For a description of this category, see intrusive NSE category in the Nmap documentation.
Scripts
- afp-brute
Performs password guessing against Apple Filing Protocol (AFP).
- afp-path-vuln
Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.
- ajp-brute
Performs brute force password auditing against the Apache JServ protocol. The Apache JServ Protocol is commonly used by web servers to communicate with back-end Java application server containers.
- backorifice-brute
Performs brute force password auditing against the BackOrifice service. The backorifice-brute.ports script argument is mandatory (it specifies ports to run the script against).
- broadcast-avahi-dos
Attempts to discover hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is vulnerable to the Avahi NULL UDP packet denial of service (CVE-2011-1002).
- cassandra-brute
Performs brute force password auditing against the Cassandra database.
- cics-enum
CICS transaction ID enumerator for IBM mainframes. This script is based on mainframe_brute by Dominic White (https://github.com/sensepost/mainframe_brute). However, this script doesn't rely on any third party libraries or tools and instead uses the NSE TN3270 library which emulates a TN3270 screen in lua.
- cics-user-brute
CICS User ID brute forcing script for the CESL login screen.
- cics-user-enum
CICS User ID enumeration script for the CESL/CESN Login screen.
- citrix-brute-xml
Attempts to guess valid credentials for the Citrix PN Web Agent XML Service. The XML service authenticates against the local Windows server or the Active Directory.
- cvs-brute
Performs brute force password auditing against CVS pserver authentication.
- cvs-brute-repository
Attempts to guess the name of the CVS repositories hosted on the remote server. With knowledge of the correct repository name, usernames and passwords can be guessed.
- deluge-rpc-brute
Performs brute force password auditing against the DelugeRPC daemon.
- distcc-cve2004-2687
Detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. The vulnerability was disclosed in 2002, but is still present in modern implementations due to poor configuration of the service.
- dns-brute
Attempts to enumerate DNS hostnames by brute force guessing of common subdomains. With the dns-brute.srv argument, dns-brute will also try to enumerate common DNS SRV records.
- dns-cache-snoop
Performs DNS cache snooping against a DNS server.
- dns-fuzz
Launches a DNS fuzzing attack against DNS servers.
- dns-ip6-arpa-scan
Performs a quick reverse DNS lookup of an IPv6 network using a technique which analyzes DNS server response codes to dramatically reduce the number of queries needed to enumerate large networks.
- dns-nsec-enum
Enumerates DNS names using the DNSSEC NSEC-walking technique.
- dns-nsec3-enum
Tries to enumerate domain names from the DNS server that supports DNSSEC NSEC3 records.
- dns-random-srcport
Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
- dns-random-txid
Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
- dns-update
Attempts to perform a dynamic DNS update without authentication.
- dns-zone-transfer
Requests a zone transfer (AXFR) from a DNS server.
- domcon-brute
Performs brute force password auditing against the Lotus Domino Console.
- domcon-cmd
Runs a console command on the Lotus Domino Console using the given authentication credentials (see also: domcon-brute)
- domino-enum-users
Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability.
- dpap-brute
Performs brute force password auditing against an iPhoto Library.
- drda-brute
Performs password guessing against databases supporting the IBM DB2 protocol, such as Informix, DB2 and Derby.
- firewall-bypass
Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip.
- ftp-brute
Performs brute force password auditing against FTP servers.
- ftp-libopie
Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow), a vulnerability discovered by Maksymilian Arciemowicz and Adam "pi3" Zabrocki. See the advisory at https://nmap.org/r/fbsd-sa-opie. Be advised that, if launched against a vulnerable host, this script will crash the FTPd.
- ftp-proftpd-backdoor
Tests for the presence of the ProFTPD 1.3.3c backdoor reported as BID 45150. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.
- ftp-vsftpd-backdoor
Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.
- ftp-vuln-cve2010-4221
Checks for a stack-based buffer overflow in the ProFTPD server, versions between 1.3.2rc3 and 1.3.3b. By sending a large number of TELNET_IAC escape sequences, the proftpd process miscalculates the buffer length, and a remote attacker will be able to corrupt the stack and execute arbitrary code within the context of the proftpd process (CVE-2010-4221). Authentication is not required to exploit this vulnerability.
- http-awstatstotals-exec
Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE-2008-3922).
- http-axis2-dir-traversal
Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd (BID 40343). By default it will try to retrieve the configuration file of the Axis2 service '/conf/axis2.xml' using the path '/axis2/services/' to return the username and password of the admin account.
- http-barracuda-dir-traversal
Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at http://seclists.org/fulldisclosure/2010/Oct/119.
- http-brute
Performs brute force password auditing against http basic, digest and ntlm authentication.
- http-chrono
Measures the time a website takes to deliver a web page and returns the maximum, minimum and average time it took to fetch a page.
- http-config-backup
Checks for backups and swap files of common content management system and web server configuration files.
- http-csrf
This script detects Cross Site Request Forgeries (CSRF) vulnerabilities.
- http-default-accounts
Tests for access with default credentials used by a variety of web applications and devices.
- http-devframework
- http-dombased-xss
It looks for places where attacker-controlled information in the DOM may be used to affect JavaScript execution in certain ways. The attack is explained here: http://www.webappsec.org/projects/articles/071105.shtml
- http-domino-enum-passwords
Attempts to enumerate the hashed Domino Internet Passwords that are (by default) accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document. Passwords are presented in a form suitable for running in John the Ripper.
- http-drupal-enum
Enumerates the installed Drupal modules/themes by using a list of known modules and themes.
- http-drupal-enum-users
Enumerates Drupal users by exploiting an information disclosure vulnerability in Views, Drupal's most popular module.
- http-enum
Enumerates directories used by popular web applications and servers.
- http-errors
This script crawls through the website and returns any error pages.
- http-exif-spider
Spiders a site's images looking for interesting exif data embedded in .jpg files. Displays the make and model of the camera, the date the photo was taken, and the embedded geotag information.
- http-feed
This script crawls through the website to find any rss or atom feeds.
- http-fileupload-exploiter
Exploits insecure file upload forms in web applications using various techniques like changing the Content-type header or creating valid image files containing the payload in the comment.
- http-form-brute
Performs brute force password auditing against http form-based authentication.
- http-form-fuzzer
Performs a simple form fuzzing against forms found on websites. Tries strings and numbers of increasing length and attempts to determine if the fuzzing was successful.
- http-iis-short-name-brute
Attempts to brute force the 8.3 filenames (commonly known as short names) of files and directories in the root folder of vulnerable IIS servers. This script is an implementation of the PoC "iis shortname scanner".
- http-iis-webdav-vuln
Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, https://nmap.org/r/ms09-020.
- http-joomla-brute
Performs brute force password auditing against Joomla web CMS installations.
- http-litespeed-sourcecode-download
Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending an HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).
- http-majordomo2-dir-traversal
Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049).
- http-open-redirect
Spiders a website and attempts to identify open redirects. Open redirects are handlers which commonly take a URL as a parameter and respond with an HTTP redirect (3XX) to the target. Risks of open redirects are described at http://cwe.mitre.org/data/definitions/601.html.
- http-passwd
Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.
- http-phpself-xss
Crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable $_SERVER["PHP_SELF"].
- http-proxy-brute
Performs brute force password guessing against HTTP proxy servers.
- http-put
Uploads a local file to a remote web server using the HTTP PUT method. You must specify the filename and URL path with NSE arguments.
- http-rfi-spider
Crawls webservers in search of RFI (remote file inclusion) vulnerabilities. It tests every form field it finds and every parameter of a URL containing a query.
- http-shellshock
Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications.
- http-sitemap-generator
Spiders a web server and displays its directory structure along with number and types of files in each folder. Note that files listed as having an 'Other' extension are ones that have no extension or that are a root document.
- http-slowloris
Tests a web server for vulnerability to the Slowloris DoS attack by launching a Slowloris attack.
- http-sql-injection
Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. It also extracts forms from found websites and tries to identify fields that are vulnerable.
- http-stored-xss
Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability.
- http-unsafe-output-escaping
Spiders a website and attempts to identify output escaping problems where content is reflected back to the user. This script locates all parameters, ?x=foo&y=bar and checks if the values are reflected on the page. If they are indeed reflected, the script will try to insert ghz>hzx"zxc'xcv and check which (if any) characters were reflected back onto the page without proper html escaping. This is an indication of potential XSS vulnerability.
- http-userdir-enum
Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled.
- http-vhosts
Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames.
- http-vuln-cve2006-3392
Exploits a file disclosure vulnerability in Webmin (CVE-2006-3392)
- http-vuln-cve2009-3960
Exploits cve-2009-3960 also known as Adobe XML External Entity Injection.
- http-vuln-cve2010-2861
Executes a directory traversal attack against a ColdFusion server and tries to grab the password hash for the administrator user. It then uses the salt value (hidden in the web page) to create the SHA1 HMAC hash that the web server needs for authentication as admin. You can pass this value to the ColdFusion server as the admin without cracking the password hash.
- http-vuln-cve2011-3368
Tests for the CVE-2011-3368 (Reverse Proxy Bypass) vulnerability in Apache HTTP server's reverse proxy mode. The script will run 3 tests:
- the loopback test, with 3 payloads to handle different rewrite rules
- the internal hosts test. According to Contextis, we expect a delay before a server error.
- The external website test. This does not mean that you can reach a LAN IP, but this is a relevant issue anyway.
- http-vuln-cve2012-1823
Detects PHP-CGI installations that are vulnerable to CVE-2012-1823. This critical vulnerability allows attackers to retrieve source code and execute code remotely.
- http-vuln-cve2013-7091
A 0-day was released on the 6th December 2013 by rubina119, and was patched in Zimbra 7.2.6.
- http-vuln-cve2014-3704
Exploits CVE-2014-3704 also known as 'Drupageddon' in Drupal. Versions < 7.32 of Drupal core are known to be affected.
- http-vuln-cve2014-8877
Exploits a remote code injection vulnerability (CVE-2014-8877) in Wordpress CM Download Manager plugin. Versions <= 2.0.0 are known to be affected.
- http-vuln-cve2015-1427
This script attempts to detect a vulnerability, CVE-2015-1427, which allows attackers to leverage features of this API to gain unauthenticated remote code execution (RCE).
- http-vuln-cve2017-8917
An SQL Injection vulnerability affecting Joomla! 3.7.x before 3.7.1 allows unauthenticated users to execute arbitrary SQL commands. This vulnerability was caused by a new component, com_fields, which was introduced in version 3.7. This component is publicly accessible, which means this can be exploited by any malicious individual visiting the site.
- http-vuln-misfortune-cookie
Detects the RomPager 4.07 Misfortune Cookie vulnerability by safely exploiting it.
- http-vuln-wnr1000-creds
A vulnerability has been discovered in WNR 1000 series that allows an attacker to retrieve administrator credentials with the router interface. Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA
- http-waf-detect
Attempts to determine whether a web server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or WAF (Web Application Firewall) by probing the web server with malicious payloads and detecting changes in the response code and body.
- http-waf-fingerprint
Tries to detect the presence of a web application firewall and its type and version.
- http-wordpress-brute
Performs brute force password auditing against Wordpress CMS/blog installations.
- http-wordpress-enum
Enumerates themes and plugins of Wordpress installations. The script can also detect outdated plugins by comparing version numbers with information pulled from api.wordpress.org.
- http-wordpress-users
Enumerates usernames in Wordpress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.
- iax2-brute
Performs brute force password auditing against the Asterisk IAX2 protocol. Guessing fails when a large number of attempts is made due to the maxcallnumber limit (default 2048). In case you're getting "ERROR: Too many retries, aborted ..." after a while, this is most likely what's happening. In order to avoid this problem, try reducing the size of your dictionary, using the brute delay option to introduce a delay between guesses, or splitting the guessing up in chunks and waiting for a while between them.
- iec-identify
Attempts to identify IEC 60870-5-104 ICS protocol.
- imap-brute
Performs brute force password auditing against IMAP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication.
- impress-remote-discover
Tests for the presence of the LibreOffice Impress Remote server. Checks if a PIN is valid if provided and will bruteforce the PIN if requested.
- informix-brute
Performs brute force password auditing against IBM Informix Dynamic Server.
- informix-query
Runs a query against IBM Informix Dynamic Server using the given authentication credentials (see also: informix-brute).
- informix-tables
Retrieves a list of tables and column definitions for each database on an Informix server.
- ipmi-brute
Performs brute force password auditing against IPMI RPC server.
- ipv6-ra-flood
Generates a flood of Router Advertisements (RA) with random source MAC addresses and IPv6 prefixes. Computers which have stateless autoconfiguration enabled by default (every major OS) will start to compute IPv6 suffixes and update their routing tables to reflect the accepted announcements. This will cause 100% CPU usage on Windows and other platforms, preventing them from processing other application requests.
- irc-brute
Performs brute force password auditing against IRC (Internet Relay Chat) servers.
- irc-sasl-brute
Performs brute force password auditing against IRC (Internet Relay Chat) servers supporting SASL authentication.
- irc-unrealircd-backdoor
Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.
- iscsi-brute
Performs brute force password auditing against iSCSI targets.
- jdwp-exec
Attempts to exploit java's remote debugging port. When remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script abuses this to inject and execute a Java class file that executes the supplied shell command and returns its output.
- jdwp-inject
Attempts to exploit java's remote debugging port. When remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script allows injection of arbitrary class files.
- krb5-enum-users
Discovers valid usernames by brute force querying likely usernames against a Kerberos service. When an invalid username is requested the server will respond using the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, allowing us to determine that the user name was invalid. Valid user names will elicit either the TGT in an AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, signaling that the user is required to perform pre-authentication.
- ldap-brute
Attempts to brute-force LDAP authentication. By default it uses the built-in username and password lists. In order to use your own lists use the userdb and passdb script arguments.
- lu-enum
Attempts to enumerate Logical Units (LU) of TN3270E servers.
- membase-brute
Performs brute force password auditing against Couchbase Membase servers.
- metasploit-info
Gathers info from the Metasploit rpc service. It requires a valid login pair. After authentication it tries to determine the Metasploit version and deduce the OS type. Then it creates a new console and executes a few commands to get additional info.
- metasploit-msgrpc-brute
Performs brute force username and password auditing against Metasploit msgrpc interface.
- metasploit-xmlrpc-brute
Performs brute force password auditing against a Metasploit RPC server using the XMLRPC protocol.
- mikrotik-routeros-brute
Performs brute force password auditing against Mikrotik RouterOS devices with the API RouterOS interface enabled.
- mmouse-brute
Performs brute force password auditing against the RPA Tech Mobile Mouse servers.
- mmouse-exec
Connects to an RPA Tech Mobile Mouse server, starts an application and sends a sequence of keys to it. Any application that the user has access to can be started and the key sequence is sent to the application after it has been started.
- modbus-discover
Enumerates SCADA Modbus slave ids (sids) and collects their device information.
- mongodb-brute
Performs brute force password auditing against the MongoDB database.
- ms-sql-brute
Performs password guessing against Microsoft SQL Server (ms-sql). Works best in conjunction with the broadcast-ms-sql-discover script.
- ms-sql-empty-password
Attempts to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.
- ms-sql-xp-cmdshell
Attempts to run a command using the command shell of Microsoft SQL Server (ms-sql).
- mysql-brute
Performs password guessing against MySQL.
- mysql-databases
Attempts to list all databases on a MySQL server.
- mysql-empty-password
Checks for MySQL servers with an empty password for root or anonymous.
- mysql-enum
Performs valid-user enumeration against MySQL server using a bug discovered and published by Kingcope (http://seclists.org/fulldisclosure/2012/Dec/9).
- mysql-users
Attempts to list all users on a MySQL server.
- mysql-variables
Attempts to show all variables on a MySQL server.
- mysql-vuln-cve2012-2122
- nbd-info
Displays protocol and block device information from NBD servers.
- nessus-brute
Performs brute force password auditing against a Nessus vulnerability scanning daemon using the NTP 1.2 protocol.
- nessus-xmlrpc-brute
Performs brute force password auditing against a Nessus vulnerability scanning daemon using the XMLRPC protocol.
- netbus-brute
Performs brute force password auditing against the Netbus backdoor ("remote administration") service.
- nexpose-brute
Performs brute force password auditing against a Nexpose vulnerability scanner using the API 1.1.
- nje-node-brute
z/OS JES Network Job Entry (NJE) target node name brute force.
- nje-pass-brute
z/OS JES Network Job Entry (NJE) 'I record' password brute forcer.
- nping-brute
Performs brute force password auditing against an Nping Echo service.
- nrpe-enum
Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such as load averages, process counts, logged in user information, etc.
- ntp-monlist
Obtains and prints an NTP server's monitor data.
- omp2-brute
Performs brute force password auditing against the OpenVAS manager using OMPv2.
- openvas-otp-brute
Performs brute force password auditing against a OpenVAS vulnerability scanner daemon using the OTP 1.0 protocol.
- oracle-brute
Performs brute force password auditing against Oracle servers.
- oracle-brute-stealth
Exploits the CVE-2012-3137 vulnerability, a weakness in Oracle's O5LOGIN authentication scheme. The vulnerability exists in Oracle 11g R1/R2 and allows linking the session key to a password hash. When initiating an authentication attempt as a valid user, the server will respond with a session key and salt. Once received, the script will disconnect the connection, thereby not recording the login attempt. The session key and salt can then be used to brute force the user's password.
- oracle-enum-users
Attempts to enumerate valid Oracle user names against unpatched Oracle 11g servers (this bug was fixed in Oracle's October 2009 Critical Patch Update).
- oracle-sid-brute
Guesses Oracle instance/SID names against the TNS-listener.
- pcanywhere-brute
Performs brute force password auditing against the pcAnywhere remote access protocol.
- pgsql-brute
Performs password guessing against PostgreSQL.
- pjl-ready-message
Retrieves or sets the ready message on printers that support the Printer Job Language. This includes most PostScript printers that listen on port 9100. Without an argument, displays the current ready message. With the pjl_ready_message script argument, displays the old ready message and changes it to the message given.
- pop3-brute
Tries to log into a POP3 account by guessing usernames and passwords.
- puppet-naivesigning
Detects if naive signing is enabled on a Puppet server. This enables attackers to create any Certificate Signing Request and have it signed, allowing them to impersonate as a puppet agent. This can leak the configuration of the agents as well as any other sensitive information found in the configuration files.
- qconn-exec
Attempts to identify whether a listening QNX QCONN daemon allows unauthenticated users to execute arbitrary operating system commands.
- rdp-vuln-ms12-020
Checks if a machine is vulnerable to MS12-020 RDP vulnerability.
- redis-brute
Performs brute force password auditing against a Redis key-value store.
- rexec-brute
Performs brute force password auditing against the classic UNIX rexec (remote exec) service.
- rlogin-brute
Performs brute force password auditing against the classic UNIX rlogin (remote login) service. This script must be run in privileged mode on UNIX because it must bind to a low source port number.
- rmi-vuln-classloader
Tests whether Java rmiregistry allows class loading. The default configuration of rmiregistry allows loading classes from remote URLs, which can lead to remote code execution. The vendor (Oracle/Sun) classifies this as a design feature.
- rpcap-brute
Performs brute force password auditing against the WinPcap Remote Capture Daemon (rpcap).
- rsync-brute
Performs brute force password auditing against the rsync remote file syncing protocol.
- rtsp-url-brute
Attempts to enumerate RTSP media URLS by testing for common paths on devices such as surveillance IP cameras.
- samba-vuln-cve-2012-1182
Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182.
- sip-brute
Performs brute force password auditing against Session Initiation Protocol (SIP) accounts. This protocol is most commonly associated with VoIP sessions.
- sip-call-spoof
Spoofs a call to a SIP phone and detects the action taken by the target (busy, declined, hung up, etc.)
- sip-enum-users
Enumerates a SIP server's valid extensions (users).
- smb-brute
Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. Every attempt will be made to get a valid list of users and to verify each username before actually using them. When a username is discovered, besides being printed, it is also saved in the Nmap registry so other Nmap scripts can use it. That means that if you're going to run smb-brute.nse, you should run other smb scripts you want. This checks passwords in a case-insensitive way, determining case after a password is found, for Windows versions before Vista.
- smb-enum-domains
Attempts to enumerate domains on a system, along with their policies. This generally requires credentials, except against Windows 2000. In addition to the actual domain, the "Builtin" domain is generally displayed. Windows returns this in the list of domains, but its policies don't appear to be used anywhere.
- smb-enum-groups
Obtains a list of groups from the remote Windows system, as well as a list of the group's users. This works similarly to enum.exe with the /G switch.
- smb-enum-processes
Pulls a list of processes from the remote server over SMB. This will determine all running processes, their process IDs, and their parent processes. It is done by querying the remote registry service, which is disabled by default on Vista; on all other Windows versions, it requires Administrator privileges.
- smb-enum-services
Retrieves the list of services running on a remote Windows system. Each service attribute contains service name, display name and service status of each service.
- smb-enum-sessions
Enumerates the users logged into a system either locally or through an SMB share. The local users can be logged on either physically on the machine, or through a terminal services session. Connections to a SMB share are, for example, people connected to fileshares or making RPC calls. Nmap's connection will also show up, and is generally identified by the one that connected "0 seconds ago".
- smb-enum-shares
Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names is checked.
- smb-enum-users
Attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different techniques (both over MSRPC, which uses port 445 or 139; see smb.lua). The goal of this script is to discover all user accounts that exist on a remote system. This can be helpful for administration, by seeing who has an account on a server, or for penetration testing or network footprinting, by determining which accounts exist on a system.
- smb-flood
Exhausts a remote SMB server's connection limit by opening as many connections as we can. Most implementations of SMB have a hard global limit of 11 connections for user accounts and 10 connections for anonymous. Once that limit is reached, further connections are denied. This script exploits that limit by taking up all the connections and holding them.
- smb-print-text
Attempts to print text on a shared printer by calling Print Spooler Service RPC functions.
- smb-psexec
Implements remote process execution similar to the Sysinternals' psexec tool, allowing a user to run a series of programs on a remote machine and read the output. This is great for gathering information about servers, running the same tool on a range of systems, or even installing a backdoor on a collection of computers.
- smb-server-stats
Attempts to grab the server's statistics over SMB and MSRPC, which uses TCP ports 445 or 139.
- smb-system-info
Pulls back information about the remote system from the registry. Getting all of the information requires an administrative account, although a user account will still get a lot of it. Guest probably won't get any, nor will anonymous. This goes for all operating systems, including Windows 2000.
- smb-vuln-conficker
Detects Microsoft Windows systems infected by the Conficker worm. This check is dangerous and it may crash systems.
- smb-vuln-cve-2017-7494
Checks if target machines are vulnerable to the arbitrary shared library load vulnerability CVE-2017-7494.
- smb-vuln-cve2009-3103
Detects Microsoft Windows systems vulnerable to denial of service (CVE-2009-3103). This script will crash the service if it is vulnerable.
- smb-vuln-ms06-025
Detects Microsoft Windows systems with Ras RPC service vulnerable to MS06-025.
- smb-vuln-ms07-029
Detects Microsoft Windows systems with Dns Server RPC vulnerable to MS07-029.
- smb-vuln-ms08-067
Detects Microsoft Windows systems vulnerable to the remote code execution vulnerability known as MS08-067. This check is dangerous and it may crash systems.
- smb-vuln-ms10-054
Tests whether target machines are vulnerable to the ms10-054 SMB remote memory corruption vulnerability.
- smb-vuln-ms10-061
Tests whether target machines are vulnerable to ms10-061 Printer Spooler impersonation vulnerability.
- smb-vuln-regsvc-dos
Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer dereference. This check will crash the service if it is vulnerable and requires a guest account or higher to work.
- smb-vuln-webexec
A critical remote code execution vulnerability exists in WebExService (WebExec).
- smb-webexec-exploit
Attempts to run a command via WebExService, using the WebExec vulnerability. Given a Windows account (local or domain), this will start an arbitrary executable with SYSTEM privileges over the SMB protocol.
- smtp-brute
Performs brute force password auditing against SMTP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication.
- smtp-enum-users
Attempts to enumerate the users on an SMTP server by issuing the VRFY, EXPN or RCPT TO commands. The goal of this script is to discover all the user accounts in the remote system.
- smtp-open-relay
Attempts to relay mail by issuing a predefined combination of SMTP commands. The goal of this script is to tell if an SMTP server is vulnerable to mail relaying.
- smtp-vuln-cve2010-4344
Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345).
- smtp-vuln-cve2011-1720
Checks for a memory corruption in the Postfix SMTP server when it uses Cyrus SASL library authentication mechanisms (CVE-2011-1720). This vulnerability can allow denial of service and possibly remote code execution.
- smtp-vuln-cve2011-1764
Checks for a format string vulnerability in the Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support (CVE-2011-1764). The DKIM logging mechanism did not use format string specifiers when logging some parts of the DKIM-Signature header field. A remote attacker who is able to send emails, can exploit this vulnerability and execute arbitrary code with the privileges of the Exim daemon.
- sniffer-detect
Checks if a target on a local Ethernet has its network card in promiscuous mode.
- snmp-brute
Attempts to find an SNMP community string by brute force guessing.
- snmp-ios-config
Attempts to download Cisco router IOS configuration files using SNMP RW (v1) and display or save them.
- socks-brute
Performs brute force password auditing against SOCKS 5 proxy servers.
- ssh-auth-methods
Returns authentication methods that an SSH server supports.
- ssh-brute
Performs brute-force password guessing against ssh servers.
- ssh-publickey-acceptance
This script takes a table of paths to private keys, passphrases, and usernames and checks each pair to see if the target ssh server accepts them for publickey authentication. If no keys are given or the known-bad option is given, the script will check if a list of known static public keys is accepted for authentication.
- ssh-run
Runs remote command on ssh server and returns command output.
- ssl-enum-ciphers
This script repeatedly initiates SSLv3/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphersuites and compressors that a server accepts.
- sslv2-drown
Determines whether the server supports SSLv2, what ciphers it supports and tests for CVE-2015-3197, CVE-2016-0703 and CVE-2016-0800 (DROWN)
- stuxnet-detect
Detects whether a host is infected with the Stuxnet worm (http://en.wikipedia.org/wiki/Stuxnet).
- svn-brute
Performs brute force password auditing against Subversion source code control servers.
- telnet-brute
Performs brute-force password auditing against telnet servers.
- tftp-enum
Enumerates TFTP (trivial file transfer protocol) filenames by testing for a list of common ones.
- tso-brute
TSO account brute forcer.
- tso-enum
TSO User ID enumerator for IBM mainframes (z/OS). The TSO logon panel tells you when a user ID is valid or invalid with the message: IKJ56420I Userid <user ID> not authorized to use TSO.
- vmauthd-brute
Performs brute force password auditing against the VMWare Authentication Daemon (vmware-authd).
- vnc-brute
Performs brute force password auditing against VNC servers.
- vnc-title
Tries to log into a VNC server and get its desktop name. Uses credentials discovered by vnc-brute, or None authentication types. If realvnc-auth-bypass was run and returned VULNERABLE, this script will use that vulnerability to bypass authentication.
- vtam-enum
Many mainframes use VTAM screens to connect to various applications (CICS, IMS, TSO, and many more).
- xmpp-brute
Performs brute force password auditing against XMPP (Jabber) instant messaging servers.