From 536e00ea42d250cfb61c8c9760faab8dc4bf335a Mon Sep 17 00:00:00 2001
From: fyodor
Date: Wed, 29 Jun 2011 01:29:14 +0000
Subject: [PATCH] Went through all the new (since 5.51) scripts and improved (I hope) the nsedoc descriptions a bit and made some other very minor cleanups

---
 scripts/creds-summary.nse | 2 +-
 scripts/dns-brute.nse | 4 ++--
 scripts/dns-service-discovery.nse | 2 +-
 scripts/dpap-brute.nse | 2 +-
 scripts/http-affiliate-id.nse | 5 +++--
 scripts/http-barracuda-dir-traversal.nse | 13 ++++++++-----
 scripts/http-cakephp-version.nse | 2 +-
 scripts/http-majordomo2-dir-traversal.nse | 4 +++-
 scripts/http-wp-plugins.nse | 5 +++--
 scripts/ip-geolocation-geobytes.nse | 10 ++++++----
 scripts/ip-geolocation-geoplugin.nse | 5 +++--
 scripts/ip-geolocation-ipinfodb.nse | 9 ++++++---
 scripts/ip-geolocation-maxmind.nse | 9 +++++----
 scripts/ip-geolocation-quova.nse | 6 ++++--
 scripts/ldap-novell-getpass.nse | 4 +++-
 scripts/mac-geolocation.nse | 10 +++++-----
 scripts/mysql-audit.nse | 4 +++-
 scripts/ncp-enum-users.nse | 2 +-
 scripts/ncp-serverinfo.nse | 3 ++-
 scripts/nping-brute.nse | 2 +-
 scripts/omp2-enum-targets.nse | 2 +-
 scripts/ovs-agent-version.nse | 3 ++-
 scripts/quake3-master-getservers.nse | 2 +-
 scripts/servicetags.nse | 2 +-
 scripts/sip-brute.nse | 2 +-
 scripts/sip-enum-users.nse | 6 ++++--
 scripts/smtp-vuln-cve2011-1720.nse | 6 ++++--
 scripts/snmp-ios-config.nse | 2 +-
 scripts/ssl-known-key.nse | 12 +++++++-----
 scripts/targets-sniffer.nse | 9 +++++----
 scripts/xmpp.nse | 2 +-
 31 files changed, 90 insertions(+), 61 deletions(-)

diff --git a/scripts/creds-summary.nse b/scripts/creds-summary.nse
index 92fea36e5..c72a91cba 100644
--- a/scripts/creds-summary.nse
+++ b/scripts/creds-summary.nse
@@ -1,5 +1,5 @@
 description = [[
-Lists all discovered credentials at end of scan
+Lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan
 ]]
 
 ---
diff --git a/scripts/dns-brute.nse b/scripts/dns-brute.nse
index c9112a932..fb8891845 100644
--- a/scripts/dns-brute.nse
+++ b/scripts/dns-brute.nse
@@ -1,5 +1,5 @@
 description = [[
-Attempts to enumerate DNS hostnames by brute force guessing.
+Attempts to enumerate DNS hostnames by brute force guessing of common subdomains.
 ]]
 
 -- 2011-01-26
@@ -22,7 +22,7 @@ Attempts to enumerate DNS hostnames by brute force guessing.
 -- | ns1.foo.com - 127.0.0.4
 -- |_ admin.foo.com - 127.0.0.5
 
-author = "cirrus"
+author = "Cirrus"
 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
diff --git a/scripts/dns-service-discovery.nse b/scripts/dns-service-discovery.nse
index b69859c62..15301c651 100644
--- a/scripts/dns-service-discovery.nse
+++ b/scripts/dns-service-discovery.nse
@@ -1,5 +1,5 @@
 description=[[
-Attempts to discover a hosts services using the DNS Service Discovery protocol.
+Attempts to discover target hosts' services using the DNS Service Discovery protocol.
 
 The script first sends a query for _services._dns-sd._udp.local to get a
 list of services. It then sends a followup query for each one to try to
diff --git a/scripts/dpap-brute.nse b/scripts/dpap-brute.nse
index 38a5314e2..ff7949c64 100644
--- a/scripts/dpap-brute.nse
+++ b/scripts/dpap-brute.nse
@@ -1,5 +1,5 @@
 description = [[
-Performs password guessing against an iPhoto Library
+Performs brute force password auditing against an iPhoto Library.
 ]]
 
diff --git a/scripts/http-affiliate-id.nse b/scripts/http-affiliate-id.nse
index 4780f7bd4..235a4fb5c 100644
--- a/scripts/http-affiliate-id.nse
+++ b/scripts/http-affiliate-id.nse
@@ -1,6 +1,7 @@
 description = [[
-Grabs affiliate network IDs from an HTML page. These can be used to
-identify pages with the same owner.
+Grabs affiliate network IDs (e.g. Google AdSense or Analytics, Amazon
+Associates, etc.) from a web page. These can be used to identify pages
+with the same owner.
 
 If there is more than one target using an ID, the postrule of this script
 shows the ID along with a list of the targets using it.
diff --git a/scripts/http-barracuda-dir-traversal.nse b/scripts/http-barracuda-dir-traversal.nse
index cd4b8c4c9..f31c348ea 100644
--- a/scripts/http-barracuda-dir-traversal.nse
+++ b/scripts/http-barracuda-dir-traversal.nse
@@ -1,10 +1,13 @@
 description = [[
-Attempts to retrieve the configuration settings from the MySQL database
-dump on a Barracuda Networks Spam & Virus Firewall device using the
-directory traversal vulnerability in the "locale" parameter of
-"/cgi-mod/view_help.cgi" or "/cgi-bin/view_help.cgi".
+Attempts to retrieve the configuration settings from a Barracuda
+Networks Spam & Virus Firewall device using the directory traversal
+vulnerability described at
+http://seclists.org/fulldisclosure/2010/Oct/119.
 
-The web administration interface runs on port 8000 by default.
+This vulnerability is in the "locale" parameter of
+"/cgi-mod/view_help.cgi" or "/cgi-bin/view_help.cgi", allowing the
+information to be retrieved from a MySQL database dump. The web
+administration interface runs on port 8000 by default.
 
 Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 Remote Configuration Retrieval
 Original exploit by ShadowHatesYou
diff --git a/scripts/http-cakephp-version.nse b/scripts/http-cakephp-version.nse
index aa7a7001b..426d6fce4 100644
--- a/scripts/http-cakephp-version.nse
+++ b/scripts/http-cakephp-version.nse
@@ -1,5 +1,5 @@
 description = [[
-Obtains the CakePHP version of a web application built with the CakePHP framework. This script depends on default files shipped with the CakePHP framework.
+Obtains the CakePHP version of a web application built with the CakePHP framework by fingerprinting default files shipped with the CakePHP framework.
 
 This script queries the files 'vendors.php', 'cake.generic.css', 'cake.icon.png' and 'cake.icon.gif' to try to obtain the version of the CakePHP installation.
 Since installations that had been upgraded are prone to false positives due to old files that aren't removed, the script displays 3 different versions:
diff --git a/scripts/http-majordomo2-dir-traversal.nse b/scripts/http-majordomo2-dir-traversal.nse
index 6b026ef3f..9af3a2fa9 100644
--- a/scripts/http-majordomo2-dir-traversal.nse
+++ b/scripts/http-majordomo2-dir-traversal.nse
@@ -1,5 +1,7 @@
 description = [[
-Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049).
+Exploits a directory traversal vulnerability existing in the
+Majordomo2 mailing list manager to retrieve remote
+files. (CVE-2011-0049).
 
 Vulnerability originally discovered by Michael Brooks.
 
diff --git a/scripts/http-wp-plugins.nse b/scripts/http-wp-plugins.nse
index 8712bb05d..8feea6f84 100644
--- a/scripts/http-wp-plugins.nse
+++ b/scripts/http-wp-plugins.nse
@@ -1,5 +1,6 @@
 description = [[
-Tries to give a list of installed WordPress plugins.
+Tries to obtain a list of installed WordPress plugins by brute force
+testing for known plugins.
 
 The script will brute force the /wp-content/plugins/ folder with a dictionnary
 of 14K (and counting) known WP plugins. Anything but a 404 means that a given
@@ -31,7 +32,7 @@ check the first 100 ones. Users can tweak this with an option (see below).
 -- | stats
 -- |_ wp-to-twitter
 
-author = "Ange Gutek "
+author = "Ange Gutek"
 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
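Review bot: The context line `The script will brute force the /wp-content/plugins/ folder with a dictionnary` still carries the misspelling `dictionnary` on the new side, right under the sentence this commit rewrote; since the commit's purpose is cleaning up these descriptions it should be corrected here (`with a dictionary`). The new first sentence also repeats "brute force" with the very next paragraph, so `Tries to obtain a list of installed WordPress plugins by testing for known plugins.` would read tighter. The rest of the description block lies outside this hunk.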
diff --git a/scripts/ip-geolocation-geobytes.nse b/scripts/ip-geolocation-geobytes.nse
index e7cc295e9..946733556 100755
--- a/scripts/ip-geolocation-geobytes.nse
+++ b/scripts/ip-geolocation-geobytes.nse
@@ -1,8 +1,10 @@
 description = [[
-This script looks up the host's IP address using the Geobytes geolocation web
-service. The limit of lookups using this service is 20 requests per hour. Once
-the limit is reached, an nmap.registry["ip-geolocation-geobytes"].blocked
-boolean is set so no further requests are made during a scan.
+Tries to identify the physical location of an IP address using the
+Geobytes geolocation web service
+(http://www.geobytes.com/iplocator.htm). The limit of lookups using
+this service is 20 requests per hour. Once the limit is reached, an
+nmap.registry["ip-geolocation-geobytes"].blocked boolean is set so no
+further requests are made during a scan.
 ]]
 
 ---
diff --git a/scripts/ip-geolocation-geoplugin.nse b/scripts/ip-geolocation-geoplugin.nse
index b9a8caa44..7f49b269c 100755
--- a/scripts/ip-geolocation-geoplugin.nse
+++ b/scripts/ip-geolocation-geoplugin.nse
@@ -1,6 +1,7 @@
 description = [[
-This script looks up the host's IP address using the Geoplugin geolocation web
-service. There is no limit on lookups using this service.
+Tries to identify the physical location of an IP address using the
+Geoplugin geolocation web service (http://www.geoplugin.com/). There
+is no limit on lookups using this service.
 ]]
 
 ---
diff --git a/scripts/ip-geolocation-ipinfodb.nse b/scripts/ip-geolocation-ipinfodb.nse
index 53aa97849..c1f3aaf2a 100755
--- a/scripts/ip-geolocation-ipinfodb.nse
+++ b/scripts/ip-geolocation-ipinfodb.nse
@@ -1,7 +1,10 @@
 description = [[
-This script looks up the host's IP address using the IPInfoDB geolocation web
-service. There is no limit on requests to this service. However, the API key
-used is obtained through a free registration with the service.
+Tries to identify the physical location of an IP address using the
+IPInfoDB geolocation web service
+(http://ipinfodb.com/ip_location_api.php).
+
+There is no limit on requests to this service. However, the API key
+used was obtained through a free registration with the service.
 ]]
 
 ---
diff --git a/scripts/ip-geolocation-maxmind.nse b/scripts/ip-geolocation-maxmind.nse
index 23486e6b7..1838c59d6 100755
--- a/scripts/ip-geolocation-maxmind.nse
+++ b/scripts/ip-geolocation-maxmind.nse
@@ -1,8 +1,9 @@
 description = [[
-Geolocation lookup by IP address in a Maxmind database. This script supports
-queries using all Maxmind databases that are supported by their API including
-the commercial ones. The databases can be obtained at:
-http://www.maxmind.com/app/ip-location
+Tries to identify the physical location of an IP address using a
+Geolocation Maxmind database file (available from
+http://www.maxmind.com/app/ip-location). This script supports queries
+using all Maxmind databases that are supported by their API including
+the commercial ones.
 ]]
 
 ---
diff --git a/scripts/ip-geolocation-quova.nse b/scripts/ip-geolocation-quova.nse
index 693e2634d..96d03697d 100755
--- a/scripts/ip-geolocation-quova.nse
+++ b/scripts/ip-geolocation-quova.nse
@@ -1,6 +1,8 @@
 description = [[
-This script looks up the host's IP address using the Quova geolocation web
-service. It uses three API keys obtained through a free registration. The limit
+Tries to identify the physical location of an IP address using the
+Quova geolocation web service (http://www.quova.com/).
+
+It uses three API keys obtained through a free registration. The limit
 on lookups is 1000 per API key per day, and 2 per API key per second.
 ]]
 
diff --git a/scripts/ldap-novell-getpass.nse b/scripts/ldap-novell-getpass.nse
index 760804e06..f2f5c416e 100644
--- a/scripts/ldap-novell-getpass.nse
+++ b/scripts/ldap-novell-getpass.nse
@@ -1,5 +1,7 @@
 description = [[
-Attempts to retrieve the Novell Universal Password for a user.
+Attempts to retrieve the Novell Universal Password for a user. You
+must already have (and include in script arguments) the username and password for an eDirectory server
+administrative account.
 ]]
 
 ---
diff --git a/scripts/mac-geolocation.nse b/scripts/mac-geolocation.nse
index e797bb1fa..e95cbf602 100644
--- a/scripts/mac-geolocation.nse
+++ b/scripts/mac-geolocation.nse
@@ -1,9 +1,9 @@
 description = [[
 Looks up geolocation information for BSSID (MAC) addresses of WiFi access
 points in the Google geolocation database. Geolocation information in this databasea
-usually includes information including coordinates, country, state, city,
-street address etc. The MAC addresses can be supplied as an argument
-macs, or in the registry under
+usually includes coordinates, country, state, city,
+street address, etc. The MAC addresses can be supplied as an argument
+mac-geolocation.macs, or in the registry under
 nmap.registry.[host.ip][mac-geolocation].
 ]]
 
@@ -11,8 +11,8 @@ street address etc. The MAC addresses can be supplied as an argument
 -- @usage
 -- nmap --script mac-geolocation --script-args 'mac-geolocation.macs="00:24:B2:1E:24:FE,00:23:69:2A:B1:27"'
 --
--- @arg macs a list of MAC addresses separated by "," for which to do a geolocation lookup
--- @arg extra_info include additional information in the output such as lookup accuracy, street address etc.
+-- @arg mac-geolocation.macs a list of MAC addresses separated by "," for which to do a geolocation lookup
+-- @arg mac-geolocation.extra_info include additional information in the output such as lookup accuracy, street address etc.
 --
 -- @output Location info arranged by MAC and geolocation database
 -- | mac-geolocation:
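Review bot: The added text says an eDirectory administrative username and password must be supplied as script arguments but never names the arguments; the `@args` entries for this file sit outside the hunk, so the description should at least point at them (e.g. "see the ldap-novell-getpass.* script arguments"). Because these are privileged directory credentials placed on the nmap command line, and the result is a user's plaintext Universal Password, a one-line caveat that both are exposed in process listings, shell history and saved scan output would be a useful addition for operators. The middle added line also runs well past the 70-column wrapping used by the lines around it; re-wrap as `must already have (and include in script arguments) the username and` / `password for an eDirectory server administrative account.`.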
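Review bot: The context line `points in the Google geolocation database. Geolocation information in this databasea` keeps the typo `databasea` on the new side even though the sentences immediately after it were rewritten by this commit; it should become `Geolocation information in this database` while the block is being cleaned up. The `@arg` renames in the second hunk now agree with the `mac-geolocation.macs` name used in the `@usage` line and in the new description text, so the argument names are at least consistent within what is visible here.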
diff --git a/scripts/mysql-audit.nse b/scripts/mysql-audit.nse
index 6c0de00fe..1c212438f 100644
--- a/scripts/mysql-audit.nse
+++ b/scripts/mysql-audit.nse
@@ -1,5 +1,7 @@
 description = [[
-Audit MySQL database server
+Audit MySQL database server security configuration against parts of
+the CIS MySQL v1.0.2 benchmark (the engine can be used for other MySQL
+audits by creating appropriate audit files).
 ]]
 
 
diff --git a/scripts/ncp-enum-users.nse b/scripts/ncp-enum-users.nse
index d07dfe7d8..9cf9401b1 100644
--- a/scripts/ncp-enum-users.nse
+++ b/scripts/ncp-enum-users.nse
@@ -1,5 +1,5 @@
 description = [[
-Retrieves a list of all eDirectory users from the NCP service
+Retrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service.
 ]]
 
 ---
diff --git a/scripts/ncp-serverinfo.nse b/scripts/ncp-serverinfo.nse
index f299eb3ee..96cd64ef6 100644
--- a/scripts/ncp-serverinfo.nse
+++ b/scripts/ncp-serverinfo.nse
@@ -1,5 +1,6 @@
 description = [[
-Gets NCP Server Information
+Retrieves eDirectory server information (OS version, server name,
+mounts, etc.) from the Novell NetWare Core Protocol (NCP) service.
 ]]
 
 ---
diff --git a/scripts/nping-brute.nse b/scripts/nping-brute.nse
index 96e5c21e3..be0acef51 100644
--- a/scripts/nping-brute.nse
+++ b/scripts/nping-brute.nse
@@ -1,5 +1,5 @@
 description = [[
-Performs brute force password auditing against the Nping Echo service.
+Performs brute force password auditing against an Nping Echo service.
 
 See http://nmap.org/book/nping-man-echo-mode.html for Echo Mode documentation.
 
diff --git a/scripts/omp2-enum-targets.nse b/scripts/omp2-enum-targets.nse
index fd0ff4774..eb8ebbd33 100644
--- a/scripts/omp2-enum-targets.nse
+++ b/scripts/omp2-enum-targets.nse
@@ -1,5 +1,5 @@
 description = [[
-Attempts to get the list of targets from an OpenVAS Manager server.
+Attempts to retrieve the list of target systems and networks from an OpenVAS Manager server.
 
 The script authenticates on the manager using provided or previously cracked
 credentials and gets the list of defined targets for each account.
diff --git a/scripts/ovs-agent-version.nse b/scripts/ovs-agent-version.nse
index e567de24e..36b0242d4 100644
--- a/scripts/ovs-agent-version.nse
+++ b/scripts/ovs-agent-version.nse
@@ -1,5 +1,6 @@
 description = [[
-Detects the version of an OVSAgentServer.
+Detects the version of an Oracle OVSAgentServer by fingerprinting
+responses to an HTTP GET request and an XML-RPC method call.
 
 Version 2.2 of OVSAgentServer returns a distinctive string in response to an
 HTTP GET request. However version 3.0 returns a generic response that looks like
diff --git a/scripts/quake3-master-getservers.nse b/scripts/quake3-master-getservers.nse
index 3a16bec68..545957e33 100644
--- a/scripts/quake3-master-getservers.nse
+++ b/scripts/quake3-master-getservers.nse
@@ -1,5 +1,5 @@
 description = [[
-Queries Quake 3 styled master servers for game servers.
+Queries Quake3-style master servers for game servers (many games other than Quake 3 use this same protocol).
 ]]
 
 ---
diff --git a/scripts/servicetags.nse b/scripts/servicetags.nse
index 38b7c9519..cd374bd45 100644
--- a/scripts/servicetags.nse
+++ b/scripts/servicetags.nse
@@ -1,5 +1,5 @@
 description = [[
-Attempts to extract system information from the Service Tags.
+Attempts to extract system information (OS, hardware, etc.) from the Sun Service Tags service (UDP port 6481).
 
 Based on protocol specs from
 http://arc.opensolaris.org/caselog/PSARC/2006/638/stdiscover_protocolv2.pdf
diff --git a/scripts/sip-brute.nse b/scripts/sip-brute.nse
index 4e7280afb..423ba1076 100755
--- a/scripts/sip-brute.nse
+++ b/scripts/sip-brute.nse
@@ -1,5 +1,5 @@
 description = [[
-Attempts to brute-force SIP accounts
+Performs brute force password auditing against Session Initiation Protocol (SIP - http://en.wikipedia.org/wiki/Session_Initiation_Protocol) accounts. This protocol is most commonly associated with VoIP sessions.
 ]]
 
 ---
diff --git a/scripts/sip-enum-users.nse b/scripts/sip-enum-users.nse
index c10fb3d38..985b91179 100644
--- a/scripts/sip-enum-users.nse
+++ b/scripts/sip-enum-users.nse
@@ -1,6 +1,8 @@
 description = [[
-Attempts to enumerate valid user account using SIP. Currently only the SIP
-server Asterisk is supported.
+Attempts to enumerate valid user account using SIP (Session Initiation
+Protocol - http://en.wikipedia.org/wiki/Session_Initiation_Protocol).
+This protocol is most commonly associated with VoIP
+sessions. Currently only the SIP server Asterisk is supported.
 
 * Asterisk - The script enumerates valid accounts by checking the SIP servers response
 
diff --git a/scripts/smtp-vuln-cve2011-1720.nse b/scripts/smtp-vuln-cve2011-1720.nse
index fb4539b00..356485e3e 100644
--- a/scripts/smtp-vuln-cve2011-1720.nse
+++ b/scripts/smtp-vuln-cve2011-1720.nse
@@ -1,6 +1,8 @@
 description = [[
-Checks for a Memory corruption in the Postfix SMTP server when it uses
-Cyrus SASL library authentication mechanisms (CVE-2011-1720).
+Checks for a memory corruption in the Postfix SMTP server when it uses
+Cyrus SASL library authentication mechanisms (CVE-2011-1720). This
+vulnerability can allow denial of service and possibly remote code
+execution.
 
 Reference:
 * http://www.postfix.org/CVE-2011-1720.html
diff --git a/scripts/snmp-ios-config.nse b/scripts/snmp-ios-config.nse
index 34d91fbf0..6336e4a1b 100644
--- a/scripts/snmp-ios-config.nse
+++ b/scripts/snmp-ios-config.nse
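Review bot: The rewritten first line keeps the old singular, `Attempts to enumerate valid user account using SIP`, where `valid user accounts` is meant. The wrapping of the added block is also uneven — `This protocol is most commonly associated with VoIP` breaks before `sessions.` — so joining into `This protocol is most commonly associated with VoIP sessions.` / `Currently only the SIP server Asterisk is supported.` reads better and keeps each sentence on its own line. The unchanged context line `checking the SIP servers response` wants an apostrophe (`server's`) while the block is being cleaned up.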
@@ -1,5 +1,5 @@
 description = [[
-Download IOS configuration using SNMP RW (v1) and displays the result or saves it to a file.
+Attempts to downloads Cisco router IOS configuration files using SNMP RW (v1) and display or save them.
 ]]
 
 ---
diff --git a/scripts/ssl-known-key.nse b/scripts/ssl-known-key.nse
index f83c86fbc..b83cac920 100644
--- a/scripts/ssl-known-key.nse
+++ b/scripts/ssl-known-key.nse
@@ -2,12 +2,14 @@
 -- vim: set filetype=lua :
 
 description = [[
-This script checks whether the SSL certificate used by a host has a fingerprint
-that matches the ones in a database.
+Checks whether the SSL certificate used by a host has a fingerprint
+that matches the ones in database of problematic keys.
 
-The database checked is currently from LittleBlackBox 0.1, but any file of
-fingerprints will serve just as well. One suggestion is the list of the weak
-Debian OpenSSL keys.
+The only database currently checked the LittleBlackBox 0.1 database of
+comprimised keys from various devices, but any file of fingerprints
+will serve just as well. For example, this could be used to find weak
+Debian OpenSSL keys using the widely available (but too large to
+include with Nmap) list.
 ]]
 
 ---
diff --git a/scripts/targets-sniffer.nse b/scripts/targets-sniffer.nse
index 71242a5b8..c78716c9d 100644
--- a/scripts/targets-sniffer.nse
+++ b/scripts/targets-sniffer.nse
@@ -2,9 +2,10 @@
 -- vim: set filetype=lua :
 
 description = [[
-Sniffs the local network for a configurable amount of time and prints
-discovered addresses. If newtargets is true, adds the addresses to
-the queue to be scanned.
+Sniffs the local network for a configurable amount of time (10 seconds
+by default) and prints discovered addresses. If the
+newtargets script argument is set, discovered addresses
+are added to the scan queue.
 
 Requires root privileges. Either the targets-sniffer.iface script
 argument or -e Nmap option to define which interface to use.
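Review bot: The new line `Attempts to downloads Cisco router IOS configuration files using SNMP RW (v1) and display or save them.` introduces a grammar slip (`to downloads`); it should read `Attempts to download Cisco router IOS configuration files using SNMP RW (v1) and display or save them.` Since the script's stated purpose is to pull a device's configuration and optionally write it to disk, this description is also where an operator would look for a reminder that the retrieved file is the router's configuration — which, on Cisco IOS, typically carries community strings and password hashes — and should be stored and shared as sensitive output; the arguments controlling the save path are outside this hunk, so I cannot check whether they already say so.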
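Review bot: Three of the added lines have wording errors: `comprimised` should be `compromised`, `that matches the ones in database of problematic keys` is missing an article (`in a database of`), and `The only database currently checked the LittleBlackBox 0.1 database of` is missing its verb (`The only database currently checked is the LittleBlackBox 0.1 database of`). The description would also serve users better if it stated the consequence of a match in one sentence — a certificate whose key is in such a list provides no confidentiality or authenticity, because the private key is publicly known — rather than only calling the keys "problematic"; the LittleBlackBox and weak-Debian-key wording already supports that claim. The `@args` and `@output` sections for this script are outside the hunk.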
@@ -27,7 +28,7 @@ argument or -e Nmap option to define which interface to use.
 -- Thanks to everyone for the feedback and especially Henri Doreau for his detailed feedback and suggestions
 
-author = "Nick Nikolaou "
+author = "Nick Nikolaou"
 
 categories = {"broadcast", "discovery"}
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
diff --git a/scripts/xmpp.nse b/scripts/xmpp.nse
index 548aa2fc7..ff0af5703 100644
--- a/scripts/xmpp.nse
+++ b/scripts/xmpp.nse
@@ -1,5 +1,5 @@
 description = [[
-Connect to XMPP server (port 5222) and collect server information such as:
+Connects to an XMPP server (port 5222) and collects server information such as
 supported auth mechanisms, compression methods and whether TLS is supported
 and mandatory.
 ]]