For a description of this category, see external NSE category in the Nmap documentation.

Scripts

asn-query

Maps IP addresses to autonomous system (AS) numbers.

dns-blacklist

Checks target IP addresses against multiple DNS anti-spam and open proxy blacklists and returns a list of services for which an IP has been flagged. Checks may be limited by service category (eg: SPAM, PROXY) or to a specific service name.

dns-check-zone

Checks DNS zone configuration against best practices, including RFC 1912. The configuration checks are divided into categories which each have a number of different tests.

dns-random-srcport

Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).

dns-random-txid

Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).

dns-zeustracker

Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch. Please review the following information before you start to scan:

hostmap-bfk

Discovers hostnames that resolve to the target's IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html.

hostmap-crtsh

Finds subdomains of a web server by querying Google's Certificate Transparency logs database (https://crt.sh).

hostmap-robtex

Discovers hostnames that resolve to the target's IP address by querying the online Robtex service at http://ip.robtex.com/.

http-cross-domain-policy

Checks the cross-domain policy file (/crossdomain.xml) and the client-acces-policy file (/clientaccesspolicy.xml) in web applications and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery attacks and may allow attackers to access sensitive data. This script is useful to detect permissive configurations and possible domain names available for purchase to exploit the application.

http-google-malware

Checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.

http-icloud-findmyiphone

Retrieves the locations of all "Find my iPhone" enabled iOS devices by querying the MobileMe web service (authentication required).

http-icloud-sendmsg

Sends a message to a iOS device through the Apple MobileMe web service. The device has to be registered with an Apple ID using the Find My Iphone application.

http-open-proxy

Checks if an HTTP proxy is open.

http-proxy-brute

Performs brute force password guessing against HTTP proxy servers.

http-robtex-reverse-ip

Obtains up to 100 forward DNS names for a target IP address by querying the Robtex service (https://www.robtex.com/ip-lookup/).

http-robtex-shared-ns

Finds up to 100 domain names which use the same name server as the target by querying the Robtex service at http://www.robtex.com/dns/.

http-virustotal

Checks whether a file has been determined as malware by Virustotal. Virustotal is a service that provides the capability to scan a file or check a checksum against a number of the major antivirus vendors. The script uses the public API which requires a valid API key and has a limit on 4 queries per minute. A key can be acquired by registering as a user on the virustotal web page:

http-xssed

This script searches the xssed.com database and outputs the result.

ip-geolocation-geoplugin

Tries to identify the physical location of an IP address using the Geoplugin geolocation web service (http://www.geoplugin.com/). There is no limit on lookups using this service.

ip-geolocation-ipinfodb

Tries to identify the physical location of an IP address using the IPInfoDB geolocation web service (http://ipinfodb.com/ip_location_api.php).

ip-geolocation-map-bing

This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and renders a Bing Map of markers representing the targets.

ip-geolocation-map-google

This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and renders a Google Map of markers representing the targets.

ip-geolocation-maxmind

Tries to identify the physical location of an IP address using a Geolocation Maxmind database file (available from http://www.maxmind.com/app/ip-location). This script supports queries using all Maxmind databases that are supported by their API including the commercial ones.

shodan-api

Queries Shodan API for given targets and produces similar output to a -sV nmap scan. The ShodanAPI key can be set with the 'apikey' script argument, or hardcoded in the .nse file itself. You can get a free key from https://developer.shodan.io

smtp-enum-users

Attempts to enumerate the users on a SMTP server by issuing the VRFY, EXPN or RCPT TO commands. The goal of this script is to discover all the user accounts in the remote system.

smtp-open-relay

Attempts to relay mail by issuing a predefined combination of SMTP commands. The goal of this script is to tell if a SMTP server is vulnerable to mail relaying.

socks-open-proxy

Checks if an open socks proxy is running on the target.

targets-asn

Produces a list of IP prefixes for a given routing AS number (ASN).

tor-consensus-checker

Checks if a target is a known Tor node.

traceroute-geolocation

Lists the geographic locations of each hop in a traceroute and optionally saves the results to a KML file, plottable on Google earth and maps.

vulners

For each available CPE the script prints out known vulns (links to the correspondent info) and correspondent CVSS scores.

whois-domain

Attempts to retrieve information about the domain name of the target

whois-ip

Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.