp  open   http    syn-ack
|_ HTML title: Foo.
showOwner.nse (Service owner)

Categories: default, safe.

Attempts to find the owner of a scanned port.

The script makes a connection to the auth port (113) and queries the owner of an open port.

showSSHVersion.nse (Stealth SSH version)

Categories: demo.

Connects to an SSH server and retrieves the version banner.

This typically does not result in any logs of the connection being made.

Sample Output
22/tcp  open   ssh
|_ Stealth SSH version: SSH-2.0-OpenSSH_3.9p1
skype_v2-version.nse (Skype v2)

Categories: version.

Detects the Skype version 2 service.

smb-enumdomains.nse (MSRPC: List of domains)

Categories: discovery, intrusive.

Attempts to enumerate domains on a system, along with their policies. This will likely only work without credentials against Windows 2000.

After the initial bind() to SAMR, the sequence of calls is:
Connect4() -- get a connect_handle
EnumDomains() -- get a list of the domains (stop here if you just want the names)
QueryDomain() -- get the sid for the domain
OpenDomain() -- get a handle for each domain
QueryDomainInfo2() -- get the domain information

Usage
nmap --script smb-enumdomains.nse -p445 <host>
sudo nmap -sU -sS --script smb-enumdomains.nse -p U:137,T:139 <host>
Sample Output
Host script results:
|  MSRPC: List of domains:
|  Domain: TEST1
|   |_ SID: S-1-5-21-1060284298-842925246-839522115
|   |_ Users: Administrator, ASPNET, Guest, Ron, test
|   |_ Creation time: 2006-10-17 15:35:07
|   |_ Min password length: 0 characters
|   |_ Max password age: 10675199 days
|   |_ Min password age: 0 days
|   |_ Password history length: 0 passwords
|   |_ Lockout threshold: 0 login attempts
|   |_ Lockout duration: 60 minutes
|   |_ Lockout window: 60 minutes
|   |_ Password properties: 
|     |_  Password complexity requirements do not exist
|_    |_  Administrator account cannot be locked out
smb-enumshares.nse (MSRPC: NetShareEnumAll())

Categories: discovery, intrusive.

Attempts to list shares using the srvsvc.NetShareEnumAll() MSRPC function. This will likely only work anonymously against Windows 2000.

There isn't a whole lot to say about this one. The sequence of calls after the initial bind() is:
NetShareEnumAll()

Since NetShareEnumAll() only works anonymously, if it fails this will check a handful of common shares.

Once it has a list of shares, whether it was pulled over MSRPC or guessed, we attempt to connect to each of them with a standard smb tree_connect request over a null session. We record which ones succeeded and failed (that is, which shares allowed for anonymous access).

Usage
nmap --script smb-enumshares.nse -p445 <host>
sudo nmap -sU -sS --script smb-enumshares.nse -p U:137,T:139 <host>
smb-enumusers.nse (MSRPC: List of user accounts)

Categories: discovery, intrusive.

Attempts to enumerate the users on a remote Windows system, with as much information as possible, through a variety of techniques (over SMB + MSRPC, which uses port 445 or 139).

Will first attempt to call the QueryDisplayInfo() MSRPC function. If NULL sessions are enabled, this will succeed and pull back a detailed list of users. Unfortunately, this likely won't succeed unless we're scanning Windows 2000. When this test is performed, the following MSRPC functions are called:
Bind() -- bind to the SAMR service
Connect4() -- get a connect_handle
EnumDomains() -- get a list of the domains
QueryDomain() -- get the sid for the domain
OpenDomain() -- get a handle for each domain
QueryDisplayInfo() -- get the list of users in the domain
Close() -- Close the domain handle
Close() -- Close the connect handle

Credit goes out to the enum.exe program; the code I wrote for this is largely due to packet logs I took of its operations.

Regardless of whether or not this succeeds, a second technique is used to pull user accounts. This one is apparently successful against more machines, although I haven't found a machine that this only works against. However, I did find that this will turn up more users for certain systems (although I haven't figured out why).

Each user on a Windows system has an RID. The RID of 500 is the Administrator account (even if it's renamed), 501 is the Guest account, and 1000+ are the user accounts. This technique, which was originally used in the sid2user/user2sid programs, will attempt to convert common RID numbers to names to discover users.

First, the SID of the server has to be determined. This is done by looking up any name present on the server using a technique like user2sid. For this code, we try and convert as many names as we can find -- all we need is one valid name for this to succeed. In this code, I use:
- The computer name / domain name, returned in SMB_COM_NEGOTIATE
- An nbstat query to get the server name and the currently logged in user
- Some common names ("administrator", "guest", and "test")

In theory, the computer name should be sufficient for this to always work, and the rest of the names are in there for good measure.

Once that's completed, the RIDs 500 - 505 are requested, and any responses are displayed. Then, starting at 1000, we take small groups of RIDs which are requested. I break them into smaller groups because if too many are requested at once, we get a STATUS_BUFFER_OVERFLOW error. We try every RID up to 1100, then, as soon as we get an empty group (5 RIDs in a row without a result), we stop.

It might be a good idea to modify this, in the future, with some more intelligence. For example, have it run until it gets 5 groups in a row with no results instead of going up to 1100. I performed a test on an old server we have here with a lot of accounts, and I got these results: 500, 501, 1000, 1030, 1031, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063, 1064, 1065, 1066, 1067, 1070, 1075, 1081, 1088, 1090. The jump from 1000 to 1030 is quite large and can easily result in missing accounts.

The disadvantage of using the user2sid/sid2user technique is that less information is returned about the user.

The names and details from both of these techniques are merged and displayed. If the output is verbose, then as many details as possible are displayed, otherwise only the list of usernames are displayed. The names are ordered alphabetically.

Usage
nmap --script smb-enumusers.nse -p445 <host>
sudo nmap -sU -sS --script smb-enumusers.nse -p U:137,T:139 <host>
smb-os-discovery.nse (OS from SMB)

Categories: default, discovery, safe.

Attempts to determine the operating system over the SMB protocol (ports 445 and 139).

See nselib/smb.lua for more information on this protocol.

Usage
nmap --script smb-os-discovery.nse -p445 127.0.0.1
sudo nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 127.0.0.1
Sample Output
|  OS from SMB: Windows 2000
|  LAN Manager: Windows 2000 LAN Manager
|  Name: WORKGROUP\TEST1
|_ System time: 2008-09-09 20:55:55 UTC-5

smb-security-mode.nse (SMB Security)

Categories: discovery, safe.

Returns information about the SMB security level determined by SMB.

Here is how to interpret the output:

User-level security: Each user has a separate username/password that is used to log into the system. This is the default setup of pretty much everything these days.
Share-level security: The anonymous account should be used to log in, then the password is given (in plaintext) when a share is accessed. All users who have access to the share use this password. This was the original way of doing things, but isn't commonly seen now. If a server uses share-level security, it is vulnerable to sniffing.

Challenge/response passwords: If enabled, the server can accept any type of password:

  • Plaintext
  • LM and NTLM
  • LMv2 and NTLMv2

If it isn't set, the server can only accept plaintext passwords. Most servers are configured to use challenge/response these days. If a server is configured to accept plaintext passwords, it is vulnerable to sniffing.

Message signing: If required, all messages between the client and server must be signed with a shared key, derived from the password and the server challenge. If supported and not required, message signing is negotiated between clients and servers and used if both support and request it. By default, Windows clients don't sign messages, so if message signing isn't required by the server, messages probably won't be signed; additionally, if performing a man-in-the-middle attack, an attacker can negotiate no message signing. If message signing isn't required, the server is vulnerable to man-in-the-middle attacks.

See nselib/smb.lua for more information on the protocol itself.

Usage
nmap --script smb-security-mode.nse -p445 127.0.0.1
sudo nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139 127.0.0.1
Sample Output
|  SMB Security: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing supported
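Reading those three lines against the interpretation given above is easy for one host and error-prone for a few hundred, so here is an added Python example (not part of Nmap or of the smb-security-mode script) that parses the "SMB Security" lines and reports the risks the text describes. The first input copies the page's sample output; the second is a constructed weaker configuration, and the exact wording the script prints for those negative cases is an assumption. Note that the page's own sample, where signing is supported but not required, still yields the man-in-the-middle finding.

```python
import re

# Copied from the sample output above.
SAMPLE_OUTPUT = [
    "|  SMB Security: User-level authentication",
    "|  SMB Security: Challenge/response passwords supported",
    "|_ SMB Security: Message signing supported",
]

# Constructed weaker configuration; the wording is an assumption about how
# the script phrases the negative cases.
WEAK_OUTPUT = [
    "|  SMB Security: Share-level authentication",
    "|  SMB Security: Challenge/response passwords not supported",
    "|_ SMB Security: Message signing not supported",
]

LINE_RE = re.compile(r"^\|_?\s*SMB Security:\s*(?P<text>.+?)\s*$")


def parse_security_mode(lines):
    """Turn the script's 'SMB Security' lines into the three attributes the
    documentation explains: user-level vs share-level, challenge/response,
    and message signing (none / supported / required)."""
    mode = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        text = m.group("text").lower()
        if "authentication" in text:
            mode["user_level"] = text.startswith("user-level")
        elif "challenge/response" in text:
            mode["challenge_response"] = "not supported" not in text
        elif "message signing" in text:
            if "not supported" in text or "disabled" in text:
                mode["signing"] = "none"
            elif "required" in text and "not required" not in text:
                mode["signing"] = "required"
            else:
                mode["signing"] = "supported"   # negotiable, so not enforced
    return mode


def assess(mode):
    """Map the parsed mode to (code, explanation) findings, following the
    interpretation given in the script's documentation."""
    findings = []
    if not mode.get("user_level", True):
        findings.append(("share-level",
                         "share passwords travel in plaintext and can be sniffed"))
    if not mode.get("challenge_response", True):
        findings.append(("plaintext-passwords",
                         "only plaintext passwords are accepted; credentials can be sniffed"))
    if mode.get("signing", "none") != "required":
        findings.append(("signing-not-required",
                         "message signing is not required, so an active attacker can "
                         "negotiate it away (man-in-the-middle)"))
    return findings


if __name__ == "__main__":
    for name, lines in (("sample", SAMPLE_OUTPUT), ("weak", WEAK_OUTPUT)):
        print(name)
        for code, why in assess(parse_security_mode(lines)):
            print(f"  [{code}] {why}")
```

Only a host reporting "Message signing required" together with user-level, challenge/response authentication comes back with no findings; that is the configuration to aim for on the server side.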

strangeSMTPport.nse (Unexpected SMTP)

Categories: malware.

Checks if SMTP is running on a non-standard port.

This usually indicates crackers or script kiddies have set up a backdoor on the system to send spam or control your machine.

Sample Output
22/tcp  open   ssh
|_ Warning: smtp is running on a strange port.
whois.nse (Whois)

Categories: discovery, external, safe.

Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.

The fields displayed contain information about the assignment and the organisation responsible for managing the address space. When output verbosity is requested on the Nmap command line (-v) extra information about the assignment will be displayed.

To determine which of the RIRs to query for a given Target IP Address this script utilises Assignments Data hosted by IANA. The data is cached locally and then parsed for use as a lookup table. The locally cached files are refreshed periodically to help ensure the data is current. If, for any reason, these files are not available to the script then a default sequence of Whois services are queried in turn until: the desired record is found; or a referral to another (defined) Whois service is found; or until the sequence is exhausted without finding either a referral or the desired record.

The script will recognise a referral to another Whois service if that service is defined in the script and will continue by sending a query to the referred service. A record is assumed to be the desired one if it does not contain a referral.

To reduce the number of unnecessary queries sent to Whois services, a record cache is employed; the entries in the cache can be applied to any targets within the range of addresses represented in the record.

In certain circumstances, the ability to cache responses prevents the discovery of other, smaller IP address assignments applicable to the target because a cached response is accepted in preference to sending a Whois query. When it is important to ensure that the most accurate information about the IP address assignment is retrieved the script argument whodb should be used with a value of "nocache" (see script arguments). This reduces the range of addresses that may use a cached record to a size that helps ensure that smaller assignments will be discovered. This option should be used with caution due to the potential to send large numbers of whois queries and possibly be banned from using the services.

In using this script your IP address will be sent to iana.org. Additionally your address and the address of the target of the scan will be sent to one of the RIRs.
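To make the caching trade-off described above concrete, here is an added Python simulation; it is not the whois script's own code. A constructed stand-in for an RIR holds a large block with a smaller assignment nested inside it (the two ranges are borrowed from the sample outputs on this page, the record contents are made up), and a resolver reuses cached records the way the text describes. With the default behaviour the second target is answered from the cached large record and the smaller assignment is never seen; with nocache coarse cached records are ignored, at the cost of an extra query. The prefix length that counts as "too coarse" is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Record:
    network: ipaddress.IPv4Network
    netname: str


# Constructed stand-in for an RIR database: a large block and a smaller
# assignment nested inside it.  Ranges are taken from the sample outputs on
# this page; the record contents are made up.
SERVICE_DB = (
    Record(ipaddress.ip_network("64.13.128.0/18"), "LARGE-BLOCK (constructed)"),
    Record(ipaddress.ip_network("64.13.134.0/26"), "NET-64-13-143-0-26 (from sample)"),
)


def whois_query(ip: str):
    """Simulated Whois service: answer with the most specific record
    covering the target, or None when nothing matches."""
    target = ipaddress.ip_address(ip)
    hits = [r for r in SERVICE_DB if target in r.network]
    return max(hits, key=lambda r: r.network.prefixlen, default=None)


@dataclass
class WhoisResolver:
    nocache: bool = False          # models --script-args whodb=nocache
    cache: list = field(default_factory=list)
    queries_sent: int = 0
    # Assumption: with nocache, only records at least this specific are reused.
    MIN_CACHEABLE_PREFIXLEN = 24

    def lookup(self, ip: str):
        """Return (record, "cache" | "query") for one target address."""
        target = ipaddress.ip_address(ip)
        for rec in self.cache:
            if target not in rec.network:
                continue
            if self.nocache and rec.network.prefixlen < self.MIN_CACHEABLE_PREFIXLEN:
                continue   # too coarse to trust for this target; ask again
            return rec, "cache"
        rec = whois_query(ip)
        self.queries_sent += 1
        if rec is not None and rec not in self.cache:
            self.cache.append(rec)
        return rec, "query"


if __name__ == "__main__":
    for nocache in (False, True):
        resolver = WhoisResolver(nocache=nocache)
        for ip in ("64.13.129.1", "64.13.134.10"):
            rec, source = resolver.lookup(ip)
            print(f"nocache={nocache} {ip}: {rec.netname} via {source}")
        print(f"  queries sent: {resolver.queries_sent}")
```

The second run sends twice as many queries for two targets, which is exactly why the documentation warns that nocache can draw large numbers of queries and a ban from the service when used across many hosts.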

Script Arguments
whodb

Takes any of the following values, which may be combined:

  • whodb=nofile Prevent the use of IANA assignments data and instead query the default services.
  • whodb=nofollow Ignore referrals and instead display the first record obtained.
  • whodb=nocache Prevent the acceptance of records in the cache when they apply to large ranges of addresses.
  • whodb=[service-ids] Redefine the default services to query. Implies nofile.

Usage
# Basic usage:
nmap target --script whois

# To prevent the use of IANA assignments data supply the nofile value
# to the whodb argument:
nmap target --script whois --script-args whodb=nofile
nmap target --script whois --script-args whois={whodb=nofile}

# Supplying a sequence of whois services will also prevent the use of
# IANA assignments data and override the default sequence:
nmap target --script whois --script-args whodb=arin+ripe+afrinic
nmap target --script whois --script-args whois={whodb=apnic*lacnic}
# The order in which the services are supplied is the order in which
# they will be queried. (N.B. commas or semi-colons should not be
# used to delimit argument values.)

# To return the first record obtained even if it contains a referral
# to another service, supply the nofollow value to whodb:
nmap target --script whois --script-args whodb=nofollow
nmap target --script whois --script-args whois={whodb=nofollow+ripe}
# Note that only one service (the first one supplied) will be used in
# conjunction with nofollow.

# To ensure discovery of smaller assignments even if larger ones
# exist in the cache, supply the nocache value to whodb:
nmap target --script whois --script-args whodb=nocache
nmap target --script whois --script-args whois={whodb=nocache}
Sample Output
Host script results:
|  Whois: Record found at whois.arin.net
|  netrange: 64.13.134.0 - 64.13.134.63
|  netname: NET-64-13-143-0-26
|  orgname: Titan Networks
|  orgid: INSEC
|_ country: US stateprov: CA
xamppDefaultPass.nse (XAMPP default pwd)

Categories: auth, vuln.

Checks if an XAMP or XAMPP FTP server uses a default username and password.

XAMP is an Apache distribution designed for easy installation and administration.

Sample Output
21/tcp  open   ftp
|_ Login success with u/p: nobody/xampp
zoneTrans.nse (zone-transfer)

Categories: default, intrusive, discovery.

Requests a zone transfer (AXFR) from a DNS server.

The script sends an AXFR query to a DNS server. The domain to query is determined by examining the name given on the command line, the DNS server's hostname, or it can be specified with the zoneTrans.domain script argument. If the query is successful all domains and domain types are returned along with common type specific data (SOA/MX/NS/PTR/A).

If we don't have the "true" hostname for the DNS server we cannot determine a likely zone to perform the transfer on.

Script Arguments
zoneTrans.domain

Domain to transfer.

Sample Output
53/tcp   open     domain
|  zone-transfer:
|  foo.com.            SOA     ns2.foo.com. piou.foo.com.
|  foo.com.            TXT  
|  foo.com.            NS      ns1.foo.com.               
|  foo.com.            NS      ns2.foo.com.               
|  foo.com.            NS      ns3.foo.com.               
|  foo.com.            A       127.0.0.1                  
|  foo.com.            MX      mail.foo.com.              
|  anansie.foo.com.    A       127.0.0.2                  
|  dhalgren.foo.com.   A       127.0.0.3                  
|  drupal.foo.com.     CNAME
|  goodman.foo.com.    A       127.0.0.4 i                
|  goodman.foo.com.    MX      mail.foo.com.              
|  isaac.foo.com.      A       127.0.0.5                  
|  julie.foo.com.      A       127.0.0.6                  
|  mail.foo.com.       A       127.0.0.7                  
|  ns1.foo.com.        A       127.0.0.7                  
|  ns2.foo.com.        A       127.0.0.8                  
|  ns3.foo.com.        A       127.0.0.9                  
|  stubing.foo.com.    A       127.0.0.10                 
|  vicki.foo.com.      A       127.0.0.11                 
|  votetrust.foo.com.  CNAME
|  www.foo.com.        CNAME
|_ foo.com.            SOA     ns2.foo.com. piou.foo.com.