mirror of https://github.com/nmap/nmap.git synced 2026-01-05 22:19:03 +00:00

Add a section to the TODO containing descriptions of all 85 (wow!) new scripts since Nmap 6.01

fyodor
2012-11-15 23:06:21 +00:00
parent f13353a610
commit 5f5d246620

371
CHANGELOG

@@ -1,5 +1,7 @@
# Nmap Changelog ($Id$); -*-text-*-
o Add summer of code results.
o [Ncat] Use the fallback nsock engine by default in order to maximize
compatibility between systems and use cases. [Henri Doreau]
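
Review bot: "o Add summer of code results." reads as a reminder to the maintainers rather than a changelog entry, and nothing in the line marks it as such. If it is meant as a TODO (the commit title calls this a TODO section), say so in the line itself so it is not mistaken for release text; otherwise expand it into the actual summer-of-code items before the next release.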
@@ -32,6 +34,375 @@ o Fixed a bug that caused an incorrect source address to be set when
Thanks to Robert Washam and Jorge Hernandez for reports and help
debugging. [David Fifield]
o [NSE] Added 85(!) NSE scripts, bringing the total up to 433. They
are all listed at http://nmap.org/nsedoc/, and the summaries are
below (authors are listed in brackets):
+ ajp-auth retrieves the authentication scheme and realm of an AJP
service (Apache JServ Protocol) that requires authentication. The
Apache JServ Protocol is commonly used by web servers to
communicate with back-end Java application server
containers. [Patrik Karlsson]
+ ajp-brute performs brute force passwords auditing against the
Apache JServ protocol. [Patrik Karlsson]
+ ajp-headers performs a HEAD or GET request against either the root
directory or any optional directory of an Apache JServe Protocol
server and returns the server response headers. [Patrik Karlsson]
+ ajp-methods discovers which options are supported by the AJP
(Apache JServ Protocol) server by sending an OPTIONS request and
lists potentially risky methods. [Patrik Karlsson]
+ ajp-request requests a URI over the Apache JServe Protocol and
displays the result (or stores it in a file). Different AJP
methods such as; GET, HEAD, TRACE, PUT or DELETE may be
used. [Patrik Karlsson]
+ bjnp-discover retrievs printer or scanner information from a
remote device supporting the BJNP protocol. The protocol is known
to be supported by network based Canon devices. [Patrik Karlsson]
+ broadcast-ataoe-discover discovers servers supporting the ATA over
Ethernet protocol. ATA over Ethernet is an ethernet protocol
developed by the Brantley Coile Company and allows for simple,
high-performance access to SATA drives over Ethernet. [Patrik
Karlsson]
+ broadcast-bjnp-discover attempts to discover Canon devices
(Printers/Scanners) supporting the BJNP protocol by sending BJNP
Discover requests to the network broadcast address for both ports
associated with the protocol. [Patrik Karlsson]
+ broadcast-eigrp-discovery performs network discovery and routing
information gathering through Cisco's EIGRP protocol. [Hani
Benhabiles]
+ broadcast-igmp-discovery discovers targets that have IGMP
Multicast memberships and grabs interesting information. [Hani
Benhabiles]
+ broadcast-pim-discovery discovers routers that are running PIM
(Protocol Independant Multicast). [Hani Benhabiles]
+ broadcast-tellstick-discover discovers Telldus Technologies
TellStickNet devices on the LAN. The Telldus TellStick is used to
wirelessly control electric devices such as lights, dimmers and
electric outlets. [Patrik Karlsson]
+ cassandra-brute performs brute force password auditing against the
Cassandra database. [Vlatko Kosturjak]
+ cassandra-info attempts to get basic info and server status from a
Cassandra database. [Vlatko Kosturjak]
+ cups-info lists printers managed by the CUPS printing
service. [Patrik Karlsson]
+ cups-queue-info Lists currently queued print jobs of the remote
CUPS service grouped by printer. [Patrik Karlsson]
+ dict-info Connects to a dictionary server using the DICT protocol,
runs the SHOW SERVER command, and displays the result. [Patrik
Karlsson]
+ distcc-cve2004-2687 detects and exploits a remote code execution
vulnerability in the distributed compiler daemon distcc. [Patrik
Karlsson]
+ dns-check-zone checks DNS zone configuration against best
practices, including RFC 1912. The configuration checks are
divided into categories which each have a number of different
tests. [Patrik Karlsson]
+ dns-ip6-arpa-scan performs a quick reverse DNS lookup of an IPv6
network using a technique which analyzes DNS server response codes
to dramatically reduce the number of queries needed to enumerate
large networks. [Patrik Karlsson]
+ dns-nsec3-enum tries to enumerate domain names from the DNS server
that supports DNSSEC NSEC3 records. [Aleksandar Nikolic, John
Bond]
+ eppc-enum-processes attempts to enumerate process info over the
Apple Remote Event protocol. When accessing an application over
the Apple Remote Event protocol the service responds with the uid
and pid of the application, if it is running, prior to requesting
authentication. [Patrik Karlsson]
+ firewall-bypass detects a vulnerability in netfilter and other
firewalls that use helpers to dynamically open ports for protocols
such as ftp and sip. [Hani Benhabiles]
+ flume-master-info retrieves information from Flume master HTTP
pages. [John R. Bond]
+ gkrellm-info queries a GKRellM service for monitoring
information. A single round of collection is made, showing a
snapshot of information at the time of the request. [Patrik
Karlsson]
+ gpsd-info retrieves GPS time, coordinates and speed from the GPSD
network daemon. [Patrik Karlsson]
+ hostmap-robtex discovers hostnames that resolve to the target's IP
address by querying the Robtex service at
http://www.robtex.com/dns/. [Arturo Busleiman]
+ http-drupal-enum-users enumerates Drupal users by exploiting a an
information disclosure vulnerability in Views, Drupal's most
popular module. [Hani Benhabiles]
+ http-drupal-modules enumerates the installed Drupal modules by
using a list of known modules. [Hani Benhabiles]
+ http-exif-spider spiders a site's images looking for interesting
exif data embedded in .jpg files. Displays the make and model of
the camera, the date the photo was taken, and the embedded geotag
information. [Ron Bowes]
+ http-form-fuzzer performs a simple form fuzzing against forms
found on websites. Tries strings and numbers of increasing length
and attempts to determine if the fuzzing was successful. [Piotr
Olma]
+ http-frontpage-login checks whether target machines are vulnerable
to anonymous Frontpage login. [Aleksandar Nikolic]
+ http-git checks for a Git repository found in a website's document
root (/.git/<something>) then retrieves as much repo
information as possible, including language/framework, Github
username, last commit message, and repository description. [Alex
Weber]
+ http-gitweb-projects-enum retrieves a list of Git projects, owners
and descriptions from a gitweb (web interface to the Git revision
control system). [riemann]
+ http-huawei-hg5xx-vuln detects Huawei modems models HG530x,
HG520x, HG510x (and possibly others...) vulnerable to a remote
credential and information disclosure vulnerability. It also
extracts the PPPoE credentials and other interesting configuration
values. [Paulino Calderon]
+ http-icloud-findmyiphone retrieves the locations of all "Find my
iPhone" enabled iOS devices by querying the MobileMe web service
(authentication required). [Patrik Karlsson]
+ http-icloud-sendmsg sends a message to a iOS device throught the
Apple MobileMe web service. The device has to be registered with
an Apple ID using the Find My Iphone application. [Patrik
Karlsson]
+ http-phpself-xss crawls a web server and attempts to find PHP
files vulnerable to reflected cross site scripting via the
variable $_SERVER["PHP_SELF"]. [Paulino Calderon]
+ http-rfi-spider crawls webservers in search of RFI (remote file
inclusion) vulnerabilities. It tests every form field it finds and
every parameter of a URL containing a query. [Piotr Olma]
+ http-robtex-shared-ns Finds up to 100 domain names which use the
same name server as the target by querying the Robtex service at
http://www.robtex.com/dns/. [Arturo Busleiman]
+ http-sitemap-generator spiders a web server and displays its
directory structure along with number and types of files in each
folder. Note that files listed as having an 'Other' extension are
ones that have no extension or that are a root document. [Piotr
Olma]
+ http-slowloris-check tests a web server for vulnerability to the
Slowloris DoS attack without actually launching a DoS
attack. [Aleksandar Nikolic]
+ http-slowloris tests a web server for vulnerability to the
Slowloris DoS attack by launching a Slowlaris attack. [Aleksandar
Nikolic, Ange Gutek]
+ http-tplink-dir-traversal exploits a directory traversal
vulnerability existing in several TP-Link wireless
routers. Attackers may exploit this vulnerability to read any of
the configuration and password files remotely and without
authentication. [Paulino Calderon]
+ http-traceroute exploits the Max-Forwards HTTP header to detect
the presence of reverse proxies. [Hani Benhabiles]
+ http-virustotal checks whether a file has been determined as
malware by virustotal. Virustotal is a service that provides the
capability to scan a file or check a checksum against a number of
the major AntiVirus vendors. [Patrik Karlsson]
+ http-vlcstreamer-ls connects to a VLC Streamer helper service and
lists directory contents. The VLC Streamer helper service is used
by the iOS VLC Streamer application to enable streaming of
multimedia content from the remote server to the device. [Patrik
Karlsson]
+ http-vuln-cve2010-0738 tests whether a JBoss target is vulnerable
to jmx console authentication bypass (CVE-2010-0738). [Hani
Benhabiles]
+ http-waf-fingerprint Tries to detect the presence of a web
application firewall and its type and version. [Hani Benhabiles]
+ icap-info tests a list of known ICAP service names and prints
information about any it detects. The Internet Content Adaptation
Protocol (ICAP) is used to extend transparent proxy servers and is
generally used for content filtering and antivirus
scanning. [Patrik Karlsson]
+ ip-forwarding detects whether the remote device has ip forwarding
or "Internet connection sharing" enabled, by sending an ICMP echo
request to a given target using the scanned host as default
gateway. [Patrik Karlsson]
+ ipv6-ra-flood generates a flood of Router Adverisments (RA) with
random source MAC addresses and IPv6 prefixes. Computers, which
have stateless autoconfiguration enabled by default (every major
OS), will start to compute IPv6 suffix and update their routing
table to reflect the accepted annoucement. This will cause 100%
CPU usage on Windows and platforms, preventing to process other
application requests. [Adam Stevko]
+ irc-sasl-brute performs brute force password auditing against IRC
(Internet Relay Chat) servers supporting SASL
authentication. [Piotr Olma]
+ isns-info lists portals and iSCSI nodes registered with the
Internet Storage Name Service (iSNS). [Patrik Karlsson]
+ jdwp-exec attempts to exploit java's remote debugging port. When
remote debugging port is left open, it is possible to inject java
bytecode and achieve remote code execution. This script abuses
this to inject and execute a Java class file that executes the
supplied shell command and returns its output. [Aleksandar
Nikolic]
+ jdwp-info attempts to exploit java's remote debugging port. When
remote debugging port is left open, it is possible to inject java
bytecode and achieve remote code execution. This script injects
and execute a Java class file that returns remote system
information. [Aleksandar Nikolic]
+ jdwp-inject attempts to exploit java's remote debugging port.
When remote debugging port is left open, it is possible to inject
java bytecode and achieve remote code execution. This script
allows injection of arbitrary class files. [Aleksandar Nikolic]
+ llmnr-resolve resolves a hostname by using the LLMNR (Link-Local
Multicast Name Resolution) protocol. [Hani Benhabiles]
+ mcafee-epo-agent check if ePO agent is running on port 8081 or
port identified as ePO Agent port. [Didier Stevens and Daniel
Miller]
+ metasploit-info gathers info from the Metasploit rpc service. It
requires a valid login pair. After authentication it tries to
determine Metasploit version and deduce the OS type. Then it
creates a new console and executes few commands to get additional
info. [Aleksandar Nikolic]
+ metasploit-msgrpc-brute performs brute force username and password
auditing against Metasploit msgrpc interface. [Aleksandar Nikolic]
+ mmouse-brute performs brute force password auditing against the
RPA Tech Mobile Mouse servers. [Patrik Karlsson]
+ mmouse-exec connects to an RPA Tech Mobile Mouse server, starts an
application and sends a sequence of keys to it. Any application
that the user has access to can be started and the key sequence is
sent to the application after it has been started. [Patrik
Karlsson]
+ mrinfo queries targets for multicast routing information. [Hani
Benhabiles]
+ msrpc-enum queries an MSRPC endpoint mapper for a list of mapped
services and displays the gathered information. [Aleksandar
Nikolic]
+ ms-sql-dac qeries the Microsoft SQL Browser service for the DAC
(Dedicated Admin Connection) port of a given (or all) SQL Server
instance. The DAC port is used to connect to the database instance
when normal connection attempts fail, for example, when server is
hanging, out of memory or in other bad states. [Patrik Karlsson]
+ mtrace queries for the multicast path from a source to a
destination host. [Hani Benhabiles]
+ mysql-dump-hashes dumps the password hashes from an MySQL server
in a format suitable for cracking by tools such as John the
Ripper. Appropriate DB privileges (root) are required. [Patrik
Karlsson]
+ mysql-query runs a query against a MySQL database and returns the
results as a table. [Patrik Karlsson]
+ mysql-vuln-cve2012-2122 attempts to bypass authentication in MySQL
and MariaDB servers by exploiting CVE2012-2122. If its vulnerable,
it will also attempt to dump the MySQL usernames and password
hashes. [Paulino Calderon]
+ oracle-brute-stealth exploits the CVE-2012-3137 vulnerability, a
weaknes in Oracle's O5LOGIN authentication scheme. The
vulnerability exists in Oracle 11g R1/R2 and allows linking the
session key to a password hash. [Dhiru Kholia]
+ pcanywhere-brute performs brute force password auditing against
the pcAnywhere remote access protocol. [Aleksandar Nikolic]
+ rdp-enum-encryption determines which Security layer and Encryption
level is supported by the RDP service. It does so by cycling
through all existing protocols and ciphers. [Patrik Karlsson]
+ rmi-vuln-classloader tests whether Java rmiregistry allows class
loading. The default configuration of rmiregistry allows loading
classes from remote URLs, which can lead to remote code
execution. The vendor (Oracle/Sun) classifies this as a design
feature. [Aleksandar Nikolic]
+ rpc-grind fingerprints the target RPC port to extract the target
service, RPC number and version. [Hani Benhabiles]
+ sip-call-spoof spoofs a call to a SIP phone and detects the action
taken by the target (busy, declined, hung up, etc.) [Hani
Benhabiles]
+ sip-methods enumerates a SIP Server's allowed methods (INVITE,
OPTIONS, SUBSCRIBE, etc.) [Hani Benhabiles]
+ smb-ls attempts to retrieve useful information about files shared
on SMB volumes. The output is intended to resemble the output of
the UNIX <code>ls</code> command. [Patrik Karlsson]
+ smb-print-text attempts to print text on a shared printer by
calling Print Spooler Service RPC functions. [Aleksandar Nikolic]
+ smb-vuln-ms10-054 tests whether target machines are vulnerable to
the ms10-054 SMB remote memory corruption
vulnerability. [Aleksandar Nikolic]
+ smb-vuln-ms10-061 tests whether target machines are vulnerable to
ms10-061 Printer Spooler impersonation vulnerability. [Aleksandar
Nikolic]
+ snmp-hh3c-logins attempts to enumerate Huawei / HP/H3C Locally
Defined Users through the hh3c-user.mib OID [Kurt Grutzmacher]
+ ssl-date retrieves a target host's time and date from its TLS
ServerHello response. [Aleksandar Nikolic]
+ tls-nextprotoneg enumerates a TLS server's supported protocols by
using the next protocol negotiation extension. [Hani Benhabiles]
+ traceroute-geolocation lists the geographic locations of each hop
in a traceroute and optionally saves the results to a KML file,
plottable on Google earth and maps. [Patrik Karlsson]
o Added some additional CPE entries to nmap-service-probes.
[Dillon Graham]
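
Review bot: the new script summaries need a spelling and consistency pass before this list is reused for release notes. Spelling: "retrievs" (bjnp-discover), "Independant" (broadcast-pim-discovery), "exploiting a an information disclosure" (http-drupal-enum-users), "throught" (http-icloud-sendmsg), "Slowlaris" in the http-slowloris entry while the same sentence spells it "Slowloris", "Adverisments" and "annoucement" in ipv6-ra-flood (which also has a word missing in "100% CPU usage on Windows and platforms"), "qeries" (ms-sql-dac), "weaknes" (oracle-brute-stealth), and "JServe" in the ajp-headers and ajp-request entries where the other ajp-* entries say "JServ". Consistency: most summaries continue in lowercase after the script name, but cups-queue-info, dict-info, http-robtex-shared-ns and http-waf-fingerprint start with a capitalized verb; mcafee-epo-agent says "check if" rather than "checks if"; jdwp-info says "injects and execute"; mysql-vuln-cve2012-2122 writes the identifier as "CVE2012-2122" (and "If its vulnerable") while the script name and the other entries use the CVE-YYYY-NNNN form. The smb-ls entry carries a literal <code>ls</code> tag, which does not belong in a file whose first line declares it -*-text-*-; plain ls (or quotes) would match the rest of the file.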