PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-26 09:29:01 +00:00
Code Issues Projects Releases Wiki Activity

Fix NSEdoc: wrap lines, fix bulleted lists

Browse Source
This commit is contained in:
dmiller
2015-07-11 04:01:05 +00:00
parent a59056e29e
commit 339f0ffd7d
63 changed files with 408 additions and 298 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
scripts/asn-query.nse
View File

@@ -385,8 +385,12 @@ function get_prefix_length( range )
end
---
-- Given an IP address and a prefix length, returns a string representing a valid IP address assignment (size is not checked) which contains
-- the supplied IP address. For example, with <code>ip</code> = <code>"192.168.1.187"</code> and <code>prefix</code> = <code>24</code> the return value will be <code>"192.168.1.1-192.168.1.255"</code>
-- Given an IP address and a prefix length, returns a string representing a
-- valid IP address assignment (size is not checked) which contains the
-- supplied IP address. For example, with
-- <code>ip</code> = <code>"192.168.1.187"</code> and
-- <code>prefix</code> = <code>24</code> the return value will be
-- <code>"192.168.1.1-192.168.1.255"</code>
-- @param ip String representing an IP address.
-- @param prefix String or number representing a prefix length. Should be of the same address family as <code>ip</code>.
-- @return String representing a range of addresses from the first to the last hosts (or <code>nil</code> in case of an error).

8
scripts/broadcast-dropbox-listener.nse
View File

@@ -5,9 +5,13 @@ local tab = require "tab"
local target = require "target"
description = [[
Listens for the LAN sync information broadcasts that the Dropbox.com client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more.
Listens for the LAN sync information broadcasts that the Dropbox.com client
broadcasts every 20 seconds, then prints all the discovered client IP
addresses, port numbers, version numbers, display names, and more.
If the <code>newtargets</code> script argument is given, all discovered Dropbox clients will be added to the Nmap target list rather than just listed in the output.
If the <code>newtargets</code> script argument is given, all discovered Dropbox
clients will be added to the Nmap target list rather than just listed in the
output.
]]
---

6
scripts/broadcast-ping.nse
View File

@@ -12,8 +12,10 @@ local openssl = stdnse.silent_require "openssl"
description = [[
Sends broadcast pings on a selected interface using raw ethernet packets and
outputs the responding hosts' IP and MAC addresses or (if requested) adds them as targets. Root privileges on UNIX are required to run this script since it uses raw sockets. Most operating systems don't respond to broadcast-ping probes,
but they can be configured to do so.
outputs the responding hosts' IP and MAC addresses or (if requested) adds them
as targets. Root privileges on UNIX are required to run this script since it
uses raw sockets. Most operating systems don't respond to broadcast-ping
probes, but they can be configured to do so.
The interface on which is broadcasted can be specified using the -e Nmap option
or the <code>broadcast-ping.interface</code> script-arg. If no interface is

15
scripts/firewall-bypass.nse
View File

@@ -5,16 +5,21 @@ local string = require "string"
local packet = require "packet"
description = [[
Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip.
Detects a vulnerability in netfilter and other firewalls that use helpers to
dynamically open ports for protocols such as ftp and sip.
The script works by spoofing a packet from the target server asking for opening a related connection to a target port which will be
fulfilled by the firewall through the adequate protocol helper port. The attacking machine should be on the same network segment as the
firewall for this to work. The script supports ftp helper on both IPv4 and IPv6. Real path filter is used to prevent such attacks.
The script works by spoofing a packet from the target server asking for opening
a related connection to a target port which will be fulfilled by the firewall
through the adequate protocol helper port. The attacking machine should be on
the same network segment as the firewall for this to work. The script supports
ftp helper on both IPv4 and IPv6. Real path filter is used to prevent such
attacks.
Based on work done by Eric Leblond.
For more information, see:
* http://home.regit.org/2012/03/playing-with-network-layers-to-bypass-firewalls-filtering-policy/
* http://home.regit.org/2012/03/playing-with-network-layers-to-bypass-firewalls-filtering-policy/
]]
---

5
scripts/ftp-proftpd-backdoor.nse
View File

@@ -7,7 +7,10 @@ local stdnse = require "stdnse"
-- vim: set filetype=lua :
description = [[
Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous <code>id</code> command by default, but that can be changed with the <code>ftp-proftpd-backdoor.cmd</code> script argument.
Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID
69562. This script attempts to exploit the backdoor using the innocuous
<code>id</code> command by default, but that can be changed with the
<code>ftp-proftpd-backdoor.cmd</code> script argument.
]]
---

7
scripts/ftp-vsftpd-backdoor.nse
View File

@@ -14,9 +14,10 @@ the <code>exploit.cmd</code> or <code>ftp-vsftpd-backdoor.cmd</code> script
arguments.
References:
* http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
* https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
* http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2011-2523
* http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
* https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
* http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2011-2523
]]
---

10
scripts/hadoop-datanode-info.nse
View File

@@ -4,15 +4,11 @@ local shortport = require "shortport"
local stdnse = require "stdnse"
description = [[
Discovers information such as log directories from an Apache Hadoop DataNode HTTP status page.
Discovers information such as log directories from an Apache Hadoop DataNode
HTTP status page.
Information gathered:
* Log directory (relative to http://host:port/)
For more information about hadoop, see:
* http://hadoop.apache.org/
* http://en.wikipedia.org/wiki/Apache_Hadoop
* http://wiki.apache.org/hadoop/DataNode
* Log directory (relative to http://host:port/)
]]
---

22
scripts/hadoop-jobtracker-info.nse
View File

@@ -10,19 +10,14 @@ description = [[
Retrieves information from an Apache Hadoop JobTracker HTTP status page.
Information gathered:
* State of the JobTracker.
* Date/time the service was started
* Hadoop version
* Hadoop Compile date
* JobTracker ID
* Log directory (relative to http://host:port/)
* Associated TaskTrackers
* Optionally also user activity history
For more information about Hadoop, see:
* http://hadoop.apache.org/
* http://en.wikipedia.org/wiki/Apache_Hadoop
* http://wiki.apache.org/hadoop/JobTracker
* State of the JobTracker.
* Date/time the service was started
* Hadoop version
* Hadoop Compile date
* JobTracker ID
* Log directory (relative to http://host:port/)
* Associated TaskTrackers
* Optionally also user activity history
]]
---
@@ -44,6 +39,7 @@ For more information about Hadoop, see:
-- | Userhistory:
-- | User: bob (Wed Sep 07 12:14:33 CEST 2011)
-- |_ User: bob (Wed Sep 07 12:14:33 CEST 2011)
--
-- @xmloutput
-- <elem key="State">RUNNING</elem>
-- <elem key="Started">Wed May 11 22:33:44 PDT 2011, bob</elem>

19
scripts/hadoop-namenode-info.nse
View File

@@ -11,18 +11,13 @@ description = [[
Retrieves information from an Apache Hadoop NameNode HTTP status page.
Information gathered:
* Date/time the service was started
* Hadoop version
* Hadoop compile date
* Upgrades status
* Filesystem directory (relative to http://host:port/)
* Log directory (relative to http://host:port/)
* Associated DataNodes.
For more information about Hadoop, see:
* http://hadoop.apache.org/
* http://en.wikipedia.org/wiki/Apache_Hadoop
* http://wiki.apache.org/hadoop/NameNode
* Date/time the service was started
* Hadoop version
* Hadoop compile date
* Upgrades status
* Filesystem directory (relative to http://host:port/)
* Log directory (relative to http://host:port/)
* Associated DataNodes.
]]
---

21
scripts/hadoop-secondary-namenode-info.nse
View File

@@ -10,19 +10,14 @@ description = [[
Retrieves information from an Apache Hadoop secondary NameNode HTTP status page.
Information gathered:
* Date/time the service was started
* Hadoop version
* Hadoop compile date
* Hostname or IP address and port of the master NameNode server
* Last time a checkpoint was taken
* How often checkpoints are taken (in seconds)
* Log directory (relative to http://host:port/)
* File size of current checkpoint
For more information about Hadoop, see:
* http://hadoop.apache.org/
* http://en.wikipedia.org/wiki/Apache_Hadoop
* http://wiki.apache.org/hadoop/NameNode
* Date/time the service was started
* Hadoop version
* Hadoop compile date
* Hostname or IP address and port of the master NameNode server
* Last time a checkpoint was taken
* How often checkpoints are taken (in seconds)
* Log directory (relative to http://host:port/)
* File size of current checkpoint
]]
---

11
scripts/hadoop-tasktracker-info.nse
View File

@@ -7,14 +7,9 @@ description = [[
Retrieves information from an Apache Hadoop TaskTracker HTTP status page.
Information gathered:
* Hadoop version
* Hadoop Compile date
* Log directory (relative to http://host:port/)
For more information about Hadoop, see:
* http://hadoop.apache.org/
* http://en.wikipedia.org/wiki/Apache_Hadoop
* http://wiki.apache.org/hadoop/TaskTracker
* Hadoop version
* Hadoop Compile date
* Log directory (relative to http://host:port/)
]]
---

21
scripts/hbase-master-info.nse
View File

@@ -10,19 +10,14 @@ description = [[
Retrieves information from an Apache HBase (Hadoop database) master HTTP status page.
Information gathered:
* Hbase version
* Hbase compile date
* Hbase root directory
* Hadoop version
* Hadoop compile date
* Average load
* Zookeeper quorum server
* Associated region servers
For more information about Hbase, see:
* http://hbase.apache.org/
* http://wiki.apache.org/hadoop/Hbase
* http://wiki.apache.org/hadoop/TaskTracker
* Hbase version
* Hbase compile date
* Hbase root directory
* Hadoop version
* Hadoop compile date
* Average load
* Zookeeper quorum server
* Associated region servers
]]
---

12
scripts/hbase-region-info.nse
View File

@@ -8,14 +8,10 @@ description = [[
Retrieves information from an Apache HBase (Hadoop database) region server HTTP status page.
Information gathered:
* HBase version
* HBase compile date
* A bunch of metrics about the state of the region server
* Zookeeper quorum server
For more information about Hbase, see:
* http://hbase.apache.org/
* http://wiki.apache.org/hadoop/Hbase
* HBase version
* HBase compile date
* A bunch of metrics about the state of the region server
* Zookeeper quorum server
]]
---

6
scripts/http-adobe-coldfusion-apsa1301.nse
View File

@@ -1,5 +1,9 @@
description = [[
Attempts to exploit an authentication bypass vulnerability in Adobe Coldfusion servers (APSA13-01: http://www.adobe.com/support/security/advisories/apsa13-01.html) to retrieve a valid administrator's session cookie.
Attempts to exploit an authentication bypass vulnerability in Adobe Coldfusion
servers to retrieve a valid administrator's session cookie.
Reference:
* APSA13-01: http://www.adobe.com/support/security/advisories/apsa13-01.html
]]
---

8
scripts/http-awstatstotals-exec.nse
View File

@@ -7,9 +7,13 @@ local string = require "string"
local table = require "table"
description = [[
Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE: 2008-3922).
Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14
and possibly other products based on it (CVE: 2008-3922).
This vulnerability can be exploited through the GET variable <code>sort</code>.
The script queries the web server with the command payload encoded using PHP's
chr() function:
This vulnerability can be exploited through the GET variable sort. The script queries the web server with the command payload encoded using PHP's chr() function:
<code>?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}</code>
Common paths for Awstats Total:

19
scripts/http-axis2-dir-traversal.nse
View File

@@ -8,10 +8,19 @@ local string = require "string"
local table = require "table"
description = [[
Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter <code>xsd</code> (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service <code>'/conf/axis2.xml'</code> using the path <code>'/axis2/services/'</code> to return the username and password of the admin account.
Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by
sending a specially crafted request to the parameter <code>xsd</code>
(OSVDB-59001). By default it will try to retrieve the configuration file of the
Axis2 service <code>'/conf/axis2.xml'</code> using the path
<code>'/axis2/services/'</code> to return the username and password of the
admin account.
To exploit this vulnerability we need to detect a valid service running on the installation so we extract it from <code>/listServices</code> before exploiting the directory traversal vulnerability.
By default it will retrieve the configuration file, if you wish to retrieve other files you need to set the argument <code>http-axis2-dir-traversal.file</code> correctly to traverse to the file's directory. Ex. <code>../../../../../../../../../etc/issue</code>
To exploit this vulnerability we need to detect a valid service running on the
installation so we extract it from <code>/listServices</code> before exploiting
the directory traversal vulnerability. By default it will retrieve the
configuration file, if you wish to retrieve other files you need to set the
argument <code>http-axis2-dir-traversal.file</code> correctly to traverse to
the file's directory. Ex. <code>../../../../../../../../../etc/issue</code>
To check the version of an Apache Axis2 installation go to:
http://domain/axis2/services/Version/getVersion
@@ -33,10 +42,6 @@ Reference:
-- @args http-axis2-dir-traversal.file Remote file to retrieve
-- @args http-axis2-dir-traversal.outfile Output file
-- @args http-axis2-dir-traversal.basepath Basepath to the services page. Default: <code>/axis2/services/</code>
--
-- Other useful arguments for this script:
-- @args http.useragent User Agent used in the GET requests
---
author = "Paulino Calderon <calderon@websec.mx>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

11
scripts/http-cakephp-version.nse
View File

@@ -1,8 +1,13 @@
description = [[
Obtains the CakePHP version of a web application built with the CakePHP framework by fingerprinting default files shipped with the CakePHP framework.
Obtains the CakePHP version of a web application built with the CakePHP
framework by fingerprinting default files shipped with the CakePHP framework.
This script queries the files 'vendors.php', 'cake.generic.css', 'cake.icon.png' and 'cake.icon.gif' to try to obtain the version of the CakePHP installation.
Since installations that had been upgraded are prone to false positives due to old files that aren't removed, the script displays 3 different versions:
This script queries the files 'vendors.php', 'cake.generic.css',
'cake.icon.png' and 'cake.icon.gif' to try to obtain the version of the CakePHP
installation.
Since installations that had been upgraded are prone to false positives due to
old files that aren't removed, the script displays 3 different versions:
* Codebase: Taken from the existence of vendors.php (1.1.x or 1.2.x if it does and 1.3.x otherwise)
* Stylesheet: Taken from cake.generic.css
* Icon: Taken from cake.icon.gif or cake.icon.png

41
scripts/http-domino-enum-passwords.nse
View File

@@ -8,36 +8,29 @@ local string = require "string"
local table = require "table"
description = [[
Attempts to enumerate the hashed Domino Internet Passwords that are
(by default) accessible by all authenticated users. This script can
also download any Domino ID Files attached to the Person document.
Attempts to enumerate the hashed Domino Internet Passwords that are (by
default) accessible by all authenticated users. This script can also download
any Domino ID Files attached to the Person document. Passwords are presented
in a form suitable for running in John the Ripper.
The passwords may be stored in two forms (http://comments.gmane.org/gmane.comp.security.openwall.john.user/785):
1. Saltless (legacy support?)
Example: 355E98E7C7B59BD810ED845AD0FD2FC4
John's format name: lotus5
2. Salted (also known as "More Secure Internet Password")
Example: (GKjXibCW2Ml6juyQHUoP)
John's format name: dominosec
It appears as if form based authentication is enabled, basic authentication
still works. Therefore the script should work in both scenarios. Valid
credentials can either be supplied directly using the parameters username
and password or indirectly from results of http-brute or http-form-brute.
]]
---
-- @usage
-- nmap --script domino-enum-passwords -p 80 <host> --script-args domino-enum-passwords.username='patrik karlsson',domino-enum-passwords.password=secret
--
-- This script attempts to enumerate the password hashes used to authenticate
-- to the Lotus Domino Web interface. By default, these hashes are accessible
-- to every authenticated user. Passwords are presented in a form suitable for
-- running in John the Ripper.
--
-- The format can in two forms (http://comments.gmane.org/gmane.comp.security.openwall.john.user/785):
-- 1. Saltless (legacy support?)
-- Example: 355E98E7C7B59BD810ED845AD0FD2FC4
-- John's format name: lotus5
-- 2. Salted (also known as "More Secure Internet Password")
-- Example: (GKjXibCW2Ml6juyQHUoP)
-- John's format name: dominosec
--
-- In addition the script can be used to download
-- any ID files attached to the Person document.
--
-- It appears as if form based authentication is enabled, basic authentication
-- still works. Therefore the script should work in both scenarios. Valid
-- credentials can either be supplied directly using the parameters username
-- and password or indirectly from results of http-brute or http-form-brute.
--
-- @output
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack

4
scripts/http-drupal-enum-users.nse
View File

@@ -5,7 +5,7 @@ local stdnse = require "stdnse"
local table = require "table"
description = [[
Enumerates Drupal users by exploiting a an information disclosure vulnerability
Enumerates Drupal users by exploiting an information disclosure vulnerability
in Views, Drupal's most popular module.
Requests to admin/views/ajax/autocomplete/user/STRING return all usernames that
@@ -13,7 +13,7 @@ begin with STRING. The script works by iterating STRING over letters to extract
all usernames.
For more information,see:
* http://www.madirish.net/node/465
* http://www.madirish.net/node/465
]]
---

8
scripts/http-google-malware.nse
View File

@@ -5,9 +5,13 @@ local stdnse = require "stdnse"
local string = require "string"
description = [[
Checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.
Checks if hosts are on Google's blacklist of suspected malware and phishing
servers. These lists are constantly updated and are part of Google's Safe
Browsing service.
To do this the script queries the Google's Safe Browsing service and you need to have your own API key to access Google's Safe Browsing Lookup services. Sign up for yours at http://code.google.com/apis/safebrowsing/key_signup.html
To do this the script queries the Google's Safe Browsing service and you need
to have your own API key to access Google's Safe Browsing Lookup services. Sign
up for yours at http://code.google.com/apis/safebrowsing/key_signup.html
* To learn more about Google's Safe Browsing:
http://code.google.com/apis/safebrowsing/

21
scripts/http-huawei-hg5xx-vuln.nse
View File

@@ -1,17 +1,20 @@
description = [[
Detects Huawei modems models HG530x, HG520x, HG510x (and possibly
others...) vulnerable to a remote credential and information
disclosure vulnerability. It also extracts the PPPoE credentials and
other interesting configuration values.
Detects Huawei modems models HG530x, HG520x, HG510x (and possibly others...)
vulnerable to a remote credential and information disclosure vulnerability. It
also extracts the PPPoE credentials and other interesting configuration values.
Attackers can query the URIs "/Listadeparametros.html" and "/wanfun.js" to extract sensitive information
including PPPoE credentials, firmware version, model, gateway, dns servers and active connections among other values.
Attackers can query the URIs "/Listadeparametros.html" and "/wanfun.js" to
extract sensitive information including PPPoE credentials, firmware version,
model, gateway, dns servers and active connections among other values.
This script exploits two vulnerabilities. One was discovered and reported by Adiaz from Comunidad Underground de Mexico (http://underground.org.mx) and it allows attackers to extract the pppoe password. The configuration disclosure vulnerability was discovered by Pedro Joaquin (http://hakim.ws).
This script exploits two vulnerabilities. One was discovered and reported by
Adiaz from Comunidad Underground de Mexico (http://underground.org.mx) and it
allows attackers to extract the pppoe password. The configuration disclosure
vulnerability was discovered by Pedro Joaquin (http://hakim.ws).
References:
*http://websec.ca/advisories/view/Huawei-HG520c-3.10.18.x-information-disclosure
*http://routerpwn.com/#huawei
* http://websec.ca/advisories/view/Huawei-HG520c-3.10.18.x-information-disclosure
* http://routerpwn.com/#huawei
]]
---

13
scripts/http-iis-webdav-vuln.nse
View File

@@ -6,11 +6,18 @@ local stdnse = require "stdnse"
local string = require "string"
description = [[
Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, http://nmap.org/r/ms09-020.
Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access
secured WebDAV folders by searching for a password-protected folder and
attempting to access it. This vulnerability was patched in Microsoft Security
Bulletin MS09-020, http://nmap.org/r/ms09-020.
A list of well known folders (almost 900) is used by default. Each one is checked, and if returns an authentication request (401), another attempt is tried with the malicious encoding. If that attempt returns a successful result (207), then the folder is marked as vulnerable.
A list of well known folders (almost 900) is used by default. Each one is
checked, and if returns an authentication request (401), another attempt is
tried with the malicious encoding. If that attempt returns a successful result
(207), then the folder is marked as vulnerable.
This script is based on the Metasploit modules/auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass.rb auxiliary module.
This script is based on the Metasploit auxiliary module
auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass
For more information on this vulnerability and script, see:
* http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html

8
scripts/http-litespeed-sourcecode-download.nse
View File

@@ -5,9 +5,13 @@ local stdnse = require "stdnse"
local string = require "string"
description = [[
Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).
Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x
before 4.0.15 to retrieve the target script's source code by sending a HTTP
request with a null byte followed by a .txt file extension (CVE-2010-2333).
If the server is not vulnerable it returns an error 400. If index.php is not found, you may try /phpinfo.php which is also shipped with LiteSpeed Web Server. The attack payload looks like this:
If the server is not vulnerable it returns an error 400. If index.php is not
found, you may try /phpinfo.php which is also shipped with LiteSpeed Web
Server. The attack payload looks like this:
* <code>/index.php\00.txt</code>
References:

6
scripts/http-phpmyadmin-dir-traversal.nse
View File

@@ -6,7 +6,8 @@ local io = require "io"
local vulns = require "vulns"
description = [[
Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to retrieve remote files on the web server.
Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and
possibly other versions) to retrieve remote files on the web server.
Reference:
* http://www.exploit-db.com/exploits/1244/
@@ -21,9 +22,6 @@ Reference:
-- @args http-phpmyadmin-dir-traversal.outfile Output file
-- @args http-phpmyadmin-dir-traversal.dir Basepath to the services page. Default: <code>/phpMyAdmin-2.6.4-pl1/</code>
--
-- Other useful arguments for this script:
-- @args http.useragent User Agent used in the GET requests
---
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http

22
scripts/http-phpself-xss.nse
View File

@@ -1,21 +1,28 @@
description=[[
Crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable $_SERVER["PHP_SELF"].
Crawls a web server and attempts to find PHP files vulnerable to reflected
cross site scripting via the variable <code>$_SERVER["PHP_SELF"]</code>.
This script crawls the webserver to create a list of PHP files and then sends an attack vector/probe to identify PHP_SELF cross site scripting vulnerabilities.
PHP_SELF XSS refers to reflected cross site scripting vulnerabilities caused by the lack of sanitation of the variable <code>$_SERVER["PHP_SELF"]</code> in PHP scripts. This variable is
commonly used in php scripts that display forms and when the script file name is needed.
This script crawls the webserver to create a list of PHP files and then sends
an attack vector/probe to identify PHP_SELF cross site scripting
vulnerabilities. PHP_SELF XSS refers to reflected cross site scripting
vulnerabilities caused by the lack of sanitation of the variable
<code>$_SERVER["PHP_SELF"]</code> in PHP scripts. This variable is commonly
used in PHP scripts that display forms and when the script file name is
needed.
Examples of Cross Site Scripting vulnerabilities in the variable $_SERVER[PHP_SELF]:
*http://www.securityfocus.com/bid/37351
*http://software-security.sans.org/blog/2011/05/02/spot-vuln-percentage
*http://websec.ca/advisories/view/xss-vulnerabilities-mantisbt-1.2.x
* http://www.securityfocus.com/bid/37351
* http://software-security.sans.org/blog/2011/05/02/spot-vuln-percentage
* http://websec.ca/advisories/view/xss-vulnerabilities-mantisbt-1.2.x
The attack vector/probe used is: <code>/'"/><script>alert(1)</script></code>
]]
---
-- @usage
-- nmap --script=http-phpself-xss -p80 <target>
-- nmap -sV --script http-self-xss <target>
--
-- @output
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack
@@ -37,6 +44,7 @@ The attack vector/probe used is: <code>/'"/><script>alert(1)</script></code>
-- | References:
-- | https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
-- |_ http://php.net/manual/en/reserved.variables.server.php
--
-- @args http-phpself-xss.uri URI. Default: /
-- @args http-phpself-xss.timeout Spidering timeout. (default 10s)
author = "Paulino Calderon <calderon@websec.mx>"

4
scripts/http-rfi-spider.nse
View File

@@ -1,5 +1,7 @@
description = [[
Crawls webservers in search of RFI (remote file inclusion) vulnerabilities. It tests every form field it finds and every parameter of a URL containing a query.
Crawls webservers in search of RFI (remote file inclusion) vulnerabilities. It
tests every form field it finds and every parameter of a URL containing a
query.
]]
---

19
scripts/http-slowloris-check.nse
View File

@@ -9,17 +9,18 @@ local http = require "http"
description = [[
Tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack.
Tests a web server for vulnerability to the Slowloris DoS attack without
actually launching a DoS attack.
Slowloris was described at Defcon 17 by RSnake
(see http://ha.ckers.org/slowloris/).
This script opens two connections to the server, each without
the final CRLF. After 10 seconds, second connection sends
additional header. Both connections then wait for server timeout.
If second connection gets a timeout 10 or more seconds after the
first one, we can conclude that sending additional header prolonged
its timeout and that the server is vulnerable to slowloris DoS attack.
This script opens two connections to the server, each without the final CRLF.
After 10 seconds, second connection sends additional header. Both connections
then wait for server timeout. If second connection gets a timeout 10 or more
seconds after the first one, we can conclude that sending additional header
prolonged its timeout and that the server is vulnerable to slowloris DoS
attack.
A "LIKELY VULNERABLE" result means a server is subject to timeout-extension
attack, but depending on the http server's architecture and resource limits, a
@@ -30,7 +31,7 @@ You can specify custom http User-agent field with <code>http.useragent</code>
script argument.
Idea from Qualys blogpost:
* https://community.qualys.com/blogs/securitylabs/2011/07/07/identifying-slow-http-attack-vulnerabilities-on-web-applications
* https://community.qualys.com/blogs/securitylabs/2011/07/07/identifying-slow-http-attack-vulnerabilities-on-web-applications
]]
@@ -38,8 +39,6 @@ Idea from Qualys blogpost:
-- @usage
-- nmap --script http-slowloris-check <target>
--
-- @args http.useragent Specifies custom user agent string.
--
-- @output
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack

10
scripts/http-tplink-dir-traversal.nse
View File

@@ -1,8 +1,12 @@
description = [[
Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication.
Exploits a directory traversal vulnerability existing in several TP-Link
wireless routers. Attackers may exploit this vulnerability to read any of the
configuration and password files remotely and without authentication.
This vulnerability was confirmed in models WR740N, WR740ND and WR2543ND but there are several models that use the same HTTP server so I believe they could be vulnerable as well. I appreciate
any help confirming the vulnerability in other models.
This vulnerability was confirmed in models WR740N, WR740ND and WR2543ND but
there are several models that use the same HTTP server so I believe they could
be vulnerable as well. I appreciate any help confirming the vulnerability in
other models.
Advisory:
* http://websec.ca/advisories/view/path-traversal-vulnerability-tplink-wdr740

3
scripts/http-trace.nse
View File

@@ -4,7 +4,8 @@ local shortport = require "shortport"
local stdnse = require "stdnse"
description = [[
Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug is enabled, it returns the header fields that were modified in the response.
Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug
is enabled, it returns the header fields that were modified in the response.
]]
---

11
scripts/http-traceroute.nse
View File

@@ -7,22 +7,23 @@ local table = require "table"
description = [[
Exploits the Max-Forwards HTTP header to detect the presence of reverse proxies.
The script works by sending HTTP requests with values of the Max-Forwards HTTP header varying
from 0 to 2 and checking for any anomalies in certain response values such as the status code,
Server, Content-Type and Content-Length HTTP headers and body values such as the html title.
The script works by sending HTTP requests with values of the Max-Forwards HTTP
header varying from 0 to 2 and checking for any anomalies in certain response
values such as the status code, Server, Content-Type and Content-Length HTTP
headers and body values such as the HTML title.
Based on the work of:
* Nicolas Gregoire (nicolas.gregoire@agarri.fr)
* Julien Cayssol (tools@aqwz.com)
For more information, see:
* http://www.agarri.fr/kom/archives/2011/11/12/traceroute-like_http_scanner/index.html
* http://www.agarri.fr/kom/archives/2011/11/12/traceroute-like_http_scanner/index.html
]]
---
-- @args http-traceroute.path The path to send requests to. Defaults to <code>/</code>.
-- @args http-traceroute.method HTTP request method to use. Defaults to <code>GET</code>.
-- among other values, TRACE is probably the most interesting.
-- Among other values, TRACE is probably the most interesting.
--
-- @usage
-- nmap --script=http-traceroute <targets>

8
scripts/http-vuln-cve2011-3368.nse
View File

@@ -10,12 +10,12 @@ local openssl = stdnse.silent_require "openssl"
description = [[
Tests for the CVE-2011-3368 (Reverse Proxy Bypass) vulnerability in Apache HTTP server's reverse proxy mode.
The script will run 3 tests:
o the loopback test, with 3 payloads to handle different rewrite rules
o the internal hosts test. According to Contextis, we expect a delay before a server error.
o The external website test. This does not mean that you can reach a LAN ip, but this is a relevant issue anyway.
* the loopback test, with 3 payloads to handle different rewrite rules
* the internal hosts test. According to Contextis, we expect a delay before a server error.
* The external website test. This does not mean that you can reach a LAN ip, but this is a relevant issue anyway.
References:
* http://www.contextis.com/research/blog/reverseproxybypass/
* http://www.contextis.com/research/blog/reverseproxybypass/
]]
---

12
scripts/http-vuln-cve2012-1823.nse
View File

@@ -5,14 +5,14 @@ local string = require "string"
local vulns = require "vulns"
description = [[
Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This critical vulnerability allows attackers to retrieve source code and execute code remotely.
Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This
critical vulnerability allows attackers to retrieve source code and execute
code remotely.
The script works by appending "?-s" to the uri to make vulnerable php-cgi handlers return colour syntax highlighted source. We use the pattern "<span style=.*>&lt;?" to detect
The script works by appending "?-s" to the uri to make vulnerable php-cgi
handlers return colour syntax highlighted source. We use the pattern "<span
style=.*>&lt;?" to detect
vulnerable installations.
CHANGELOG:
- Added new detection mechanism by trying to perform a "echo" command
- Added exploitation script that allows you to define your command (default: uname -a).
]]
---

17
scripts/http-vuln-cve2013-0156.nse
View File

@@ -1,17 +1,17 @@
description = [[
Detects Ruby on Rails servers vulnerable to object injection, remote command executions and denial of service attacks. (CVE-2013-0156)
Detects Ruby on Rails servers vulnerable to object injection, remote command
executions and denial of service attacks. (CVE-2013-0156)
All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 are vulnerable. This script
sends 3 harmless yaml payloads to detect vulnerable installations. If the malformed object receives a status 500 response, the server
is processing YAML objects and therefore is likely vulnerable.
All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before
3.1.10, and 3.2.x before 3.2.11 are vulnerable. This script sends 3 harmless
YAML payloads to detect vulnerable installations. If the malformed object
receives a status 500 response, the server is processing YAML objects and
therefore is likely vulnerable.
References:
* https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156',
* https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ',
* http://cvedetails.com/cve/2013-0156/
TODO:
* Add argument to exploit cmd exec vuln
]]
---
@@ -39,6 +39,9 @@ TODO:
-- @args http-vuln-cve2013-0156.uri Basepath URI (default: /).
---
-- TODO:
-- * Add argument to exploit cmd exec vuln
author = "Paulino Calderon <calderon@websec.mx>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"exploit","vuln"}

3
scripts/http-vuln-cve2014-2126.nse
View File

@@ -4,7 +4,8 @@ local vulns = require('vulns')
local sslcert = require('sslcert')
description = [[
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA ASDM Privilege Escalation Vulnerability (CVE-2014-2126).
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA ASDM
Privilege Escalation Vulnerability (CVE-2014-2126).
]]
---

3
scripts/http-vuln-cve2014-2127.nse
View File

@@ -4,7 +4,8 @@ local vulns = require('vulns')
local sslcert = require('sslcert')
description = [[
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Privilege Escalation Vulnerability (CVE-2014-2127).
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN
Privilege Escalation Vulnerability (CVE-2014-2127).
]]
---

3
scripts/http-vuln-cve2014-2128.nse
View File

@@ -4,7 +4,8 @@ local vulns = require('vulns')
local sslcert = require('sslcert')
description = [[
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability (CVE-2014-2128).
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN
Authentication Bypass Vulnerability (CVE-2014-2128).
]]
---

3
scripts/http-vuln-cve2014-2129.nse
View File

@@ -4,7 +4,8 @@ local vulns = require('vulns')
local sslcert = require('sslcert')
description = [[
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SIP Denial of Service Vulnerability (CVE-2014-2129).
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SIP
Denial of Service Vulnerability (CVE-2014-2129).
]]
---

49
scripts/http-waf-detect.nse
View File

@@ -5,26 +5,30 @@ local string = require "string"
local table = require "table"
description = [[
Attempts to determine whether a web server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or WAF (Web Application Firewall) by probing the web server with malicious payloads and detecting changes in the response code and body.
Attempts to determine whether a web server is protected by an IPS (Intrusion
Prevention System), IDS (Intrusion Detection System) or WAF (Web Application
Firewall) by probing the web server with malicious payloads and detecting
changes in the response code and body.
To do this the script will send a "good" request and record the response, afterwards it will match this response against new requests containing
malicious payloads. In theory, web applications shouldn't react to malicious requests because we are storing the payloads in a variable that is
not used by the script/file and only WAF/IDS/IPS should react to it.
If aggro mode is set, the script will try all attack vectors (More noisy)
To do this the script will send a "good" request and record the response,
afterwards it will match this response against new requests containing
malicious payloads. In theory, web applications shouldn't react to malicious
requests because we are storing the payloads in a variable that is not used by
the script/file and only WAF/IDS/IPS should react to it. If aggro mode is set,
the script will try all attack vectors (More noisy)
This script can detect numerous IDS, IPS, and WAF products since
they often protect web applications in the same way. But it
won't detect products which don't alter the http traffic.
Results can vary based on product configuration, but this script
has been tested to work against various configurations of the
This script can detect numerous IDS, IPS, and WAF products since they often
protect web applications in the same way. But it won't detect products which
don't alter the http traffic. Results can vary based on product configuration,
but this script has been tested to work against various configurations of the
following products:
* Apache ModSecurity
* Barracuda Web Application Firewall
* PHPIDS
* dotDefender
* Imperva Web Firewall
* Blue Coat SG 400
* Apache ModSecurity
* Barracuda Web Application Firewall
* PHPIDS
* dotDefender
* Imperva Web Firewall
* Blue Coat SG 400
]]
@@ -38,13 +42,12 @@ following products:
-- 80/tcp open http
-- |_http-waf-detect: IDS/IPS/WAF detected
--
-- @args http-waf-detect.uri Target URI. Use a path that does not redirect to a different page
-- @args http-waf-detect.aggro If aggro mode is set, the script will try all attack vectors to trigger the IDS/IPS/WAF
-- @args http-waf-detect.detectBodyChanges If set it also checks for changes in the document's body
--
-- Other useful args when running this script
-- http.useragent User Agent for HTTP requests
-- http.pipeline Number of requests sent in the single request
-- @args http-waf-detect.uri Target URI. Use a path that does not redirect to a
-- different page
-- @args http-waf-detect.aggro If aggro mode is set, the script will try all
-- attack vectors to trigger the IDS/IPS/WAF
-- @args http-waf-detect.detectBodyChanges If set it also checks for changes in
-- the document's body
author = "Paulino Calderon <calderon@websec.mx>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

9
scripts/http-webdav-scan.nse
View File

@@ -12,16 +12,17 @@ and allowed methods. It then sends a PROPFIND request and tries to fetch exposed
directories and internal ip addresses by doing pattern matching in the response body.
This script takes inspiration from the various scripts listed here:
*http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
*https://github.com/sussurro/Metasploit-Tools/blob/master/modules/auxiliary/scanner/http/webdav_test.rb
*http://code.google.com/p/davtest/
* http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
* https://github.com/sussurro/Metasploit-Tools/blob/master/modules/auxiliary/scanner/http/webdav_test.rb
* http://code.google.com/p/davtest/
]]
---
-- @usage
-- nmap --script http-webdav-scan -p80,8080 <target>
--
-- @args path The path to start in; eg, <code>"/web/"</code> will try <code>"/web/xxx"</code>.
-- @args http-webdav-scan.path The path to start in; e.g. <code>"/web/"</code>
-- will try <code>"/web/xxx"</code>.
--
-- @output
-- PORT STATE SERVICE

4
scripts/iax2-version.nse
View File

@@ -6,7 +6,9 @@ local string = require "string"
description = [[
Detects the UDP IAX2 service.
The script sends an Inter-Asterisk eXchange (IAX) Revision 2 Control Frame POKE request and checks for a proper response. This protocol is used to enable VoIP connections between servers as well as client-server communication.
The script sends an Inter-Asterisk eXchange (IAX) Revision 2 Control Frame POKE
request and checks for a proper response. This protocol is used to enable VoIP
connections between servers as well as client-server communication.
]]
---

6
scripts/ike-version.nse
View File

@@ -6,9 +6,9 @@ local ike = require "ike"
description=[[
Obtains information (such as vendor and device type where available) from an IKE service by sending four packets to the host. This scripts tests with both Main and Aggressive Mode and sends multiple transforms per request.
Obtains information (such as vendor and device type where available) from an
IKE service by sending four packets to the host. This scripts tests with both
Main and Aggressive Mode and sends multiple transforms per request.
]]

18
scripts/ipv6-ra-flood.nse
View File

@@ -6,8 +6,13 @@ local math = require "math"
local string = require "string"
local os = require "os"
description = [[ Generates a flood of Router Advertisements (RA) with random source MAC addresses and IPv6 prefixes. Computers, which have stateless autoconfiguration enabled by default (every major OS),
will start to compute IPv6 suffix and update their routing table to reflect the accepted announcement. This will cause 100% CPU usage on Windows and platforms, preventing to process other application requests.
description = [[
Generates a flood of Router Advertisements (RA) with random source MAC
addresses and IPv6 prefixes. Computers, which have stateless autoconfiguration
enabled by default (every major OS), will start to compute IPv6 suffix and
update their routing table to reflect the accepted announcement. This will
cause 100% CPU usage on Windows and platforms, preventing to process other
application requests.
Vulnerable platforms:
* All Cisco IOS ASA with firmware < November 2010
@@ -19,16 +24,17 @@ Vulnerable platforms:
Security advisory: http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt
WARNING: This script is dangerous and is very likely to bring down a server or network appliance.
It should not be run in a production environment unless you (and, more importantly,
the business) understand the risks!
WARNING: This script is dangerous and is very likely to bring down a server or
network appliance. It should not be run in a production environment unless you
(and, more importantly, the business) understand the risks!
Additional documents: https://tools.ietf.org/rfc/rfc6104.txt
]]
---
-- @args ipv6-ra-flood.interface defines interface we should broadcast on
-- @args ipv6-ra-flood.timeout runs the script until the timeout is reached (default: 30s). If timeout is zero, the script will run forever.
-- @args ipv6-ra-flood.timeout runs the script until the timeout is reached
-- (default: 30s). If timeout is zero, the script will run forever.
--
-- @usage
-- nmap -6 --script ipv6-ra-flood.nse

13
scripts/irc-unrealircd-backdoor.nse
View File

@@ -39,9 +39,16 @@ Reference:
]]
---
-- @args irc-unrealircd-backdoor.command An arbitrary command to run on the remote system (note, however, that you won't see the output of your command). This will always be attempted, even if the host isn't vulnerable. The pattern <code>%IP%</code> will be replaced with the ip address of the target host.
-- @args irc-unrealircd-backdoor.kill If set to <code>1</code> or <code>true</code>, kill the backdoored UnrealIRCd running.
-- @args irc-unrealircd-backdoor.wait Wait time in seconds before executing the check. This is recommended to set for more reliable check (100 is good value).
-- @args irc-unrealircd-backdoor.command An arbitrary command to run on the
-- remote system (note, however, that you won't see the output of your
-- command). This will always be attempted, even if the host isn't
-- vulnerable. The pattern <code>%IP%</code> will be replaced with the
-- ip address of the target host.
-- @args irc-unrealircd-backdoor.kill If set to <code>1</code> or
-- <code>true</code>, kill the backdoored UnrealIRCd running.
-- @args irc-unrealircd-backdoor.wait Wait time in seconds before executing the
-- check. This is recommended to set for more reliable check (100 is good
-- value).
--
-- @output
-- PORT STATE SERVICE

4
scripts/jdwp-inject.nse
View File

@@ -7,7 +7,9 @@ local shortport = require "shortport"
local string = require "string"
description = [[
Attempts to exploit java's remote debugging port. When remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script allows injection of arbitrary class files.
Attempts to exploit java's remote debugging port. When remote debugging port
is left open, it is possible to inject java bytecode and achieve remote code
execution. This script allows injection of arbitrary class files.
After injection, class' run() method is executed.
Method run() has no parameters, and is expected to return a string.

42
scripts/ldap-search.nse
View File

@@ -16,21 +16,35 @@ anonymous bind will be used as a last attempt.
]]
---
-- @args ldap.username If set, the script will attempt to perform an LDAP bind using the username and password
-- @args ldap.password If set, used together with the username to authenticate to the LDAP server
-- @args ldap.qfilter If set, specifies a quick filter. The library does not support parsing real LDAP filters.
-- The following values are valid for the filter parameter: computer, users, ad_dcs, custom or all. If no value is specified it defaults to all.
-- @args ldap.searchattrib When used with the 'custom' qfilter, this parameter works in conjunction with ldap.searchvalue to allow the user to specify a custom attribute and value as search criteria.
-- @args ldap.searchvalue When used with the 'custom' qfilter, this parameter works in conjunction with ldap.searchattrib to allow the user to specify a custom attribute and value as search criteria.
-- @args ldap.username If set, the script will attempt to perform an LDAP bind
-- using the username and password
-- @args ldap.password If set, used together with the username to authenticate
-- to the LDAP server
-- @args ldap.qfilter If set, specifies a quick filter. The library does not
-- support parsing real LDAP filters. The following values are valid for
-- the filter parameter: computer, users, ad_dcs, custom or all. If no
-- value is specified it defaults to all.
-- @args ldap.searchattrib When used with the 'custom' qfilter, this parameter
-- works in conjunction with ldap.searchvalue to allow the user to
-- specify a custom attribute and value as search criteria.
-- @args ldap.searchvalue When used with the 'custom' qfilter, this parameter
-- works in conjunction with ldap.searchattrib to allow the user to
-- specify a custom attribute and value as search criteria.
-- This parameter DOES PERMIT the use of the asterisk '*' as a wildcard.
-- @args ldap.base If set, the script will use it as a base for the search. By default the defaultNamingContext is retrieved and used.
-- If no defaultNamingContext is available the script iterates over the available namingContexts
-- @args ldap.attrib If set, the search will include only the attributes specified. For a single attribute a string value can be used, if
-- multiple attributes need to be supplied a table should be used instead.
-- @args ldap.maxobjects If set, overrides the number of objects returned by the script (default 20).
-- The value -1 removes the limit completely.
-- @args ldap.savesearch If set, the script will save the output to a file beginning with the specified path and name. The file suffix
-- of .CSV as well as the hostname and port will automatically be added based on the output type selected.
-- @args ldap.base If set, the script will use it as a base for the search. By
-- default the defaultNamingContext is retrieved and used. If no
-- defaultNamingContext is available the script iterates over the
-- available namingContexts
-- @args ldap.attrib If set, the search will include only the attributes
-- specified. For a single attribute a string value can be used, if
-- multiple attributes need to be supplied a table should be used
-- instead.
-- @args ldap.maxobjects If set, overrides the number of objects returned by
-- the script (default 20). The value -1 removes the limit completely.
-- @args ldap.savesearch If set, the script will save the output to a file
-- beginning with the specified path and name. The file suffix of .CSV
-- as well as the hostname and port will automatically be added based on
-- the output type selected.
--
-- @usage
-- nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,

2
scripts/llmnr-resolve.nse
View File

@@ -18,7 +18,7 @@ LLMNR responses that are sent to the local machine with a 5355 UDP source port.
A hostname to resolve must be provided.
For more information, see:
* http://technet.microsoft.com/en-us/library/bb878128.aspx
* http://technet.microsoft.com/en-us/library/bb878128.aspx
]]
---

14
scripts/metasploit-info.nse
View File

@@ -6,14 +6,14 @@ local http = require "http"
local bin = require "bin"
description = [[
Gathers info from the Metasploit rpc service.
It requires a valid login pair. After authentication it
tries to determine Metasploit version and deduce the OS type.
Then it creates a new console and executes few commands
to get additional info.
Gathers info from the Metasploit rpc service. It requires a valid login pair.
After authentication it tries to determine Metasploit version and deduce the OS
type. Then it creates a new console and executes few commands to get
additional info.
References:
* http://wiki.msgpack.org/display/MSGPACK/Format+specification
* https://community.rapid7.com/docs/DOC-1516 Metasploit RPC API Guide
* http://wiki.msgpack.org/display/MSGPACK/Format+specification
* https://community.rapid7.com/docs/DOC-1516 Metasploit RPC API Guide
]]
---

12
scripts/nexpose-brute.nse
View File

@@ -7,7 +7,13 @@ local stdnse = require "stdnse"
local openssl = stdnse.silent_require "openssl"
description=[[
Performs brute force password auditing against a Nexpose vulnerability scanner using the API 1.1. By default it only tries three guesses per username to avoid target account lockout.
Performs brute force password auditing against a Nexpose vulnerability scanner
using the API 1.1.
As the Nexpose application enforces account lockout after 4 incorrect login
attempts, the script performs only 3 guesses per default. This can be
altered by supplying the <code>brute.guesses</code> argument a different
value or 0 (zero) to guess the whole dictionary.
]]
---
@@ -23,10 +29,6 @@ Performs brute force password auditing against a Nexpose vulnerability scanner u
-- | Statistics
-- |_ Performed 5 guesses in 1 seconds, average tps: 5
--
-- As the Nexpose application enforces account lockout after 4 incorrect login
-- attempts, the script performs only 3 guesses per default. This can be
-- altered by supplying the <code>brute.guesses</code> argument a different
-- value or 0 (zero) to guess the whole dictionary.
author = "Vlatko Kosturjak"

3
scripts/nrpe-enum.nse
View File

@@ -10,7 +10,8 @@ local tab = require "tab"
-- vim: set filetype=lua :
description = [[
Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such as load averages, process counts, logged in user information, etc.
Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such
as load averages, process counts, logged in user information, etc.
This script attempts to execute the stock list of commands that are
enabled. User-supplied arguments are not supported.

18
scripts/path-mtu.nse
View File

@@ -10,22 +10,20 @@ local table = require "table"
description = [[
Performs simple Path MTU Discovery to target hosts.
TCP or UDP packets are sent to the host with the DF (don't fragment) bit
set and with varying amounts of data. If an ICMP Fragmentation Needed
is received, or no reply is received after retransmissions, the amount
of data is lowered and another packet is sent. This continues until
(assuming no errors occur) a reply from the final host is received,
indicating the packet reached the host without being fragmented.
TCP or UDP packets are sent to the host with the DF (don't fragment) bit set
and with varying amounts of data. If an ICMP Fragmentation Needed is received,
or no reply is received after retransmissions, the amount of data is lowered
and another packet is sent. This continues until (assuming no errors occur) a
reply from the final host is received, indicating the packet reached the host
without being fragmented.
Not all MTUs are attempted so as to not expend too much time or network
resources. Currently the relatively short list of MTUs to try contains
the plateau values from Table 7-1 in RFC 1191, "Path MTU Discovery".
Using these values significantly cuts down the MTU search space. On top
of that, this list is rarely traversed in whole because:
* the MTU of the outgoing interface is used as a starting point, and
* we can jump down the list when an intermediate router sending a
"can't fragment" message includes its next hop MTU (as described
in RFC 1191 and required by RFC 1812)
* the MTU of the outgoing interface is used as a starting point, and
* we can jump down the list when an intermediate router sending a "can't fragment" message includes its next hop MTU (as described in RFC 1191 and required by RFC 1812)
]]
---

16
scripts/qscan.nse
View File

@@ -33,11 +33,19 @@ for Nmap.
-- @usage
-- nmap --script qscan --script-args qscan.confidence=0.95,qscan.delay=200ms,qscan.numtrips=10 target
--
-- @args confidence Confidence level: <code>0.75</code>, <code>0.9</code>, <code>0.95</code>, <code>0.975</code>, <code>0.99</code>, <code>0.995</code>, or <code>0.9995</code>.
-- @args delay Average delay between packet sends. This is a number followed by <code>ms</code> for milliseconds or <code>s</code> for seconds. (<code>m</code> and <code>h</code> are also supported but are too long for timeouts.) The actual delay will randomly vary between 50% and 150% of the time specified. Default: <code>200ms</code>.
-- @args confidence Confidence level: <code>0.75</code>, <code>0.9</code>,
-- <code>0.95</code>, <code>0.975</code>, <code>0.99</code>,
-- <code>0.995</code>, or <code>0.9995</code>.
-- @args delay Average delay between packet sends. This is a number followed by
-- <code>ms</code> for milliseconds or <code>s</code> for seconds.
-- (<code>m</code> and <code>h</code> are also supported but are too long
-- for timeouts.) The actual delay will randomly vary between 50% and
-- 150% of the time specified. Default: <code>200ms</code>.
-- @args numtrips Number of round-trip times to try to get.
-- @args numopen Maximum number of open ports to probe (default 8). A negative number disables the limit.
-- @args numclosed Maximum number of closed ports to probe (default 1). A negative number disables the limit.
-- @args numopen Maximum number of open ports to probe (default 8). A negative
-- number disables the limit.
-- @args numclosed Maximum number of closed ports to probe (default 1). A
-- negative number disables the limit.
--
-- @output
-- | qscan:

4
scripts/reverse-index.nse
View File

@@ -3,7 +3,9 @@ local stdnse = require "stdnse"
local table = require "table"
description = [[
Creates a reverse index at the end of scan output showing which hosts run a particular service. This is in addition to Nmap's normal output listing the services on each host.
Creates a reverse index at the end of scan output showing which hosts run a
particular service. This is in addition to Nmap's normal output listing the
services on each host.
]]
---

4
scripts/rlogin-brute.nse
View File

@@ -6,7 +6,9 @@ local shortport = require "shortport"
local stdnse = require "stdnse"
description=[[
Performs brute force password auditing against the classic UNIX rlogin (remote login) service. This script must be run in privileged mode on UNIX because it must bind to a low source port number.
Performs brute force password auditing against the classic UNIX rlogin (remote
login) service. This script must be run in privileged mode on UNIX because it
must bind to a low source port number.
]]
---

4
scripts/rpcinfo.nse
View File

@@ -4,7 +4,9 @@ local stdnse = require "stdnse"
local table = require "table"
description = [[
Connects to portmapper and fetches a list of all registered programs. It then prints out a table including (for each program) the RPC program number, supported version numbers, port number and protocol, and program name.
Connects to portmapper and fetches a list of all registered programs. It then
prints out a table including (for each program) the RPC program number,
supported version numbers, port number and protocol, and program name.
]]
---

3
scripts/sip-brute.nse
View File

@@ -6,7 +6,8 @@ local sip = require "sip"
local stdnse = require "stdnse"
description = [[
Performs brute force password auditing against Session Initiation Protocol (SIP - http://en.wikipedia.org/wiki/Session_Initiation_Protocol) accounts. This protocol is most commonly associated with VoIP sessions.
Performs brute force password auditing against Session Initiation Protocol
(SIP) accounts. This protocol is most commonly associated with VoIP sessions.
]]
---

4
scripts/smb-enum-users.nse
View File

@@ -94,7 +94,9 @@ doesn't hurt to add more.
The names and details from both of these techniques are merged and displayed.
If the output is verbose, then extra details are shown. The output is ordered alphabetically.
Credit goes out to the <code>enum.exe</code>, <code>sid2user.exe</code>, and <code>user2sid.exe</code> programs for pioneering some of the techniques used in this script.
Credit goes out to the <code>enum.exe</code>, <code>sid2user.exe</code>, and
<code>user2sid.exe</code> programs for pioneering some of the techniques used
in this script.
]]
---

7
scripts/supermicro-ipmi-conf.nse
View File

@@ -1,7 +1,10 @@
description = [[
Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro Onboard IPMI controllers.
Attempts to download an unprotected configuration file containing plain-text
user credentials in vulnerable Supermicro Onboard IPMI controllers.
The script connects to port 49152 and issues a request for "/PSBlock" to download the file. This configuration file contains users with their passwords in plain text.
The script connects to port 49152 and issues a request for "/PSBlock" to
download the file. This configuration file contains users with their passwords
in plain text.
References:
* http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/

6
scripts/targets-ipv6-multicast-mld.nse
View File

@@ -9,7 +9,11 @@ local table = require "table"
local target = require "target"
description = [[
Attempts to discover available IPv6 hosts on the LAN by sending an MLD (multicast listener discovery) query to the link-local multicast address (ff02::1) and listening for any responses. The query's maximum response delay set to 0 to provoke hosts to respond immediately rather than waiting for other responses from their multicast group.
Attempts to discover available IPv6 hosts on the LAN by sending an MLD
(multicast listener discovery) query to the link-local multicast address
(ff02::1) and listening for any responses. The query's maximum response delay
set to 0 to provoke hosts to respond immediately rather than waiting for other
responses from their multicast group.
]]
---

8
scripts/targets-ipv6-multicast-slaac.nse
View File

@@ -149,7 +149,9 @@ local function single_interface_broadcast(if_nfo, results)
-- preferred_lifetime <= valid_lifetime.
-- Nmap will get the whole IPv6 addresses of each host if the two parameters are both longer than 5 seconds.
-- Sometimes it makes sense to regard the several addresses of a host as different hosts, as the host's administrator may apply different firewall configurations on them.
-- Sometimes it makes sense to regard the several addresses of a host as
-- different hosts, as the host's administrator may apply different firewall
-- configurations on them.
local valid_lifetime = 6
local preferred_lifetime = 6
@@ -191,7 +193,9 @@ local function single_interface_broadcast(if_nfo, results)
local ula_target_addr_str = ipOps.str_to_ip(reply.ns_target)
local identifier = get_identifier(reply.ns_target)
--Filter out the reduplicative identifiers.
--A host will send several NS packets with the same interface identifier if it receives several RA packets with different prefix during the discovery phase.
--A host will send several NS packets with the same interface
--identifier if it receives several RA packets with different prefix
--during the discovery phase.
local actual_addr_str = ipOps.str_to_ip(actual_prefix .. identifier)
if not results[actual_addr_str] then
if target.ALLOW_NEW_TARGETS then

4
scripts/targets-traceroute.nse
View File

@@ -3,7 +3,9 @@ local string = require "string"
local target = require "target"
description = [[
Inserts traceroute hops into the Nmap scanning queue. It only functions if Nmap's <code>--traceroute</code> option is used and the <code>newtargets</code> script argument is given.
Inserts traceroute hops into the Nmap scanning queue. It only functions if
Nmap's <code>--traceroute</code> option is used and the <code>newtargets</code>
script argument is given.
]]
---

6
scripts/telnet-encryption.nse
View File

@@ -4,7 +4,11 @@ local shortport = require "shortport"
local table = require "table"
description = [[
Determines whether the encryption option is supported on a remote telnet server. Some systems (including FreeBSD and the krb5 telnetd available in many Linux distributions) implement this option incorrectly, leading to a remote root vulnerability. This script currently only tests whether encryption is supported, not for that particular vulnerability.
Determines whether the encryption option is supported on a remote telnet
server. Some systems (including FreeBSD and the krb5 telnetd available in many
Linux distributions) implement this option incorrectly, leading to a remote
root vulnerability. This script currently only tests whether encryption is
supported, not for that particular vulnerability.
References:
* FreeBSD Advisory: http://lists.freebsd.org/pipermail/freebsd-announce/2011-December/001398.html

11
scripts/tls-nextprotoneg.nse
View File

@@ -6,13 +6,14 @@ local bin = require "bin"
local tls = require "tls"
description = [[
Enumerates a TLS server's supported protocols by using the next protocol negotiation extension.
Enumerates a TLS server's supported protocols by using the next protocol
negotiation extension.
This works by adding the next protocol negotiation extension in the client hello
packet and parsing the returned server hello's NPN extension data.
This works by adding the next protocol negotiation extension in the client
hello packet and parsing the returned server hello's NPN extension data.
For more information , see:
* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-03
For more information, see:
* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-03
]]
---

5
scripts/unusual-port.nse
View File

@@ -4,7 +4,10 @@ local shortport = require "shortport"
local stdnse = require "stdnse"
description = [[
Compares the detected service on a port against the expected service for that port number (e.g. ssh on 22, http on 80) and reports deviations. The script requires that a version scan has been run in order to be able to discover what service is actually running on each port.
Compares the detected service on a port against the expected service for that
port number (e.g. ssh on 22, http on 80) and reports deviations. The script
requires that a version scan has been run in order to be able to discover what
service is actually running on each port.
]]
---