For a description of this category, see safe NSE category in the Nmap documentation.



Retrieves information from a listening acarsd daemon. Acarsd decodes ACARS (Aircraft Communication Addressing and Reporting System) data in real time. The information retrieved by this script includes the daemon version, API version, administrator e-mail address and listening frequency.


Shows extra information about IPv6 addresses, such as embedded MAC or IPv4 addresses when available.


Attempts to get useful information about files from AFP volumes. The output is intended to resemble the output of ls.


Shows AFP server information. This information includes the server's hostname, IPv4 and IPv6 addresses, and hardware type (for example Macmini or MacBookPro).


Shows AFP shares and ACLs.


Retrieves the authentication scheme and realm of an AJP service (Apache JServ Protocol) that requires authentication.


Performs a HEAD or GET request against either the root directory or any optional directory of an Apache JServ Protocol server and returns the server response headers.


Discovers which options are supported by the AJP (Apache JServ Protocol) server by sending an OPTIONS request and lists potentially risky methods.


Requests a URI over the Apache JServ Protocol and displays the result (or stores it in a file). Different AJP methods such as; GET, HEAD, TRACE, PUT or DELETE may be used.


Detects the All-Seeing Eye service. Provided by some game servers for querying the server's status.


Gathers information (a list of all server properties) from an AMQP (advanced message queuing protocol) server.


Maps IP addresses to autonomous system (AS) numbers.


Attempts to find the owner of an open TCP port by querying an auth daemon which must also be open on the target system. The auth service, also known as identd, normally runs on port 113.


Checks for an identd (auth) server which is spoofing its replies.


Connects to a BackOrifice service and gathers information about the host and the BackOrifice service itself.


A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.


Queries a Bitcoin server for a list of known Bitcoin nodes


Extracts version and node information from a Bitcoin server


Obtains information from a Bitcoin server by calling getinfo on its JSON-RPC interface.


Discovers bittorrent peers sharing a file based on a user-supplied torrent file or magnet link. Peers implement the Bittorrent protocol and share the torrent, whereas the nodes (only shown if the include-nodes NSE argument is given) implement the DHT protocol and are used to track the peers. The sets of peers and nodes are not the same, but they usually intersect.


Retrieves printer or scanner information from a remote device supporting the BJNP protocol. The protocol is known to be supported by network based Canon devices.


Discovers servers supporting the ATA over Ethernet protocol. ATA over Ethernet is an ethernet protocol developed by the Brantley Coile Company and allows for simple, high-performance access to SATA drives over Ethernet.


Attempts to discover Canon devices (Printers/Scanners) supporting the BJNP protocol by sending BJNP Discover requests to the network broadcast address for both ports associated with the protocol.


Attempts to discover DB2 servers on the network by sending a broadcast request to port 523/udp.


Sends a DHCP request to the broadcast address ( and reports the results. By default, the script uses a static MAC address (DE:AD:CO:DE:CA:FE) in order to prevent IP pool exhaustion.


Sends a DHCPv6 request (Solicit) to the DHCPv6 multicast address, parses the response, then extracts and prints the address along with any options returned by the server.


Attempts to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses.


Listens for the LAN sync information broadcasts that the client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more.


Performs network discovery and routing information gathering through Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP).


Discovers HID devices on a LAN by sending a discoveryd network broadcast probe.


Discovers targets that have IGMP Multicast memberships and grabs interesting information.


Discovers Jenkins servers on a LAN by sending a discovery broadcast probe.


Sniffs the network for incoming broadcast communication and attempts to decode the received packets. It supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and a few more. See packetdecoders.lua for more information.


Discovers Microsoft SQL servers in the same broadcast domain.


Attempts to discover master browsers and the domains they manage.


Discovers EMC Networker backup software servers on a LAN by sending a network broadcast query.


Attempts to use the Service Location Protocol to discover Novell NetWare Core Protocol (NCP) servers.


Discover IPv4 networks using Open Shortest Path First version 2(OSPFv2) protocol.


Sends a special broadcast probe to discover PC-Anywhere hosts running on a LAN.


Discovers PC-DUO remote control hosts and gateways running on a LAN by sending a special broadcast UDP probe.


Discovers routers that are running PIM (Protocol Independent Multicast).


Sends broadcast pings on a selected interface using raw ethernet packets and outputs the responding hosts' IP and MAC addresses or (if requested) adds them as targets. Root privileges on UNIX are required to run this script since it uses raw sockets. Most operating systems don't respond to broadcast-ping probes, but they can be configured to do so.


Discovers PPPoE (Point-to-Point Protocol over Ethernet) servers using the PPPoE Discovery protocol (PPPoED). PPPoE is an ethernet based protocol so the script has to know what ethernet interface to use for discovery. If no interface is specified, requests are sent out on all available interfaces.


Discovers hosts and routing information from devices running RIPv2 on the LAN. It does so by sending a RIPv2 Request command and collects the responses from all devices responding to the request.


Discovers hosts and routing information from devices running RIPng on the LAN by sending a broadcast RIPng Request command and collecting any responses.


Discovers Sonicwall firewalls which are directly attached (not routed) using the same method as the manufacturers own 'SetupTool'. An interface needs to be configured, as the script broadcasts a UDP packet.


Discovers Sybase Anywhere servers on the LAN by sending broadcast discovery messages.


Discovers Telldus Technologies TellStickNet devices on the LAN. The Telldus TellStick is used to wirelessly control electric devices such as lights, dimmers and electric outlets. For more information:


Attempts to extract system information from the UPnP service by sending a multicast query, then collecting, parsing, and displaying all responses.


Discovers Versant object databases using the broadcast srvloc protocol.


Wakes a remote system up from sleep by sending a Wake-On-Lan packet.


Retrieves a list of proxy servers on a LAN using the Web Proxy Autodiscovery Protocol (WPAD). It implements both the DHCP and DNS methods of doing so and starts by querying DHCP to get the address. DHCP discovery requires nmap to be running in privileged mode and will be skipped when this is not the case. DNS discovery relies on the script being able to resolve the local domain either through a script argument or by attempting to reverse resolve the local IP.


Uses a multicast query to discover devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later).


Discovers servers running the X Display Manager Control Protocol (XDMCP) by sending a XDMCP broadcast request to the LAN. Display managers allowing access are marked using the keyword Willing in the result.


Attempts to get basic info and server status from a Cassandra database.


Using the CICS transaction CEMT, this script attempts to gather information about the current CICS transaction server region. It gathers OS information, Datasets (files), transactions and user ids. Based on CICSpwn script by Ayoub ELAASSAL.


Extracts a list of published applications from the ICA Browser service.


Extracts a list of applications, ACLs, and settings from the Citrix XML service.


Extracts a list of Citrix servers from the ICA Browser service.


Extracts the name of the server farm and member servers from Citrix XML service.


Analyzes the clock skew between the scanner and various services that report timestamps.


Dumps list of available resources from CoAP endpoints.


Gets database tables from a CouchDB database.


Gets database statistics from a CouchDB database.


Lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan.


Lists printers managed by the CUPS printing service.


Lists currently queued print jobs of the remote CUPS service grouped by printer.


Retrieves a list of music from a DAAP server. The list includes artist names and album and song titles.


Retrieves the day and time from the Daytime service.


Connects to the IBM DB2 Administration Server (DAS) on TCP or UDP port 523 and exports the server profile. No authentication is required for this request.


Sends a DHCPINFORM request to a host on UDP port 67 to obtain all the local configuration parameters without allocating a new address.


Attempts to discover DICOM servers (DICOM Service Provider) through a partial C-ECHO request. It also detects if the server allows any called Application Entity Title or not.


Connects to a dictionary server using the DICT protocol, runs the SHOW SERVER command, and displays the result. The DICT protocol is defined in RFC 2229 and is a protocol which allows a client to query a dictionary server for definitions from a set of natural language dictionary databases.


Checks target IP addresses against multiple DNS anti-spam and open proxy blacklists and returns a list of services for which an IP has been flagged. Checks may be limited by service category (eg: SPAM, PROXY) or to a specific service name.


Checks DNS zone configuration against best practices, including RFC 1912. The configuration checks are divided into categories which each have a number of different tests.


Performs a domain lookup using the edns-client-subnet option which allows clients to specify the subnet that queries supposedly originate from. The script uses this option to supply a number of geographically distributed locations in an attempt to enumerate as many different address records as possible. The script also supports requests using a given subnet.


Retrieves information from a DNS nameserver by requesting its nameserver ID (nsid) and asking for its id.server and version.bind values. This script performs the same queries as the following two dig commands: - dig CH TXT bind.version @target - dig +nsid CH TXT id.server @target


Checks if a DNS server allows queries for third-party names. It is expected that recursion will be enabled on your own internal nameservers.


Attempts to discover target hosts' services using the DNS Service Discovery protocol.


Enumerates various common service (SRV) records for a given domain name. The service records contain the hostname, port and priority of servers for a given service. The following services are enumerated by the script: - Active Directory Global Catalog - Exchange Autodiscovery - Kerberos KDC Service - Kerberos Passwd Change Service - LDAP Servers - SIP Servers - XMPP S2S - XMPP C2S


Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ Please review the following information before you start to scan:


Attempts to extract information from database servers supporting the DRDA protocol. The script sends a DRDA EXCSAT (exchange server attributes) command packet and parses the response.


Attempts to discover multihomed systems by analysing and comparing information collected by other scripts. The information analyzed currently includes, SSL certificates, SSH host keys, MAC addresses, and Netbios server names.


Enumerates the authentication methods offered by an EAP (Extensible Authentication Protocol) authenticator for a given identity or for the anonymous identity if no argument is passed.


Connects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers.


Attempts to enumerate process info over the Apple Remote Event protocol. When accessing an application over the Apple Remote Event protocol the service responds with the uid and pid of the application, if it is running, prior to requesting authentication.


Performs a Forward-confirmed Reverse DNS lookup and reports anomalous results.


Attempts to retrieve a list of usernames using the finger service.


Tries to discover firewall rules using an IP TTL expiration technique known as firewalking.


Retrieves information from Flume master HTTP pages.


Detects the Freelancer game server (FLServer.exe) service by sending a status query UDP probe.


Checks if an FTP server allows anonymous logins.


Checks to see if an FTP server allows port scanning using the FTP bounce method.


Sends FTP SYST and STAT commands and returns the result.


Retrieves system information (OS version, available memory, etc.) from a listening Ganglia Monitoring Daemon or Ganglia Meta Daemon.


Queries a CORBA naming server for a list of objects.


Queries a GKRellM service for monitoring information. A single round of collection is made, showing a snapshot of information at the time of the request.


Lists files and directories at the root of a gopher service.


Retrieves GPS time, coordinates and speed from the GPSD network daemon.


Discovers information such as log directories from an Apache Hadoop DataNode HTTP status page.


Retrieves information from an Apache Hadoop JobTracker HTTP status page.


Retrieves information from an Apache Hadoop NameNode HTTP status page.


Retrieves information from an Apache Hadoop secondary NameNode HTTP status page.


Retrieves information from an Apache Hadoop TaskTracker HTTP status page.


Retrieves information from an Apache HBase (Hadoop database) master HTTP status page.


Retrieves information from an Apache HBase (Hadoop database) region server HTTP status page.


Reads hard disk information (such as brand, model, and sometimes temperature) from a listening hddtemp service.


Retrieve hardwares details and configuration information utilizing HNAP, the "Home Network Administration Protocol". It is an HTTP-Simple Object Access Protocol (SOAP)-based protocol which allows for remote topology discovery, configuration, and management of devices (routers, cameras, PCs, NAS, etc.)


Discovers hostnames that resolve to the target's IP address by querying the online Robtex service at


Grabs affiliate network IDs (e.g. Google AdSense or Analytics, Amazon Associates, etc.) from a web page. These can be used to identify pages with the same owner.


Checks if the target http server has mod_negotiation enabled. This feature can be leveraged to find hidden resources and spider a web site using fewer requests.


Attempts to retrieve the server-status page for Apache webservers that have mod_status enabled. If the server-status page exists and appears to be from mod_status the script will parse useful information such as the system uptime, Apache version and recent HTTP requests.


Retrieves the authentication scheme and realm of a web service that requires authentication.


Spiders a web site to find web pages requiring form-based or HTTP-based authentication. The results are returned in a table with each url and the detected method.


Spiders a website and attempts to identify backup copies of discovered files. It does so by requesting a number of different combinations of the filename (eg. index.bak, index.html~, copy of index.html).


Decodes any unencrypted F5 BIG-IP cookies in the HTTP response. BIG-IP cookies contain information on backend systems such as internal IP addresses and port numbers. See here for more info:


Obtains the CakePHP version of a web application built with the CakePHP framework by fingerprinting default files shipped with the CakePHP framework.


Connect as Cisco AnyConnect client to a Cisco SSL VPN and retrieves version and tunnel information.


Extracts and outputs HTML and JavaScript comments from HTTP responses.


Examines cookies set by HTTP services. Reports any session cookies set without the httponly flag. Reports any session cookies set over SSL without the secure flag. If http-enum.nse is also run, any interesting paths found by it will be checked in addition to the root.


Tests an http server for Cross-Origin Resource Sharing (CORS), a way for domains to explicitly opt in to having certain methods invoked by another domain.


Checks the cross-domain policy file (/crossdomain.xml) and the client-acces-policy file (/clientaccesspolicy.xml) in web applications and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery attacks and may allow attackers to access sensitive data. This script is useful to detect permissive configurations and possible domain names available for purchase to exploit the application.


Gets the date from HTTP-like services. Also prints how much the date differs from local time. Local time is the time the HTTP request was sent, so the difference includes at least the duration of one RTT.


Gets the favicon ("favorites icon") from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed.


The script is used to fetch files from servers.


Checks whether target machines are vulnerable to anonymous Frontpage login.


Displays the contents of the "generator" meta tag of a web page (default: /) if there is one.


Checks for a Git repository found in a website's document root /.git/<something>) and retrieves as much repo information as possible, including language/framework, remotes, last commit message, and repository description.


Retrieves a list of Git projects, owners and descriptions from a gitweb (web interface to the Git revision control system).


Checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.


Spiders a website and attempts to match all pages and urls against a given string. Matches are counted and grouped per url under which they were discovered.


Performs a HEAD request for the root folder ("/") of a web server and displays the HTTP headers returned.


Attempts to extract information from HP iLO boards including versions and addresses.


Retrieves the locations of all "Find my iPhone" enabled iOS devices by querying the MobileMe web service (authentication required).


Sends a message to a iOS device through the Apple MobileMe web service. The device has to be registered with an Apple ID using the Find My Iphone application.


Determines if the web server leaks its internal IP address when sending an HTTP/1.0 request without a Host header.


Attempts to discover JSONP endpoints in web servers. JSONP endpoints can be used to bypass Same-origin Policy restrictions in web browsers.


Shows the content of an "index" Web page.


Looks for signature of known server compromises.


Checks if the webserver allows mod_cluster management protocol (MCMP) methods.


Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. It tests those methods not mentioned in the OPTIONS headers individually and sees if they are implemented. Any output other than 501/405 suggests that the method is if not in the range 400 to 600. If the response falls under that range then it is compared to the response from a randomly generated method.


Checks if the website holds a mobile version.


This script enumerates information from remote HTTP services with NTLM authentication enabled.


Checks if an HTTP proxy is open.


Attempts to retrieve the PHP version from a web server. PHP has a number of magic queries that return images or text that can vary with the PHP version. This script uses the following queries:

  • /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: gets a GIF logo, which changes on April Fool's Day.
  • /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: gets an HTML credits page.

Attempts to retrieve the model, firmware version, and enabled services from a QNAP Network Attached Storage (NAS) device.


Informs about cross-domain include of scripts. Websites that include external javascript scripts are delegating part of their security to third-party entities.


Checks for disallowed entries in /robots.txt on a web server.


Obtains up to 100 forward DNS names for a target IP address by querying the Robtex service (


Finds up to 100 domain names which use the same name server as the target by querying the Robtex service at


Detects SAP Netweaver Portal instances that allow anonymous access to the KM unit navigation page. This page leaks file names, ldap users, etc.


Checks for the HTTP response headers related to security given in OWASP Secure Headers Project and gives a brief description of the header and its configuration value.


Tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack.


Enumerates users of a Subversion repository by examining logs of most recent commits.


Requests information from a Subversion repository.


Shows the title of the default page of a web server.


Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug is enabled, it returns the header fields that were modified in the response.


Exploits the Max-Forwards HTTP header to detect the presence of reverse proxies.


Attempts to obtain information from Trane Tracer SC devices. Trane Tracer SC is an intelligent field panel for communicating with HVAC equipment controllers deployed across several sectors including commercial facilities and others.


Checks if various crawling utilities are allowed by the host.


Checks whether a file has been determined as malware by Virustotal. Virustotal is a service that provides the capability to scan a file or check a checksum against a number of the major antivirus vendors. The script uses the public API which requires a valid API key and has a limit on 4 queries per minute. A key can be acquired by registering as a user on the virustotal web page:


Connects to a VLC Streamer helper service and lists directory contents. The VLC Streamer helper service is used by the iOS VLC Streamer application to enable streaming of multimedia content from the remote server to the device.


Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733).


Tests whether a JBoss target is vulnerable to jmx console authentication bypass (CVE-2010-0738).


Detects a denial of service vulnerability in the way the Apache web server handles requests for multiple overlapping/simple ranges of a page.


Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA ASDM Privilege Escalation Vulnerability (CVE-2014-2126).


Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Privilege Escalation Vulnerability (CVE-2014-2127).


Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability (CVE-2014-2128).


Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SIP Denial of Service Vulnerability (CVE-2014-2129).


Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE2015-2015-1635).


Attempts to detect a privilege escalation vulnerability in Wordpress 4.7.0 and 4.7.1 that allows unauthenticated users to inject content in posts.


A script to detect WebDAV installations. Uses the OPTIONS and PROPFIND methods.


This script searches the database and outputs the result.


Tests a list of known ICAP service names and prints information about any it detects. The Internet Content Adaptation Protocol (ICAP) is used to extend transparent proxy servers and is generally used for content filtering and antivirus scanning.


Obtains information (such as vendor and device type where available) from an IKE service by sending four packets to the host. This scripts tests with both Main and Aggressive Mode and sends multiple transforms per request.


Retrieves IMAP email server capabilities.


This script enumerates information from remote IMAP services with NTLM authentication enabled.


Detects whether the remote device has ip forwarding or "Internet connection sharing" enabled, by sending an ICMP echo request to a given target using the scanned host as default gateway.


Tries to identify the physical location of an IP address using the Geoplugin geolocation web service ( There is no limit on lookups using this service.


Tries to identify the physical location of an IP address using the IPInfoDB geolocation web service (


This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and renders a Bing Map of markers representing the targets.


This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and renders a Google Map of markers representing the targets.


This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and produces a KML file of points representing the targets.


Tries to identify the physical location of an IP address using a Geolocation Maxmind database file (available from This script supports queries using all Maxmind databases that are supported by their API including the commercial ones.


Checks if the IP over HTTPS (IP-HTTPS) Tunneling Protocol [1] is supported.


Classifies a host's IP ID sequence (test for susceptibility to idle scan).


IPMI 2.0 Cipher Zero Authentication Bypass Scanner. This module identifies IPMI 2.0 compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero.


Performs IPMI Information Discovery through Channel Auth probes.


Obtains hostnames, IPv4 and IPv6 addresses through IPv6 Node Information Queries.


Checks an IRC server for channels that are commonly used by malicious botnets.


Gathers information from an IRC server.


Collects and displays information from remote iSCSI targets.


Lists portals and iSCSI nodes registered with the Internet Storage Name Service (iSNS).


Attempts to exploit java's remote debugging port. When remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script injects and execute a Java class file that returns remote system information.


Discovers KNX gateways by sending a KNX Search Request to the multicast address including a UDP payload with destination port 3671. KNX gateways will respond with a KNX Search Response including various information about the gateway, such as KNX address and supported services.


Identifies a KNX gateway on UDP port 3671 by sending a KNX Description Request.


Universal Password enables advanced password policies, including extended characters in passwords, synchronization of passwords from eDirectory to other systems, and a single password for all access to eDirectory.


Retrieves the LDAP root DSA-specific Entry (DSE)


Attempts to perform an LDAP search and returns all matches.


Retrieves configuration information from a Lexmark S300-S400 printer.


Resolves a hostname by using the LLMNR (Link-Local Multicast Name Resolution) protocol.


Uses the Microsoft LLTD protocol to discover hosts on a local network.


Retrieves version and database information from a SAP Max DB database.


Check if ePO agent is running on port 8081 or port identified as ePO Agent port.


Retrieves information (hostname, OS, uptime, etc.) from the CouchBase Web Administration port. The information retrieved by this script does not require any credentials.


Retrieves information (including system architecture, process ID, and server time) from distributed memory object caching system memcached.


Gathers info from the Metasploit rpc service. It requires a valid login pair. After authentication it tries to determine Metasploit version and deduce the OS type. Then it creates a new console and executes few commands to get additional info.


Attempts to get a list of tables from a MongoDB database.


Attempts to get build info and server status from a MongoDB database.


Dumps message traffic from MQTT brokers.


Queries targets for multicast routing information.


Queries Microsoft SQL Server (ms-sql) instances for a list of databases, linked servers, and configuration settings.


Queries the Microsoft SQL Browser service for the DAC (Dedicated Admin Connection) port of a given (or all) SQL Server instance. The DAC port is used to connect to the database instance when normal connection attempts fail, for example, when server is hanging, out of memory or in other bad states. In addition, the DAC port provides an admin with access to system objects otherwise not accessible over normal connections.


Dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John-the-ripper. In order to do so the user needs to have the appropriate DB privileges.


Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has access to.


Attempts to determine configuration and version information for Microsoft SQL Server instances.


This script enumerates information from remote Microsoft SQL services with NTLM authentication enabled.


Runs a query against Microsoft SQL Server (ms-sql).


Queries Microsoft SQL Server (ms-sql) for a list of tables per database.


Queries an MSRPC endpoint mapper for a list of mapped services and displays the gathered information.


Queries for the multicast path from a source to a destination host.


Audits MySQL database server security configuration against parts of the CIS MySQL v1.0.2 benchmark (the engine can be used for other MySQL audits by creating appropriate audit files).


Dumps the password hashes from an MySQL server in a format suitable for cracking by tools such as John the Ripper. Appropriate DB privileges (root) are required.


Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.


Runs a query against a MySQL database and returns the results as a table.


Gets the routers WAN IP using the NAT Port Mapping Protocol (NAT-PMP). The NAT-PMP protocol is supported by a broad range of routers including:

  • Apple AirPort Express
  • Apple AirPort Extreme
  • Apple Time Capsule
  • DD-WRT
  • OpenWrt v8.09 or higher, with MiniUPnP daemon
  • pfSense v2.0
  • Tarifa (firmware) (Linksys WRT54G/GL/GS)
  • Tomato Firmware v1.24 or higher. (Linksys WRT54G/GL/GS and many more)
  • Peplink Balance

Maps a WAN port on the router to a local port on the client using the NAT Port Mapping Protocol (NAT-PMP). It supports the following operations:

  • map - maps a new external port on the router to an internal port of the requesting IP
  • unmap - unmaps a previously mapped port for the requesting IP
  • unmapall - unmaps all previously mapped ports for the requesting IP

Retrieves IP addresses of the target's network interfaces via NetBIOS NS. Additional network interfaces may reveal more information about the target, including finding paths to hidden non-routed networks via multihomed systems.


Attempts to retrieve the target's NetBIOS names and MAC address.


Retrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service.


Retrieves eDirectory server information (OS version, server name, mounts, etc.) from the Novell NetWare Core Protocol (NCP) service.


Lists remote file systems by querying the remote device using the Network Data Management Protocol (ndmp). NDMP is a protocol intended to transport data between a NAS device and the backup device, removing the need for the data to pass through the backup server. The following products are known to support the protocol:

  • Amanda
  • Bacula
  • CA Arcserve
  • CommVault Simpana
  • EMC Networker
  • Hitachi Data Systems
  • IBM Tivoli
  • Quest Software Netvault Backup
  • Symantec Netbackup
  • Symantec Backup Exec

Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password.


Opens a connection to a NetBus server and extracts information about the host and the NetBus service itself.


Attempts to get useful information about files from NFS exports. The output is intended to resemble the output of ls.


Shows NFS exports, like the showmount -e command.


Retrieves disk space statistics and information from a remote NFS share. The output is intended to resemble the output of df.


This script enumerates information from remote NNTP services with NTLM authentication enabled.


Gets the time and configuration variables from an NTP server. We send two requests: a time request and a "read variables" (opcode 2) control message. Without verbosity, the script shows the time and the value of the version, processor, system, refid, and stratum variables. With verbosity, all variables are shown.


Attempts to retrieve the list of target systems and networks from an OpenVAS Manager server.


Queries OpenFlow controllers for information. Newer versions of the OpenFlow protocol (1.3 and greater) will return a list of all protocol versions supported by the controller. Versions prior to 1.3 only return their own version number.


Parses and displays the banner information of an OpenLookup (network key-value store) server.


OpenWebNet is a communications protocol developed by Bticino since 2000. Retrieves device identifying information and number of connected devices.


Decodes the VSNNUM version number from an Oracle TNS listener.


Checks if a host is infected with Conficker.C or higher, based on Conficker's peer to peer communication.


Performs simple Path MTU Discovery to target hosts.


Retrieves POP3 email server capabilities.


This script enumerates information from remote POP3 services with NTLM authentication enabled.


Prints a list of ports found in each state.


Repeatedly probe open and/or closed ports on a host to obtain a series of round-trip time values for each port. These values are used to group collections of ports which are statistically different from other groups. Ports being in different groups (or "families") may be due to network mechanisms such as port forwarding to machines behind a NAT.


Extracts information from Quake game servers and other game servers which use the same protocol.


Extracts information from a Quake3 game server and other games which use the same protocol.


Queries Quake3-style master servers for game servers (many games other than Quake 3 use this same protocol).


Determines which Security layer and Encryption level is supported by the RDP service. It does so by cycling through all existing protocols and ciphers. When run in debug mode, the script also returns the protocols and ciphers that fail and any errors that were reported.


This script enumerates information from remote RDP services with CredSSP (NLA) authentication enabled.


Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).


Retrieves information (such as version number and architecture) from a Redis key-value store.


NOTE: This script has been replaced by the --resolve-all command-line option in Nmap 7.70


Creates a reverse index at the end of scan output showing which hosts run a particular service. This is in addition to Nmap's normal output listing the services on each host.


Retrieves the day and time from the Time service.


Retrieves information (such as node name and architecture) from a Basho Riak distributed database using the HTTP protocol.


Connects to a remote RMI registry and attempts to dump all of its objects.


Connects to the rpcap service (provides remote sniffing capabilities through WinPcap) and retrieves interface information. The service can either be setup to require authentication or not and also supports IP restrictions.


Connects to portmapper and fetches a list of all registered programs. It then prints out a table including (for each program) the RPC program number, supported version numbers, port number and protocol, and program name.


Detects RSA keys vulnerable to Return Of Coppersmith Attack (ROCA) factorization.


Lists modules available for rsync (remote file sync) synchronization.


Determines which methods are supported by the RTSP (real time streaming protocol) server.


Connects to rusersd RPC service and retrieves a list of logged-in users.


Attempts to extract system information (OS, hardware, etc.) from the Sun Service Tags service agent (UDP port 6481).


Queries Shodan API for given targets and produces similar output to a -sV nmap scan. The ShodanAPI key can be set with the 'apikey' script argument, or hardcoded in the .nse file itself. You can get a free key from


Enumerates a SIP Server's allowed methods (INVITE, OPTIONS, SUBSCRIBE, etc.)


Checks if the target machine is running the Double Pulsar SMB backdoor.


Retrieves the list of services running on a remote Windows system. Each service attribute contains service name, display name and service status of each service.


Attempts to retrieve useful information about files shared on SMB volumes. The output is intended to resemble the output of the UNIX ls command.


Queries information managed by the Windows Master Browser.


Attempts to determine the operating system, computer name, domain, workgroup, and current time over the SMB protocol (ports 445 or 139). This is done by starting a session with the anonymous account (or with a proper user account, if one is given; it likely doesn't make a difference); in response to a session starting, the server will send back all this information.


Attempts to list the supported protocols and dialects of a SMB server.


Returns information about the SMB security level determined by SMB.


Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms17-010, a.k.a. EternalBlue). The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware.


Attempts to list the supported capabilities in a SMBv2 server for each enabled dialect.


Determines the message signing configuration in SMBv2 servers for all supported dialects.


Attempts to obtain the current system date and the start date of a SMB2 server.


Attempts to detect missing patches in Windows systems by checking the uptime returned during the SMB2 protocol negotiation.


Attempts to use EHLO and HELP to gather the Extended commands supported by an SMTP server.


This script enumerates information from remote SMTP services with NTLM authentication enabled.


Checks if SMTP is running on a non-standard port.


Attempts to enumerate Huawei / HP/H3C Locally Defined Users through the hh3c-user.mib OID


Extracts basic information from an SNMPv3 GET request. The same probe is used here as in the service version detection scan.


Attempts to enumerate network interfaces through SNMP.


Attempts to query SNMP for a netstat like output. The script can be used to identify and automatically add new targets to the scan by supplying the newtargets script argument.


Attempts to enumerate running processes through SNMP.


Attempts to extract system information from an SNMP service.


Attempts to enumerate Windows services through SNMP.


Attempts to enumerate Windows Shares through SNMP.


Attempts to enumerate installed software through SNMP.


Attempts to enumerate Windows user accounts through SNMP


Determines the supported authentication mechanisms of a remote SOCKS proxy server. Starting with SOCKS version 5 socks servers may support authentication. The script checks for the following authentication types: 0 - No authentication 1 - GSSAPI 2 - Username and password


Checks if an open socks proxy is running on the target.


Shows SSH hostkeys.


Reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers. If verbosity is set, the offered algorithms are each listed by type.


Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1.


Detects whether a server is vulnerable to the SSL/TLS "CCS Injection" vulnerability (CVE-2014-0224), first discovered by Masashi Kikuchi. The script is based on the ccsinjection.c code authored by Ramon de C Valle (


Retrieves a server's SSL certificate. The amount of information printed about the certificate depends on the verbosity level. With no extra verbosity, the script prints the validity period and the commonName, organizationName, stateOrProvinceName, and countryName of the subject.


Reports any private (RFC1918) IPv4 addresses found in the various fields of an SSL service's certificate. These will only be reported if the target address itself is not private. Nmap v7.30 or later is required.


Retrieves a target host's time and date from its TLS ServerHello response.


Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services.


Detects whether a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160). The code is based on the Python script authored by Katie Stafford (


Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys.


Checks whether SSLv3 CBC ciphers are allowed (POODLE)


Determines whether the server supports obsolete and less secure SSLv2, and discovers which ciphers it supports.


Check if the Secure Socket Tunneling Protocol is supported. This is accomplished by trying to establish the HTTPS layer which is used to carry SSTP traffic as described in: -


Retrieves the external IP address of a NAT:ed host using the STUN protocol.


Produces a list of IP prefixes for a given routing AS number (ASN).


Sniffs the local network for a configurable amount of time (10 seconds by default) and prints discovered addresses. If the newtargets script argument is set, discovered addresses are added to the scan queue.


Inserts traceroute hops into the Nmap scanning queue. It only functions if Nmap's --traceroute option is used and the newtargets script argument is given.


Loads addresses from an Nmap XML output file for scanning.


Determines whether the encryption option is supported on a remote telnet server. Some systems (including FreeBSD and the krb5 telnetd available in many Linux distributions) implement this option incorrectly, leading to a remote root vulnerability. This script currently only tests whether encryption is supported, not for that particular vulnerability.


This script enumerates information from remote Microsoft Telnet services with NTLM authentication enabled.


Enumerates a TLS server's supported application-layer protocols using the ALPN protocol.


Enumerates a TLS server's supported protocols by using the next protocol negotiation extension.


Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244).


Connects to a tn3270 'server' and returns the screen.


Checks if a target is a known Tor node.


Lists the geographic locations of each hop in a traceroute and optionally saves the results to a KML file, plottable on Google earth and maps.


Extracts information from Ubiquiti networking devices.


Runs unit tests on all NSE libraries.


Compares the detected service on a port against the expected service for that port number (e.g. ssh on 22, http on 80) and reports deviations. The script requires that a version scan has been run in order to be able to discover what service is actually running on each port.


Attempts to extract system information from the UPnP service.


Gets system information from an Idera Uptime Infrastructure Monitor agent.


Sniffs an interface for HTTP traffic and dumps any URLs, and their originating IP address. Script output differs from other script as URLs are written to stdout directly. There is also an option to log the results to file.


Detects the Ventrilo voice communication server service versions 2.1.2 and above and tries to determine version and configuration information. Some of the older versions (pre 3.0.0) may not have the UDP service that this probe relies on enabled by default.


Extracts information, including file paths, version and database names from a Versant object database.


Queries VMware server (vCenter, ESX, ESXi) SOAP API to extract the version information.


Queries a VNC server for its protocol version and supported security types.


Retrieves cluster and store information from the Voldemort distributed key-value store using the Voldemort Native Protocol.


For each available CPE the script prints out known vulns (links to the correspondent info) and correspondent CVSS scores.


Retrieves some basic information, including protocol version from a Vuze filesharing node.


Detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents.


Detect the T3 RMI protocol and Weblogic version


Attempts to retrieve information about the domain name of the target


Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.


Retrieves and displays information from devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later).


Checks if you're allowed to connect to the X server.


Requests an XDMCP (X display manager control protocol) session and lists supported authentication and authorization mechanisms.


Performs XMLRPC Introspection via the system.listMethods method.


Connects to XMPP server (port 5222) and collects server information such as: supported auth mechanisms, compression methods, whether TLS is supported and mandatory, stream management, language, support of In-Band registration, server capabilities. If possible, studies server vendor.