For a description of this category, see broadcast NSE category in the Nmap documentation.

Scripts

broadcast-ataoe-discover

Discovers servers supporting the ATA over Ethernet protocol. ATA over Ethernet is an ethernet protocol developed by the Brantley Coile Company and allows for simple, high-performance access to SATA drives over Ethernet.

broadcast-avahi-dos

Attempts to discover hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is vulnerable to the Avahi NULL UDP packet denial of service (CVE-2011-1002).

broadcast-bjnp-discover

Attempts to discover Canon devices (Printers/Scanners) supporting the BJNP protocol by sending BJNP Discover requests to the network broadcast address for both ports associated with the protocol.

broadcast-db2-discover

Attempts to discover DB2 servers on the network by sending a broadcast request to port 523/udp.

broadcast-dhcp-discover

Sends a DHCP request to the broadcast address (255.255.255.255) and reports the results. By default, the script uses a static MAC address (DE:AD:CO:DE:CA:FE) in order to prevent IP pool exhaustion.

broadcast-dhcp6-discover

Sends a DHCPv6 request (Solicit) to the DHCPv6 multicast address, parses the response, then extracts and prints the address along with any options returned by the server.

broadcast-dns-service-discovery

Attempts to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses.

broadcast-dropbox-listener

Listens for the LAN sync information broadcasts that the Dropbox.com client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more.

broadcast-eigrp-discovery

Performs network discovery and routing information gathering through Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP).

broadcast-hid-discoveryd

Discovers HID devices on a LAN by sending a discoveryd network broadcast probe.

broadcast-igmp-discovery

Discovers targets that have IGMP Multicast memberships and grabs interesting information.

broadcast-jenkins-discover

Discovers Jenkins servers on a LAN by sending a discovery broadcast probe.

broadcast-listener

Sniffs the network for incoming broadcast communication and attempts to decode the received packets. It supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and a few more. See packetdecoders.lua for more information.

broadcast-ms-sql-discover

Discovers Microsoft SQL servers in the same broadcast domain.

broadcast-netbios-master-browser

Attempts to discover master browsers and the domains they manage.

broadcast-networker-discover

Discovers EMC Networker backup software servers on a LAN by sending a network broadcast query.

broadcast-novell-locate

Attempts to use the Service Location Protocol to discover Novell NetWare Core Protocol (NCP) servers.

broadcast-ospf2-discover

Discover IPv4 networks using Open Shortest Path First version 2(OSPFv2) protocol.

broadcast-pc-anywhere

Sends a special broadcast probe to discover PC-Anywhere hosts running on a LAN.

broadcast-pc-duo

Discovers PC-DUO remote control hosts and gateways running on a LAN by sending a special broadcast UDP probe.

broadcast-pim-discovery

Discovers routers that are running PIM (Protocol Independent Multicast).

broadcast-ping

Sends broadcast pings on a selected interface using raw ethernet packets and outputs the responding hosts' IP and MAC addresses or (if requested) adds them as targets. Root privileges on UNIX are required to run this script since it uses raw sockets. Most operating systems don't respond to broadcast-ping probes, but they can be configured to do so.

broadcast-pppoe-discover

Discovers PPPoE (Point-to-Point Protocol over Ethernet) servers using the PPPoE Discovery protocol (PPPoED). PPPoE is an ethernet based protocol so the script has to know what ethernet interface to use for discovery. If no interface is specified, requests are sent out on all available interfaces.

broadcast-rip-discover

Discovers hosts and routing information from devices running RIPv2 on the LAN. It does so by sending a RIPv2 Request command and collects the responses from all devices responding to the request.

broadcast-ripng-discover

Discovers hosts and routing information from devices running RIPng on the LAN by sending a broadcast RIPng Request command and collecting any responses.

broadcast-sonicwall-discover

Discovers Sonicwall firewalls which are directly attached (not routed) using the same method as the manufacturers own 'SetupTool'. An interface needs to be configured, as the script broadcasts a UDP packet.

broadcast-sybase-asa-discover

Discovers Sybase Anywhere servers on the LAN by sending broadcast discovery messages.

broadcast-tellstick-discover

Discovers Telldus Technologies TellStickNet devices on the LAN. The Telldus TellStick is used to wirelessly control electric devices such as lights, dimmers and electric outlets. For more information: http://www.telldus.com/

broadcast-upnp-info

Attempts to extract system information from the UPnP service by sending a multicast query, then collecting, parsing, and displaying all responses.

broadcast-versant-locate

Discovers Versant object databases using the broadcast srvloc protocol.

broadcast-wake-on-lan

Wakes a remote system up from sleep by sending a Wake-On-Lan packet.

broadcast-wpad-discover

Retrieves a list of proxy servers on a LAN using the Web Proxy Autodiscovery Protocol (WPAD). It implements both the DHCP and DNS methods of doing so and starts by querying DHCP to get the address. DHCP discovery requires nmap to be running in privileged mode and will be skipped when this is not the case. DNS discovery relies on the script being able to resolve the local domain either through a script argument or by attempting to reverse resolve the local IP.

broadcast-wsdd-discover

Uses a multicast query to discover devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later).

broadcast-xdmcp-discover

Discovers servers running the X Display Manager Control Protocol (XDMCP) by sending a XDMCP broadcast request to the LAN. Display managers allowing access are marked using the keyword Willing in the result.

eap-info

Enumerates the authentication methods offered by an EAP (Extensible Authentication Protocol) authenticator for a given identity or for the anonymous identity if no argument is passed.

ipv6-multicast-mld-list

Uses Multicast Listener Discovery to list the multicast addresses subscribed to by IPv6 multicast listeners on the link-local scope. Addresses in the IANA IPv6 Multicast Address Space Registry have their descriptions listed.

knx-gateway-discover

Discovers KNX gateways by sending a KNX Search Request to the multicast address 224.0.23.12 including a UDP payload with destination port 3671. KNX gateways will respond with a KNX Search Response including various information about the gateway, such as KNX address and supported services.

llmnr-resolve

Resolves a hostname by using the LLMNR (Link-Local Multicast Name Resolution) protocol.

lltd-discovery

Uses the Microsoft LLTD protocol to discover hosts on a local network.

mrinfo

Queries targets for multicast routing information.

mtrace

Queries for the multicast path from a source to a destination host.

targets-ipv6-multicast-echo

Sends an ICMPv6 echo request packet to the all-nodes link-local multicast address (ff02::1) to discover responsive hosts on a LAN without needing to individually ping each IPv6 address.

targets-ipv6-multicast-invalid-dst

Sends an ICMPv6 packet with an invalid extension header to the all-nodes link-local multicast address (ff02::1) to discover (some) available hosts on the LAN. This works because some hosts will respond to this probe with an ICMPv6 Parameter Problem packet.

targets-ipv6-multicast-mld

Attempts to discover available IPv6 hosts on the LAN by sending an MLD (multicast listener discovery) query to the link-local multicast address (ff02::1) and listening for any responses. The query's maximum response delay set to 1 to provoke hosts to respond immediately rather than waiting for other responses from their multicast group.

targets-ipv6-multicast-slaac

Performs IPv6 host discovery by triggering stateless address auto-configuration (SLAAC).

targets-sniffer

Sniffs the local network for a configurable amount of time (10 seconds by default) and prints discovered addresses. If the newtargets script argument is set, discovered addresses are added to the scan queue.