For a description of this category, see auth NSE category in the Nmap documentation.

Scripts

ajp-auth

Retrieves the authentication scheme and realm of an AJP service (Apache JServ Protocol) that requires authentication.

creds-summary

Lists all discovered credentials (e.g. from brute force and default password checking scripts) at the end of the scan.

dicom-brute

Attempts to brute force the Application Entity Title of a DICOM server (DICOM Service Provider).

dicom-ping

Attempts to discover DICOM servers (DICOM Service Provider) through a partial C-ECHO request. It also detects if the server allows any called Application Entity Title or not.

domcon-cmd

Runs a console command on the Lotus Domino Console using the given authentication credentials (see also: domcon-brute).

domino-enum-users

Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability.

ftp-anon

Checks if an FTP server allows anonymous logins.

http-auth

Retrieves the authentication scheme and realm of a web service that requires authentication.

http-barracuda-dir-traversal

Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at http://seclists.org/fulldisclosure/2010/Oct/119.

http-config-backup

Checks for backups and swap files of common content management system and web server configuration files.

http-default-accounts

Tests for access with default credentials used by a variety of web applications and devices.

http-domino-enum-passwords

Attempts to enumerate the hashed Domino Internet Passwords that are (by default) accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document. Passwords are presented in a form suitable for running in John the Ripper.

http-method-tamper

Attempts to bypass password-protected resources (HTTP 401 status) by performing HTTP verb tampering. If an array of paths to check is not set, it will crawl the web server and perform the check against any password-protected resource that it finds.

http-userdir-enum

Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled.

http-vuln-cve2010-0738

Tests whether a JBoss target is vulnerable to JMX console authentication bypass (CVE-2010-0738).

http-vuln-cve2017-5689

Detects if a system with Intel Active Management Technology is vulnerable to the INTEL-SA-00075 privilege escalation vulnerability (CVE-2017-5689).

http-wordpress-users

Enumerates usernames in WordPress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.

informix-query

Runs a query against IBM Informix Dynamic Server using the given authentication credentials (see also: informix-brute).

informix-tables

Retrieves a list of tables and column definitions for each database on an Informix server.

krb5-enum-users

Discovers valid usernames by brute force querying likely usernames against a Kerberos service. When an invalid username is requested, the server will respond using the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, allowing us to determine that the username was invalid. Valid usernames will elicit either the TGT in an AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, signaling that the user is required to perform pre-authentication.

ms-sql-dump-hashes

Dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John the Ripper. In order to do so, the user needs to have the appropriate DB privileges.

ms-sql-empty-password

Attempts to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.

ms-sql-hasdbaccess

Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has access to.

mysql-dump-hashes

Dumps the password hashes from a MySQL server in a format suitable for cracking by tools such as John the Ripper. Appropriate DB privileges (root) are required.

mysql-empty-password

Checks for MySQL servers with an empty password for root or anonymous.

mysql-query

Runs a query against a MySQL database and returns the results as a table.

mysql-users

Attempts to list all users on a MySQL server.

ncp-enum-users

Retrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service.

netbus-auth-bypass

Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password.

oracle-enum-users

Attempts to enumerate valid Oracle user names against unpatched Oracle 11g servers (this bug was fixed in Oracle's October 2009 Critical Patch Update).

realvnc-auth-bypass

Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).

sip-enum-users

Enumerates a SIP server's valid extensions (users).

smb-enum-users

Attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different techniques (both over MSRPC, which uses port 445 or 139; see smb.lua). The goal of this script is to discover all user accounts that exist on a remote system. This can be helpful for administration, by seeing who has an account on a server, or for penetration testing or network footprinting, by determining which accounts exist on a system.

smtp-enum-users

Attempts to enumerate the users on an SMTP server by issuing the VRFY, EXPN or RCPT TO commands. The goal of this script is to discover all the user accounts on the remote system.

snmp-win32-users

Attempts to enumerate Windows user accounts through SNMP.

ssh-auth-methods

Returns authentication methods that an SSH server supports.

ssh-publickey-acceptance

This script takes a table of paths to private keys, passphrases, and usernames and checks each pair to see if the target SSH server accepts them for publickey authentication. If no keys are given or the known-bad option is given, the script will check if a list of known static public keys is accepted for authentication.

x11-access

Checks if you're allowed to connect to the X server.