For a description of this category, see auth NSE category in the Nmap documentation.



Retrieves the authentication scheme and realm of an AJP service (Apache JServ Protocol) that requires authentication.


Lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan.


Attempts to brute force the Application Entity Title of a DICOM server (DICOM Service Provider).


Attempts to discover DICOM servers (DICOM Service Provider) through a partial C-ECHO request. It also detects if the server allows any called Application Entity Title or not.


Runs a console command on the Lotus Domino Console using the given authentication credentials (see also: domcon-brute)


Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability.


Checks if an FTP server allows anonymous logins.


Retrieves the authentication scheme and realm of a web service that requires authentication.


Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at


Checks for backups and swap files of common content management system and web server configuration files.


Tests for access with default credentials used by a variety of web applications and devices.


Attempts to enumerate the hashed Domino Internet Passwords that are (by default) accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document. Passwords are presented in a form suitable for running in John the Ripper.


Attempts to bypass password protected resources (HTTP 401 status) by performing HTTP verb tampering. If an array of paths to check is not set, it will crawl the web server and perform the check against any password protected resource that it finds.


Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled.


Tests whether a JBoss target is vulnerable to jmx console authentication bypass (CVE-2010-0738).


Detects if a system with Intel Active Management Technology is vulnerable to the INTEL-SA-00075 privilege escalation vulnerability (CVE2017-5689).


Enumerates usernames in Wordpress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.


Runs a query against IBM Informix Dynamic Server using the given authentication credentials (see also: informix-brute).


Retrieves a list of tables and column definitions for each database on an Informix server.


Discovers valid usernames by brute force querying likely usernames against a Kerberos service. When an invalid username is requested the server will respond using the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, allowing us to determine that the user name was invalid. Valid user names will illicit either the TGT in a AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, signaling that the user is required to perform pre authentication.


Dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John-the-ripper. In order to do so the user needs to have the appropriate DB privileges.


Attempts to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.


Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has access to.


Dumps the password hashes from an MySQL server in a format suitable for cracking by tools such as John the Ripper. Appropriate DB privileges (root) are required.


Checks for MySQL servers with an empty password for root or anonymous.


Runs a query against a MySQL database and returns the results as a table.


Attempts to list all users on a MySQL server.


Retrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service.


Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password.


Attempts to enumerate valid Oracle user names against unpatched Oracle 11g servers (this bug was fixed in Oracle's October 2009 Critical Patch Update).


Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).


Enumerates a SIP server's valid extensions (users).


Attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different techniques (both over MSRPC, which uses port 445 or 139; see smb.lua). The goal of this script is to discover all user accounts that exist on a remote system. This can be helpful for administration, by seeing who has an account on a server, or for penetration testing or network footprinting, by determining which accounts exist on a system.


Attempts to enumerate the users on a SMTP server by issuing the VRFY, EXPN or RCPT TO commands. The goal of this script is to discover all the user accounts in the remote system.


Attempts to enumerate Windows user accounts through SNMP


Returns authentication methods that a SSH server supports.


This script takes a table of paths to private keys, passphrases, and usernames and checks each pair to see if the target ssh server accepts them for publickey authentication. If no keys are given or the known-bad option is given, the script will check if a list of known static public keys are accepted for authentication.


Checks if you're allowed to connect to the X server.