Scripts

acarsd-info
Retrieves information from a listening acarsd daemon. Acarsd
decodes ACARS (Aircraft Communication Addressing and Reporting
System) data in real time. The information retrieved by this
script includes the daemon version, A! version, administrator e-
mail address and listening fre"uency.
address-info
Sho#s e$tra information about !v% addresses, such as embedded
&AC or !v' addresses #hen available.
afp-brute
erforms pass#ord guessing against Apple (iling rotocol (A().
afp-ls
Attempts to get useful information about files from A( volumes.
The output is intended to resemble the output of ls.
afp-path-vuln
)etects the &ac *S + A( directory traversal vulnerability, C,--
./0/-/122.
afp-serverinfo
Sho#s A( server information. This information includes the
server3s hostname, !v' and !v% addresses, and hard#are type
(for e$ample &acmini or &ac4oo5ro).
afp-sho#mount
Sho#s A( shares and AC6s.
a7p-auth
Retrieves the authentication scheme and realm of an A8 service
(Apache 8Serv rotocol) that re"uires authentication.
a7p-brute
erforms brute force pass#ords auditing against the Apache 8Serv
protocol. The Apache 8Serv rotocol is commonly used by #eb
servers to communicate #ith bac5-end 8ava application server
containers.
a7p-headers
erforms a 9-A) or :-T re"uest against either the root directory
or any optional directory of an Apache 8Serv rotocol server and
returns the server response headers.
a7p-methods
)iscovers #hich options are supported by the A8 (Apache 8Serv
rotocol) server by sending an *T!*;S re"uest and lists
potentially ris5y methods.
a7p-re"uest
Re"uests a <R! over the Apache 8Serv rotocol and displays the
result (or stores it in a file). )ifferent A8 methods such as=
:-T, 9-A), TRAC-, <T or )-6-T- may be used.
allseeingeye-info
)etects the All-Seeing -ye service. rovided by some game servers
for "uerying the server3s status.
am"p-info
:athers information (a list of all server properties) from an
A&> (advanced message "ueuing protocol) server.
asn-"uery
&aps ! addresses to autonomous system (AS) numbers.
auth-o#ners
Attempts to find the o#ner of an open TC port by "uerying an
auth daemon #hich must also be open on the target system. The
auth service, also 5no#n as identd, normally runs on port 002.
auth-spoof
Chec5s for an identd (auth) server #hich is spoofing its replies.
bac5orifice-brute
erforms brute force pass#ord auditing against the 4ac5*rifice
service. The bac5orifice-brute.ports script argument is mandatory
(it specifies ports to run the script against).
bac5orifice-info
Connects to a 4ac5*rifice service and gathers information about
the host and the 4ac5*rifice service itself.
banner
A simple banner grabber #hich connects to an open TC port and
prints out anything sent by the listening service #ithin five
seconds.
bitcoin-getaddr
>ueries a 4itcoin server for a list of 5no#n 4itcoin nodes
bitcoin-info
-$tracts version and node information from a 4itcoin server
bitcoinrpc-info
*btains information from a 4itcoin server by calling getinfo on
its 8S*;-RC interface.
bittorrent-discovery
)iscovers bittorrent peers sharing a file based on a user-
supplied torrent file or magnet lin5. eers implement the
4ittorrent protocol and share the torrent, #hereas the nodes
(only sho#n if the include-nodes ;S- argument is given) implement
the )9T protocol and are used to trac5 the peers. The sets of
peers and nodes are not the same, but they usually intersect.
b7np-discover
Retrieves printer or scanner information from a remote device
supporting the 48; protocol. The protocol is 5no#n to be
supported by net#or5 based Canon devices.
broadcast-ataoe-discover
)iscovers servers supporting the ATA over -thernet protocol. ATA
over -thernet is an ethernet protocol developed by the 4rantley
Coile Company and allo#s for simple, high-performance access to
SATA drives over -thernet.
broadcast-avahi-dos
Attempts to discover hosts in the local net#or5 using the );S
Service )iscovery protocol and sends a ;<66 <) pac5et to each
host to test if it is vulnerable to the Avahi ;<66 <) pac5et
denial of service (C,--./00-0//.).
broadcast-b7np-discover
Attempts to discover Canon devices (rinters?Scanners) supporting
the 48; protocol by sending 48; )iscover re"uests to the
net#or5 broadcast address for both ports associated #ith the
protocol.
broadcast-db.-discover
Attempts to discover )4. servers on the net#or5 by sending a
broadcast re"uest to port 1.2?udp.
broadcast-dhcp-discover
Sends a )9C re"uest to the broadcast address (.11..11..11..11)
and reports the results. The script uses a static &AC address
()-@A)@C*@)-@CA@(-) #hile doing so in order to prevent scope
e$haustion.
broadcast-dhcp%-discover
Sends a )9Cv% re"uest (Solicit) to the )9Cv% multicast address,
parses the response, then e$tracts and prints the address along
#ith any options returned by the server.
broadcast-dns-service-discovery
Attempts to discover hosts3 services using the );S Service
)iscovery protocol. !t sends a multicast );S-S) "uery and
collects all the responses.
broadcast-dropbo$-listener
6istens for the 6A; sync information broadcasts that the
)ropbo$.com client broadcasts every ./ seconds, then prints all
the discovered client ! addresses, port numbers, version
numbers, display names, and more.
broadcast-eigrp-discovery
erforms net#or5 discovery and routing information gathering
through Cisco3s -nhanced !nterior :ate#ay Routing rotocol
(-!:R).
broadcast-igmp-discovery
)iscovers targets that have !:& &ulticast memberships and grabs
interesting information.
broadcast-listener
Sniffs the net#or5 for incoming broadcast communication and
attempts to decode the received pac5ets. !t supports protocols
li5e C), 9SR, Spotify, )rop4o$, )9C, AR and a fe# more. See
pac5etdecoders.lua for more information.
broadcast-ms-s"l-discover
)iscovers &icrosoft S>6 servers in the same broadcast domain.
broadcast-netbios-master-bro#ser
Attempts to discover master bro#sers and the domains they manage.
broadcast-net#or5er-discover
)iscovers -&C ;et#or5er bac5up soft#are servers on a 6A; by
sending a net#or5 broadcast "uery.
broadcast-novell-locate
Attempts to use the Service 6ocation rotocol to discover ;ovell
;etAare Core rotocol (;C) servers.
broadcast-pc-any#here
Sends a special broadcast probe to discover C-Any#here hosts
running on a 6A;.
broadcast-pc-duo
)iscovers C-)<* remote control hosts and gate#ays running on a
6A; by sending a special broadcast <) probe.
broadcast-pim-discovery
)iscovers routers that are running !& (rotocol !ndependent
&ulticast).
broadcast-ping
Sends broadcast pings on a selected interface using ra# ethernet
pac5ets and outputs the responding hosts3 ! and &AC addresses or
(if re"uested) adds them as targets. Root privileges on <;!+ are
re"uired to run this script since it uses ra# soc5ets. &ost
operating systems don3t respond to broadcast-ping probes, but
they can be configured to do so.
broadcast-pppoe-discover
)iscovers o- (oint-to-oint rotocol over -thernet) servers
using the o- )iscovery protocol (o-)). o- is an ethernet
based protocol so the script has to 5no# #hat ethernet interface
to use for discovery. !f no interface is specified, re"uests are
sent out on all available interfaces.
broadcast-rip-discover
)iscovers hosts and routing information from devices running
R!v. on the 6A;. !t does so by sending a R!v. Re"uest command
and collects the responses from all devices responding to the
re"uest.
broadcast-ripng-discover
)iscovers hosts and routing information from devices running
R!ng on the 6A; by sending a broadcast R!ng Re"uest command and
collecting any responses.
broadcast-sybase-asa-discover
)iscovers Sybase Any#here servers on the 6A; by sending broadcast
discovery messages.
broadcast-tellstic5-discover
)iscovers Telldus Technologies TellStic5;et devices on the 6A;.
The Telldus TellStic5 is used to #irelessly control electric
devices such as lights, dimmers and electric outlets. (or more
information@ http@??###.telldus.com?
broadcast-upnp-info
Attempts to e$tract system information from the <n service by
sending a multicast "uery, then collecting, parsing, and
displaying all responses.
broadcast-versant-locate
)iscovers ,ersant ob7ect databases using the broadcast srvloc
protocol.
broadcast-#a5e-on-lan
Aa5es a remote system up from sleep by sending a Aa5e-*n-6an
pac5et.
broadcast-#pad-discover
Retrieves a list of pro$y servers on a 6A; using the Aeb ro$y
Autodiscovery rotocol (AA)). !t implements both the )9C and
);S methods of doing so and starts by "uerying )9C to get the
address. )9C discovery re"uires nmap to be running in privileged
mode and #ill be s5ipped #hen this is not the case. );S discovery
relies on the script being able to resolve the local domain
either through a script argument or by attempting to reverse
resolve the local !.
broadcast-#sdd-discover
<ses a multicast "uery to discover devices supporting the Aeb
Services )ynamic )iscovery (AS-)iscovery) protocol. !t also
attempts to locate any published Aindo#s Communication (rame#or5
(AC() #eb services (.;-T './ or later).
broadcast-$dmcp-discover
)iscovers servers running the + )isplay &anager Control rotocol
(+)&C) by sending a +)&C broadcast re"uest to the 6A;. )isplay
managers allo#ing access are mar5ed using the 5ey#ord Ailling in
the result.
cassandra-brute
erforms brute force pass#ord auditing against the Cassandra
database.
cassandra-info
Attempts to get basic info and server status from a Cassandra
database.
cccam-version
)etects the CCcam service (soft#are for sharing subscription T,
among multiple receivers).
citri$-brute-$ml
Attempts to guess valid credentials for the Citri$ ; Aeb Agent
+&6 Service. The +&6 service authenticates against the local
Aindo#s server or the Active )irectory.
citri$-enum-apps
-$tracts a list of published applications from the !CA 4ro#ser
service.
citri$-enum-apps-$ml
-$tracts a list of applications, AC6s, and settings from the
Citri$ +&6 service.
citri$-enum-servers
-$tracts a list of Citri$ servers from the !CA 4ro#ser service.
citri$-enum-servers-$ml
-$tracts the name of the server farm and member servers from
Citri$ +&6 service.
couchdb-databases
:ets database tables from a Couch)4 database.
couchdb-stats
:ets database statistics from a Couch)4 database.
creds-summary
6ists all discovered credentials (e.g. from brute force and
default pass#ord chec5ing scripts) at end of scan.
cups-info
6ists printers managed by the C<S printing service.
cups-"ueue-info
6ists currently "ueued print 7obs of the remote C<S service
grouped by printer.
cvs-brute
erforms brute force pass#ord auditing against C,S pserver
authentication.
cvs-brute-repository
Attempts to guess the name of the C,S repositories hosted on the
remote server. Aith 5no#ledge of the correct repository name,
usernames and pass#ords can be guessed.
daap-get-library
Retrieves a list of music from a )AA server. The list includes
artist names and album and song titles.
daytime
Retrieves the day and time from the )aytime service.
db.-das-info
Connects to the !4& )4. Administration Server ()AS) on TC or <)
port 1.2 and e$ports the server profile. ;o authentication is
re"uired for this re"uest.
db.-discover
Attempts to discover )4. servers on the net#or5 by "uerying open
ibm-db. <) ports (normally port 1.2).
dhcp-discover
Sends a )9C!;(*R& re"uest to a host on <) port %B to obtain all
the local configuration parameters #ithout allocating a ne#
address.
dict-info
Connects to a dictionary server using the )!CT protocol, runs the
S9*A S-R,-R command, and displays the result. The )!CT protocol
is defined in R(C ...C and is a protocol #hich allo#s a client to
"uery a dictionary server for definitions from a set of natural
language dictionary databases.
distcc-cve.//'-.%DB
)etects and e$ploits a remote code e$ecution vulnerability in the
distributed compiler daemon distcc. The vulnerability #as
disclosed in .//., but is still present in modern implementation
due to poor configuration of the service.
dns-blac5list
Chec5s target ! addresses against multiple );S anti-spam and
open pro$y blac5lists and returns a list of services for #hich an
! has been flagged. Chec5s may be limited by service category
(eg@ SA&, R*+E) or to a specific service name.
dns-brute
Attempts to enumerate );S hostnames by brute force guessing of
common subdomains. Aith the dns-brute.srv argument, dns-brute
#ill also try to enumerate common );S SR, records.
dns-cache-snoop
erforms );S cache snooping against a );S server.
dns-chec5-Fone
Chec5s );S Fone configuration against best practices, including
R(C 0C0.. The configuration chec5s are divided into categories
#hich each have a number of different tests.
dns-client-subnet-scan
erforms a domain loo5up using the edns-client-subnet option
#hich allo#s clients to specify the subnet that "ueries
supposedly originate from. The script uses this option to supply
a number of geographically distributed locations in an attempt to
enumerate as many different address records as possible. The
script also supports re"uests using a given subnet.
dns-fuFF
6aunches a );S fuFFing attac5 against );S servers.
dns-ip%-arpa-scan
erforms a "uic5 reverse );S loo5up of an !v% net#or5 using a
techni"ue #hich analyFes );S server response codes to
dramatically reduce the number of "ueries needed to enumerate
large net#or5s.
dns-nsec-enum
-numerates );S names using the );SS-C ;S-C-#al5ing techni"ue.
dns-nsec2-enum
Tries to enumerate domain names from the );S server that supports
);SS-C ;S-C2 records.
dns-nsid
Retrieves information from a );S nameserver by re"uesting its
nameserver !) (nsid) and as5ing for its id.server and
version.bind values. This script performs the same "ueries as the
follo#ing t#o dig commands@ - dig C9 T+T bind.version Gtarget -
dig Hnsid C9 T+T id.server Gtarget
dns-random-srcport
Chec5s a );S server for the predictable-port recursion
vulnerability. redictable source ports can ma5e a );S server
vulnerable to cache poisoning attac5s (see C,--.//D-0''B).
dns-random-t$id
Chec5s a );S server for the predictable-T+!) );S recursion
vulnerability. redictable T+!) values can ma5e a );S server
vulnerable to cache poisoning attac5s (see C,--.//D-0''B).
dns-recursion
Chec5s if a );S server allo#s "ueries for third-party names. !t
is e$pected that recursion #ill be enabled on your o#n internal
nameservers.
dns-service-discovery
Attempts to discover target hosts3 services using the );S Service
)iscovery protocol.
dns-srv-enum
-numerates various common service (SR,) records for a given
domain name. The service records contain the hostname, port and
priority of servers for a given service. The follo#ing services
are enumerated by the script@ - Active )irectory :lobal Catalog -
-$change Autodiscovery - Ierberos I)C Service - Ierberos ass#d
Change Service - 6)A Servers - S! Servers - +& S.S - +& C.S
dns-update
Attempts to perform a dynamic );S update #ithout authentication.
dns-Feustrac5er
Chec5s if the target ! range is part of a Jeus botnet by
"uerying JT);S G abuse.ch. lease revie# the follo#ing
information before you start to scan@
K https@??Feustrac5er.abuse.ch?Ftdns.php
dns-Fone-transfer
Re"uests a Fone transfer (A+(R) from a );S server.
domcon-brute
erforms brute force pass#ord auditing against the 6otus )omino
Console.
domcon-cmd
Runs a console command on the 6otus )omino Console using the
given authentication credentials (see also@ domcon-brute)
domino-enum-users
Attempts to discover valid !4& 6otus )omino users and do#nload
their !) files by e$ploiting the C,--.//%-1D21 vulnerability.
dpap-brute
erforms brute force pass#ord auditing against an ihoto 6ibrary.
drda-brute
erforms pass#ord guessing against databases supporting the !4&
)4. protocol such as !nformi$, )4. and )erby
drda-info
Attempts to e$tract information from database servers supporting
the )R)A protocol. The script sends a )R)A -+CSAT (e$change
server attributes) command pac5et and parses the response.
duplicates
Attempts to discover multihomed systems by analysing and
comparing information collected by other scripts. The information
analyFed currently includes, SS6 certificates, SS9 host 5eys, &AC
addresses, and ;etbios server names.
eap-info
-numerates the authentication methods offered by an -A
(-$tensible Authentication rotocol) authenticator for a given
identity or for the anonymous identity if no argument is passed.
enip-info
This ;S- script is used to send a -ther;et?! pac5et to a remote
device that has TC ''D0D open. The script #ill send a Re"uest
!dentity ac5et and once a response is received, it validates
that it #as a proper response to the command that #as sent, and
then #ill parse out the data. !nformation that is parsed includes
,endor !), )evice Type, roduct name, Serial ;umber, roduct
code, Revision ;umber, as #ell as the )evice !.
epmd-info
Connects to -rlang ort &apper )aemon (epmd) and retrieves a list
of nodes #ith their respective port numbers.
eppc-enum-processes
Attempts to enumerate process info over the Apple Remote -vent
protocol. Ahen accessing an application over the Apple Remote
-vent protocol the service responds #ith the uid and pid of the
application, if it is running, prior to re"uesting
authentication.
finger
Attempts to retrieve a list of usernames using the finger
service.
fire#al5
Tries to discover fire#all rules using an ! TT6 e$piration
techni"ue 5no#n as fire#al5ing.
fire#all-bypass
)etects a vulnerability in netfilter and other fire#alls that use
helpers to dynamically open ports for protocols such as ftp and
sip.
flume-master-info
Retrieves information from (lume master 9TT pages.
freelancer-info
)etects the (reelancer game server ((6Server.e$e) service by
sending a status "uery <) probe.
ftp-anon
Chec5s if an (T server allo#s anonymous logins.
ftp-bounce
Chec5s to see if an (T server allo#s port scanning using the (T
bounce method.
ftp-brute
erforms brute force pass#ord auditing against (T servers.
ftp-libopie
Chec5s if an (Td is prone to C,--./0/-0C2D (*!- off-by-one
stac5 overflo#), a vulnerability discovered by &a5symilian
Arciemo#icF and Adam Lpi2L Jabroc5i. See the advisory at
http@??nmap.org?r?fbsd-sa-opie. 4e advised that, if launched
against a vulnerable host, this script #ill crash the (Td.
ftp-proftpd-bac5door
Tests for the presence of the ro(T) 0.2.2c bac5door reported as
*S,)4-!) %C1%.. This script attempts to e$ploit the bac5door
using the innocuous id command by default, but that can be
changed #ith the ftp-proftpd-bac5door.cmd script argument.
ftp-vsftpd-bac5door
Tests for the presence of the vs(Td ..2.' bac5door reported on
./00-/B-/' (C,--./00-.1.2). This script attempts to e$ploit the
bac5door using the innocuous id command by default, but that can
be changed #ith the e$ploit.cmd or ftp-vsftpd-bac5door.cmd script
arguments.
ftp-vuln-cve./0/-'..0
Chec5s for a stac5-based buffer overflo# in the ro(T) server,
version bet#een 0.2..rc2 and 0.2.2b. 4y sending a large number of
T-6;-TM!AC escape se"uence, the proftpd process miscalculates the
buffer length, and a remote attac5er #ill be able to corrupt the
stac5 and e$ecute arbitrary code #ithin the conte$t of the
proftpd process (C,--./0/-'..0). Authentication is not re"uired
to e$ploit this vulnerability.
ganglia-info
Retrieves system information (*S version, available memory, etc.)
from a listening :anglia &onitoring )aemon or :anglia &eta
)aemon.
giop-info
>ueries a C*R4A naming server for a list of ob7ects.
g5rellm-info
>ueries a :IRell& service for monitoring information. A single
round of collection is made, sho#ing a snapshot of information at
the time of the re"uest.
gopher-ls
6ists files and directories at the root of a gopher service.
gpsd-info
Retrieves :S time, coordinates and speed from the :S) net#or5
daemon.
hadoop-datanode-info
)iscovers information such as log directories from an Apache
9adoop )ata;ode 9TT status page.
hadoop-7obtrac5er-info
Retrieves information from an Apache 9adoop 8obTrac5er 9TT
status page.
hadoop-namenode-info
Retrieves information from an Apache 9adoop ;ame;ode 9TT status
page.
hadoop-secondary-namenode-info
Retrieves information from an Apache 9adoop secondary ;ame;ode
9TT status page.
hadoop-tas5trac5er-info
Retrieves information from an Apache 9adoop Tas5Trac5er 9TT
status page.
hbase-master-info
Retrieves information from an Apache 94ase (9adoop database)
master 9TT status page.
hbase-region-info
Retrieves information from an Apache 94ase (9adoop database)
region server 9TT status page.
hddtemp-info
Reads hard dis5 information (such as brand, model, and sometimes
temperature) from a listening hddtemp service.
hostmap-bf5
)iscovers hostnames that resolve to the target3s ! address by
"uerying the online database at
http@??###.bf5.de?bf5Mdnslogger.html.
hostmap-ip.hosts
(inds hostnames that resolve to the target3s ! address by
"uerying the online database@
K http@??###.ip.hosts.com ( 4ing Search Results )
hostmap-robte$
)iscovers hostnames that resolve to the target3s ! address by
"uerying the online Robte$ service at http@??ip.robte$.com?.
http-adobe-coldfusion-apsa02/0
Attempts to e$ploit an authentication bypass vulnerability in
Adobe Coldfusion servers (ASA02-/0@
http@??###.adobe.com?support?security?advisories?apsa02-/0.html)
to retrieve a valid administrator3s session coo5ie.
http-affiliate-id
:rabs affiliate net#or5 !)s (e.g. :oogle AdSense or Analytics,
AmaFon Associates, etc.) from a #eb page. These can be used to
identify pages #ith the same o#ner.
http-apache-negotiation
Chec5s if the target http server has modMnegotiation enabled.
This feature can be leveraged to find hidden resources and spider
a #eb site using fe#er re"uests.
http-auth
Retrieves the authentication scheme and realm of a #eb service
that re"uires authentication.
http-auth-finder
Spiders a #eb site to find #eb pages re"uiring form-based or
9TT-based authentication. The results are returned in a table
#ith each url and the detected method.
http-a#statstotals-e$ec
-$ploits a remote code e$ecution vulnerability in A#stats Totals
0./ up to 0.0' and possibly other products based on it (C,-@
.//D-2C..).
http-a$is.-dir-traversal
-$ploits a directory traversal vulnerability in Apache A$is.
version 0.'.0 by sending a specially crafted re"uest to the
parameter $sd (*S,)4-1C//0). 4y default it #ill try to retrieve
the configuration file of the A$is. service 3?conf?a$is..$ml3
using the path 3?a$is.?services?3 to return the username and
pass#ord of the admin account.
http-bac5up-finder
Spiders a #ebsite and attempts to identify bac5up copies of
discovered files. !t does so by re"uesting a number of different
combinations of the filename (eg. inde$.ba5, inde$.htmlN, copy of
inde$.html).
http-barracuda-dir-traversal
Attempts to retrieve the configuration settings from a 4arracuda
;et#or5s Spam O ,irus (ire#all device using the directory
traversal vulnerability described at
http@??seclists.org?fulldisclosure?./0/?*ct?00C.
http-brute
erforms brute force pass#ord auditing against http basic
authentication.
http-ca5ephp-version
*btains the Ca5e9 version of a #eb application built #ith the
Ca5e9 frame#or5 by fingerprinting default files shipped #ith
the Ca5e9 frame#or5.
http-chrono
&easures the time a #ebsite ta5es to deliver a #eb page and
returns the ma$imum, minimum and average time it too5 to fetch a
page.
http-coldfusion-subFero
Attempts to retrieve version, absolute path of administration
panel and the file 3pass#ord.properties3 from vulnerable
installations of Cold(usion C and 0/.
http-comments-displayer
-$tracts and outputs 9T&6 and 8avaScript comments from 9TT
responses.
http-config-bac5up
Chec5s for bac5ups and s#ap files of common content management
system and #eb server configuration files.
http-cors
Tests an http server for Cross-*rigin Resource Sharing (C*RS), a
#ay for domains to e$plicitly opt in to having certain methods
invo5ed by another domain.
http-csrf
This script detects Cross Site Re"uest (orgeries (CSR()
vulnerabilities.
http-date
:ets the date from 9TT-li5e services. Also prints ho# much the
date differs from local time. 6ocal time is the time the 9TT
re"uest #as sent, so the difference includes at least the
duration of one RTT.
http-default-accounts
Tests for access #ith default credentials used by a variety of
#eb applications and devices.
http-devframe#or5
http-dlin5-bac5door
)etects a firm#are bac5door on some )-6in5 routers by changing
the <ser-Agent to a LsecretL value. <sing the LsecretL <ser-Agent
bypasses authentication and allo#s admin access to the router.
http-dombased-$ss
!t loo5s for places #here attac5er-controlled information in the
)*& may be used to affect 8avaScript e$ecution in certain #ays.
The attac5 is e$plained here@
http@??###.#ebappsec.org?pro7ects?articles?/B00/1.shtml
http-domino-enum-pass#ords
Attempts to enumerate the hashed )omino !nternet ass#ords that
are (by default) accessible by all authenticated users. This
script can also do#nload any )omino !) (iles attached to the
erson document.
http-drupal-enum-users
-numerates )rupal users by e$ploiting a an information disclosure
vulnerability in ,ie#s, )rupal3s most popular module.
http-drupal-modules
-numerates the installed )rupal modules by using a list of 5no#n
modules.
http-email-harvest
Spiders a #eb site and collects e-mail addresses.
http-enum
-numerates directories used by popular #eb applications and
servers.
http-errors
This script cra#ls through the #ebsite and returns any error
pages.
http-e$if-spider
Spiders a site3s images loo5ing for interesting e$if data
embedded in .7pg files. )isplays the ma5e and model of the
camera, the date the photo #as ta5en, and the embedded geotag
information.
http-favicon
:ets the favicon (Lfavorites iconL) from a #eb page and matches
it against a database of the icons of 5no#n #eb applications. !f
there is a match, the name of the application is printed=
other#ise the &)1 hash of the icon data is printed.
http-feed
This script cra#ls through the #ebsite to find any rss or atom
feeds.
http-fileupload-e$ploiter
-$ploits insecure file upload forms in #eb applications using
various techni"ues li5e changing the Content-type header or
creating valid image files containing the payload in the comment.
http-form-brute
erforms brute force pass#ord auditing against http form-based
authentication.
http-form-fuFFer
erforms a simple form fuFFing against forms found on #ebsites.
Tries strings and numbers of increasing length and attempts to
determine if the fuFFing #as successful.
http-frontpage-login
Chec5s #hether target machines are vulnerable to anonymous
(rontpage login.
http-generator
)isplays the contents of the LgeneratorL meta tag of a #eb page
(default@ ?) if there is one.
http-git
Chec5s for a :it repository found in a #ebsite3s document
root ?.git?PsomethingQ) and retrieves as much repo information as
possible, including language?frame#or5, remotes, last commit
message, and repository description.
http-git#eb-pro7ects-enum
Retrieves a list of :it pro7ects, o#ners and descriptions from a
git#eb (#eb interface to the :it revision control system).
http-google-mal#are
Chec5s if hosts are on :oogle3s blac5list of suspected mal#are
and phishing servers. These lists are constantly updated and are
part of :oogle3s Safe 4ro#sing service.
http-grep
Spiders a #ebsite and attempts to match all pages and urls
against a given string. &atches are counted and grouped per url
under #hich they #ere discovered.
http-headers
erforms a 9-A) re"uest for the root folder (L?L) of a #eb server
and displays the 9TT headers returned.
http-hua#ei-hg1$$-vuln
)etects 9ua#ei modems models 9:12/$, 9:1./$, 9:10/$ (and possibly
others...) vulnerable to a remote credential and information
disclosure vulnerability. !t also e$tracts the o- credentials
and other interesting configuration values.
http-icloud-findmyiphone
Retrieves the locations of all L(ind my ihoneL enabled i*S
devices by "uerying the &obile&e #eb service (authentication
re"uired).
http-icloud-sendmsg
Sends a message to a i*S device through the Apple &obile&e #eb
service. The device has to be registered #ith an Apple !) using
the (ind &y !phone application.
http-iis-short-name-brute
Attempts to brute force the D.2 filenames (commonly 5no#n as
short names) of files and directories in the root folder of
vulnerable !!S servers. This script is an implementation of the
oC Liis shortname scannerL.
http-iis-#ebdav-vuln
Chec5s for a vulnerability in !!S 1.0?%./ that allo#s arbitrary
users to access secured Aeb)A, folders by searching for a
pass#ord-protected folder and attempting to access it. This
vulnerability #as patched in &icrosoft Security 4ulletin &S/C-
/./, http@??nmap.org?r?ms/C-/./.
http-7oomla-brute
erforms brute force pass#ord auditing against 8oomla #eb C&S
installations.
http-litespeed-sourcecode-do#nload
-$ploits a null-byte poisoning vulnerability in 6itespeed Aeb
Servers './.$ before './.01 to retrieve the target script3s
source code by sending a 9TT re"uest #ith a null byte follo#ed
by a .t$t file e$tension (C,--./0/-.222).
http-ma7ordomo.-dir-traversal
-$ploits a directory traversal vulnerability e$isting in
&a7ordomo. to retrieve remote files. (C,--./00-//'C).
http-mal#are-host
6oo5s for signature of 5no#n server compromises.
http-method-tamper
Attempts to bypass pass#ord protected resources (9TT '/0 status)
by performing 9TT verb tampering. !f an array of paths to chec5
is not set, it #ill cra#l the #eb server and perform the chec5
against any pass#ord protected resource that it finds.
http-methods
(inds out #hat options are supported by an 9TT server by sending
an *T!*;S re"uest. 6ists potentially ris5y methods. *ptionally
tests each method individually to see if they are sub7ect to e.g.
! address restrictions.
http-mobileversion-chec5er
Chec5s if the #ebsite holds a mobile version.
http-ntlm-info
This script enumerates information from remote 9TT services #ith
;T6& authentication enabled.
http-open-pro$y
Chec5s if an 9TT pro$y is open.
http-open-redirect
Spiders a #ebsite and attempts to identify open redirects. *pen
redirects are handlers #hich commonly ta5e a <R6 as a parameter
and responds #ith a http redirect (2++) to the target. Ris5s of
open redirects are described at
http@??c#e.mitre.org?data?definitions?%/0.html.
http-pass#d
Chec5s if a #eb server is vulnerable to directory traversal by
attempting to retrieve ?etc?pass#d or Rboot.ini.
http-php-version
Attempts to retrieve the 9 version from a #eb server. 9 has a
number of magic "ueries that return images or te$t that can vary
#ith the 9 version. This script uses the follo#ing "ueries@
K ?ST9-C1%D(2%-)'.D-00d.-AB%C-//AA//0AC('.@ gets a :!( logo,
#hich changes on April (ool3s )ay.
K ?ST94D41(.A/-2CC.-00d2-A2AC-'CB4/DC0////@ gets an 9T&6
credits page.
http-phpmyadmin-dir-traversal
-$ploits a directory traversal vulnerability in php&yAdmin ..%.'-
pl0 (and possibly other versions) to retrieve remote files on the
#eb server.
http-phpself-$ss
Cra#ls a #eb server and attempts to find 9 files vulnerable to
reflected cross site scripting via the variable
UMS-R,-RVL9MS-6(LW.
http-pro$y-brute
erforms brute force pass#ord guessing against 9TT pro$y
servers.
http-put
<ploads a local file to a remote #eb server using the 9TT <T
method. Eou must specify the filename and <R6 path #ith ;S-
arguments.
http-"nap-nas-info
Attempts to retrieve the model, firm#are version, and enabled
services from a >;A ;et#or5 Attached Storage (;AS) device.
http-referer-chec5er
!nforms about cross-domain include of scripts. Aebsites that
include e$ternal 7avascript scripts are delegating part of their
security to third-party entities.
http-rfi-spider
Cra#ls #ebservers in search of R(! (remote file inclusion)
vulnerabilities. !t tests every form field it finds and every
parameter of a <R6 containing a "uery.
http-robots.t$t
Chec5s for disallo#ed entries in ?robots.t$t on a #eb server.
http-robte$-reverse-ip
*btains up to 0// for#ard );S names for a target ! address by
"uerying the Robte$ service (http@??###.robte$.com?ip?).
http-robte$-shared-ns
(inds up to 0// domain names #hich use the same name server as
the target by "uerying the Robte$ service at
http@??###.robte$.com?dns?.
http-server-header
<ses the 9TT Server header for missing version info. This is
currently infeasible #ith version probes because of the need to
match non-9TT services correctly.
http-sitemap-generator
Spiders a #eb server and displays its directory structure along
#ith number and types of files in each folder. ;ote that files
listed as having an 3*ther3 e$tension are ones that have no
e$tension or that are a root document.
http-slo#loris
Tests a #eb server for vulnerability to the Slo#loris )oS attac5
by launching a Slo#loris attac5.
http-slo#loris-chec5
Tests a #eb server for vulnerability to the Slo#loris )oS attac5
#ithout actually launching a )oS attac5.
http-s"l-in7ection
Spiders an 9TT server loo5ing for <R6s containing "ueries
vulnerable to an S>6 in7ection attac5. !t also e$tracts forms
from found #ebsites and tries to identify fields that are
vulnerable.
http-stored-$ss
<nfiltered 3Q3 (greater than sign). An indication of potential
+SS vulnerability.
http-title
Sho#s the title of the default page of a #eb server.
http-tplin5-dir-traversal
-$ploits a directory traversal vulnerability e$isting in several
T-6in5 #ireless routers. Attac5ers may e$ploit this
vulnerability to read any of the configuration and pass#ord files
remotely and #ithout authentication.
http-trace
Sends an 9TT TRAC- re"uest and sho#s if the method TRAC- is
enabled. !f debug is enabled, it returns the header fields that
#ere modified in the response.
http-traceroute
-$ploits the &a$-(or#ards 9TT header to detect the presence of
reverse pro$ies.
http-unsafe-output-escaping
Spiders a #ebsite and attempts to identify output escaping
problems #here content is reflected bac5 to the user. This script
locates all parameters, S$TfooOyTbar and chec5s if the values are
reflected on the page. !f they are indeed reflected, the script
#ill try to insert ghFQhF$LF$c3$cv and chec5 #hich (if any)
characters #ere reflected bac5 onto the page #ithout proper html
escaping. This is an indication of potential +SS vulnerability.
http-useragent-tester
Chec5s if various cra#ling utilities are allo#ed by the host.
http-userdir-enum
Attempts to enumerate valid usernames on #eb servers running #ith
the modMuserdir module or similar enabled.
http-vhosts
Searches for #eb virtual hostnames by ma5ing a large number of
9-A) re"uests against http servers using common hostnames.
http-virustotal
Chec5s #hether a file has been determined as mal#are by
,irustotal. ,irustotal is a service that provides the capability
to scan a file or chec5 a chec5sum against a number of the ma7or
antivirus vendors. The script uses the public A! #hich re"uires
a valid A! 5ey and has a limit on ' "ueries per minute. A 5ey
can be ac"uired by registering as a user on the virustotal #eb
page@
K http@??###.virustotal.com
http-vlcstreamer-ls
Connects to a ,6C Streamer helper service and lists directory
contents. The ,6C Streamer helper service is used by the i*S ,6C
Streamer application to enable streaming of multimedia content
from the remote server to the device.
http-vm#are-path-vuln
Chec5s for a path-traversal vulnerability in ,&Aare -S+, -S+i,
and Server (C,--.//C-2B22).
http-vuln-cve.//%-22C.
-$ploits a file disclosure vulnerability in Aebmin (C,--./0/-
/B2D)
http-vuln-cve.//C-2C%/
-$ploits cve-.//C-2C%/ also 5no#n as Adobe +&6 -$ternal -ntity
!n7ection.
http-vuln-cve./0/-/B2D
Tests #hether a 84oss target is vulnerable to 7m$ console
authentication bypass (C,--./0/-/B2D).
http-vuln-cve./0/-.D%0
-$ecutes a directory traversal attac5 against a Cold(usion server
and tries to grab the pass#ord hash for the administrator user.
!t then uses the salt value (hidden in the #eb page) to create
the S9A0 9&AC hash that the #eb server needs for authentication
as admin. Eou can pass this value to the Cold(usion server as the
admin #ithout crac5ing the pass#ord hash.
http-vuln-cve./00-20C.
)etects a denial of service vulnerability in the #ay the Apache
#eb server handles re"uests for multiple overlapping?simple
ranges of a page.
http-vuln-cve./00-22%D
Tests for the C,--./00-22%D (Reverse ro$y 4ypass) vulnerability
in Apache 9TT server3s reverse pro$y mode. The script #ill run 2
tests@ o the loopbac5 test, #ith 2 payloads to handle different
re#rite rules o the internal hosts test. According to Conte$tis,
#e e$pect a delay before a server error. o The e$ternal #ebsite
test. This does not mean that you can reach a 6A; ip, but this is
a relevant issue any#ay.
http-vuln-cve./0.-0D.2
)etects 9-C:! installations that are vulnerable to C,--./0.-
0D.2, This critical vulnerability allo#s attac5ers to retrieve
source code and e$ecute code remotely.
http-vuln-cve./02-/01%
)etects Ruby on Rails servers vulnerable to ob7ect in7ection,
remote command e$ecutions and denial of service attac5s. (C,--
./02-/01%)
http-vuln-cve./02-B/C0
An / day #as released on the %th )ecember ./02 by rubina00C, and
#as patched in Jimbra B...%.
http-vuln-#nr0///-creds
A vulnerability has been discovered in A;R 0/// series that
allo#s an attac5er to retrieve administrator credentials #ith the
router interface. Tested *n (irm#are ,ersion(s)@
,0./...%/M%/./.D% (6atest) and ,0./...1'M%/./.D.;A
http-#af-detect
Attempts to determine #hether a #eb server is protected by an !S
(!ntrusion revention System), !)S (!ntrusion )etection System)
or AA( (Aeb Application (ire#all) by probing the #eb server #ith
malicious payloads and detecting changes in the response code and
body.
http-#af-fingerprint
Tries to detect the presence of a #eb application fire#all and
its type and version.
http-#ordpress-brute
performs brute force pass#ord auditing against Aordpress C&S?blog
installations.
http-#ordpress-enum
-numerates usernames in Aordpress blog?C&S installations by
e$ploiting an information disclosure vulnerability e$isting in
versions ..%, 2.0, 2.0.0, 2.0.2 and 2..-beta. and possibly
others.
http-#ordpress-plugins
Tries to obtain a list of installed Aordress plugins by brute
force testing for 5no#n plugins.
http-$ssed
This script searches the $ssed.com database and outputs the
result.
ia$.-brute
erforms brute force pass#ord auditing against the Asteris5 !A+.
protocol. :uessing fails #hen a large number of attempts is made
due to the ma$callnumber limit (default ./'D). !n case your
getting L-RR*R@ Too many retries, aborted ...L after a #hile,
this is most li5ely #hat3s happening. !n order to avoid this
problem try@ - reducing the siFe of your dictionary - use the
brute delay option to introduce a delay bet#een guesses - split
the guessing up in chun5s and #ait for a #hile bet#een them
ia$.-version
)etects the <) !A+. service.
icap-info
Tests a list of 5no#n !CA service names and prints information
about any it detects. The !nternet Content Adaptation rotocol
(!CA) is used to e$tend transparent pro$y servers and is
generally used for content filtering and antivirus scanning.
i5e-version
imap-brute
erforms brute force pass#ord auditing against !&A servers using
either 6*:!;, 6A!;, CRA&-&)1, )!:-ST-&)1 or ;T6& authentication.
imap-capabilities
Retrieves !&A email server capabilities.
informi$-brute
erforms brute force pass#ord auditing against !4& !nformi$
)ynamic Server.
informi$-"uery
Runs a "uery against !4& !nformi$ )ynamic Server using the given
authentication credentials (see also@ informi$-brute).
informi$-tables
Retrieves a list of tables and column definitions for each
database on an !nformi$ server.
ip-for#arding
)etects #hether the remote device has ip for#arding or L!nternet
connection sharingL enabled, by sending an !C& echo re"uest to a
given target using the scanned host as default gate#ay.
ip-geolocation-geobytes
Tries to identify the physical location of an ! address using
the :eobytes geolocation #eb service
(http@??###.geobytes.com?iplocator.htm). The limit of loo5ups
using this service is ./ re"uests per hour. *nce the limit is
reached, an nmap.registryVLip-geolocation-geobytesLW.bloc5ed
boolean is set so no further re"uests are made during a scan.
ip-geolocation-geoplugin
Tries to identify the physical location of an ! address using
the :eoplugin geolocation #eb service
(http@??###.geoplugin.com?). There is no limit on loo5ups using
this service.
ip-geolocation-ipinfodb
Tries to identify the physical location of an ! address using
the !!nfo)4 geolocation #eb service
(http@??ipinfodb.com?ipMlocationMapi.php).
ip-geolocation-ma$mind
Tries to identify the physical location of an ! address using a
:eolocation &a$mind database file (available from
http@??###.ma$mind.com?app?ip-location). This script supports
"ueries using all &a$mind databases that are supported by their
A! including the commercial ones.
ipidse"
Classifies a host3s ! !) se"uence (test for susceptibility to
idle scan).
ipv%-node-info
*btains hostnames, !v' and !v% addresses through !v% ;ode
!nformation >ueries.
ipv%-ra-flood
:enerates a flood of Router Advertisements (RA) #ith random
source &AC addresses and !v% prefi$es. Computers, #hich have
stateless autoconfiguration enabled by default (every ma7or *S),
#ill start to compute !v% suffi$ and update their routing table
to reflect the accepted announcement. This #ill cause 0//X C<
usage on Aindo#s and platforms, preventing to process other
application re"uests.
irc-botnet-channels
Chec5s an !RC server for channels that are commonly used by
malicious botnets.
irc-brute
erforms brute force pass#ord auditing against !RC (!nternet
Relay Chat) servers.
irc-info
:athers information from an !RC server.
irc-sasl-brute
erforms brute force pass#ord auditing against !RC (!nternet
Relay Chat) servers supporting SAS6 authentication.
irc-unrealircd-bac5door
Chec5s if an !RC server is bac5doored by running a time-based
command (ping) and chec5ing ho# long it ta5es to respond.
iscsi-brute
erforms brute force pass#ord auditing against iSCS! targets.
iscsi-info
Collects and displays information from remote iSCS! targets.
isns-info
6ists portals and iSCS! nodes registered #ith the !nternet
Storage ;ame Service (iS;S).
7d#p-e$ec
Attempts to e$ploit 7ava3s remote debugging port. Ahen remote
debugging port is left open, it is possible to in7ect 7ava
bytecode and achieve remote code e$ecution. This script abuses
this to in7ect and e$ecute a 8ava class file that e$ecutes the
supplied shell command and returns its output.
7d#p-info
Attempts to e$ploit 7ava3s remote debugging port. Ahen remote
debugging port is left open, it is possible to in7ect 7ava
bytecode and achieve remote code e$ecution. This script in7ects
and e$ecute a 8ava class file that returns remote system
information.
7d#p-in7ect
Attempts to e$ploit 7ava3s remote debugging port. Ahen remote
debugging port is left open, it is possible to in7ect 7ava
bytecode and achieve remote code e$ecution. This script allo#s
in7ection of arbitrary class files.
7d#p-version
)etects the 8ava )ebug Aire rotocol. This protocol is used by
8ava programs to be debugged via the net#or5. !t should not be
open to the public !nternet, as it does not provide any security
against malicious attac5ers #ho can in7ect their o#n bytecode
into the debugged process.
5rb1-enum-users
)iscovers valid usernames by brute force "uerying li5ely
usernames against a Ierberos service. Ahen an invalid username is
re"uested the server #ill respond using the Ierberos error code
IR41I)CM-RRMCMR!;C!A6M<;I;*A;, allo#ing us to determine that
the user name #as invalid. ,alid user names #ill illicit either
the T:T in a AS-R- response or the error
IR41I)CM-RRMR-A<T9MR-><!R-), signaling that the user is re"uired
to perform pre authentication.
ldap-brute
Attempts to brute-force 6)A authentication. 4y default it uses
the built-in username and pass#ord lists. !n order to use your
o#n lists use the userdb and passdb script arguments.
ldap-novell-getpass
<niversal ass#ord enables advanced pass#ord policies, including
e$tended characters in pass#ords, synchroniFation of pass#ords
from e)irectory to other systems, and a single pass#ord for all
access to e)irectory.
ldap-rootdse
Retrieves the 6)A root )SA-specific -ntry ()S-)
ldap-search
Attempts to perform an 6)A search and returns all matches.
le$mar5-config
Retrieves configuration information from a 6e$mar5 S2//-S'//
printer.
llmnr-resolve
Resolves a hostname by using the 66&;R (6in5-6ocal &ulticast ;ame
Resolution) protocol.
lltd-discovery
<ses the &icrosoft 66T) protocol to discover hosts on a local
net#or5.
ma$db-info
Retrieves version and database information from a SA &a$ )4
database.
mcafee-epo-agent
Chec5 if e* agent is running on port D/D0 or port identified as
e* Agent port.
membase-brute
erforms brute force pass#ord auditing against Couchbase &embase
servers.
membase-http-info
Retrieves information (hostname, *S, uptime, etc.) from the
Couch4ase Aeb Administration port. The information retrieved by
this script does not re"uire any credentials.
memcached-info
Retrieves information (including system architecture, process !),
and server time) from distributed memory ob7ect caching system
memcached.
metasploit-info
:athers info from the &etasploit rpc service. !t re"uires a valid
login pair. After authentication it tries to determine &etasploit
version and deduce the *S type. Then it creates a ne# console and
e$ecutes fe# commands to get additional info. References@ K
http@??#i5i.msgpac5.org?display?&S:ACI?(ormatHspecification K
https@??community.rapidB.com?docs?)*C-010% &etasploit RC A!
:uide
metasploit-msgrpc-brute
erforms brute force username and pass#ord auditing against
&etasploit msgrpc interface.
metasploit-$mlrpc-brute
erforms brute force pass#ord auditing against a &etasploit RC
server using the +&6RC protocol.
mmouse-brute
erforms brute force pass#ord auditing against the RA Tech
&obile &ouse servers.
mmouse-e$ec
Connects to an RA Tech &obile &ouse server, starts an
application and sends a se"uence of 5eys to it. Any application
that the user has access to can be started and the 5ey se"uence
is sent to the application after it has been started.
modbus-discover
-numerates SCA)A &odbus slave ids (sids) and collects their
device information.
mongodb-brute
erforms brute force pass#ord auditing against the &ongo)4
database.
mongodb-databases
Attempts to get a list of tables from a &ongo)4 database.
mongodb-info
Attempts to get build info and server status from a &ongo)4
database.
mrinfo
>ueries targets for multicast routing information.
ms-s"l-brute
erforms pass#ord guessing against &icrosoft S>6 Server (ms-s"l).
Aor5s best in con7unction #ith the broadcast-ms-s"l-discover
script.
ms-s"l-config
>ueries &icrosoft S>6 Server (ms-s"l) instances for a list of
databases, lin5ed servers, and configuration settings.
ms-s"l-dac
>ueries the &icrosoft S>6 4ro#ser service for the )AC ()edicated
Admin Connection) port of a given (or all) S>6 Server instance.
The )AC port is used to connect to the database instance #hen
normal connection attempts fail, for e$ample, #hen server is
hanging, out of memory or in other bad states. !n addition, the
)AC port provides an admin #ith access to system ob7ects
other#ise not accessible over normal connections.
ms-s"l-dump-hashes
)umps the pass#ord hashes from an &S-S>6 server in a format
suitable for crac5ing by tools such as 8ohn-the-ripper. !n order
to do so the user needs to have the appropriate )4 privileges.
ms-s"l-empty-pass#ord
Attempts to authenticate to &icrosoft S>6 Servers using an empty
pass#ord for the sysadmin (sa) account.
ms-s"l-hasdbaccess
>ueries &icrosoft S>6 Server (ms-s"l) instances for a list of
databases a user has access to.
ms-s"l-info
Attempts to determine configuration and version information for
&icrosoft S>6 Server instances.
ms-s"l-"uery
Runs a "uery against &icrosoft S>6 Server (ms-s"l).
ms-s"l-tables
>ueries &icrosoft S>6 Server (ms-s"l) for a list of tables per
database.
ms-s"l-$p-cmdshell
Attempts to run a command using the command shell of &icrosoft
S>6 Server (ms-s"l).
msrpc-enum
>ueries an &SRC endpoint mapper for a list of mapped services
and displays the gathered information.
mtrace
>ueries for the multicast path from a source to a destination
host.
murmur-version
)etects the &urmur service (server for the &umble voice
communication client) versions 0...+.
mys"l-audit
Audits &yS>6 database server security configuration against parts
of the C!S &yS>6 v0./.. benchmar5 (the engine can be used for
other &yS>6 audits by creating appropriate audit files).
mys"l-brute
erforms pass#ord guessing against &yS>6.
mys"l-databases
Attempts to list all databases on a &yS>6 server.
mys"l-dump-hashes
)umps the pass#ord hashes from an &yS>6 server in a format
suitable for crac5ing by tools such as 8ohn the Ripper.
Appropriate )4 privileges (root) are re"uired.
mys"l-empty-pass#ord
Chec5s for &yS>6 servers #ith an empty pass#ord for root or
anonymous.
mys"l-enum
erforms valid-user enumeration against &yS>6 server using a bug
discovered and published by Iingcope
(http@??seclists.org?fulldisclosure?./0.?)ec?C).
mys"l-info
Connects to a &yS>6 server and prints information such as the
protocol and version numbers, thread !), status, capabilities,
and the pass#ord salt.
mys"l-"uery
Runs a "uery against a &yS>6 database and returns the results as
a table.
mys"l-users
Attempts to list all users on a &yS>6 server.
mys"l-variables
Attempts to sho# all variables on a &yS>6 server.
mys"l-vuln-cve./0.-.0..
nat-pmp-info
:ets the routers AA; ! using the ;AT ort &apping rotocol (;AT-
&). The ;AT-& protocol is supported by a broad range of
routers including@ - Apple Airort -$press - Apple Airort
-$treme - Apple Time Capsule - ))-ART - *penArt vD./C or higher,
#ith &ini<n daemon - pfSense v../ - Tarifa (firm#are) (6in5sys
ART1':?:6?:S) - Tomato (irm#are v0..' or higher. (6in5sys
ART1':?:6?:S and many more) - eplin5 4alance
nat-pmp-mapport
&aps a AA; port on the router to a local port on the client using
the ;AT ort &apping rotocol (;AT-&). !t supports the
follo#ing operations@ o map - maps a ne# e$ternal port on the
router to an internal port of the re"uesting ! o unmap - unmaps
a previously mapped port for the re"uesting ! o unmapall -
unmaps all previously mapped ports for the re"uesting !
nbstat
Attempts to retrieve the target3s ;et4!*S names and &AC address.
ncp-enum-users
Retrieves a list of all e)irectory users from the ;ovell ;etAare
Core rotocol (;C) service.
ncp-serverinfo
Retrieves e)irectory server information (*S version, server name,
mounts, etc.) from the ;ovell ;etAare Core rotocol (;C)
service.
ndmp-fs-info
6ists remote file systems by "uerying the remote device using the
;et#or5 )ata &anagement rotocol (ndmp). ;)& is a protocol
intended to transport data bet#een a ;AS device and the bac5up
device, removing the need for the data to pass through the bac5up
server. The follo#ing products are 5no#n to support the protocol@
K Amanda
K 4acula
K CA Arcserve
K Comm,ault Simpana
K -&C ;et#or5er
K 9itachi )ata Systems
K !4& Tivoli
K >uest Soft#are ;etvault 4ac5up
K Symantec ;etbac5up
K Symantec 4ac5up -$ec
ndmp-version
Retrieves version information from the remote ;et#or5 )ata
&anagement rotocol (ndmp) service. ;)& is a protocol intended
to transport data bet#een a ;AS device and the bac5up device,
removing the need for the data to pass through the bac5up server.
The follo#ing products are 5no#n to support the protocol@
K Amanda
K 4acula
K CA Arcserve
K Comm,ault Simpana
K -&C ;et#or5er
K 9itachi )ata Systems
K !4& Tivoli
K >uest Soft#are ;etvault 4ac5up
K Symantec ;etbac5up
K Symantec 4ac5up -$ec
nessus-brute
erforms brute force pass#ord auditing against a ;essus
vulnerability scanning daemon using the ;T 0.. protocol.
nessus-$mlrpc-brute
erforms brute force pass#ord auditing against a ;essus
vulnerability scanning daemon using the +&6RC protocol.
netbus-auth-bypass
Chec5s if a ;et4us server is vulnerable to an authentication
bypass vulnerability #hich allo#s full access #ithout 5no#ing the
pass#ord.
netbus-brute
erforms brute force pass#ord auditing against the ;etbus
bac5door (Lremote administrationL) service.
netbus-info
*pens a connection to a ;et4us server and e$tracts information
about the host and the ;et4us service itself.
netbus-version
-$tends version detection to detect ;et4uster, a honeypot service
that mimes ;et4us.
ne$pose-brute
erforms brute force pass#ord auditing against a ;e$pose
vulnerability scanner using the A! 0.0. 4y default it only tries
three guesses per username to avoid target account loc5out.
nfs-ls
Attempts to get useful information about files from ;(S e$ports.
The output is intended to resemble the output of ls.
nfs-sho#mount
Sho#s ;(S e$ports, li5e the sho#mount -e command.
nfs-statfs
Retrieves dis5 space statistics and information from a remote ;(S
share. The output is intended to resemble the output of df.
nping-brute
erforms brute force pass#ord auditing against an ;ping -cho
service.
nrpe-enum
>ueries ;agios Remote lugin -$ecutor (;R-) daemons to obtain
information such as load averages, process counts, logged in user
information, etc.
ntp-info
:ets the time and configuration variables from an ;T server. Ae
send t#o re"uests@ a time re"uest and a Lread variablesL (opcode
.) control message. Aithout verbosity, the script sho#s the time
and the value of the version, processor, system, refid, and
stratum variables. Aith verbosity, all variables are sho#n.
ntp-monlist
*btains and prints an ;T server3s monitor data.
omp.-brute
erforms brute force pass#ord auditing against the *pen,AS
manager using *&v..
omp.-enum-targets
Attempts to retrieve the list of target systems and net#or5s from
an *pen,AS &anager server.
openloo5up-info
arses and displays the banner information of an *pen6oo5up
(net#or5 5ey-value store) server.
openvas-otp-brute
erforms brute force pass#ord auditing against a *pen,AS
vulnerability scanner daemon using the *T 0./ protocol.
oracle-brute
erforms brute force pass#ord auditing against *racle servers.
oracle-brute-stealth
-$ploits the C,--./0.-202B vulnerability, a #ea5ness in *racle3s
*16*:!; authentication scheme. The vulnerability e$ists in *racle
00g R0?R. and allo#s lin5ing the session 5ey to a pass#ord hash.
Ahen initiating an authentication attempt as a valid user the
server #ill respond #ith a session 5ey and salt. *nce received
the script #ill disconnect the connection thereby not recording
the login attempt. The session 5ey and salt can then be used to
brute force the users pass#ord.
oracle-enum-users
Attempts to enumerate valid *racle user names against unpatched
*racle 00g servers (this bug #as fi$ed in *racle3s *ctober .//C
Critical atch <pdate).
oracle-sid-brute
:uesses *racle instance?S!) names against the T;S-listener.
ovs-agent-version
)etects the version of an *racle ,irtual Server Agent by
fingerprinting responses to an 9TT :-T re"uest and an +&6-RC
method call.
p.p-confic5er
Chec5s if a host is infected #ith Confic5er.C or higher, based on
Confic5er3s peer to peer communication.
path-mtu
erforms simple ath &T< )iscovery to target hosts.
pcany#here-brute
erforms brute force pass#ord auditing against the pcAny#here
remote access protocol.
pgs"l-brute
erforms pass#ord guessing against ostgreS>6.
p7l-ready-message
Retrieves or sets the ready message on printers that support the
rinter 8ob 6anguage. This includes most ostScript printers that
listen on port C0//. Aithout an argument, displays the current
ready message. Aith the p7lMreadyMmessage script argument,
displays the old ready message and changes it to the message
given.
pop2-brute
Tries to log into a *2 account by guessing usernames and
pass#ords.
pop2-capabilities
Retrieves *2 email server capabilities.
pptp-version
Attempts to e$tract system information from the point-to-point
tunneling protocol (T) service.
"conn-e$ec
Attempts to identify #hether a listening >;+ >C*;; daemon allo#s
unauthenticated users to e$ecute arbitrary operating system
commands.
"scan
Repeatedly probe open and?or closed ports on a host to obtain a
series of round-trip time values for each port. These values are
used to group collections of ports #hich are statistically
different from other groups. orts being in different groups (or
LfamiliesL) may be due to net#or5 mechanisms such as port
for#arding to machines behind a ;AT.
"ua5e0-info
-$tracts information from >ua5e game servers and other game
servers #hich use the same protocol.
"ua5e2-info
-$tracts information from a >ua5e2 game server and other games
#hich use the same protocol.
"ua5e2-master-getservers
>ueries >ua5e2-style master servers for game servers (many games
other than >ua5e 2 use this same protocol).
rdp-enum-encryption
)etermines #hich Security layer and -ncryption level is supported
by the R) service. !t does so by cycling through all e$isting
protocols and ciphers. Ahen run in debug mode, the script also
returns the protocols and ciphers that fail and any errors that
#ere reported.
rdp-vuln-ms0.-/./
Chec5s if a machine is vulnerable to &S0.-/./ R) vulnerability.
realvnc-auth-bypass
Chec5s if a ,;C server is vulnerable to the Real,;C
authentication bypass (C,--.//%-.2%C).
redis-brute
erforms brute force pass#ords auditing against a Redis 5ey-value
store.
redis-info
Retrieves information (such as version number and architecture)
from a Redis 5ey-value store.
resolveall
Resolves hostnames and adds every address (!v' or !v%,
depending on ;map mode) to ;map3s target list. This differs from
;map3s normal host resolution process, #hich only scans the first
address (A or AAAA record) returned for each host name.
reverse-inde$
Creates a reverse inde$ at the end of scan output sho#ing #hich
hosts run a particular service. This is in addition to ;map3s
normal output listing the services on each host.
re$ec-brute
erforms brute force pass#ord auditing against the classic <;!+
re$ec (remote e$ec) service.
rfcD%D-time
Retrieves the day and time from the Time service.
ria5-http-info
Retrieves information (such as node name and architecture) from a
4asho Ria5 distributed database using the 9TT protocol.
rlogin-brute
erforms brute force pass#ord auditing against the classic <;!+
rlogin (remote login) service. This script must be run in
privileged mode on <;!+ because it must bind to a lo# source port
number.
rmi-dumpregistry
Connects to a remote R&! registry and attempts to dump all of its
ob7ects.
rmi-vuln-classloader
Tests #hether 8ava rmiregistry allo#s class loading. The default
configuration of rmiregistry allo#s loading classes from remote
<R6s, #hich can lead to remote code e$ecution. The vendor
(*racle?Sun) classifies this as a design feature.
rpc-grind
(ingerprints the target RC port to e$tract the target service,
RC number and version.
rpcap-brute
erforms brute force pass#ord auditing against the Aincap Remote
Capture )aemon (rpcap).
rpcap-info
Connects to the rpcap service (provides remote sniffing
capabilities through Aincap) and retrieves interface
information. The service can either be setup to re"uire
authentication or not and also supports ! restrictions.
rpcinfo
Connects to portmapper and fetches a list of all registered
programs. !t then prints out a table including (for each program)
the RC program number, supported version numbers, port number
and protocol, and program name.
rsync-brute
erforms brute force pass#ord auditing against the rsync remote
file syncing protocol.
rsync-list-modules
6ists modules available for rsync (remote file sync)
synchroniFation.
rtsp-methods
)etermines #hich methods are supported by the RTS (real time
streaming protocol) server.
rtsp-url-brute
Attempts to enumerate RTS media <R6S by testing for common paths
on devices such as surveillance ! cameras.
samba-vuln-cve-./0.-00D.
Chec5s if target machines are vulnerable to the Samba heap
overflo# vulnerability C,--./0.-00D..
servicetags
Attempts to e$tract system information (*S, hard#are, etc.) from
the Sun Service Tags service agent (<) port %'D0).
sip-brute
erforms brute force pass#ord auditing against Session !nitiation
rotocol (S! -
http@??en.#i5ipedia.org?#i5i?SessionM!nitiationMrotocol)
accounts. This protocol is most commonly associated #ith ,o!
sessions.
sip-call-spoof
Spoofs a call to a S! phone and detects the action ta5en by the
target (busy, declined, hung up, etc.)
sip-enum-users
-numerates a S! server3s valid e$tensions (users).
sip-methods
-numerates a S! Server3s allo#ed methods (!;,!T-, *T!*;S,
S<4SCR!4-, etc.)
s5ypev.-version
)etects the S5ype version . service.
smb-brute
Attempts to guess username?pass#ord combinations over S&4,
storing discovered combinations for use in other scripts. -very
attempt #ill be made to get a valid list of users and to verify
each username before actually using them. Ahen a username is
discovered, besides being printed, it is also saved in the ;map
registry so other ;map scripts can use it. That means that if
you3re going to run smb-brute.nse, you should run other smb
scripts you #ant. This chec5s pass#ords in a case-insensitive
#ay, determining case after a pass#ord is found, for Aindo#s
versions before ,ista.
smb-chec5-vulns
Chec5s for vulnerabilities@
K &S/D-/%B, a Aindo#s RC vulnerability
K Confic5er, an infection by the Confic5er #orm
K <nnamed regsvc )oS, a denial-of-service vulnerability !
accidentally found in Aindo#s .///
K S&4v. e$ploit (C,--.//C-20/2, &icrosoft Security Advisory
CB1'CB)
K &S/%-/.1, a Aindo#s Ras RC service vulnerability
K &S/B-/.C, a Aindo#s )ns Server RC service vulnerability
smb-enum-domains
Attempts to enumerate domains on a system, along #ith their
policies. This generally re"uires credentials, e$cept against
Aindo#s .///. !n addition to the actual domain, the L4uiltinL
domain is generally displayed. Aindo#s returns this in the list
of domains, but its policies don3t appear to be used any#here.
smb-enum-groups
*btains a list of groups from the remote Aindo#s system, as #ell
as a list of the group3s users. This #or5s similarly to enum.e$e
#ith the ?: s#itch.
smb-enum-processes
ulls a list of processes from the remote server over S&4. This
#ill determine all running processes, their process !)s, and
their parent processes. !t is done by "uerying the remote
registry service, #hich is disabled by default on ,ista= on all
other Aindo#s versions, it re"uires Administrator privileges.
smb-enum-sessions
-numerates the users logged into a system either locally or
through an S&4 share. The local users can be logged on either
physically on the machine, or through a terminal services
session. Connections to a S&4 share are, for e$ample, people
connected to fileshares or ma5ing RC calls. ;map3s connection
#ill also sho# up, and is generally identified by the one that
connected L/ seconds agoL.
smb-enum-shares
Attempts to list shares using the srvsvc.;etShare-numAll &SRC
function and retrieve more information about them using
srvsvc.;etShare:et!nfo. !f access to those functions is denied, a
list of common share names are chec5ed.
smb-enum-users
Attempts to enumerate the users on a remote Aindo#s system, #ith
as much information as possible, through t#o different techni"ues
(both over &SRC, #hich uses port ''1 or 02C= see smb.lua). The
goal of this script is to discover all user accounts that e$ist
on a remote system. This can be helpful for administration, by
seeing #ho has an account on a server, or for penetration testing
or net#or5 footprinting, by determining #hich accounts e$ist on a
system.
smb-flood
-$hausts a remote S&4 server3s connection limit by by opening as
many connections as #e can. &ost implementations of S&4 have a
hard global limit of 00 connections for user accounts and 0/
connections for anonymous. *nce that limit is reached, further
connections are denied. This script e$ploits that limit by ta5ing
up all the connections and holding them.
smb-ls
Attempts to retrieve useful information about files shared on S&4
volumes. The output is intended to resemble the output of the
<;!+ ls command.
smb-mbenum
>ueries information managed by the Aindo#s &aster 4ro#ser.
smb-os-discovery
Attempts to determine the operating system, computer name,
domain, #or5group, and current time over the S&4 protocol (ports
''1 or 02C). This is done by starting a session #ith the
anonymous account (or #ith a proper user account, if one is
given= it li5ely doesn3t ma5e a difference)= in response to a
session starting, the server #ill send bac5 all this information.
smb-print-te$t
Attempts to print te$t on a shared printer by calling rint
Spooler Service RC functions.
smb-pse$ec
!mplements remote process e$ecution similar to the Sysinternals3
pse$ec tool, allo#ing a user to run a series of programs on a
remote machine and read the output. This is great for gathering
information about servers, running the same tool on a range of
system, or even installing a bac5door on a collection of
computers.
smb-security-mode
Returns information about the S&4 security level determined by
S&4.
smb-server-stats
Attempts to grab the server3s statistics over S&4 and &SRC,
#hich uses TC ports ''1 or 02C.
smb-system-info
ulls bac5 information about the remote system from the registry.
:etting all of the information re"uires an administrative
account, although a user account #ill still get a lot of it.
:uest probably #on3t get any, nor #ill anonymous. This goes for
all operating systems, including Aindo#s .///.
smb-vuln-ms0/-/1'
Tests #hether target machines are vulnerable to the ms0/-/1' S&4
remote memory corruption vulnerability.
smb-vuln-ms0/-/%0
Tests #hether target machines are vulnerable to ms0/-/%0 rinter
Spooler impersonation vulnerability.
smbv.-enabled
Chec5s #hether or not a server is running the S&4v. protocol.
smtp-brute
erforms brute force pass#ord auditing against S&T servers using
either 6*:!;, 6A!;, CRA&-&)1, )!:-ST-&)1 or ;T6& authentication.
smtp-commands
Attempts to use -96* and 9-6 to gather the -$tended commands
supported by an S&T server.
smtp-enum-users
Attempts to enumerate the users on a S&T server by issuing the
,R(E, -+; or RCT T* commands. The goal of this script is to
discover all the user accounts in the remote system.
smtp-open-relay
Attempts to relay mail by issuing a predefined combination of
S&T commands. The goal of this script is to tell if a S&T
server is vulnerable to mail relaying.
smtp-strangeport
Chec5s if S&T is running on a non-standard port.
smtp-vuln-cve./0/-'2''
Chec5s for and?or e$ploits a heap overflo# #ithin versions of
-$im prior to version '.%C (C,--./0/-'2'') and a privilege
escalation vulnerability in -$im '.B. and prior (C,--./0/-'2'1).
smtp-vuln-cve./00-0B./
Chec5s for a memory corruption in the ostfi$ S&T server #hen it
uses Cyrus SAS6 library authentication mechanisms (C,--./00-
0B./). This vulnerability can allo# denial of service and
possibly remote code e$ecution.
smtp-vuln-cve./00-0B%'
Chec5s for a format string vulnerability in the -$im S&T server
(version '.B/ through '.B1) #ith )omainIeys !dentified &ail
()I!&) support (C,--./00-0B%'). The )I!& logging mechanism did
not use format string specifiers #hen logging some parts of the
)I!&-Signature header field. A remote attac5er #ho is able to
send emails, can e$ploit this vulnerability and e$ecute arbitrary
code #ith the privileges of the -$im daemon.
sniffer-detect
Chec5s if a target on a local -thernet has its net#or5 card in
promiscuous mode.
snmp-brute
Attempts to find an S;& community string by brute force
guessing.
snmp-hh2c-logins
Attempts to enumerate 9ua#ei ? 9?92C 6ocally )efined <sers
through the hh2c-user.mib *!)
snmp-interfaces
Attempts to enumerate net#or5 interfaces through S;&.
snmp-ios-config
Attempts to do#nloads Cisco router !*S configuration files using
S;& RA (v0) and display or save them.
snmp-netstat
Attempts to "uery S;& for a netstat li5e output. The script can
be used to identify and automatically add ne# targets to the scan
by supplying the ne#targets script argument.
snmp-processes
Attempts to enumerate running processes through S;&.
snmp-sysdescr
Attempts to e$tract system information from an S;& version 0
service.
snmp-#in2.-services
Attempts to enumerate Aindo#s services through S;&.
snmp-#in2.-shares
Attempts to enumerate Aindo#s Shares through S;&.
snmp-#in2.-soft#are
Attempts to enumerate installed soft#are through S;&.
snmp-#in2.-users
Attempts to enumerate Aindo#s user accounts through S;&
soc5s-auth-info
)etermines the supported authentication mechanisms of a remote
S*CIS pro$y server. Starting #ith S*CIS version 1 soc5s servers
may support authentication. The script chec5s for the follo#ing
authentication types@ / - ;o authentication 0 - :SSA! . -
<sername and pass#ord
soc5s-brute
erforms brute force pass#ord auditing against S*CIS 1 pro$y
servers.
soc5s-open-pro$y
Chec5s if an open soc5s pro$y is running on the target.
ssh-host5ey
Sho#s SS9 host5eys.
ssh.-enum-algos
Reports the number of algorithms (for encryption, compression,
etc.) that the target SS9. server offers. !f verbosity is set,
the offered algorithms are each listed by type.
sshv0
Chec5s if an SS9 server supports the obsolete and less secure SS9
rotocol ,ersion 0.
ssl-cert
Retrieves a server3s SS6 certificate. The amount of information
printed about the certificate depends on the verbosity level.
Aith no e$tra verbosity, the script prints the validity period
and the common;ame, organiFation;ame, state*rrovince;ame, and
country;ame of the sub7ect.
ssl-date
Retrieves a target host3s time and date from its T6S Server9ello
response.
ssl-enum-ciphers
This script repeatedly initiates SS6?T6S connections, each time
trying a ne# cipher or compressor #hile recording #hether a host
accepts or re7ects it. The end result is a list of all the
ciphers and compressors that a server accepts.
ssl-google-cert-catalog
>ueries :oogle3s Certificate Catalog for the SS6 certificates
retrieved from target hosts.
ssl-heartbleed
)etects #hether a server is vulnerable to the *penSS6 9eartbleed
bug (C,--./0'-/0%/). The code is based on the ython script
ssltest.py authored by 8ared Stafford (7spenguinG7spenguin.org)
ssl-5no#n-5ey
Chec5s #hether the SS6 certificate used by a host has a
fingerprint that matches an included database of problematic
5eys.
sslv.
)etermines #hether the server supports obsolete and less secure
SS6v., and discovers #hich ciphers it supports.
sstp-discover
Chec5 if the Secure Soc5et Tunneling rotocol is supported. This
is accomplished by trying to establish the 9TTS layer #hich is
used to carry SST traffic as described in@ -
http@??msdn.microsoft.com?en-us?library?cc.'B2%'.asp$
stun-info
Retrieves the e$ternal ! address of a ;AT@ed host using the ST<;
protocol.
stun-version
Sends a binding re"uest to the server and attempts to e$tract
version information from the response, if the server attribute is
present.
stu$net-detect
)etects #hether a host is infected #ith the Stu$net #orm
(http@??en.#i5ipedia.org?#i5i?Stu$net).
svn-brute
erforms brute force pass#ord auditing against Subversion source
code control servers.
targets-asn
roduces a list of ! prefi$es for a given routing AS number
(AS;).
targets-ipv%-multicast-echo
Sends an !C&v% echo re"uest pac5et to the all-nodes lin5-local
multicast address (ff/.@@0) to discover responsive hosts on a 6A;
#ithout needing to individually ping each !v% address.
targets-ipv%-multicast-invalid-dst
Sends an !C&v% pac5et #ith an invalid e$tension header to the
all-nodes lin5-local multicast address (ff/.@@0) to discover
(some) available hosts on the 6A;. This #or5s because some hosts
#ill respond to this probe #ith an !C&v% arameter roblem
pac5et.
targets-ipv%-multicast-mld
Attempts to discover available !v% hosts on the 6A; by sending
an &6) (multicast listener discovery) "uery to the lin5-local
multicast address (ff/.@@0) and listening for any responses. The
"uery3s ma$imum response delay set to / to provo5e hosts to
respond immediately rather than #aiting for other responses from
their multicast group.
targets-ipv%-multicast-slaac
erforms !v% host discovery by triggering stateless address
auto-configuration (S6AAC).
targets-sniffer
Sniffs the local net#or5 for a configurable amount of time (0/
seconds by default) and prints discovered addresses. !f the
ne#targets script argument is set, discovered addresses are added
to the scan "ueue.
targets-traceroute
!nserts traceroute hops into the ;map scanning "ueue. !t only
functions if ;map3s --traceroute option is used and the
ne#targets script argument is given.
teamspea5.-version
)etects the TeamSpea5 . voice communication server and attempts
to determine version and configuration information.
telnet-brute
erforms brute-force pass#ord auditing against telnet servers.
telnet-encryption
)etermines #hether the encryption option is supported on a remote
telnet server. Some systems (including (ree4S) and the 5rb1
telnetd available in many 6inu$ distributions) implement this
option incorrectly, leading to a remote root vulnerability. This
script currently only tests #hether encryption is supported, not
for that particular vulnerability.
tftp-enum
-numerates T(T (trivial file transfer protocol) filenames by
testing for a list of common ones.
tls-ne$tprotoneg
-numerates a T6S server3s supported protocols by using the ne$t
protocol negotiation e$tension.
traceroute-geolocation
6ists the geographic locations of each hop in a traceroute and
optionally saves the results to a I&6 file, plottable on :oogle
earth and maps.
unittest
Runs unit tests on all ;S- libraries.
unusual-port
Compares the detected service on a port against the e$pected
service for that port number (e.g. ssh on .., http on D/) and
reports deviations. The script re"uires that a version scan has
been run in order to be able to discover #hat service is actually
running on each port.
upnp-info
Attempts to e$tract system information from the <n service.
url-snarf
Sniffs an interface for 9TT traffic and dumps any <R6s, and
their originating ! address. Script output differs from other
script as <R6s are #ritten to stdout directly. There is also an
option to log the results to file.
ventrilo-info
)etects the ,entrilo voice communication server service versions
..0.. and above and tries to determine version and configuration
information. Some of the older versions (pre 2././) may not have
the <) service that this probe relies on enabled by default.
versant-info
-$tracts information, including file paths, version and database
names from a ,ersant ob7ect database.
vmauthd-brute
erforms brute force pass#ord auditing against the ,&Aare
Authentication )aemon (vm#are-authd).
vnc-brute
erforms brute force pass#ord auditing against ,;C servers.
vnc-info
>ueries a ,;C server for its protocol version and supported
security types.
voldemort-info
Retrieves cluster and store information from the ,oldemort
distributed 5ey-value store using the ,oldemort ;ative rotocol.
vuFe-dht-info
Retrieves some basic information, including protocol version from
a ,uFe filesharing node.
#db-version
)etects vulnerabilities and gathers information (such as version
numbers and hard#are support) from ,$Aor5s Aind )e4ug agents.
#eblogic-t2-info
)etect the T2 R&! protocol and Aeblogic version
#hois-domain
Attempts to retrieve information about the domain name of the
target
#hois-ip
>ueries the A9*!S services of Regional !nternet Registries (R!R)
and attempts to retrieve information about the ! Address
Assignment #hich contains the Target ! Address.
#sdd-discover
Retrieves and displays information from devices supporting the
Aeb Services )ynamic )iscovery (AS-)iscovery) protocol. !t also
attempts to locate any published Aindo#s Communication (rame#or5
(AC() #eb services (.;-T './ or later).
$00-access
Chec5s if you3re allo#ed to connect to the + server.
$dmcp-discover
Re"uests an +)&C (+ display manager control protocol) session
and lists supported authentication and authoriFation mechanisms.
$mpp-brute
erforms brute force pass#ord auditing against +& (8abber)
instant messaging servers.
$mpp-info
Connects to +& server (port 1...) and collects server
information such as@ supported auth mechanisms, compression
methods, #hether T6S is supported and mandatory, stream
management, language, support of !n-4and registration, server
capabilities. !f possible, studies server vendor