For a description of this category, see auth NSE category in the Nmap documentation.
Scripts
- ajp-auth
Retrieves the authentication scheme and realm of an AJP service (Apache JServ Protocol) that requires authentication.
- creds-summary
Lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan.
- dicom-brute
Attempts to brute force the Application Entity Title of a DICOM server (DICOM Service Provider).
- dicom-ping
Attempts to discover DICOM servers (DICOM Service Provider) through a partial C-ECHO request. It also detects if the server allows any called Application Entity Title or not.
- domcon-cmd
Runs a console command on the Lotus Domino Console using the given authentication credentials (see also: domcon-brute).
- domino-enum-users
Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability.
- ftp-anon
Checks if an FTP server allows anonymous logins.
- http-auth
Retrieves the authentication scheme and realm of a web service that requires authentication.
- http-barracuda-dir-traversal
Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at http://seclists.org/fulldisclosure/2010/Oct/119.
- http-config-backup
Checks for backups and swap files of common content management system and web server configuration files.
- http-default-accounts
Tests for access with default credentials used by a variety of web applications and devices.
- http-domino-enum-passwords
Attempts to enumerate the hashed Domino Internet Passwords that are (by default) accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document. Passwords are presented in a form suitable for running in John the Ripper.
- http-method-tamper
Attempts to bypass password protected resources (HTTP 401 status) by performing HTTP verb tampering. If an array of paths to check is not set, it will crawl the web server and perform the check against any password protected resource that it finds.
- http-userdir-enum
Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled.
- http-vuln-cve2010-0738
Tests whether a JBoss target is vulnerable to JMX console authentication bypass (CVE-2010-0738).
- http-vuln-cve2017-5689
Detects if a system with Intel Active Management Technology is vulnerable to the INTEL-SA-00075 privilege escalation vulnerability (CVE-2017-5689).
- http-wordpress-users
Enumerates usernames in WordPress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.
- informix-query
Runs a query against IBM Informix Dynamic Server using the given authentication credentials (see also: informix-brute).
- informix-tables
Retrieves a list of tables and column definitions for each database on an Informix server.
- krb5-enum-users
Discovers valid usernames by brute force querying likely usernames against a Kerberos service. When an invalid username is requested the server will respond using the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, allowing us to determine that the user name was invalid. Valid user names will elicit either the TGT in an AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, signaling that the user is required to perform pre-authentication.
- ms-sql-dump-hashes
Dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John the Ripper. In order to do so the user needs to have the appropriate DB privileges.
- ms-sql-empty-password
Attempts to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.
- ms-sql-hasdbaccess
Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has access to.
- mysql-dump-hashes
Dumps the password hashes from a MySQL server in a format suitable for cracking by tools such as John the Ripper. Appropriate DB privileges (root) are required.
- mysql-empty-password
Checks for MySQL servers with an empty password for root or anonymous.
- mysql-query
Runs a query against a MySQL database and returns the results as a table.
- mysql-users
Attempts to list all users on a MySQL server.
- ncp-enum-users
Retrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service.
- netbus-auth-bypass
Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password.
- oracle-enum-users
Attempts to enumerate valid Oracle user names against unpatched Oracle 11g servers (this bug was fixed in Oracle's October 2009 Critical Patch Update).
- realvnc-auth-bypass
Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).
- sip-enum-users
Enumerates a SIP server's valid extensions (users).
- smb-enum-users
Attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different techniques (both over MSRPC, which uses port 445 or 139; see smb.lua). The goal of this script is to discover all user accounts that exist on a remote system. This can be helpful for administration, by seeing who has an account on a server, or for penetration testing or network footprinting, by determining which accounts exist on a system.
- smtp-enum-users
Attempts to enumerate the users on an SMTP server by issuing the VRFY, EXPN or RCPT TO commands. The goal of this script is to discover all the user accounts in the remote system.
- snmp-win32-users
Attempts to enumerate Windows user accounts through SNMP.
- ssh-auth-methods
Returns authentication methods that an SSH server supports.
- ssh-publickey-acceptance
This script takes a table of paths to private keys, passphrases, and usernames and checks each pair to see if the target SSH server accepts them for publickey authentication. If no keys are given or the known-bad option is given, the script will check if any of a list of known static public keys is accepted for authentication.
- x11-access
Checks if you're allowed to connect to the X server.