diff --git a/scripts/asn-query.nse b/scripts/asn-query.nse
index c8c5bf6d4..d314b58e4 100644
--- a/scripts/asn-query.nse
+++ b/scripts/asn-query.nse
@@ -385,8 +385,12 @@ function get_prefix_length( range )
 end
 ---
--- Given an IP address and a prefix length, returns a string representing a valid IP address assignment (size is not checked) which contains
--- the supplied IP address. For example, with ip = "192.168.1.187" and prefix = 24 the return value will be "192.168.1.1-192.168.1.255"
+-- Given an IP address and a prefix length, returns a string representing a
+-- valid IP address assignment (size is not checked) which contains the
+-- supplied IP address. For example, with
+-- ip = "192.168.1.187" and
+-- prefix = 24 the return value will be
+-- "192.168.1.1-192.168.1.255"
 -- @param ip String representing an IP address.
 -- @param prefix String or number representing a prefix length. Should be of the same address family as ip.
 -- @return String representing a range of addresses from the first to the last hosts (or nil in case of an error).
diff --git a/scripts/broadcast-dropbox-listener.nse b/scripts/broadcast-dropbox-listener.nse
index 391d51f16..ccea7669c 100644
--- a/scripts/broadcast-dropbox-listener.nse
+++ b/scripts/broadcast-dropbox-listener.nse
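Review bot: The reflowed doc comment now breaks mid-sentence at `with`, `and` and `will be`, leaving `-- ip = "192.168.1.187" and` and `-- prefix = 24 the return value will be` as orphan lines, which reads as if inline markup around the example values did not survive the reflow. Either restore that markup or rejoin the fragments into two lines, e.g. `-- supplied IP address. For example, with ip = "192.168.1.187" and prefix = 24` followed by `-- the return value will be "192.168.1.1-192.168.1.255".` While here, the example range starts at .1 rather than the network address .0 yet ends at .255; the @return text ("first to the last hosts") suggests this is intended, but one clause explaining that convention would save the next reader the question. The function this comment documents starts below the hunk.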
@@ -5,9 +5,13 @@ local tab = require "tab"
 local target = require "target"
 description = [[
-Listens for the LAN sync information broadcasts that the Dropbox.com client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more.
+Listens for the LAN sync information broadcasts that the Dropbox.com client
+broadcasts every 20 seconds, then prints all the discovered client IP
+addresses, port numbers, version numbers, display names, and more.
-If the newtargets script argument is given, all discovered Dropbox clients will be added to the Nmap target list rather than just listed in the output.
+If the newtargets script argument is given, all discovered Dropbox
+clients will be added to the Nmap target list rather than just listed in the
+output.
 ]]
 ---
diff --git a/scripts/broadcast-ping.nse b/scripts/broadcast-ping.nse
index 391d6c85b..d2ab1ea3d 100644
--- a/scripts/broadcast-ping.nse
+++ b/scripts/broadcast-ping.nse
@@ -12,8 +12,10 @@ local openssl = stdnse.silent_require "openssl"
 description = [[
 Sends broadcast pings on a selected interface using raw ethernet packets and
-outputs the responding hosts' IP and MAC addresses or (if requested) adds them as targets. Root privileges on UNIX are required to run this script since it uses raw sockets. Most operating systems don't respond to broadcast-ping probes,
-but they can be configured to do so.
+outputs the responding hosts' IP and MAC addresses or (if requested) adds them
+as targets. Root privileges on UNIX are required to run this script since it
+uses raw sockets. Most operating systems don't respond to broadcast-ping
+probes, but they can be configured to do so.
 The interface on which is broadcasted can be specified using the -e Nmap
 option or the broadcast-ping.interface script-arg. If no interface is
diff --git a/scripts/firewall-bypass.nse b/scripts/firewall-bypass.nse
index 99005ae35..b477544a5 100644
--- a/scripts/firewall-bypass.nse
+++ b/scripts/firewall-bypass.nse
@@ -5,16 +5,21 @@ local string = require "string"
 local packet = require "packet"
 description = [[
-Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip.
+Detects a vulnerability in netfilter and other firewalls that use helpers to
+dynamically open ports for protocols such as ftp and sip.
-The script works by spoofing a packet from the target server asking for opening a related connection to a target port which will be
-fulfilled by the firewall through the adequate protocol helper port. The attacking machine should be on the same network segment as the
-firewall for this to work. The script supports ftp helper on both IPv4 and IPv6. Real path filter is used to prevent such attacks.
+The script works by spoofing a packet from the target server asking for opening
+a related connection to a target port which will be fulfilled by the firewall
+through the adequate protocol helper port. The attacking machine should be on
+the same network segment as the firewall for this to work. The script supports
+ftp helper on both IPv4 and IPv6. Real path filter is used to prevent such
+attacks.
 Based on work done by Eric Leblond.
 For more information, see:
- * http://home.regit.org/2012/03/playing-with-network-layers-to-bypass-firewalls-filtering-policy/
+
+* http://home.regit.org/2012/03/playing-with-network-layers-to-bypass-firewalls-filtering-policy/
 ]]
 ---
diff --git a/scripts/ftp-proftpd-backdoor.nse b/scripts/ftp-proftpd-backdoor.nse
index 07f10d42a..c3b655986 100644
--- a/scripts/ftp-proftpd-backdoor.nse
+++ b/scripts/ftp-proftpd-backdoor.nse
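Review bot: The closing sentence of the reflowed paragraph, `Real path filter is used to prevent such attacks.`, names no mechanism a reader can look up, and "real path filter" is not a term the rest of the description defines. If this refers to the kernel's reverse-path filter (Linux `rp_filter`), which would drop the spoofed source packet the script relies on, say so explicitly, e.g. `Reverse path filtering (e.g. Linux rp_filter) on the firewall defeats this attack; the script only succeeds where it is disabled.` This is inferred from the description of the spoofing technique in the same hunk, not from the script body, so please confirm against the code before rewording.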
@@ -7,7 +7,10 @@ local stdnse = require "stdnse"
 -- vim: set filetype=lua :
 description = [[
-Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.
+Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID
+69562. This script attempts to exploit the backdoor using the innocuous
+id command by default, but that can be changed with the
+ftp-proftpd-backdoor.cmd script argument.
 ]]
 ---
diff --git a/scripts/ftp-vsftpd-backdoor.nse b/scripts/ftp-vsftpd-backdoor.nse
index 9de7fefde..8e3ab29ed 100644
--- a/scripts/ftp-vsftpd-backdoor.nse
+++ b/scripts/ftp-vsftpd-backdoor.nse
@@ -14,9 +14,10 @@ the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.
 References:
- * http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
- * https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
- * http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2011-2523
+
+* http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
+* https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
+* http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2011-2523
 ]]
 ---
diff --git a/scripts/hadoop-datanode-info.nse b/scripts/hadoop-datanode-info.nse
index 59f025f6f..ba081c4a9 100644
--- a/scripts/hadoop-datanode-info.nse
+++ b/scripts/hadoop-datanode-info.nse
@@ -4,15 +4,11 @@ local shortport = require "shortport"
 local stdnse = require "stdnse"
 description = [[
-Discovers information such as log directories from an Apache Hadoop DataNode HTTP status page.
+Discovers information such as log directories from an Apache Hadoop DataNode
+HTTP status page.
 Information gathered:
- * Log directory (relative to http://host:port/)
-
-For more information about hadoop, see:
- * http://hadoop.apache.org/
- * http://en.wikipedia.org/wiki/Apache_Hadoop
- * http://wiki.apache.org/hadoop/DataNode
+* Log directory (relative to http://host:port/)
 ]]
 ---
diff --git a/scripts/hadoop-jobtracker-info.nse b/scripts/hadoop-jobtracker-info.nse
index 1154c9e50..80a304433 100644
--- a/scripts/hadoop-jobtracker-info.nse
+++ b/scripts/hadoop-jobtracker-info.nse
@@ -10,19 +10,14 @@ description = [[
 Retrieves information from an Apache Hadoop JobTracker HTTP status page.
 Information gathered:
- * State of the JobTracker.
- * Date/time the service was started
- * Hadoop version
- * Hadoop Compile date
- * JobTracker ID
- * Log directory (relative to http://host:port/)
- * Associated TaskTrackers
- * Optionally also user activity history
-
-For more information about Hadoop, see:
- * http://hadoop.apache.org/
- * http://en.wikipedia.org/wiki/Apache_Hadoop
- * http://wiki.apache.org/hadoop/JobTracker
+* State of the JobTracker.
+* Date/time the service was started
+* Hadoop version
+* Hadoop Compile date
+* JobTracker ID
+* Log directory (relative to http://host:port/)
+* Associated TaskTrackers
+* Optionally also user activity history
 ]]
 ---
@@ -44,6 +39,7 @@ For more information about Hadoop, see:
 -- | Userhistory:
 -- | User: bob (Wed Sep 07 12:14:33 CEST 2011)
 -- |_ User: bob (Wed Sep 07 12:14:33 CEST 2011)
+--
 -- @xmloutput
 -- RUNNING
 -- Wed May 11 22:33:44 PDT 2011, bob
diff --git a/scripts/hadoop-namenode-info.nse b/scripts/hadoop-namenode-info.nse
index bfab1e157..1b678388a 100644
--- a/scripts/hadoop-namenode-info.nse
+++ b/scripts/hadoop-namenode-info.nse
@@ -11,18 +11,13 @@ description = [[
 Retrieves information from an Apache Hadoop NameNode HTTP status page.
 Information gathered:
- * Date/time the service was started
- * Hadoop version
- * Hadoop compile date
- * Upgrades status
- * Filesystem directory (relative to http://host:port/)
- * Log directory (relative to http://host:port/)
- * Associated DataNodes.
-
-For more information about Hadoop, see:
- * http://hadoop.apache.org/
- * http://en.wikipedia.org/wiki/Apache_Hadoop
- * http://wiki.apache.org/hadoop/NameNode
+* Date/time the service was started
+* Hadoop version
+* Hadoop compile date
+* Upgrades status
+* Filesystem directory (relative to http://host:port/)
+* Log directory (relative to http://host:port/)
+* Associated DataNodes.
 ]]
 ---
diff --git a/scripts/hadoop-secondary-namenode-info.nse b/scripts/hadoop-secondary-namenode-info.nse
index 87f0492fe..b6262862f 100644
--- a/scripts/hadoop-secondary-namenode-info.nse
+++ b/scripts/hadoop-secondary-namenode-info.nse
@@ -10,19 +10,14 @@ description = [[
 Retrieves information from an Apache Hadoop secondary NameNode HTTP status page.
 Information gathered:
- * Date/time the service was started
- * Hadoop version
- * Hadoop compile date
- * Hostname or IP address and port of the master NameNode server
- * Last time a checkpoint was taken
- * How often checkpoints are taken (in seconds)
- * Log directory (relative to http://host:port/)
- * File size of current checkpoint
-
-For more information about Hadoop, see:
- * http://hadoop.apache.org/
- * http://en.wikipedia.org/wiki/Apache_Hadoop
- * http://wiki.apache.org/hadoop/NameNode
+* Date/time the service was started
+* Hadoop version
+* Hadoop compile date
+* Hostname or IP address and port of the master NameNode server
+* Last time a checkpoint was taken
+* How often checkpoints are taken (in seconds)
+* Log directory (relative to http://host:port/)
+* File size of current checkpoint
 ]]
 ---
diff --git a/scripts/hadoop-tasktracker-info.nse b/scripts/hadoop-tasktracker-info.nse
index fd5302f62..fc6b8b47a 100644
--- a/scripts/hadoop-tasktracker-info.nse
+++ b/scripts/hadoop-tasktracker-info.nse
@@ -7,14 +7,9 @@ description = [[
 Retrieves information from an Apache Hadoop TaskTracker HTTP status page.
 Information gathered:
- * Hadoop version
- * Hadoop Compile date
- * Log directory (relative to http://host:port/)
-
-For more information about Hadoop, see:
- * http://hadoop.apache.org/
- * http://en.wikipedia.org/wiki/Apache_Hadoop
- * http://wiki.apache.org/hadoop/TaskTracker
+* Hadoop version
+* Hadoop Compile date
+* Log directory (relative to http://host:port/)
 ]]
 ---
diff --git a/scripts/hbase-master-info.nse b/scripts/hbase-master-info.nse
index 9f29d1b61..31dd3ad62 100644
--- a/scripts/hbase-master-info.nse
+++ b/scripts/hbase-master-info.nse
@@ -10,19 +10,14 @@ description = [[
 Retrieves information from an Apache HBase (Hadoop database) master HTTP status page.
 Information gathered:
- * Hbase version
- * Hbase compile date
- * Hbase root directory
- * Hadoop version
- * Hadoop compile date
- * Average load
- * Zookeeper quorum server
- * Associated region servers
-
-For more information about Hbase, see:
- * http://hbase.apache.org/
- * http://wiki.apache.org/hadoop/Hbase
- * http://wiki.apache.org/hadoop/TaskTracker
+* Hbase version
+* Hbase compile date
+* Hbase root directory
+* Hadoop version
+* Hadoop compile date
+* Average load
+* Zookeeper quorum server
+* Associated region servers
 ]]
 ---
diff --git a/scripts/hbase-region-info.nse b/scripts/hbase-region-info.nse
index d72d1af5d..88ea748a2 100644
--- a/scripts/hbase-region-info.nse
+++ b/scripts/hbase-region-info.nse
@@ -8,14 +8,10 @@ description = [[
 Retrieves information from an Apache HBase (Hadoop database) region server HTTP status page.
 Information gathered:
- * HBase version
- * HBase compile date
- * A bunch of metrics about the state of the region server
- * Zookeeper quorum server
-
-For more information about Hbase, see:
- * http://hbase.apache.org/
- * http://wiki.apache.org/hadoop/Hbase
+* HBase version
+* HBase compile date
+* A bunch of metrics about the state of the region server
+* Zookeeper quorum server
 ]]
 ---
diff --git a/scripts/http-adobe-coldfusion-apsa1301.nse b/scripts/http-adobe-coldfusion-apsa1301.nse
index c42ead1da..d9d3e188b 100644
--- a/scripts/http-adobe-coldfusion-apsa1301.nse
+++ b/scripts/http-adobe-coldfusion-apsa1301.nse
@@ -1,5 +1,9 @@
 description = [[
-Attempts to exploit an authentication bypass vulnerability in Adobe Coldfusion servers (APSA13-01: http://www.adobe.com/support/security/advisories/apsa13-01.html) to retrieve a valid administrator's session cookie.
+Attempts to exploit an authentication bypass vulnerability in Adobe Coldfusion
+servers to retrieve a valid administrator's session cookie.
+
+Reference:
+* APSA13-01: http://www.adobe.com/support/security/advisories/apsa13-01.html
 ]]
 ---
diff --git a/scripts/http-awstatstotals-exec.nse b/scripts/http-awstatstotals-exec.nse
index 764ab1f92..a64287101 100644
--- a/scripts/http-awstatstotals-exec.nse
+++ b/scripts/http-awstatstotals-exec.nse
@@ -7,9 +7,13 @@ local string = require "string"
 local table = require "table"
 description = [[
-Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE: 2008-3922).
+Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14
+and possibly other products based on it (CVE: 2008-3922).
+
+This vulnerability can be exploited through the GET variable sort.
+The script queries the web server with the command payload encoded using PHP's
+chr() function:
-This vulnerability can be exploited through the GET variable sort. The script queries the web server with the command payload encoded using PHP's chr() function:
 ?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}
 Common paths for Awstats Total:
diff --git a/scripts/http-axis2-dir-traversal.nse b/scripts/http-axis2-dir-traversal.nse
index 0c0ae638b..051243e49 100644
--- a/scripts/http-axis2-dir-traversal.nse
+++ b/scripts/http-axis2-dir-traversal.nse
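Review bot: The example payload kept as context right after the new `chr() function:` line, `?sort={%24{passthru%28chr(117).chr(110)...%29}}{%24{exit%28%29}}`, is never explained; the chr() sequence spells `uname -a`, and for a script that executes commands on the target a reader should not have to decode it to learn what the probe runs. Suggest ending the new paragraph with `The example below runs "uname -a" and then exits:` so the intent is stated in words. The identifier `CVE: 2008-3922` on the second new line should also be written in canonical form, `CVE-2008-3922`, so it is searchable and matches how the other scripts in this change cite CVEs. The description block continues past the end of the hunk.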
@@ -8,10 +8,19 @@ local string = require "string"
 local table = require "table"
 description = [[
-Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service '/conf/axis2.xml' using the path '/axis2/services/' to return the username and password of the admin account.
+Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by
+sending a specially crafted request to the parameter xsd
+(OSVDB-59001). By default it will try to retrieve the configuration file of the
+Axis2 service '/conf/axis2.xml' using the path
+'/axis2/services/' to return the username and password of the
+admin account.
-To exploit this vulnerability we need to detect a valid service running on the installation so we extract it from /listServices before exploiting the directory traversal vulnerability.
-By default it will retrieve the configuration file, if you wish to retrieve other files you need to set the argument http-axis2-dir-traversal.file correctly to traverse to the file's directory. Ex. ../../../../../../../../../etc/issue
+To exploit this vulnerability we need to detect a valid service running on the
+installation so we extract it from /listServices before exploiting
+the directory traversal vulnerability. By default it will retrieve the
+configuration file, if you wish to retrieve other files you need to set the
+argument http-axis2-dir-traversal.file correctly to traverse to
+the file's directory. Ex. ../../../../../../../../../etc/issue
 To check the version of an Apache Axis2 installation go to:
 http://domain/axis2/services/Version/getVersion
@@ -33,10 +42,6 @@ Reference:
 -- @args http-axis2-dir-traversal.file Remote file to retrieve
 -- @args http-axis2-dir-traversal.outfile Output file
 -- @args http-axis2-dir-traversal.basepath Basepath to the services page. Default: /axis2/services/
---
--- Other useful arguments for this script:
--- @args http.useragent User Agent used in the GET requests
----
 author = "Paulino Calderon "
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
diff --git a/scripts/http-cakephp-version.nse b/scripts/http-cakephp-version.nse
index 4f5f27497..f0f33c570 100644
--- a/scripts/http-cakephp-version.nse
+++ b/scripts/http-cakephp-version.nse
@@ -1,8 +1,13 @@
 description = [[
-Obtains the CakePHP version of a web application built with the CakePHP framework by fingerprinting default files shipped with the CakePHP framework.
+Obtains the CakePHP version of a web application built with the CakePHP
+framework by fingerprinting default files shipped with the CakePHP framework.
-This script queries the files 'vendors.php', 'cake.generic.css', 'cake.icon.png' and 'cake.icon.gif' to try to obtain the version of the CakePHP installation.
-Since installations that had been upgraded are prone to false positives due to old files that aren't removed, the script displays 3 different versions:
+This script queries the files 'vendors.php', 'cake.generic.css',
+'cake.icon.png' and 'cake.icon.gif' to try to obtain the version of the CakePHP
+installation.
+
+Since installations that had been upgraded are prone to false positives due to
+old files that aren't removed, the script displays 3 different versions:
 * Codebase: Taken from the existence of vendors.php (1.1.x or 1.2.x if it does and 1.3.x otherwise)
 * Stylesheet: Taken from cake.generic.css
 * Icon: Taken from cake.icon.gif or cake.icon.png
diff --git a/scripts/http-domino-enum-passwords.nse b/scripts/http-domino-enum-passwords.nse
index 7220df20f..8b49459d7 100644
--- a/scripts/http-domino-enum-passwords.nse
+++ b/scripts/http-domino-enum-passwords.nse 
@@ -8,36 +8,29 @@ local string = require "string"
 local table = require "table"
 description = [[
-Attempts to enumerate the hashed Domino Internet Passwords that are
-(by default) accessible by all authenticated users. This script can
-also download any Domino ID Files attached to the Person document.
+Attempts to enumerate the hashed Domino Internet Passwords that are (by
+default) accessible by all authenticated users. This script can also download
+any Domino ID Files attached to the Person document. Passwords are presented
+in a form suitable for running in John the Ripper.
+
+The passwords may be stored in two forms (http://comments.gmane.org/gmane.comp.security.openwall.john.user/785):
+1. Saltless (legacy support?)
+Example: 355E98E7C7B59BD810ED845AD0FD2FC4
+John's format name: lotus5
+2. Salted (also known as "More Secure Internet Password")
+Example: (GKjXibCW2Ml6juyQHUoP)
+John's format name: dominosec
+
+It appears as if form based authentication is enabled, basic authentication
+still works. Therefore the script should work in both scenarios. Valid
+credentials can either be supplied directly using the parameters username
+and password or indirectly from results of http-brute or http-form-brute.
 ]]
 ---
 -- @usage
 -- nmap --script domino-enum-passwords -p 80 --script-args domino-enum-passwords.username='patrik karlsson',domino-enum-passwords.password=secret
 --
--- This script attempts to enumerate the password hashes used to authenticate
--- to the Lotus Domino Web interface. By default, these hashes are accessible
--- to every authenticated user. Passwords are presented in a form suitable for
--- running in John the Ripper.
---
--- The format can in two forms (http://comments.gmane.org/gmane.comp.security.openwall.john.user/785):
--- 1. Saltless (legacy support?)
--- Example: 355E98E7C7B59BD810ED845AD0FD2FC4
--- John's format name: lotus5
--- 2. Salted (also known as "More Secure Internet Password")
--- Example: (GKjXibCW2Ml6juyQHUoP)
--- John's format name: dominosec
---
--- In addition the script can be used to download
--- any ID files attached to the Person document.
---
--- It appears as if form based authentication is enabled, basic authentication
--- still works. Therefore the script should work in both scenarios. Valid
--- credentials can either be supplied directly using the parameters username
--- and password or indirectly from results of http-brute or http-form-brute.
---
 -- @output
 -- PORT STATE SERVICE REASON
 -- 80/tcp open http syn-ack
diff --git a/scripts/http-drupal-enum-users.nse b/scripts/http-drupal-enum-users.nse
index 58b39c5c2..739c6c3ed 100644
--- a/scripts/http-drupal-enum-users.nse
+++ b/scripts/http-drupal-enum-users.nse
@@ -5,7 +5,7 @@ local stdnse = require "stdnse"
 local table = require "table"
 description = [[
-Enumerates Drupal users by exploiting a an information disclosure vulnerability
+Enumerates Drupal users by exploiting an information disclosure vulnerability
 in Views, Drupal's most popular module.
 Requests to admin/views/ajax/autocomplete/user/STRING return all usernames that
@@ -13,7 +13,7 @@ begin with STRING. The script works by iterating STRING over letters to extract
 all usernames.
 For more information,see:
- * http://www.madirish.net/node/465
+* http://www.madirish.net/node/465
 ]]
 ---
diff --git a/scripts/http-google-malware.nse b/scripts/http-google-malware.nse
index be613b4e6..d594671cd 100644
--- a/scripts/http-google-malware.nse
+++ b/scripts/http-google-malware.nse
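Review bot: The @usage line this hunk keeps as context, `-- nmap --script domino-enum-passwords -p 80 --script-args domino-enum-passwords.username=...`, invokes a script named `domino-enum-passwords`, but the file being edited is `http-domino-enum-passwords.nse`; unless an alias exists, the example will not run as written and should read `-- nmap --script http-domino-enum-passwords -p 80 --script-args ...`. The argument prefix `domino-enum-passwords.username` may well be what the code reads (the script body is outside this hunk), so leave that part until checked. Separately, the sentence moved into the description, `It appears as if form based authentication is enabled, basic authentication still works.`, is garbled; suggest `It appears that even if form-based authentication is enabled, basic authentication still works.`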
@@ -5,9 +5,13 @@ local stdnse = require "stdnse"
 local string = require "string"
 description = [[
-Checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.
+Checks if hosts are on Google's blacklist of suspected malware and phishing
+servers. These lists are constantly updated and are part of Google's Safe
+Browsing service.
-To do this the script queries the Google's Safe Browsing service and you need to have your own API key to access Google's Safe Browsing Lookup services. Sign up for yours at http://code.google.com/apis/safebrowsing/key_signup.html
+To do this the script queries the Google's Safe Browsing service and you need
+to have your own API key to access Google's Safe Browsing Lookup services. Sign
+up for yours at http://code.google.com/apis/safebrowsing/key_signup.html
 * To learn more about Google's Safe Browsing:
 http://code.google.com/apis/safebrowsing/
diff --git a/scripts/http-huawei-hg5xx-vuln.nse b/scripts/http-huawei-hg5xx-vuln.nse
index 08ce274d5..863835b25 100644
--- a/scripts/http-huawei-hg5xx-vuln.nse
+++ b/scripts/http-huawei-hg5xx-vuln.nse
@@ -1,17 +1,20 @@
 description = [[
-Detects Huawei modems models HG530x, HG520x, HG510x (and possibly
-others...) vulnerable to a remote credential and information
-disclosure vulnerability. It also extracts the PPPoE credentials and
-other interesting configuration values.
+Detects Huawei modems models HG530x, HG520x, HG510x (and possibly others...)
+vulnerable to a remote credential and information disclosure vulnerability. It
+also extracts the PPPoE credentials and other interesting configuration values.
-Attackers can query the URIs "/Listadeparametros.html" and "/wanfun.js" to extract sensitive information
-including PPPoE credentials, firmware version, model, gateway, dns servers and active connections among other values.
+Attackers can query the URIs "/Listadeparametros.html" and "/wanfun.js" to
+extract sensitive information including PPPoE credentials, firmware version,
+model, gateway, dns servers and active connections among other values.
-This script exploits two vulnerabilities. One was discovered and reported by Adiaz from Comunidad Underground de Mexico (http://underground.org.mx) and it allows attackers to extract the pppoe password. The configuration disclosure vulnerability was discovered by Pedro Joaquin (http://hakim.ws).
+This script exploits two vulnerabilities. One was discovered and reported by
+Adiaz from Comunidad Underground de Mexico (http://underground.org.mx) and it
+allows attackers to extract the pppoe password. The configuration disclosure
+vulnerability was discovered by Pedro Joaquin (http://hakim.ws).
 References:
-*http://websec.ca/advisories/view/Huawei-HG520c-3.10.18.x-information-disclosure
-*http://routerpwn.com/#huawei
+* http://websec.ca/advisories/view/Huawei-HG520c-3.10.18.x-information-disclosure
+* http://routerpwn.com/#huawei
 ]]
 ---
diff --git a/scripts/http-iis-webdav-vuln.nse b/scripts/http-iis-webdav-vuln.nse
index 3c9048adc..97c6ffe2f 100644
--- a/scripts/http-iis-webdav-vuln.nse
+++ b/scripts/http-iis-webdav-vuln.nse
@@ -6,11 +6,18 @@ local stdnse = require "stdnse"
 local string = require "string"
 description = [[
-Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, http://nmap.org/r/ms09-020.
+Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access
+secured WebDAV folders by searching for a password-protected folder and
+attempting to access it. This vulnerability was patched in Microsoft Security
+Bulletin MS09-020, http://nmap.org/r/ms09-020.
-A list of well known folders (almost 900) is used by default. Each one is checked, and if returns an authentication request (401), another attempt is tried with the malicious encoding. If that attempt returns a successful result (207), then the folder is marked as vulnerable.
+A list of well known folders (almost 900) is used by default. Each one is
+checked, and if returns an authentication request (401), another attempt is
+tried with the malicious encoding. If that attempt returns a successful result
+(207), then the folder is marked as vulnerable.
-This script is based on the Metasploit modules/auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass.rb auxiliary module.
+This script is based on the Metasploit auxiliary module
+auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass
 For more information on this vulnerability and script, see:
 * http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html
diff --git a/scripts/http-litespeed-sourcecode-download.nse b/scripts/http-litespeed-sourcecode-download.nse
index e9e841cc6..ce3774ab5 100644
--- a/scripts/http-litespeed-sourcecode-download.nse
+++ b/scripts/http-litespeed-sourcecode-download.nse
@@ -5,9 +5,13 @@ local stdnse = require "stdnse"
 local string = require "string"
 description = [[
-Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).
+Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x
+before 4.0.15 to retrieve the target script's source code by sending a HTTP
+request with a null byte followed by a .txt file extension (CVE-2010-2333).
-If the server is not vulnerable it returns an error 400. If index.php is not found, you may try /phpinfo.php which is also shipped with LiteSpeed Web Server. The attack payload looks like this:
+If the server is not vulnerable it returns an error 400. If index.php is not
+found, you may try /phpinfo.php which is also shipped with LiteSpeed Web
+Server. The attack payload looks like this:
 * /index.php\00.txt
 References:
diff --git a/scripts/http-phpmyadmin-dir-traversal.nse b/scripts/http-phpmyadmin-dir-traversal.nse
index d5df7ab88..c987eb074 100644
--- a/scripts/http-phpmyadmin-dir-traversal.nse
+++ b/scripts/http-phpmyadmin-dir-traversal.nse
@@ -6,7 +6,8 @@ local io = require "io"
 local vulns = require "vulns"
 description = [[
-Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to retrieve remote files on the web server.
+Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and
+possibly other versions) to retrieve remote files on the web server.
 Reference:
 * http://www.exploit-db.com/exploits/1244/
@@ -21,9 +22,6 @@ Reference:
 -- @args http-phpmyadmin-dir-traversal.outfile Output file
 -- @args http-phpmyadmin-dir-traversal.dir Basepath to the services page. Default: /phpMyAdmin-2.6.4-pl1/
 --
--- Other useful arguments for this script:
--- @args http.useragent User Agent used in the GET requests
----
 -- @output
 -- PORT STATE SERVICE
 -- 80/tcp open http
diff --git a/scripts/http-phpself-xss.nse b/scripts/http-phpself-xss.nse
index 59c4fe7e9..42efe3997 100644
--- a/scripts/http-phpself-xss.nse
+++ b/scripts/http-phpself-xss.nse
@@ -1,21 +1,28 @@
 description=[[
-Crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable $_SERVER["PHP_SELF"].
+Crawls a web server and attempts to find PHP files vulnerable to reflected
+cross site scripting via the variable $_SERVER["PHP_SELF"].
-This script crawls the webserver to create a list of PHP files and then sends an attack vector/probe to identify PHP_SELF cross site scripting vulnerabilities.
-PHP_SELF XSS refers to reflected cross site scripting vulnerabilities caused by the lack of sanitation of the variable $_SERVER["PHP_SELF"] in PHP scripts. This variable is
-commonly used in php scripts that display forms and when the script file name is needed.
+This script crawls the webserver to create a list of PHP files and then sends
+an attack vector/probe to identify PHP_SELF cross site scripting
+vulnerabilities. PHP_SELF XSS refers to reflected cross site scripting
+vulnerabilities caused by the lack of sanitation of the variable
+$_SERVER["PHP_SELF"] in PHP scripts. This variable is commonly
+used in PHP scripts that display forms and when the script file name is
+needed.
 Examples of Cross Site Scripting vulnerabilities in the variable $_SERVER[PHP_SELF]:
-*http://www.securityfocus.com/bid/37351
-*http://software-security.sans.org/blog/2011/05/02/spot-vuln-percentage
-*http://websec.ca/advisories/view/xss-vulnerabilities-mantisbt-1.2.x
+* http://www.securityfocus.com/bid/37351
+* http://software-security.sans.org/blog/2011/05/02/spot-vuln-percentage
+* http://websec.ca/advisories/view/xss-vulnerabilities-mantisbt-1.2.x
 The attack vector/probe used is: /'"/>
 ]]
+
 ---
 -- @usage
 -- nmap --script=http-phpself-xss -p80
 -- nmap -sV --script http-self-xss
+--
 -- @output
 -- PORT STATE SERVICE REASON
 -- 80/tcp open http syn-ack
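Review bot: The second @usage example in this hunk, `-- nmap -sV --script http-self-xss`, names a script that matches neither this file (`http-phpself-xss.nse`) nor the example directly above it, so copying it will fail with an unknown-script error; it should read `-- nmap -sV --script http-phpself-xss`. The context line `The attack vector/probe used is: /'"/>` also appears to have lost the tag that makes the probe meaningful, presumably the same markup loss seen in the wrapped example values elsewhere in this change; worth confirming that the rendered NSEdoc shows the full vector, since a reader cannot reproduce the probe from what is left.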
@@ -37,6 +44,7 @@ The attack vector/probe used is: /'"/>
 -- | References:
 -- | https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
 -- |_ http://php.net/manual/en/reserved.variables.server.php
+--
 -- @args http-phpself-xss.uri URI. Default: /
 -- @args http-phpself-xss.timeout Spidering timeout. (default 10s)
 author = "Paulino Calderon "
diff --git a/scripts/http-rfi-spider.nse b/scripts/http-rfi-spider.nse
index 5edf98381..7bfb48729 100644
--- a/scripts/http-rfi-spider.nse
+++ b/scripts/http-rfi-spider.nse
@@ -1,5 +1,7 @@
 description = [[
-Crawls webservers in search of RFI (remote file inclusion) vulnerabilities. It tests every form field it finds and every parameter of a URL containing a query.
+Crawls webservers in search of RFI (remote file inclusion) vulnerabilities. It
+tests every form field it finds and every parameter of a URL containing a
+query.
 ]]
 ---
diff --git a/scripts/http-slowloris-check.nse b/scripts/http-slowloris-check.nse
index 1a48b38be..dde03a17b 100644
--- a/scripts/http-slowloris-check.nse
+++ b/scripts/http-slowloris-check.nse
@@ -9,17 +9,18 @@ local http = require "http"
 description = [[
-Tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack.
+Tests a web server for vulnerability to the Slowloris DoS attack without
+actually launching a DoS attack.
 Slowloris was described at Defcon 17 by RSnake (see http://ha.ckers.org/slowloris/).
-This script opens two connections to the server, each without
-the final CRLF. After 10 seconds, second connection sends
-additional header. Both connections then wait for server timeout.
-If second connection gets a timeout 10 or more seconds after the
-first one, we can conclude that sending additional header prolonged
-its timeout and that the server is vulnerable to slowloris DoS attack.
+This script opens two connections to the server, each without the final CRLF.
+After 10 seconds, second connection sends additional header. Both connections
+then wait for server timeout. If second connection gets a timeout 10 or more
+seconds after the first one, we can conclude that sending additional header
+prolonged its timeout and that the server is vulnerable to slowloris DoS
+attack.
 A "LIKELY VULNERABLE" result means a server is subject to timeout-extension attack, but depending on the http server's architecture and resource limits, a
@@ -30,7 +31,7 @@ You can specify custom http User-agent field with http.useragent script argument.
 Idea from Qualys blogpost:
- * https://community.qualys.com/blogs/securitylabs/2011/07/07/identifying-slow-http-attack-vulnerabilities-on-web-applications
+* https://community.qualys.com/blogs/securitylabs/2011/07/07/identifying-slow-http-attack-vulnerabilities-on-web-applications
 ]]
@@ -38,8 +39,6 @@ Idea from Qualys blogpost:
 -- @usage
 -- nmap --script http-slowloris-check
 --
--- @args http.useragent Specifies custom user agent string.
---
 -- @output
 -- PORT STATE SERVICE REASON
 -- 80/tcp open http syn-ack
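Review bot: The reflowed paragraph in the first hunk carries over the dropped articles, which makes the detection logic harder to follow than it needs to be: `After 10 seconds, the second connection sends an additional header.` and `If the second connection gets a timeout 10 or more seconds after the first one, …` read cleanly and fit the 80-column wrap. The removal of the `@args http.useragent` entry in the third hunk looks fine, as the description paragraph still tells users about `http.useragent` and that argument belongs to the http library rather than this script. All three hunks touch only the description string and the NSEdoc header.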
diff --git a/scripts/http-tplink-dir-traversal.nse b/scripts/http-tplink-dir-traversal.nse
index c202af980..23784a526 100644
--- a/scripts/http-tplink-dir-traversal.nse
+++ b/scripts/http-tplink-dir-traversal.nse
@@ -1,8 +1,12 @@
 description = [[
-Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication.
+Exploits a directory traversal vulnerability existing in several TP-Link
+wireless routers. Attackers may exploit this vulnerability to read any of the
+configuration and password files remotely and without authentication.
-This vulnerability was confirmed in models WR740N, WR740ND and WR2543ND but there are several models that use the same HTTP server so I believe they could be vulnerable as well. I appreciate
-any help confirming the vulnerability in other models.
+This vulnerability was confirmed in models WR740N, WR740ND and WR2543ND but
+there are several models that use the same HTTP server so I believe they could
+be vulnerable as well. I appreciate any help confirming the vulnerability in
+other models.
 Advisory:
 * http://websec.ca/advisories/view/path-traversal-vulnerability-tplink-wdr740
diff --git a/scripts/http-trace.nse b/scripts/http-trace.nse
index 55cfe34a3..6b2b15150 100644
--- a/scripts/http-trace.nse
+++ b/scripts/http-trace.nse
@@ -4,7 +4,8 @@ local shortport = require "shortport"
 local stdnse = require "stdnse"
 description = [[
-Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug is enabled, it returns the header fields that were modified in the response.
+Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug
+is enabled, it returns the header fields that were modified in the response.
 ]]
 ---
diff --git a/scripts/http-traceroute.nse b/scripts/http-traceroute.nse
index 00c00745a..910dd0de7 100644
--- a/scripts/http-traceroute.nse
+++ b/scripts/http-traceroute.nse
@@ -7,22 +7,23 @@ local table = require "table"
 description = [[
 Exploits the Max-Forwards HTTP header to detect the presence of reverse proxies.
-The script works by sending HTTP requests with values of the Max-Forwards HTTP header varying
-from 0 to 2 and checking for any anomalies in certain response values such as the status code,
-Server, Content-Type and Content-Length HTTP headers and body values such as the html title.
+The script works by sending HTTP requests with values of the Max-Forwards HTTP
+header varying from 0 to 2 and checking for any anomalies in certain response
+values such as the status code, Server, Content-Type and Content-Length HTTP
+headers and body values such as the HTML title.
 Based on the work of:
 * Nicolas Gregoire (nicolas.gregoire@agarri.fr)
 * Julien Cayssol (tools@aqwz.com)
 For more information, see:
- * http://www.agarri.fr/kom/archives/2011/11/12/traceroute-like_http_scanner/index.html
+* http://www.agarri.fr/kom/archives/2011/11/12/traceroute-like_http_scanner/index.html
 ]]
 ---
 -- @args http-traceroute.path The path to send requests to. Defaults to /.
 -- @args http-traceroute.method HTTP request method to use. Defaults to GET.
--- among other values, TRACE is probably the most interesting.
+-- Among other values, TRACE is probably the most interesting.
 --
 -- @usage
 -- nmap --script=http-traceroute
diff --git a/scripts/http-vuln-cve2011-3368.nse b/scripts/http-vuln-cve2011-3368.nse
index 128ec4e9f..49ea7fe04 100644
--- a/scripts/http-vuln-cve2011-3368.nse
+++ b/scripts/http-vuln-cve2011-3368.nse
@@ -10,12 +10,12 @@ local openssl = stdnse.silent_require "openssl"
 description = [[
 Tests for the CVE-2011-3368 (Reverse Proxy Bypass) vulnerability in Apache HTTP server's reverse proxy mode. The script will run 3 tests:
- o the loopback test, with 3 payloads to handle different rewrite rules
- o the internal hosts test. According to Contextis, we expect a delay before a server error.
- o The external website test. This does not mean that you can reach a LAN ip, but this is a relevant issue anyway.
+* the loopback test, with 3 payloads to handle different rewrite rules
+* the internal hosts test. According to Contextis, we expect a delay before a server error.
+* The external website test. This does not mean that you can reach a LAN ip, but this is a relevant issue anyway.
 References:
- * http://www.contextis.com/research/blog/reverseproxybypass/
+* http://www.contextis.com/research/blog/reverseproxybypass/
 ]]
 ---
diff --git a/scripts/http-vuln-cve2012-1823.nse b/scripts/http-vuln-cve2012-1823.nse
index f6e064549..df6c11a7d 100644
--- a/scripts/http-vuln-cve2012-1823.nse
+++ b/scripts/http-vuln-cve2012-1823.nse
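Review bot: The second and third rewritten bullets are still well over the 80-column width that every other hunk in this commit enforces (`* the internal hosts test. According to Contextis, …` and `* The external website test. This does not mean …` run to roughly 95 and 115 columns), so they should be wrapped with an indented continuation line like the old `o` list had. The three bullets also mix `the …` and `The …`; `* the external website test. …` would match its siblings. The leading `Tests for the CVE-2011-3368 …` context paragraph is untouched, so the list is the only part of the description left unwrapped.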
@@ -5,14 +5,14 @@ local string = require "string"
 local vulns = require "vulns"
 description = [[
-Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This critical vulnerability allows attackers to retrieve source code and execute code remotely.
+Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This
+critical vulnerability allows attackers to retrieve source code and execute
+code remotely.
-The script works by appending "?-s" to the uri to make vulnerable php-cgi handlers return colour syntax highlighted source. We use the pattern "<?" to detect
+The script works by appending "?-s" to the uri to make vulnerable php-cgi
+handlers return colour syntax highlighted source. We use the pattern "<?" to detect
 vulnerable installations.
-
-CHANGELOG:
-- Added new detection mechanism by trying to perform a "echo" command
-- Added exploitation script that allows you to define your command (default: uname -a).
 ]]
 ---
diff --git a/scripts/http-vuln-cve2013-0156.nse b/scripts/http-vuln-cve2013-0156.nse
index e8a81222a..fff5e153a 100644
--- a/scripts/http-vuln-cve2013-0156.nse
+++ b/scripts/http-vuln-cve2013-0156.nse
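Review bot: The comma splice `vulnerable to CVE-2012-1823, This critical vulnerability` is carried into the rewrapped first line; it should read `vulnerable to CVE-2012-1823. This critical vulnerability` (the following lines reflow unchanged). The new line `+handlers return colour syntax highlighted source. We use the pattern "<?" to detect` is also wider than 80 columns, unlike the rest of the commit, so `to detect` belongs at the start of the next line together with `vulnerable installations.`. Dropping the CHANGELOG block from the description is reasonable since it duplicated what the script's own documentation and arguments describe.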
@@ -1,17 +1,17 @@
 description = [[
-Detects Ruby on Rails servers vulnerable to object injection, remote command executions and denial of service attacks. (CVE-2013-0156)
+Detects Ruby on Rails servers vulnerable to object injection, remote command
+executions and denial of service attacks. (CVE-2013-0156)
-All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 are vulnerable. This script
-sends 3 harmless yaml payloads to detect vulnerable installations. If the malformed object receives a status 500 response, the server
-is processing YAML objects and therefore is likely vulnerable.
+All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before
+3.1.10, and 3.2.x before 3.2.11 are vulnerable. This script sends 3 harmless
+YAML payloads to detect vulnerable installations. If the malformed object
+receives a status 500 response, the server is processing YAML objects and
+therefore is likely vulnerable.
 References:
 * https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156',
 * https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ',
 * http://cvedetails.com/cve/2013-0156/
-
-TODO:
-* Add argument to exploit cmd exec vuln
 ]]
 ---
@@ -39,6 +39,9 @@ TODO:
 -- @args http-vuln-cve2013-0156.uri Basepath URI (default: /).
 ---
+-- TODO:
+-- * Add argument to exploit cmd exec vuln
+
 author = "Paulino Calderon "
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"exploit","vuln"}
diff --git a/scripts/http-vuln-cve2014-2126.nse b/scripts/http-vuln-cve2014-2126.nse
index 50ed610ab..4c01d9f0a 100644
--- a/scripts/http-vuln-cve2014-2126.nse
+++ b/scripts/http-vuln-cve2014-2126.nse
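Review bot: The first two References lines in the first hunk end with a stray `',` (`…cve-2013-0156',` and `…nehwjA8tQ8EJ',`), which looks like residue from a quoted list and corrupts the URLs as users will copy them; they are untouched context lines, but since this hunk already rewrites the surrounding description the trailing `',` should go. In the second hunk the relocated TODO is placed right after a `---` line; if that line is meant to close the NSEdoc block this is fine, otherwise the `-- TODO:` lines may end up rendered in the generated documentation, which is worth checking. A safer form is to put the TODO below the `author`/`license` assignments as an ordinary `--` comment.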
@@ -4,7 +4,8 @@ local vulns = require('vulns')
 local sslcert = require('sslcert')
 description = [[
-Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA ASDM Privilege Escalation Vulnerability (CVE-2014-2126).
+Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA ASDM
+Privilege Escalation Vulnerability (CVE-2014-2126).
 ]]
 ---
diff --git a/scripts/http-vuln-cve2014-2127.nse b/scripts/http-vuln-cve2014-2127.nse
index cfe2b1b6b..c90258ae6 100644
--- a/scripts/http-vuln-cve2014-2127.nse
+++ b/scripts/http-vuln-cve2014-2127.nse
@@ -4,7 +4,8 @@ local vulns = require('vulns')
 local sslcert = require('sslcert')
 description = [[
-Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Privilege Escalation Vulnerability (CVE-2014-2127).
+Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN
+Privilege Escalation Vulnerability (CVE-2014-2127).
 ]]
 ---
diff --git a/scripts/http-vuln-cve2014-2128.nse b/scripts/http-vuln-cve2014-2128.nse
index b444acae6..ec922a85c 100644
--- a/scripts/http-vuln-cve2014-2128.nse
+++ b/scripts/http-vuln-cve2014-2128.nse
@@ -4,7 +4,8 @@ local vulns = require('vulns')
 local sslcert = require('sslcert')
 description = [[
-Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability (CVE-2014-2128).
+Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN
+Authentication Bypass Vulnerability (CVE-2014-2128).
 ]]
 ---
diff --git a/scripts/http-vuln-cve2014-2129.nse b/scripts/http-vuln-cve2014-2129.nse
index 69168d13c..661673f26 100644
--- a/scripts/http-vuln-cve2014-2129.nse
+++ b/scripts/http-vuln-cve2014-2129.nse
@@ -4,7 +4,8 @@ local vulns = require('vulns')
 local sslcert = require('sslcert')
 description = [[
-Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SIP Denial of Service Vulnerability (CVE-2014-2129).
+Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SIP
+Denial of Service Vulnerability (CVE-2014-2129).
 ]]
 ---
diff --git a/scripts/http-waf-detect.nse b/scripts/http-waf-detect.nse
index 382611f05..96de8b5b2 100644
--- a/scripts/http-waf-detect.nse
+++ b/scripts/http-waf-detect.nse
@@ -5,26 +5,30 @@ local string = require "string"
 local table = require "table"
 description = [[
-Attempts to determine whether a web server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or WAF (Web Application Firewall) by probing the web server with malicious payloads and detecting changes in the response code and body.
+Attempts to determine whether a web server is protected by an IPS (Intrusion
+Prevention System), IDS (Intrusion Detection System) or WAF (Web Application
+Firewall) by probing the web server with malicious payloads and detecting
+changes in the response code and body.
-To do this the script will send a "good" request and record the response, afterwards it will match this response against new requests containing
-malicious payloads. In theory, web applications shouldn't react to malicious requests because we are storing the payloads in a variable that is
-not used by the script/file and only WAF/IDS/IPS should react to it.
-If aggro mode is set, the script will try all attack vectors (More noisy)
+To do this the script will send a "good" request and record the response,
+afterwards it will match this response against new requests containing
+malicious payloads. In theory, web applications shouldn't react to malicious
+requests because we are storing the payloads in a variable that is not used by
+the script/file and only WAF/IDS/IPS should react to it. If aggro mode is set,
+the script will try all attack vectors (More noisy)
-This script can detect numerous IDS, IPS, and WAF products since
-they often protect web applications in the same way. But it
-won't detect products which don't alter the http traffic.
-Results can vary based on product configuration, but this script
-has been tested to work against various configurations of the
+This script can detect numerous IDS, IPS, and WAF products since they often
+protect web applications in the same way. But it won't detect products which
+don't alter the http traffic. Results can vary based on product configuration,
+but this script has been tested to work against various configurations of the
 following products:
- * Apache ModSecurity
- * Barracuda Web Application Firewall
- * PHPIDS
- * dotDefender
- * Imperva Web Firewall
- * Blue Coat SG 400
+* Apache ModSecurity
+* Barracuda Web Application Firewall
+* PHPIDS
+* dotDefender
+* Imperva Web Firewall
+* Blue Coat SG 400
 ]]
@@ -38,13 +42,12 @@ following products:
 -- 80/tcp open http
 -- |_http-waf-detect: IDS/IPS/WAF detected
 --
--- @args http-waf-detect.uri Target URI. Use a path that does not redirect to a different page
--- @args http-waf-detect.aggro If aggro mode is set, the script will try all attack vectors to trigger the IDS/IPS/WAF
--- @args http-waf-detect.detectBodyChanges If set it also checks for changes in the document's body
---
--- Other useful args when running this script
--- http.useragent User Agent for HTTP requests
--- http.pipeline Number of requests sent in the single request
+-- @args http-waf-detect.uri Target URI. Use a path that does not redirect to a
+-- different page
+-- @args http-waf-detect.aggro If aggro mode is set, the script will try all
+-- attack vectors to trigger the IDS/IPS/WAF
+-- @args http-waf-detect.detectBodyChanges If set it also checks for changes in
+-- the document's body
 author = "Paulino Calderon "
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
diff --git a/scripts/http-webdav-scan.nse b/scripts/http-webdav-scan.nse
index 4d6d3d809..718bc77ce 100644
--- a/scripts/http-webdav-scan.nse
+++ b/scripts/http-webdav-scan.nse
@@ -12,16 +12,17 @@ and allowed methods. It then sends a PROPFIND request and tries to fetch
 exposed directories and internal ip addresses by doing pattern matching in the response body.
 This script takes inspiration from the various scripts listed here:
- *http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
- *https://github.com/sussurro/Metasploit-Tools/blob/master/modules/auxiliary/scanner/http/webdav_test.rb
- *http://code.google.com/p/davtest/
+* http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
+* https://github.com/sussurro/Metasploit-Tools/blob/master/modules/auxiliary/scanner/http/webdav_test.rb
+* http://code.google.com/p/davtest/
 ]]
 ---
--- @usage
+-- @usage
 -- nmap --script http-webdav-scan -p80,8080
 --
--- @args path The path to start in; eg, "/web/" will try "/web/xxx".
+-- @args http-webdav-scan.path The path to start in; e.g. "/web/"
+-- will try "/web/xxx".
 --
 -- @output
 -- PORT STATE SERVICE
diff --git a/scripts/iax2-version.nse b/scripts/iax2-version.nse
index 3e304a0c6..01c9fd6fb 100644
--- a/scripts/iax2-version.nse
+++ b/scripts/iax2-version.nse
@@ -6,7 +6,9 @@ local string = require "string"
 description = [[
 Detects the UDP IAX2 service.
-The script sends an Inter-Asterisk eXchange (IAX) Revision 2 Control Frame POKE request and checks for a proper response. This protocol is used to enable VoIP connections between servers as well as client-server communication.
+The script sends an Inter-Asterisk eXchange (IAX) Revision 2 Control Frame POKE
+request and checks for a proper response. This protocol is used to enable VoIP
+connections between servers as well as client-server communication.
 ]]
 ---
diff --git a/scripts/ike-version.nse b/scripts/ike-version.nse
index 3df084563..c9027a5d5 100644
--- a/scripts/ike-version.nse
+++ b/scripts/ike-version.nse
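Review bot: The @args entry is renamed from `path` to `http-webdav-scan.path`, but the hunk does not show the lookup the script performs, so the rename should be checked against the code: the script needs to read it as `stdnse.get_script_args("http-webdav-scan.path")` (or `SCRIPT_NAME .. ".path"`) for the documented name to work. As far as I recall, `stdnse.get_script_args` falls back from the prefixed name to the bare `path`, not the other way round, so a lookup that still asks for plain `path` would silently ignore `--script-args http-webdav-scan.path=...` and scan the default location instead. The rendered break after `e.g. "/web/"` suggests inline code markup was dropped by the page rendering rather than the source; the reflow itself looks fine.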
@@ -6,9 +6,9 @@ local ike = require "ike"
 description=[[
-
-Obtains information (such as vendor and device type where available) from an IKE service by sending four packets to the host. This scripts tests with both Main and Aggressive Mode and sends multiple transforms per request.
-
+Obtains information (such as vendor and device type where available) from an
+IKE service by sending four packets to the host. This scripts tests with both
+Main and Aggressive Mode and sends multiple transforms per request.
 ]]
diff --git a/scripts/ipv6-ra-flood.nse b/scripts/ipv6-ra-flood.nse
index 213957691..1778a875f 100644
--- a/scripts/ipv6-ra-flood.nse
+++ b/scripts/ipv6-ra-flood.nse
@@ -6,8 +6,13 @@ local math = require "math"
 local string = require "string"
 local os = require "os"
-description = [[ Generates a flood of Router Advertisements (RA) with random source MAC addresses and IPv6 prefixes. Computers, which have stateless autoconfiguration enabled by default (every major OS),
-will start to compute IPv6 suffix and update their routing table to reflect the accepted announcement. This will cause 100% CPU usage on Windows and platforms, preventing to process other application requests.
+description = [[
+Generates a flood of Router Advertisements (RA) with random source MAC
+addresses and IPv6 prefixes. Computers, which have stateless autoconfiguration
+enabled by default (every major OS), will start to compute IPv6 suffix and
+update their routing table to reflect the accepted announcement. This will
+cause 100% CPU usage on Windows and platforms, preventing to process other
+application requests.
 Vulnerable platforms:
 * All Cisco IOS ASA with firmware < November 2010
@@ -19,16 +24,17 @@ Vulnerable platforms:
 Security advisory: http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt
-WARNING: This script is dangerous and is very likely to bring down a server or network appliance.
-It should not be run in a production environment unless you (and, more importantly,
-the business) understand the risks!
+WARNING: This script is dangerous and is very likely to bring down a server or
+network appliance. It should not be run in a production environment unless you
+(and, more importantly, the business) understand the risks!
 Additional documents: https://tools.ietf.org/rfc/rfc6104.txt
 ]]
 ---
 -- @args ipv6-ra-flood.interface defines interface we should broadcast on
--- @args ipv6-ra-flood.timeout runs the script until the timeout is reached (default: 30s). If timeout is zero, the script will run forever.
+-- @args ipv6-ra-flood.timeout runs the script until the timeout is reached
+-- (default: 30s). If timeout is zero, the script will run forever.
 --
 -- @usage
 -- nmap -6 --script ipv6-ra-flood.nse
diff --git a/scripts/irc-unrealircd-backdoor.nse b/scripts/irc-unrealircd-backdoor.nse
index f5c963465..d845d850e 100644
--- a/scripts/irc-unrealircd-backdoor.nse
+++ b/scripts/irc-unrealircd-backdoor.nse
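Review bot: The rewrapped sentence `This will cause 100% CPU usage on Windows and platforms, preventing to process other application requests.` in the first hunk (which starts on the previous page line) reads as if a word is missing after `and`, and `preventing to process` is not grammatical; since the reflow is already rewriting these lines, this is the moment to restore the intended wording, e.g. `…on Windows and other affected platforms, preventing them from processing other application requests.` — the exact platform list should be taken from the linked advisory rather than guessed. The WARNING paragraph rewrap in the second hunk is fine and keeps the operational caution intact; `-- @args ipv6-ra-flood.timeout` now wraps cleanly as well.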
@@ -39,9 +39,16 @@ Reference:
 ]]
 ---
--- @args irc-unrealircd-backdoor.command An arbitrary command to run on the remote system (note, however, that you won't see the output of your command). This will always be attempted, even if the host isn't vulnerable. The pattern %IP% will be replaced with the ip address of the target host.
--- @args irc-unrealircd-backdoor.kill If set to 1 or true, kill the backdoored UnrealIRCd running.
--- @args irc-unrealircd-backdoor.wait Wait time in seconds before executing the check. This is recommended to set for more reliable check (100 is good value).
+-- @args irc-unrealircd-backdoor.command An arbitrary command to run on the
+-- remote system (note, however, that you won't see the output of your
+-- command). This will always be attempted, even if the host isn't
+-- vulnerable. The pattern %IP% will be replaced with the
+-- ip address of the target host.
+-- @args irc-unrealircd-backdoor.kill If set to 1 or
+-- true, kill the backdoored UnrealIRCd running.
+-- @args irc-unrealircd-backdoor.wait Wait time in seconds before executing the
+-- check. This is recommended to set for more reliable check (100 is good
+-- value).
 --
 -- @output
 -- PORT STATE SERVICE
diff --git a/scripts/jdwp-inject.nse b/scripts/jdwp-inject.nse
index 8fc171bf3..d713ceef0 100644
--- a/scripts/jdwp-inject.nse
+++ b/scripts/jdwp-inject.nse
@@ -7,7 +7,9 @@ local shortport = require "shortport"
 local string = require "string"
 description = [[
-Attempts to exploit java's remote debugging port. When remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script allows injection of arbitrary class files.
+Attempts to exploit java's remote debugging port. When remote debugging port
+is left open, it is possible to inject java bytecode and achieve remote code
+execution. This script allows injection of arbitrary class files.
 After injection, class' run() method is executed. Method run() has no parameters, and is expected to return a string.
diff --git a/scripts/ldap-search.nse b/scripts/ldap-search.nse
index 717aa087b..3f94e2cb9 100644
--- a/scripts/ldap-search.nse
+++ b/scripts/ldap-search.nse
@@ -16,21 +16,35 @@ anonymous bind will be used as a last attempt.
 ]]
 ---
--- @args ldap.username If set, the script will attempt to perform an LDAP bind using the username and password
--- @args ldap.password If set, used together with the username to authenticate to the LDAP server
--- @args ldap.qfilter If set, specifies a quick filter. The library does not support parsing real LDAP filters.
--- The following values are valid for the filter parameter: computer, users, ad_dcs, custom or all. If no value is specified it defaults to all.
--- @args ldap.searchattrib When used with the 'custom' qfilter, this parameter works in conjunction with ldap.searchvalue to allow the user to specify a custom attribute and value as search criteria.
--- @args ldap.searchvalue When used with the 'custom' qfilter, this parameter works in conjunction with ldap.searchattrib to allow the user to specify a custom attribute and value as search criteria.
+-- @args ldap.username If set, the script will attempt to perform an LDAP bind
+-- using the username and password
+-- @args ldap.password If set, used together with the username to authenticate
+-- to the LDAP server
+-- @args ldap.qfilter If set, specifies a quick filter. The library does not
+-- support parsing real LDAP filters. The following values are valid for
+-- the filter parameter: computer, users, ad_dcs, custom or all. If no
+-- value is specified it defaults to all.
+-- @args ldap.searchattrib When used with the 'custom' qfilter, this parameter
+-- works in conjunction with ldap.searchvalue to allow the user to
+-- specify a custom attribute and value as search criteria.
+-- @args ldap.searchvalue When used with the 'custom' qfilter, this parameter
+-- works in conjunction with ldap.searchattrib to allow the user to
+-- specify a custom attribute and value as search criteria.
 -- This parameter DOES PERMIT the use of the asterisk '*' as a wildcard.
--- @args ldap.base If set, the script will use it as a base for the search. By default the defaultNamingContext is retrieved and used.
--- If no defaultNamingContext is available the script iterates over the available namingContexts
--- @args ldap.attrib If set, the search will include only the attributes specified. For a single attribute a string value can be used, if
--- multiple attributes need to be supplied a table should be used instead.
--- @args ldap.maxobjects If set, overrides the number of objects returned by the script (default 20).
--- The value -1 removes the limit completely.
--- @args ldap.savesearch If set, the script will save the output to a file beginning with the specified path and name. The file suffix
--- of .CSV as well as the hostname and port will automatically be added based on the output type selected.
+-- @args ldap.base If set, the script will use it as a base for the search. By
+-- default the defaultNamingContext is retrieved and used. If no
+-- defaultNamingContext is available the script iterates over the
+-- available namingContexts
+-- @args ldap.attrib If set, the search will include only the attributes
+-- specified. For a single attribute a string value can be used, if
+-- multiple attributes need to be supplied a table should be used
+-- instead.
+-- @args ldap.maxobjects If set, overrides the number of objects returned by
+-- the script (default 20). The value -1 removes the limit completely.
+-- @args ldap.savesearch If set, the script will save the output to a file
+-- beginning with the specified path and name. The file suffix of .CSV
+-- as well as the hostname and port will automatically be added based on
+-- the output type selected.
 --
 -- @usage
 -- nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,
diff --git a/scripts/llmnr-resolve.nse b/scripts/llmnr-resolve.nse
index 8486a442f..be0124c13 100644
--- a/scripts/llmnr-resolve.nse
+++ b/scripts/llmnr-resolve.nse
@@ -18,7 +18,7 @@ LLMNR responses that are sent to the local machine with a 5355 UDP source port.
 A hostname to resolve must be provided.
 For more information, see:
- * http://technet.microsoft.com/en-us/library/bb878128.aspx
+* http://technet.microsoft.com/en-us/library/bb878128.aspx
 ]]
 ---
diff --git a/scripts/metasploit-info.nse b/scripts/metasploit-info.nse
index 055ef8915..588677260 100644
--- a/scripts/metasploit-info.nse
+++ b/scripts/metasploit-info.nse
@@ -6,14 +6,14 @@ local http = require "http"
 local bin = require "bin"
 description = [[
-Gathers info from the Metasploit rpc service.
-It requires a valid login pair. After authentication it
-tries to determine Metasploit version and deduce the OS type.
-Then it creates a new console and executes few commands
-to get additional info.
+Gathers info from the Metasploit rpc service. It requires a valid login pair.
+After authentication it tries to determine Metasploit version and deduce the OS
+type. Then it creates a new console and executes few commands to get
+additional info.
+
 References:
- * http://wiki.msgpack.org/display/MSGPACK/Format+specification
- * https://community.rapid7.com/docs/DOC-1516 Metasploit RPC API Guide
+* http://wiki.msgpack.org/display/MSGPACK/Format+specification
+* https://community.rapid7.com/docs/DOC-1516 Metasploit RPC API Guide
 ]]
 ---
diff --git a/scripts/nexpose-brute.nse b/scripts/nexpose-brute.nse
index 218110138..08b6e671c 100644
--- a/scripts/nexpose-brute.nse
+++ b/scripts/nexpose-brute.nse
@@ -7,7 +7,13 @@ local stdnse = require "stdnse"
 local openssl = stdnse.silent_require "openssl"
 description=[[
-Performs brute force password auditing against a Nexpose vulnerability scanner using the API 1.1. By default it only tries three guesses per username to avoid target account lockout.
+Performs brute force password auditing against a Nexpose vulnerability scanner
+using the API 1.1.
+
+As the Nexpose application enforces account lockout after 4 incorrect login
+attempts, the script performs only 3 guesses per default. This can be
+altered by supplying the brute.guesses argument a different
+value or 0 (zero) to guess the whole dictionary.
 ]]
 ---
@@ -23,10 +29,6 @@ Performs brute force password auditing against a Nexpose vulnerability scanner u
 -- | Statistics
 -- |_ Performed 5 guesses in 1 seconds, average tps: 5
 --
--- As the Nexpose application enforces account lockout after 4 incorrect login
--- attempts, the script performs only 3 guesses per default. This can be
--- altered by supplying the brute.guesses argument a different
--- value or 0 (zero) to guess the whole dictionary.
 author = "Vlatko Kosturjak"
diff --git a/scripts/nrpe-enum.nse b/scripts/nrpe-enum.nse
index 3713e23af..3c2ac0735 100644
--- a/scripts/nrpe-enum.nse
+++ b/scripts/nrpe-enum.nse
@@ -10,7 +10,8 @@ local tab = require "tab"
 -- vim: set filetype=lua :
 description = [[
-Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such as load averages, process counts, logged in user information, etc.
+Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such
+as load averages, process counts, logged in user information, etc.
 This script attempts to execute the stock list of commands that are enabled. User-supplied arguments are not supported.
diff --git a/scripts/path-mtu.nse b/scripts/path-mtu.nse
index 4614f8d21..b70b209ba 100644
--- a/scripts/path-mtu.nse
+++ b/scripts/path-mtu.nse
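Review bot: Moving the lockout paragraph into the description is the right call, since the 3-guess cap is the one thing a user must know before pointing this at a Nexpose console, but the moved text keeps two awkward phrasings: `the script performs only 3 guesses per default` should be `by default`, and `altered by supplying the brute.guesses argument a different value` reads better as `altered by supplying a different value to the brute.guesses argument`. The `brute.guesses` name is a library argument, so it would also help to say explicitly that setting it above 3 risks locking the audited accounts, which the paragraph currently only implies.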
@@ -10,22 +10,20 @@ local table = require "table"
 description = [[
 Performs simple Path MTU Discovery to target hosts.
-TCP or UDP packets are sent to the host with the DF (don't fragment) bit
-set and with varying amounts of data. If an ICMP Fragmentation Needed
-is received, or no reply is received after retransmissions, the amount
-of data is lowered and another packet is sent. This continues until
-(assuming no errors occur) a reply from the final host is received,
-indicating the packet reached the host without being fragmented.
+TCP or UDP packets are sent to the host with the DF (don't fragment) bit set
+and with varying amounts of data. If an ICMP Fragmentation Needed is received,
+or no reply is received after retransmissions, the amount of data is lowered
+and another packet is sent. This continues until (assuming no errors occur) a
+reply from the final host is received, indicating the packet reached the host
+without being fragmented.
 Not all MTUs are attempted so as to not expend too much time or network resources. Currently the relatively short list of MTUs to try contains the plateau values from Table 7-1 in RFC 1191, "Path MTU Discovery". Using these values significantly cuts down the MTU search space. On top of that, this list is rarely traversed in whole because:
- * the MTU of the outgoing interface is used as a starting point, and
- * we can jump down the list when an intermediate router sending a
- "can't fragment" message includes its next hop MTU (as described
- in RFC 1191 and required by RFC 1812)
+* the MTU of the outgoing interface is used as a starting point, and
+* we can jump down the list when an intermediate router sending a "can't fragment" message includes its next hop MTU (as described in RFC 1191 and required by RFC 1812)
 ]]
 ---
diff --git a/scripts/qscan.nse b/scripts/qscan.nse
index fb2e1e1a3..c08ce99a1 100644
--- a/scripts/qscan.nse
+++ b/scripts/qscan.nse
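Review bot: The second bullet is joined into one line of roughly 170 columns (`* we can jump down the list when an intermediate router sending a "can't fragment" message …`), which contradicts the 80-column reflow this commit applies to the paragraph just above it and makes the description harder to read in the source. The old text already had the right shape; keep it wrapped with an indented continuation, e.g. `* we can jump down the list when an intermediate router sending a "can't` / `  fragment" message includes its next hop MTU (as described in RFC 1191` / `  and required by RFC 1812)`. The paragraph beginning `Not all MTUs are attempted` is an untouched context line and stays as it is.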
@@ -33,11 +33,19 @@ for Nmap.
 -- @usage
 -- nmap --script qscan --script-args qscan.confidence=0.95,qscan.delay=200ms,qscan.numtrips=10 target
 --
--- @args confidence Confidence level: 0.75, 0.9, 0.95, 0.975, 0.99, 0.995, or 0.9995.
--- @args delay Average delay between packet sends. This is a number followed by ms for milliseconds or s for seconds. (m and h are also supported but are too long for timeouts.) The actual delay will randomly vary between 50% and 150% of the time specified. Default: 200ms.
+-- @args confidence Confidence level: 0.75, 0.9,
+-- 0.95, 0.975, 0.99,
+-- 0.995, or 0.9995.
+-- @args delay Average delay between packet sends. This is a number followed by
+-- ms for milliseconds or s for seconds.
+-- (m and h are also supported but are too long
+-- for timeouts.) The actual delay will randomly vary between 50% and
+-- 150% of the time specified. Default: 200ms.
 -- @args numtrips Number of round-trip times to try to get.
--- @args numopen Maximum number of open ports to probe (default 8). A negative number disables the limit.
--- @args numclosed Maximum number of closed ports to probe (default 1). A negative number disables the limit.
+-- @args numopen Maximum number of open ports to probe (default 8). A negative
+-- number disables the limit.
+-- @args numclosed Maximum number of closed ports to probe (default 1). A
+-- negative number disables the limit.
 --
 -- @output
 -- | qscan:
diff --git a/scripts/reverse-index.nse b/scripts/reverse-index.nse
index 78c551600..d02168dee 100644
--- a/scripts/reverse-index.nse
+++ b/scripts/reverse-index.nse
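Review bot: The rewritten @args entries still document `confidence`, `delay`, `numopen` and `numclosed` without the `qscan.` prefix, while the @usage line two lines above passes `qscan.confidence=0.95,qscan.delay=200ms,qscan.numtrips=10` and every other script touched in this commit (e.g. `http-waf-detect.uri`, `ipv6-ra-flood.timeout`) uses the script-prefixed form; since these lines are being rewritten anyway, `-- @args qscan.confidence …`, `-- @args qscan.delay …`, `-- @args qscan.numopen …` and `-- @args qscan.numclosed …` would make the docs match the usage (the untouched `numtrips` line has the same issue). The uneven breaks in the confidence and delay entries (`0.75, 0.9,` / `0.95, 0.975, 0.99,` and `… s for seconds.` / `(m and h are also …`) look like inline markup that this rendering dropped rather than a source problem, but the source lines are worth a glance to confirm they wrap at sensible points.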
@@ -3,7 +3,9 @@ local stdnse = require "stdnse"
 local table = require "table"
 description = [[
-Creates a reverse index at the end of scan output showing which hosts run a particular service. This is in addition to Nmap's normal output listing the services on each host.
+Creates a reverse index at the end of scan output showing which hosts run a
+particular service. This is in addition to Nmap's normal output listing the
+services on each host.
 ]]
 ---
diff --git a/scripts/rlogin-brute.nse b/scripts/rlogin-brute.nse
index bcf467a4d..aac85a424 100644
--- a/scripts/rlogin-brute.nse
+++ b/scripts/rlogin-brute.nse
@@ -6,7 +6,9 @@ local shortport = require "shortport"
 local stdnse = require "stdnse"
 description=[[
-Performs brute force password auditing against the classic UNIX rlogin (remote login) service. This script must be run in privileged mode on UNIX because it must bind to a low source port number.
+Performs brute force password auditing against the classic UNIX rlogin (remote
+login) service. This script must be run in privileged mode on UNIX because it
+must bind to a low source port number.
 ]]
 ---
diff --git a/scripts/rpcinfo.nse b/scripts/rpcinfo.nse
index 42f3e92a2..b9d68e056 100644
--- a/scripts/rpcinfo.nse
+++ b/scripts/rpcinfo.nse
@@ -4,7 +4,9 @@ local stdnse = require "stdnse"
 local table = require "table"
 description = [[
-Connects to portmapper and fetches a list of all registered programs. It then prints out a table including (for each program) the RPC program number, supported version numbers, port number and protocol, and program name.
+Connects to portmapper and fetches a list of all registered programs. It then
+prints out a table including (for each program) the RPC program number,
+supported version numbers, port number and protocol, and program name.
 ]]
 ---
diff --git a/scripts/sip-brute.nse b/scripts/sip-brute.nse
index 1c374f6a4..fedd72b86 100644
--- a/scripts/sip-brute.nse
+++ b/scripts/sip-brute.nse
@@ -6,7 +6,8 @@ local sip = require "sip"
 local stdnse = require "stdnse"
 description = [[
-Performs brute force password auditing against Session Initiation Protocol (SIP - http://en.wikipedia.org/wiki/Session_Initiation_Protocol) accounts. This protocol is most commonly associated with VoIP sessions.
+Performs brute force password auditing against Session Initiation Protocol
+(SIP) accounts. This protocol is most commonly associated with VoIP sessions.
 ]]
 ---
diff --git a/scripts/smb-enum-users.nse b/scripts/smb-enum-users.nse
index 7637b032c..018ffedd6 100644
--- a/scripts/smb-enum-users.nse
+++ b/scripts/smb-enum-users.nse
@@ -94,7 +94,9 @@ doesn't hurt to add more.
 The names and details from both of these techniques are merged and displayed. If the output is verbose, then extra details are shown. The output is ordered alphabetically.
-Credit goes out to the enum.exe, sid2user.exe, and user2sid.exe programs for pioneering some of the techniques used in this script.
+Credit goes out to the enum.exe, sid2user.exe, and
+user2sid.exe programs for pioneering some of the techniques used
+in this script.
 ]]
 ---
diff --git a/scripts/supermicro-ipmi-conf.nse b/scripts/supermicro-ipmi-conf.nse
index e6f7e8d25..58c3d6974 100644
--- a/scripts/supermicro-ipmi-conf.nse
+++ b/scripts/supermicro-ipmi-conf.nse
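Review bot: The new description drops the `http://en.wikipedia.org/wiki/Session_Initiation_Protocol` link instead of rewrapping it, so this hunk changes content where the rest of the commit only changes line breaks. If the pointer is still wanted, the supermicro-ipmi-conf and telnet-encryption hunks in this same commit show the convention for keeping URLs out of the prose: a `References:` line followed by `* http://en.wikipedia.org/wiki/Session_Initiation_Protocol` after the paragraph, inside the `]]` string. If dropping it is intentional, that deserves a mention in the commit message so it is not read as an accidental loss.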
@@ -1,7 +1,10 @@
 description = [[
-Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro Onboard IPMI controllers.
+Attempts to download an unprotected configuration file containing plain-text
+user credentials in vulnerable Supermicro Onboard IPMI controllers.
-The script connects to port 49152 and issues a request for "/PSBlock" to download the file. This configuration file contains users with their passwords in plain text.
+The script connects to port 49152 and issues a request for "/PSBlock" to
+download the file. This configuration file contains users with their passwords
+in plain text.
 References:
 * http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
diff --git a/scripts/targets-ipv6-multicast-mld.nse b/scripts/targets-ipv6-multicast-mld.nse
index 8ecccda9a..eb9f5d19f 100644
--- a/scripts/targets-ipv6-multicast-mld.nse
+++ b/scripts/targets-ipv6-multicast-mld.nse
@@ -9,7 +9,11 @@ local table = require "table"
 local target = require "target"
 description = [[
-Attempts to discover available IPv6 hosts on the LAN by sending an MLD (multicast listener discovery) query to the link-local multicast address (ff02::1) and listening for any responses. The query's maximum response delay set to 0 to provoke hosts to respond immediately rather than waiting for other responses from their multicast group.
+Attempts to discover available IPv6 hosts on the LAN by sending an MLD
+(multicast listener discovery) query to the link-local multicast address
+(ff02::1) and listening for any responses. The query's maximum response delay
+set to 0 to provoke hosts to respond immediately rather than waiting for other
+responses from their multicast group.
 ]]
 ---
diff --git a/scripts/targets-ipv6-multicast-slaac.nse b/scripts/targets-ipv6-multicast-slaac.nse
index 88417d297..2bcab885b 100644
--- a/scripts/targets-ipv6-multicast-slaac.nse
+++ b/scripts/targets-ipv6-multicast-slaac.nse
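Review bot: In the targets-ipv6-multicast-mld hunk the rewritten sentence `The query's maximum response delay` / `set to 0 to provoke hosts to respond immediately ...` still lacks its verb, which the reflow was a natural moment to fix. Inserting `is` and refilling gives `(ff02::1) and listening for any responses. The query's maximum response delay is` / `set to 0 to provoke hosts to respond immediately rather than waiting for other` with the rest of the paragraph unchanged; the first of those lines is right at the 80-column width used elsewhere in the commit, so it may need one more refill of the following lines.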
@@ -149,7 +149,9 @@ local function single_interface_broadcast(if_nfo, results)
 -- preferred_lifetime <= valid_lifetime.
 -- Nmap will get the whole IPv6 addresses of each host if the two parameters are both longer than 5 seconds.
- -- Sometimes it makes sense to regard the several addresses of a host as different hosts, as the host's administrator may apply different firewall configurations on them.
+ -- Sometimes it makes sense to regard the several addresses of a host as
+ -- different hosts, as the host's administrator may apply different firewall
+ -- configurations on them.
 local valid_lifetime = 6
 local preferred_lifetime = 6
@@ -191,7 +193,9 @@ local function single_interface_broadcast(if_nfo, results)
 local ula_target_addr_str = ipOps.str_to_ip(reply.ns_target)
 local identifier = get_identifier(reply.ns_target)
 --Filter out the reduplicative identifiers.
- --A host will send several NS packets with the same interface identifier if it receives several RA packets with different prefix during the discovery phase.
+ --A host will send several NS packets with the same interface
+ --identifier if it receives several RA packets with different prefix
+ --during the discovery phase.
 local actual_addr_str = ipOps.str_to_ip(actual_prefix .. identifier)
 if not results[actual_addr_str] then
 if target.ALLOW_NEW_TARGETS then
diff --git a/scripts/targets-traceroute.nse b/scripts/targets-traceroute.nse
index 0138a6aa5..d0416d8e8 100644
--- a/scripts/targets-traceroute.nse
+++ b/scripts/targets-traceroute.nse
@@ -3,7 +3,9 @@ local string = require "string"
 local target = require "target"
 description = [[
-Inserts traceroute hops into the Nmap scanning queue. It only functions if Nmap's --traceroute option is used and the newtargets script argument is given.
+Inserts traceroute hops into the Nmap scanning queue. It only functions if
+Nmap's --traceroute option is used and the newtargets
+script argument is given.
 ]]
 ---
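Review bot: The reflow in the first targets-ipv6-multicast-slaac hunk stops one line short: the context comment directly above the changed lines, `-- Nmap will get the whole IPv6 addresses of each host if the two parameters are both longer than 5 seconds.`, is longer than the comment being wrapped and is left as is, so the block is still not consistently under 80 columns. Wrapping it the same way, `-- Nmap will get the whole IPv6 addresses of each host if the two` / `-- parameters are both longer than 5 seconds.`, would finish the job. In the second hunk the new lines keep the `--A host` / `--identifier` / `--during` form with no space after the comment marker, unlike `-- Sometimes` a few lines earlier in the same function; since these lines are being rewritten anyway, one spacing style would be tidier. The enclosing function single_interface_broadcast starts before the first hunk and continues past the second.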
diff --git a/scripts/telnet-encryption.nse b/scripts/telnet-encryption.nse
index 5617e5b65..e7371653c 100644
--- a/scripts/telnet-encryption.nse
+++ b/scripts/telnet-encryption.nse
@@ -4,7 +4,11 @@ local shortport = require "shortport"
 local table = require "table"
 description = [[
-Determines whether the encryption option is supported on a remote telnet server. Some systems (including FreeBSD and the krb5 telnetd available in many Linux distributions) implement this option incorrectly, leading to a remote root vulnerability. This script currently only tests whether encryption is supported, not for that particular vulnerability.
+Determines whether the encryption option is supported on a remote telnet
+server. Some systems (including FreeBSD and the krb5 telnetd available in many
+Linux distributions) implement this option incorrectly, leading to a remote
+root vulnerability. This script currently only tests whether encryption is
+supported, not for that particular vulnerability.
 References:
 * FreeBSD Advisory: http://lists.freebsd.org/pipermail/freebsd-announce/2011-December/001398.html
diff --git a/scripts/tls-nextprotoneg.nse b/scripts/tls-nextprotoneg.nse
index 4da4e74a1..5fc974c79 100644
--- a/scripts/tls-nextprotoneg.nse
+++ b/scripts/tls-nextprotoneg.nse
@@ -6,13 +6,14 @@ local bin = require "bin"
 local tls = require "tls"
 description = [[
-Enumerates a TLS server's supported protocols by using the next protocol negotiation extension.
+Enumerates a TLS server's supported protocols by using the next protocol
+negotiation extension.
-This works by adding the next protocol negotiation extension in the client hello
-packet and parsing the returned server hello's NPN extension data.
+This works by adding the next protocol negotiation extension in the client
+hello packet and parsing the returned server hello's NPN extension data.
-For more information , see:
- * https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-03
+For more information, see:
+* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-03
 ]]
 ---
diff --git a/scripts/unusual-port.nse b/scripts/unusual-port.nse
index b6a4338ed..904d77881 100644
--- a/scripts/unusual-port.nse
+++ b/scripts/unusual-port.nse
@@ -4,7 +4,10 @@ local shortport = require "shortport"
 local stdnse = require "stdnse"
 description = [[
-Compares the detected service on a port against the expected service for that port number (e.g. ssh on 22, http on 80) and reports deviations. The script requires that a version scan has been run in order to be able to discover what service is actually running on each port.
+Compares the detected service on a port against the expected service for that
+port number (e.g. ssh on 22, http on 80) and reports deviations. The script
+requires that a version scan has been run in order to be able to discover what
+service is actually running on each port.
 ]]
 ---