Rename scripts (almost all of them) to make their names more consistent and

make them look better in output. The full list of changes is
  anonFTP => ftp-anon
  ASN => asn-query
  brutePOP3 => pop3-brute
  bruteTelnet => telnet-brute
  daytimeTest => daytime
  dns-safe-recursion-port => dns-random-srcport
  dns-safe-recursion-txid => dns-random-txid
  dns-test-open-recursion => dns-recursion
  ftpbounce => ftp-bounce
  HTTPAuth => http-auth
  HTTP_open_proxy => http-open-proxy
  HTTPpasswd => http-passwd
  HTTPtrace => http-trace
  iax2Detect => iax2-version
  ircServerInfo => irc-info
  ircZombieTest => irc-zombie
  MSSQLm => ms-sql-info
  MySQLinfo => mysql-info
  popcapa => pop3-capabilities
  PPTPversion => pptp-version
  promiscuous => sniffer-detect
  RealVNC_auth_bypass => realvnc-auth-bypass
  robots => robots.txt
  showHTMLTitle => html-title
  showOwner => identd-owners
  skype_v2-version => skypev2-version
  smb-enumdomains => smb-enum-domains
  smb-enumsessions => smb-enum-sessions
  smb-enumshares => smb-enum-shares
  smb-enumusers => smb-enum-users
  smb-serverstats => smb-server-stats
  smb-systeminfo => smb-system-info
  SMTPcommands => smtp-commands
  SMTP_openrelay_test => smtp-open-relay
  SNMPcommunitybrute => snmp-brute
  SNMPsysdescr => snmp-sysdescr
  SQLInject => sql-injection
  SSH-hostkey => ssh-hostkey
  SSHv1-support => sshv1
  SSLv2-support => sslv2
  strangeSMTPport => smtp-strangeport
  UPnP-info => upnp-info
  xamppDefaultPass => xampp-default-auth
  zoneTrans => zone-transfer

scripts/sniffer-detect.nse

@@ -0,0 +1,130 @@
+description = [[
+Checks if a target on a local Ethernet has its network card in promiscuous mode.
+
+The technique is described at
+http://www.securityfriday.com/promiscuous_detection_01.pdf.
+]]
+author = "Marek Majkowski <majek04+nse@gmail.com>"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+
+categories = {"discovery"}
+
+-- okay, we're interested only in hosts that are on our ethernet lan
+hostrule = function(host, port)
+	if host.directly_connected == true and
+	   host.mac_addr ~= nil and
+	   host.mac_addr_src ~= nil and
+	   host.interface ~= nil and
+	   nmap.get_interface_link(host.interface) == 'ethernet' then
+	    return true
+	end
+	return false
+end
+
+--[[
+function bintohex(str)
+        local b = ""
+        for c in string.gmatch(str, ".") do
+                b = string.format('%s%02x',b, string.byte(c))
+        end
+        return b
+end
+]]--
+
+callback = function(packetsz, layer2, layer3)
+	return string.sub(layer2, 0, 12)
+end
+
+
+do_test = function(dnet, pcap, host, test)
+	local _
+	local status
+	local i = 0
+
+	-- ARP requests are send with timeouts: 10ms, 40ms, 90ms
+	-- before each try, we wait at least 100ms
+	-- in summary, this test takes at least 100ms and at most 440ms
+	for i=1,3 do
+		-- flush buffers :), wait quite long.
+		repeat
+			pcap:set_timeout(100)
+			pcap:pcap_register(host.mac_addr_src .. host.mac_addr)
+			status ,_,_,_ = pcap:pcap_receive()
+		until status ~= true
+		pcap:set_timeout(10 * i*i)
+		pcap:pcap_register(host.mac_addr_src .. host.mac_addr)
+
+		dnet:ethernet_send(test)
+
+		status ,_,_,_ = pcap:pcap_receive()
+		if status == true then
+			-- the basic idea, was to inform user about time, when we got packet
+			-- so that 1 would mean (0-10ms), 2=(10-40ms) and 3=(40ms-90ms)
+			-- but when we're running this tests on macs, first test is always 2.
+			-- which means that the first answer is dropped.
+			-- for now, just return 1 if test was successfull, it's easier
+			-- return(i)
+			return(1)
+		end
+	end
+	return('_')
+end
+
+action = function(host, port)
+	local dnet = nmap.new_dnet()
+	local pcap = nmap.new_socket()
+	local _
+	local status
+	local results = {
+		['1_____1_'] = false, -- MacOSX(Tiger.Panther)/Linux/ ?Win98/ WinXP sp2(no pcap)
+		['1_______'] = false, -- Old Apple/SunOS/3Com
+		['1___1_1_'] = false, -- MacOSX(Tiger)
+		['11111111'] = true,  -- BSD/Linux/OSX/     (or not promiscous openwrt )
+		['1_1___1_'] = false, -- WinXP sp2 + pcap|| win98 sniff || win2k sniff (see below)
+		['111___1_'] = true,  -- WinXP sp2 promisc
+--		['1111__1_'] = true,  -- ?Win98 promisc + ??win98 no promisc *not confirmed*
+		}
+	dnet:ethernet_open(host.interface)
+
+	pcap:pcap_open(host.interface, 64, 0, callback, "arp")
+
+	local test_static = host.mac_addr_src ..
+			string.char(0x08,0x06, 0x00,0x01, 0x08,0x00, 0x06,0x04, 0x00,0x01) ..
+			host.mac_addr_src ..
+			host.bin_ip_src ..
+			string.char(0x00,0x00, 0x00,0x00, 0x00,0x00) ..
+			host.bin_ip
+	local t = {
+		string.char(0xff,0xff, 0xff,0xff, 0xff,0xff), -- B32 no meaning?
+		string.char(0xff,0xff, 0xff,0xff, 0xff,0xfe), -- B31
+		string.char(0xff,0xff, 0x00,0x00, 0x00,0x00), -- B16
+		string.char(0xff,0x00, 0x00,0x00, 0x00,0x00), -- B8
+		string.char(0x01,0x00, 0x00,0x00, 0x00,0x00), -- G
+		string.char(0x01,0x00, 0x5e,0x00, 0x00,0x00), -- M0
+		string.char(0x01,0x00, 0x5e,0x00, 0x00,0x01), -- M1 no meaning?
+		string.char(0x01,0x00, 0x5e,0x00, 0x00,0x03), -- M3
+		}
+	local v
+	local out = ""
+	for _, v in ipairs(t) do
+		out = out .. do_test(dnet, pcap, host, v .. test_static)
+	end
+
+	dnet:ethernet_close()
+	pcap:pcap_close()
+
+	if out == '1_1___1_' then
+		return 'Win98/Win2K/WinXP with pcap installed. I\'m unsure if they\'re sniffing. (tests: "' .. out .. '")'
+	end
+	if results[out] == false then
+		-- probably not sniffing
+		return
+	end
+	if results[out] == true then
+		-- rather sniffer.
+		return 'PROMISCUOUS (tests: "' .. out .. '")'
+	end
+
+	-- results[out] == nil
+	return 'Unknown (tests: "' .. out .. '")'
+end