For a description of this category, see the version NSE category in the Nmap documentation.

Scripts

allseeingeye-info

Detects the All-Seeing Eye service. Provided by some game servers for querying the server's status.

amqp-info

Gathers information (a list of all server properties) from an AMQP (advanced message queuing protocol) server.

bacnet-info

Discovers and enumerates BACNet devices and collects device information based on standard requests. In some cases, devices may not strictly follow the specifications, or may comply with older versions of the specifications, and will respond with a BACNET error response. Presence of this error positively identifies the device as a BACNet device, but no enumeration is possible.

cccam-version

Detects the CCcam service (software for sharing subscription TV among multiple receivers).

db2-das-info

Connects to the IBM DB2 Administration Server (DAS) on TCP or UDP port 523 and exports the server profile. No authentication is required for this request.

docker-version

Detects the Docker service version.

drda-info

Attempts to extract information from database servers supporting the DRDA protocol. The script sends a DRDA EXCSAT (exchange server attributes) command packet and parses the response.

enip-info

This NSE script is used to send an EtherNet/IP packet to a remote device that has TCP 44818 open. The script sends a Request Identity Packet and, once a response is received, validates that it was a proper response to the command that was sent and then parses out the data. Information that is parsed includes Device Type, Vendor ID, Product name, Serial Number, Product code, Revision Number, status, state, as well as the Device IP.

fingerprint-strings

Prints the readable strings from service fingerprints of unknown services.

fox-info

Tridium Niagara Fox is a protocol used within Building Automation Systems. Based on Billy Rios and Terry McCorkle's work, this Nmap NSE script collects information from a Tridium Niagara system.

freelancer-info

Detects the Freelancer game server (FLServer.exe) service by sending a status query UDP probe.

hnap-info

Retrieves hardware details and configuration information using HNAP, the "Home Network Administration Protocol". It is an HTTP-Simple Object Access Protocol (SOAP)-based protocol which allows for remote topology discovery, configuration, and management of devices (routers, cameras, PCs, NAS, etc.).

http-server-header

Uses the HTTP Server header for missing version info. This is currently infeasible with version probes because of the need to match non-HTTP services correctly.

http-trane-info

Attempts to obtain information from Trane Tracer SC devices. Trane Tracer SC is an intelligent field panel for communicating with HVAC equipment controllers deployed across several sectors including commercial facilities and others.

https-redirect

Checks for HTTP services that redirect to HTTPS on the same port.

iax2-version

Detects the UDP IAX2 service.

ike-version

Obtains information (such as vendor and device type where available) from an IKE service by sending four packets to the host. This script tests with both Main and Aggressive Mode and sends multiple transforms per request.

jdwp-version

Detects the Java Debug Wire Protocol. This protocol is used by Java programs to be debugged via the network. It should not be open to the public Internet, as it does not provide any security against malicious attackers who can inject their own bytecode into the debugged process.

maxdb-info

Retrieves version and database information from a SAP Max DB database.

mcafee-epo-agent

Checks whether an ePO agent is running on port 8081 or on a port identified as the ePO Agent port.

mqtt-subscribe

Dumps message traffic from MQTT brokers.

murmur-version

Detects the Murmur service (server for the Mumble voice communication client) versions 1.2.X.

ndmp-version

Retrieves version information from the remote Network Data Management Protocol (NDMP) service. NDMP is a protocol intended to transport data between a NAS device and the backup device, removing the need for the data to pass through the backup server. The following products are known to support the protocol:

  • Amanda
  • Bacula
  • CA Arcserve
  • CommVault Simpana
  • EMC Networker
  • Hitachi Data Systems
  • IBM Tivoli
  • Quest Software Netvault Backup
  • Symantec Netbackup
  • Symantec Backup Exec

netbus-version

Extends version detection to detect NetBuster, a honeypot service that mimes NetBus.

omron-info

This NSE script is used to send a FINS packet to a remote device. The script sends a Controller Data Read Command and, once a response is received, validates that it was a proper response to the command that was sent and then parses out the data.

openlookup-info

Parses and displays the banner information of an OpenLookup (network key-value store) server.

oracle-tns-version

Decodes the VSNNUM version number from an Oracle TNS listener.

ovs-agent-version

Detects the version of an Oracle Virtual Server Agent by fingerprinting responses to an HTTP GET request and an XML-RPC method call.

pptp-version

Attempts to extract system information from the point-to-point tunneling protocol (PPTP) service.

quake1-info

Extracts information from Quake game servers and other game servers which use the same protocol.

quake3-info

Extracts information from a Quake3 game server and other games which use the same protocol.

rfc868-time

Retrieves the day and time from the Time service.

rpc-grind

Fingerprints the target RPC port to extract the target service, RPC number and version.

rpcinfo

Connects to portmapper and fetches a list of all registered programs. It then prints out a table including (for each program) the RPC program number, supported version numbers, port number and protocol, and program name.

s7-info

Enumerates Siemens S7 PLC devices and collects their device information. This script is based on PLCScan, which was developed by Positive Research and Scadastrangelove (https://code.google.com/p/plcscan/). This script is meant to provide the same functionality as PLCScan inside of Nmap. Some of the information that is collected by PLCScan was not ported over; this information can be parsed out of the packets that are received.

skypev2-version

Detects the Skype version 2 service.

snmp-info

Extracts basic information from an SNMPv3 GET request. The same probe is used here as in the service version detection scan.

stun-version

Sends a binding request to the server and attempts to extract version information from the response, if the server attribute is present.

teamspeak2-version

Detects the TeamSpeak 2 voice communication server and attempts to determine version and configuration information.

ubiquiti-discovery

Extracts information from Ubiquiti networking devices.

ventrilo-info

Detects the Ventrilo voice communication server service versions 2.1.2 and above and tries to determine version and configuration information. Some of the older versions (pre 3.0.0) may not have the UDP service that this probe relies on enabled by default.

vmware-version

Queries VMware server (vCenter, ESX, ESXi) SOAP API to extract the version information.

wdb-version

Detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents.

weblogic-t3-info

Detects the T3 RMI protocol and WebLogic version.

xmpp-info

Connects to an XMPP server (port 5222) and collects server information such as supported auth mechanisms, compression methods, whether TLS is supported and mandatory, stream management, language, support for In-Band registration, and server capabilities. If possible, identifies the server vendor.