For a description of this category, see external NSE category in the Nmap documentation.
Scripts
- asn-query
Maps IP addresses to autonomous system (AS) numbers.
- dns-blacklist
Checks target IP addresses against multiple DNS anti-spam and open proxy blacklists and returns a list of services for which an IP has been flagged. Checks may be limited by service category (e.g. SPAM, PROXY) or to a specific service name.
- dns-check-zone
Checks DNS zone configuration against best practices, including RFC 1912. The configuration checks are divided into categories which each have a number of different tests.
- dns-random-srcport
Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
- dns-random-txid
Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
- dns-zeustracker
Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch. Please review the following information before you start to scan:
- hostmap-bfk
Discovers hostnames that resolve to the target's IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html.
- hostmap-crtsh
Finds subdomains of a web server by querying Google's Certificate Transparency logs database (https://crt.sh).
- hostmap-robtex
Discovers hostnames that resolve to the target's IP address by querying the online Robtex service at http://ip.robtex.com/.
- http-cross-domain-policy
Checks the cross-domain policy file (/crossdomain.xml) and the client-access-policy file (/clientaccesspolicy.xml) in web applications and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery attacks and may allow attackers to access sensitive data. This script is useful to detect permissive configurations and possible domain names available for purchase to exploit the application.
- http-google-malware
Checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.
- http-icloud-findmyiphone
Retrieves the locations of all "Find my iPhone" enabled iOS devices by querying the MobileMe web service (authentication required).
- http-icloud-sendmsg
Sends a message to an iOS device through the Apple MobileMe web service. The device has to be registered with an Apple ID using the Find My iPhone application.
- http-open-proxy
Checks if an HTTP proxy is open.
- http-proxy-brute
Performs brute force password guessing against HTTP proxy servers.
- http-robtex-reverse-ip
Obtains up to 100 forward DNS names for a target IP address by querying the Robtex service (https://www.robtex.com/ip-lookup/).
- http-robtex-shared-ns
Finds up to 100 domain names which use the same name server as the target by querying the Robtex service at http://www.robtex.com/dns/.
- http-virustotal
Checks whether a file has been identified as malware by VirusTotal. VirusTotal is a service that provides the capability to scan a file or check a checksum against a number of the major antivirus vendors. The script uses the public API, which requires a valid API key and has a limit of 4 queries per minute. A key can be acquired by registering as a user on the VirusTotal web page:
- http-xssed
This script searches the xssed.com database and outputs the result.
- ip-geolocation-geoplugin
Tries to identify the physical location of an IP address using the Geoplugin geolocation web service (http://www.geoplugin.com/). There is no limit on lookups using this service.
- ip-geolocation-ipinfodb
Tries to identify the physical location of an IP address using the IPInfoDB geolocation web service (http://ipinfodb.com/ip_location_api.php).
- ip-geolocation-map-bing
This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and renders a Bing Map of markers representing the targets.
- ip-geolocation-map-google
This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and renders a Google Map of markers representing the targets.
- ip-geolocation-maxmind
Tries to identify the physical location of an IP address using a Geolocation Maxmind database file (available from http://www.maxmind.com/app/ip-location). This script supports queries using all Maxmind databases that are supported by their API including the commercial ones.
- shodan-api
Queries the Shodan API for given targets and produces output similar to a -sV nmap scan. The Shodan API key can be set with the 'apikey' script argument, or hardcoded in the .nse file itself. You can get a free key from https://developer.shodan.io
- smtp-enum-users
Attempts to enumerate the users on an SMTP server by issuing the VRFY, EXPN or RCPT TO commands. The goal of this script is to discover all the user accounts in the remote system.
- smtp-open-relay
Attempts to relay mail by issuing a predefined combination of SMTP commands. The goal of this script is to tell if an SMTP server is vulnerable to mail relaying.
- socks-open-proxy
Checks if an open SOCKS proxy is running on the target.
- targets-asn
Produces a list of IP prefixes for a given routing AS number (ASN).
- tor-consensus-checker
Checks if a target is a known Tor node.
- traceroute-geolocation
Lists the geographic locations of each hop in a traceroute and optionally saves the results to a KML file, plottable on Google Earth and Maps.
- vulners
For each available CPE, the script prints known vulnerabilities (with links to the corresponding information) and the corresponding CVSS scores.
- whois-domain
Attempts to retrieve information about the domain name of the target.
- whois-ip
Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.