
Update and proofread documentation of all the scripts, with the exception of

nbstat.nse and smb-*.nse, which Ron is going to do.
This commit is contained in:
david
2008-10-25 03:11:25 +00:00
parent 879b33ad75
commit 84afa54d3a
31 changed files with 268 additions and 274 deletions


@@ -4,7 +4,7 @@ Maps IP addresses to autonomous system (AS) numbers.
The script works by sending DNS TXT queries to a DNS server which in
turn queries a third-party service provided by Team Cymru
(team-cymru.org) using an in-addr.arpa style zone set-up especially for
(team-cymru.org) using an in-addr.arpa style zone set up especially for
use by Nmap.
The responses to these queries contain both Origin and Peer ASNs and
@@ -23,7 +23,7 @@ server (your default DNS server, or whichever you specified with the
---
-- @usage
-- nmap --script ASN.nse [--script-args dns=<dns server>] <target>
-- nmap --script ASN.nse [--script-args dns=<DNS server>] <target>
-- @args dns The address of a recursive nameserver to use (optional).
-- @output
-- Host script results:
@@ -70,8 +70,8 @@ end
-- Cached results are checked before sending a query for the target and extracting the
-- relevent information from the response. Mutual exclusion is used so that results can be
-- cached and so a single thread will be active at any time.
-- @param host Host Table.
-- @return Formatted answers or nil on errors.
-- @param host Host table.
-- @return Formatted answers or <code>nil</code> on errors.
action = function( host )
@@ -149,9 +149,9 @@ end -- action
-- Checks whether the target IP address is within any BGP prefixes for which a query has
-- already been performed and returns a pointer to the HOST SCRIPT RESULT displaying the applicable answers.
-- @param ip String representing the target IP address.
-- @return Boolean True if there are cached answers for the supplied target, otherwise
-- @return Boolean true if there are cached answers for the supplied target, otherwise
-- false.
-- @return Table containing a string for each answer or nil if there are none.
-- @return Table containing a string for each answer or <code>nil</code> if there are none.
function check_cache( ip )
local ret = {}
@@ -187,9 +187,9 @@ end
---
-- Performs an IP address to ASN lookup. See http://www.team-cymru.org/Services/ip-to-asn.html#dns.
-- @param query String - PTR like DNS query.
-- @return Boolean true for a successful dns query resulting in an answer, otherwise false.
-- @return Table of answers or a String err msg.
-- @param query String - PTR-like DNS query.
-- @return Boolean true for a successful DNS query resulting in an answer, otherwise false.
-- @return Table of answers or a string error message.
function ip_to_asn( query )
@@ -238,7 +238,7 @@ end
-- Extracts fields from the supplied DNS answer sections and generates a records entry for each.
-- @param answers Table containing string DNS answers.
-- @param asn_type String denoting whether the query is for Origin or Peer ASN.
-- @param recs Table of existing recognised answers to which to add (ref to <code>actions()</code> <code>records{}</code>.
-- @param recs Table of existing recognised answers to which to add (refer to the <code>records</code> table inside <code>action()</code>.
-- @return Boolean true if successful otherwise false.
function result_recog( answers, asn_type, recs, discoverer_ip )
@@ -284,8 +284,8 @@ end
---
-- Performs an AS Number to AS Description lookup.
-- @param asn String AS Number
-- @return String Description or ""
-- @param asn String AS number.
-- @return String description or <code>""</code>.
function asn_description( asn )
@@ -315,7 +315,7 @@ end
---
-- Processes records which are recognised dns answers by combining them into unique BGPs before caching
-- Processes records which are recognised DNS answers by combining them into unique BGPs before caching
-- them in the registry and returning <code>combined_records</code>. If there aren't any records (No Such Name message
-- or DNS failure) we signal this fact to other threads by using the cache and return with an empty table.
-- @param records Table of recognised answers (may be empty).
@@ -401,7 +401,7 @@ end
-- Given an IP address and a prefix length, returns a string representing a valid IP address assignment (size is not checked) which contains
-- the supplied IP address. For example, with <code>ip</code> = <code>"192.168.1.187"</code> and <code>prefix</code> = <code>24</code> the return value will be <code>"192.168.1.1-192.168.1.255"</code>
-- @param ip String representing an IP address.
-- @param prefix String or number representing a prefix length. Should be of the same address family as ip.
-- @param prefix String or number representing a prefix length. Should be of the same address family as <code>ip</code>.
-- @return String representing a range of addresses from the first to the last hosts (or <code>nil</code> in case of an error).
-- @return <code>nil</code> or error message in case of an error.
@@ -430,7 +430,7 @@ end
---
-- Decides what to output based on the content of the supplied parameters and formats it for return by <code>action()</code>.
-- @param output String non-answer message to be returned as is or an empty table
-- @param output String non-answer message to be returned as is or an empty table.
-- @param combined_records Table containing combined records.
-- @return Formatted nice output string.
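Review bot: The rewritten `@param recs` line opens a parenthesis it never closes: `-- @param recs Table of existing recognised answers to which to add (refer to the <code>records</code> table inside <code>action()</code>.` needs a `)` before the final period. The `result_recog` signature on the next line also takes a fourth parameter, `discoverer_ip`, which the doc block above it never describes; a `-- @param discoverer_ip …` line would complete the block, since the commit is already touching it. The body of `result_recog` continues outside the hunk.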


@@ -6,8 +6,8 @@ authentication.
---
-- @output
-- | HTTP Auth: HTTP Service requires authentication\n
-- |_ Auth type: Basic, realm = DSL Router\n
-- | HTTP Auth: HTTP Service requires authentication
-- |_ Auth type: Basic, realm = DSL Router
-- HTTP authentication information gathering script
-- rev 1.1 (2007-05-25)


@@ -1,10 +1,10 @@
id="Open Proxy Test"
description=[[
Checks if an HTTP proxy is open.
\n\n
The script attempts to connect to www.google.com through the proxy and checks
for a 'Server: gws' header field in the response.
\n\n
for a <code>Server: gws</code> header field in the response.
If the target is an open proxy, this script will cause the target to retrieve a
web page from www.google.com.
]]


@@ -21,10 +21,10 @@ categories = {"intrusive", "vuln"}
require "shortport"
require "http"
--- Validates the HTTP response code and checks for a valid passwd format
--- in the body
--@param response The HTTP response from the server
--@return The body of the HTTP response
--- Validates the HTTP response code and checks for a <code>valid</code> passwd
-- format in the body.
--@param response The HTTP response from the server.
--@return The body of the HTTP response.
local validate = function(response)
if not response.status then
return nil
@@ -43,8 +43,8 @@ end
--- Transforms a string with ".", "/" and "\" converted to their URL-formatted
--- hex equivalents
--@param str String to hexify
--@return Transformed string
--@param str String to hexify.
--@return Transformed string.
local hexify = function(str)
local ret
ret = str:gsub("%.", "%%2E")
@@ -53,17 +53,17 @@ local hexify = function(str)
return ret
end
--- Truncates the passwd file
--@param passwd passwd file
--@return Truncated passwd file and truncated length
--- Truncates the <code>passwd</code> file.
--@param passwd <code>passwd</code> file.
--@return Truncated passwd file and truncated length.
local truncatePasswd = function(passwd)
local len = 250
return passwd:sub(1, len), len
end
--- Formats output
--@param passwd passwd file
--@param dir Formatted request which elicited the good reponse
--- Formats output.
--@param passwd <code>passwd</code> file.
--@param dir Formatted request which elicited the good reponse.
--@return String description for output
local output = function(passwd, dir)
local trunc, len = truncatePasswd(passwd)
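Review bot: The new `<code>` markup in the `validate` header wraps the adjective instead of the file name: `--- Validates the HTTP response code and checks for a <code>valid</code> passwd` should read `--- Validates the HTTP response code and checks for a valid <code>passwd</code>`, matching how `passwd` is marked up in the rewritten `truncatePasswd` and `output` headers further down. The `output` header also keeps a typo on its rewritten line, `--@param dir Formatted request which elicited the good reponse.`, which should say `response`. The bodies of `validate` and `output` continue outside the hunk.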


@@ -6,12 +6,12 @@ response.
---
-- @output
-- 80/tcp open http \n
-- | HTTP TRACE: Response differs from request. First 5 additional lines: \n
-- | Cookie: UID=d4287aa38d02f409841b4e0c0050c13148a85d01c0c0a154d4ef56dfc2b4fc1b0 \n
-- | Country: us \n
-- | Ip_is_advertise_combined: yes \n
-- | Ip_conntype-Confidence: -1 \n
-- 80/tcp open http
-- | HTTP TRACE: Response differs from request. First 5 additional lines:
-- | Cookie: UID=d4287aa38d02f409841b4e0c0050c13148a85d01c0c0a154d4ef56dfc2b4fc1b0
-- | Country: us
-- | Ip_is_advertise_combined: yes
-- | Ip_conntype-Confidence: -1
-- |_ Ip_line_speed: medium
-- 08/31/2007
@@ -26,9 +26,9 @@ require "comm"
require "shortport"
require "stdnse"
--- Truncates and formats the first 5 elements of a table
--@param tab The table to truncate
--@return Truncated, formatted table
--- Truncates and formats the first 5 elements of a table.
--@param tab The table to truncate.
--@return Truncated, formatted table.
local truncate = function(tab)
local str = ""
str = str .. tab[1] .. "\n"
@@ -39,11 +39,11 @@ local truncate = function(tab)
return str
end
--- Validates the HTTP response and checks for modifications
--@param response The HTTP response from the server
--@param original The original HTTP request sent to the server
--- Validates the HTTP response and checks for modifications.
--@param response The HTTP response from the server.
--@param original The original HTTP request sent to the server.
--@return A string describing the changes (if any) between the response and
-- request
-- request.
local validate = function(response, original)
local start, stop
local body


@@ -2,7 +2,7 @@ id = "MySQL Server Information"
description = [[
Connects to a MySQL server and prints information such as the protocol and
version numbers, thread ID, status, capabilities, and the password salt.
\n\n
If service detection is performed and the server appears to be blocking
our host or is blocked from too many connections, then we don't bother
running this script (see the portrule).
@@ -10,12 +10,12 @@ running this script (see the portrule).
---
--@output
-- 3306/tcp open mysql \n
-- | MySQL Server Information: Protocol: 10 \n
-- | Version: 5.0.51a-3ubuntu5.1 \n
-- | Thread ID: 7 \n
-- | Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection \n
-- | Status: Autocommit \n
-- 3306/tcp open mysql
-- | MySQL Server Information: Protocol: 10
-- | Version: 5.0.51a-3ubuntu5.1
-- | Thread ID: 7
-- | Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection
-- | Status: Autocommit
-- |_ Salt: bYyt\NQ/4V6IN+*3`imj
-- Many thanks to jah (jah@zadkiel.plus.com) for testing and enhancements


@@ -6,9 +6,9 @@ SMTP server.
---
-- @output
-- 25/tcp open smtp \n
-- | SMTPcommands: EHLO uninvited.example.net Hello root at localhost [127.0.0.1], SIZE 52428800, PIPELINING, 250 HELP \n
-- |_ HELP Commands supported:, , AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP \n
-- 25/tcp open smtp
-- | SMTPcommands: EHLO uninvited.example.net Hello root at localhost [127.0.0.1], SIZE 52428800, PIPELINING, 250 HELP
-- |_ HELP Commands supported:, , AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
-- Version History
-- 1.1.0.0 - 2007-10-12


@@ -5,7 +5,7 @@ Attempts to extract system information from an SNMP version 1 service.
---
-- @output
-- | SNMPv1: HP ETHERNET MULTI-ENVIRONMENT,ROM A.25.80,JETDIRECT,JD117,EEPROM V.28.22,CIDATE 08/09/2006 \n
-- | SNMPv1: HP ETHERNET MULTI-ENVIRONMENT,ROM A.25.80,JETDIRECT,JD117,EEPROM V.28.22,CIDATE 08/09/2006
-- |_ System uptime: 28 days, 17:18:59 (248153900 timeticks)
author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"


@@ -2,22 +2,19 @@ id = "sql-inject"
description = [[
Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL
injection attack.
\n\n
The script spiders an HTTP server looking for URLs containing queries.
It then proceeds to combine crafted SQL commands with
susceptible URLs in order to obtain errors. The errors
are analysed to see if the url is vulnerable to attack.
This uses the most basic form of SQL injection but anything
more complication is more suited to a stand alone tool.
Both meta and HTTP redirects are supported.
\n\n
The script spiders an HTTP server looking for URLs containing queries. It then
proceeds to combine crafted SQL commands with susceptible URLs in order to
obtain errors. The errors are analysed to see if the url is vulnerable to
attack. This uses the most basic form of SQL injection but anything more
complication is more suited to a stand alone tool. Both meta and HTTP redirects
are supported.
It is not advisable to run this against unknown hosts.
\n\n
NOTES\n
We may not have access to the servers true hostname.
This means we cannot access virtually hosted sites and
cannot follow absolute links when the hostname is
different from the resolved ip address
We may not have access to the servers true hostname. This means we cannot
access virtually hosted sites and cannot follow absolute links when the
hostname is different from the resolved ip address
]]
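Review bot: The reflowed description keeps two wording slips on its new lines: `complication is more suited to a stand alone tool.` should be `complicated is more suited to a stand-alone tool.`, and `We may not have access to the servers true hostname.` needs the possessive `server's`. The final sentence of the block, `hostname is different from the resolved ip address`, also ends without a period before the closing `]]`. Since this text is what the script's documentation renders verbatim, it is worth fixing in the same proofreading pass.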
require('url')


@@ -1,37 +1,43 @@
id = "SSH Hostkey"
description = [[
Shows SSH hostkeys.
\n\n
Shows fingerprint or fingerprint and key depending on verbosity level.
Puts the found hostkeys in nmap.registry for other scripts to use them.
You can control the output with the ssh_hostkey script argument. Possible
values are bubble, visual, full and all.
Shows fingerprint or fingerprint and key depending on verbosity level. Puts the
found hostkeys in nmap.registry for other scripts to use them. You can control
the output with the <code>ssh_hostkey</code> script argument.
]]
---
--@usage
-- nmap host --script SSH-hostkey --script-args ssh_hostkey=full\n
-- nmap host --script SSH-hostkey --script-args ssh_hostkey=all\n
-- nmap host --script SSH-hostkey --script-args ssh_hostkey=full
-- nmap host --script SSH-hostkey --script-args ssh_hostkey=all
-- nmap host --script SSH-hostkey --script-args ssh_hostkey='visual bubble'
--
--@args ssh_hostkey Controls the output format of keys. Multiple values may be
-- given, separated by spaces. Possible values are
-- * <code>"full"</code>: The entire key, not just the fingerprint.
-- * <code>"bubble"</code>: Bubble Babble output,
-- * <code>"visual"</code>: Visual ASCII art representation.
-- * <code>"all"</code>: All of the above.
--
--@output
-- 22/tcp open ssh\n
-- | SSH Hostkey: 2048 f0:58:ce:f4:aa:a4:59:1c:8e:dd:4d:07:44:c8:25:11 (RSA)\n
-- 22/tcp open ssh\n
-- | SSH Hostkey: 2048 f0:58:ce:f4:aa:a4:59:1c:8e:dd:4d:07:44:c8:25:11 (RSA)\n
-- | +--[ RSA 2048]----+\n
-- | | .E*+ |\n
-- | | oo |\n
-- | | . o . |\n
-- | | O . . |\n
-- | | o S o . |\n
-- | | = o + . |\n
-- | | . * o . |\n
-- | | = . |\n
-- | | o . |\n
-- |_ +-----------------+\n
-- 22/tcp open ssh\n
-- | SSH Hostkey: 2048 xuvah-degyp-nabus-zegah-hebur-nopig-bubig-difeg-hisym-rumef-cuxex (RSA)\n
-- 22/tcp open ssh
-- | SSH Hostkey: 2048 f0:58:ce:f4:aa:a4:59:1c:8e:dd:4d:07:44:c8:25:11 (RSA)
-- 22/tcp open ssh
-- | SSH Hostkey: 2048 f0:58:ce:f4:aa:a4:59:1c:8e:dd:4d:07:44:c8:25:11 (RSA)
-- | +--[ RSA 2048]----+
-- | | .E*+ |
-- | | oo |
-- | | . o . |
-- | | O . . |
-- | | o S o . |
-- | | = o + . |
-- | | . * o . |
-- | | = . |
-- | | o . |
-- |_ +-----------------+
-- 22/tcp open ssh
-- | SSH Hostkey: 2048 xuvah-degyp-nabus-zegah-hebur-nopig-bubig-difeg-hisym-rumef-cuxex (RSA)
-- |_ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwVuv2gcr0maaKQ69VVIEv2ob4OxnuI64fkeOnCXD1lUx5tTA+vefXUWEMxgMuA7iX4irJHy2zer0NQ3Z3yJvr5scPgTYIaEOp5Uo/eGFG9Agpk5wE8CoF0e47iCAPHqzlmP2V7aNURLMODb3jVZuI07A2ZRrMGrD8d888E2ORVORv1rYeTYCqcMMoVFmX9l3gWEdk4yx3w5sD8v501Iuyd1v19mPfyhrI5E1E1nl/Xjp5N0/xP2GUBrdkDMxKaxqTPMie/f0dXBUPQQN697a5q+5lBRPhKYOtn6yQKCd9s1Q22nxn72Jmi1RzbMyYJ52FosDT755Qmb46GLrDMaZMQ==
author = "Sven Klemm <sven@c3d2.de>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"


@@ -1,19 +1,19 @@
id = "SSLv2"
description = [[
Determines whether the server (still) supports SSL-v2, and what cyphers it
Determines whether the server (still) supports SSL-v2, and what ciphers it
offers.
]]
---
--@output
-- 443/tcp open https syn-ack\n
-- | SSLv2: server still supports SSLv2\n
-- | SSL2_RC4_128_WITH_MD5\n
-- | SSL2_DES_192_EDE3_CBC_WITH_MD5\n
-- | SSL2_RC2_CBC_128_CBC_WITH_MD5\n
-- | SSL2_DES_64_CBC_WITH_MD5\n
-- | SSL2_RC4_128_EXPORT40_WITH_MD5\n
-- |_ SSL2_RC2_CBC_128_CBC_WITH_MD5\n
-- 443/tcp open https syn-ack
-- | SSLv2: server still supports SSLv2
-- | SSL2_RC4_128_WITH_MD5
-- | SSL2_DES_192_EDE3_CBC_WITH_MD5
-- | SSL2_RC2_CBC_128_CBC_WITH_MD5
-- | SSL2_DES_64_CBC_WITH_MD5
-- | SSL2_RC4_128_EXPORT40_WITH_MD5
-- |_ SSL2_RC2_CBC_128_CBC_WITH_MD5
author = "Matt <mb2263@bristol.ac.uk>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"


@@ -5,7 +5,7 @@ Attempts to extract system information from the UPnP service.
---
-- @output
-- | UPnP: System/1.0 UPnP/1.0 IGD/1.0 \n
-- | UPnP: System/1.0 UPnP/1.0 IGD/1.0
-- |_ Location: http://192.168.1.1:80/UPnP/IGD.xml
author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"


@@ -15,7 +15,7 @@ require "shortport"
portrule = shortport.port_or_service(21, "ftp")
--- Connects to the ftp server and checks if the server allows anonymous logins.
--- Connects to the FTP server and checks if the server allows anonymous logins.
action = function(host, port)
local socket = nmap.new_socket()
local result


@@ -28,7 +28,7 @@ end
---
-- Returns a function which returns the next user/pass pair each time
-- it is called. When no more pairs are available nil is returned.
-- \n
--
-- There are plenty more possible pairs but we need to find
-- a compromise between speed and coverage
--@return iterator Function which will return user and password pairs.


@@ -1,10 +1,9 @@
id = "DNS source port randomness"
description = [[
Checks a DNS server for the predictable-port recursion vulnerability.
Predictable source ports can make a DNS server vulnerable to cache poisoning
attacks (CVE-2008-1447).
\n\n
The script works by querying porttest.dns-oarc.net.
Be aware that any targets against which this script is run will be sent to and
potentially recorded by one or more DNS servers and the porttest server. In
@@ -12,11 +11,15 @@ addition your IP address will be sent along with the porttest query to the DNS
server running on the target.
]]
license = "Script: Same as Nmap--See http://nmap.org/book/man-legal.html\n" ..
"porttest.dns-oarc.net: https://www.dns-oarc.net/oarc/services/porttest"
license = [[
Script: Same as Nmap--See http://nmap.org/book/man-legal.html \n
porttest.dns-oarc.net: https://www.dns-oarc.net/oarc/services/porttest
]]
author = "Script: Brandon Enright <bmenrigh@ucsd.edu>\n" ..
"porttest.dns-oarc.net: Duane Wessels <wessels@dns-oarc.net>"
author = [[
Script: Brandon Enright <bmenrigh@ucsd.edu>\n
porttest.dns-oarc.net: Duane Wessels <wessels@dns-oarc.net>
]]
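Review bot: The `license` and `author` values are now long-bracket strings, and inside `[[ … ]]` Lua does not process `\n` as an escape, so both runtime strings now contain a literal backslash and `n` in addition to the real line break the long bracket already preserves (only the newline directly after `[[` is dropped; the one before `]]` is kept). Either remove the `\n` from `Script: Same as Nmap--See http://nmap.org/book/man-legal.html \n` and `Script: Brandon Enright <bmenrigh@ucsd.edu>\n` and let the line breaks carry the separation, or keep the previous quoted-string concatenation. The txidtest script's section below makes the identical change to its `license` and `author` strings and needs the same fix.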
-- This script uses (with permission) Duane Wessels' porttest.dns-oarc.net
-- service. Duane/OARC believe the service is valuable to the community


@@ -4,7 +4,7 @@ description = [[
Checks a DNS server for the predictable-TXID DNS recursion
vulnerability. Predictable TXID values can make a DNS server vulnerable to
cache poisoning attacks (CVE-2008-1447).
\n\n
The script works by querying txidtest.dns-oarc.net.
Be aware that any targets against which this script is run will be sent to and
potentially recorded by one or more DNS servers and the txidtest server. In
@@ -12,11 +12,15 @@ addition your IP address will be sent along with the txidtest query to the DNS
server running on the target.
]]
license = "Script: Same as Nmap--See http://nmap.org/book/man-legal.html\n" ..
"txidtest.dns-oarc.net: https://www.dns-oarc.net/oarc/services/txidtest"
license = [[
Script: Same as Nmap--See http://nmap.org/book/man-legal.html \n
txidtest.dns-oarc.net: https://www.dns-oarc.net/oarc/services/txidtest
]]
author = "Script: Brandon Enright <bmenrigh@ucsd.edu>\n" ..
"txidtest.dns-oarc.net: Duane Wessels <wessels@dns-oarc.net>"
author = [[
Script: Brandon Enright <bmenrigh@ucsd.edu>\n
txidtest.dns-oarc.net: Duane Wessels <wessels@dns-oarc.net>
]]
-- This script uses (with permission) Duane Wessels' txidtest.dns-oarc.net
-- service. Duane/OARC believe the service is valuable to the community


@@ -2,7 +2,7 @@ id = "Nameserver open recursive queries"
description = [[
Checks if a DNS server allows queries for third-party names.
\n\n
It is expected that recursion will be enabled on your own internal nameservers.
]]


@@ -1,7 +1,7 @@
id = "IAX2 Service Detection"
description = [[
Detects the UDP IAX2 service.
\n\n
The script sends an IAX Control Frame POKE request and checks for a proper
response.
]]


@@ -1,19 +1,19 @@
id = "IRC Server Info"
description = [[
Gathers information from an IRC server.
\n\n
It uses STATS, LUSERS, and other queries to obtain this information.
]]
---
-- @output
-- 6665/tcp open irc\n
-- | IRC Server Info: Server: foo.bar.net\n
-- | Version: hyperion-1.0.2b(381). foo.bar.net \n
-- | Lservers/Lusers: 0/4204\n
-- | Uptime: 106 days, 2:46:30\n
-- | Source host: bar.foo.net\n
-- |_ Source ident: OK n=nmap\n
-- 6665/tcp open irc
-- | IRC Server Info: Server: foo.bar.net
-- | Version: hyperion-1.0.2b(381). foo.bar.net
-- | Lservers/Lusers: 0/4204
-- | Uptime: 106 days, 2:46:30
-- | Source host: bar.foo.net
-- |_ Source ident: OK n=nmap
author = "Doug Hoyte"


@@ -1,7 +1,7 @@
id = "IRC zombie"
description = [[
Checks for an IRC zombie.
\n\n
If port 113 responds before we ask it then something is fishy. Usually this
means that the host is an IRC zombie.
]]


@@ -1,7 +1,7 @@
id = "Promiscuous detection"
description = [[
Checks if a target on a local Ethernet has its network card in promiscuous mode.
\n\n
The technique is described at
http://www.securityfriday.com/promiscuous_detection_01.pdf.
]]


@@ -1,8 +1,8 @@
id = "RIPE query"
description = [[
Connects to the RIPE database and displays the role: entry for the target's IP
address.
\n\n
Connects to the RIPE database and displays the <code>role:</code> entry for the
target's IP address.
This script uses an external database. Your IP address and the IP address of
the target will be sent to whois.ripe.net.
]]


@@ -1,21 +1,21 @@
id = "robots.txt"
description = [[
Checks for disallowed entries in robots.txt.
\n\n
Checks for disallowed entries in <code>robots.txt</code>.
The higher the verbosity or debug level, the more disallowed entries are shown.
]]
---
--@output
-- 80/tcp open http syn-ack\n
-- | robots.txt: has 156 disallowed entries (40 shown)\n
-- | /news?output=xhtml& /search /groups /images /catalogs\n
-- | /catalogues /news /nwshp /news?btcid=*& /news?btaid=*&\n
-- | /setnewsprefs? /index.html? /? /addurl/image? /pagead/ /relpage/\n
-- | /relcontent /sorry/ /imgres /keyword/ /u/ /univ/ /cobrand /custom\n
-- | /advanced_group_search /googlesite /preferences /setprefs /swr /url /default\n
-- | /m? /m/? /m/lcb /m/news? /m/setnewsprefs? /m/search? /wml?\n
-- |_ /wml/? /wml/search?\n
-- 80/tcp open http syn-ack
-- | robots.txt: has 156 disallowed entries (40 shown)
-- | /news?output=xhtml& /search /groups /images /catalogs
-- | /catalogues /news /nwshp /news?btcid=*& /news?btaid=*&
-- | /setnewsprefs? /index.html? /? /addurl/image? /pagead/ /relpage/
-- | /relcontent /sorry/ /imgres /keyword/ /u/ /univ/ /cobrand /custom
-- | /advanced_group_search /googlesite /preferences /setprefs /swr /url /default
-- | /m? /m/? /m/lcb /m/news? /m/setnewsprefs? /m/search? /wml?
-- |_ /wml/? /wml/search?
require('shortport')


@@ -5,17 +5,17 @@ Connects to portmapper and fetches a list of all registered programs.
---
-- @output
-- 111/tcp open rpcbind\n
-- | rpcinfo:\n
-- | 100000 2 111/udp rpcbind\n
-- | 100005 1,2,3 705/udp mountd\n
-- | 100003 2,3,4 2049/udp nfs\n
-- | 100024 1 32769/udp status\n
-- | 100021 1,3,4 32769/udp nlockmgr\n
-- | 100000 2 111/tcp rpcbind\n
-- | 100005 1,2,3 706/tcp mountd\n
-- | 100003 2,3,4 2049/tcp nfs\n
-- | 100024 1 50468/tcp status\n
-- 111/tcp open rpcbind
-- | rpcinfo:
-- | 100000 2 111/udp rpcbind
-- | 100005 1,2,3 705/udp mountd
-- | 100003 2,3,4 2049/udp nfs
-- | 100024 1 32769/udp status
-- | 100021 1,3,4 32769/udp nlockmgr
-- | 100000 2 111/tcp rpcbind
-- | 100005 1,2,3 706/tcp mountd
-- | 100003 2,3,4 2049/tcp nfs
-- | 100024 1 50468/tcp status
-- |_ 100021 1,3,4 50468/tcp nlockmgr
@@ -31,9 +31,9 @@ categories = {"default","safe","discovery"}
portrule = shortport.port_or_service(111, "rpcbind")
--- format a table of version for output
--@param version_table table containing the versions
--@return string with the formatted versions
--- Format a table of version for output.
--@param version_table table containing the versions .
--@return string with the formatted versions.
local format_version = function( version_table )
table.sort( version_table )
return table.concat( version_table, ',' )
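Review bot: The rewritten `format_version` header has a stray space before the period in `--@param version_table table containing the versions .`, and the summary `--- Format a table of version for output.` should say `versions` to match the parameter name. Both are new lines in this hunk, so they can be corrected as part of the same proofreading commit. The `end` of `format_version` lies outside the hunk.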


@@ -1,7 +1,7 @@
id = "HTML title"
description = [[
Shows the title of the default page of a web server.
\n\n
The script will follow no more than one HTTP redirect, and only if the
redirection leads to the same host. The script may send a DNS query to
determine if the host the redirect leads to has the same IP address as the
@@ -10,9 +10,8 @@ original target.
---
--@output
-- 80/tcp open http syn-ack\n
-- |_ HTML title: Foo.\n
--@copyright Same as Nmap--See http://nmap.org/book/man-legal.html
-- 80/tcp open http syn-ack
-- |_ HTML title: Foo.
author = "Diman Todorov <diman.todorov@gmail.com>"


@@ -1,7 +1,7 @@
id = "Service owner"
description = [[
Attempts to find the owner of a scanned port.
\n\n
The script makes a connection to the auth port (113) and queries the owner of
an open port.
]]


@@ -1,14 +1,14 @@
id = "Stealth SSH version"
description = [[
Connects to an SSH server and retrieves the version banner.
\n\n
This typically does not result in any logs of the connection being made.
]]
---
-- @output
-- 22/tcp open ssh\n
-- |_ Stealth SSH version: SSH-2.0-OpenSSH_3.9p1\n
-- 22/tcp open ssh
-- |_ Stealth SSH version: SSH-2.0-OpenSSH_3.9p1
author = "Diman Todorov <diman.todorov@gmail.com>"


@@ -1,15 +1,15 @@
id = "Unexpected SMTP"
description = [[
Checks if SMTP is running on a non-standard port.
\n\n
This usually indicates crackers or script kiddies have set up a backdoor on the
system to send spam or control your machine.
]]
---
-- @output
-- 22/tcp open ssh\n
-- |_ Warning: smtp is running on a strange port.\n
-- 22/tcp open ssh
-- |_ Warning: smtp is running on a strange port.
author = "Diman Todorov <diman.todorov@gmail.com>"


@@ -2,92 +2,77 @@ id = "Whois"
description = [[
Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address
Assignment which contains the Target IP Address.
\n\n
The fields displayed contain information about the assignment and the organisation responsible for managing the address
space. When output verbosity is requested on the Nmap command line (-v) extra information about the assignment will
space. When output verbosity is requested on the Nmap command line (<code>-v</code>) extra information about the assignment will
be displayed.
\n\n
To determine which of the RIRs to query for a given Target IP Address this script utilises Assignments Data hosted by IANA.
The data is cached locally and then parsed for use as a lookup table. The locally cached files are refreshed periodically
to help ensure the data is current. If, for any reason, these files are not available to the script then a default sequence
of Whois services are queried in turn until: the desired record is found; or a referral to another (defined) Whois service is
found; or until the sequence is exhausted without finding either a referral or the desired record.
\n\n
The script will recognise a referral to another Whois service if that service is defined in the script and will continue by
sending a query to the referred service. A record is assumed to be the desired one if it does not contain a referral.
\n\n
To reduce the number unecessary queries sent to Whois services a record cache is employed and the entries in the cache can be
applied to any targets within the range of addresses represented in the record.
\n\n
In certain circumstances, the ability to cache responses prevents the discovery of other, smaller IP address assignments
applicable to the target because a cached response is accepted in preference to sending a Whois query. When it is important
to ensure that the most accurate information about the IP address assignment is retrieved the script argument "whodb"
should be used with a value of "nocache" (see script arguments below). This reduces the range of addresses that may use a
to ensure that the most accurate information about the IP address assignment is retrieved the script argument <code>whodb</code>
should be used with a value of <code>"nocache"</code> (see script arguments). This reduces the range of addresses that may use a
cached record to a size that helps ensure that smaller assignments will be discovered. This option should be used with caution
due to the potential to send large numbers of whois queries and possibly be banned from using the services.
\n\n
In using this script your IP address will be sent to iana.org. Additionally
your address and the address of the target of the scan will be sent to one of
the RIRs.
]]
---
-- @args whodb Takes the following values: nofile, nofollow, nocache and any defined whois services. These values may be combined.
-- \n
-- \n whodb=nofile - Prevent the use of IANA assignments data and instead query the default services.
-- \n whodb=[service-ids] - Redefine the default services to query. Implies nofile.
-- \n whodb=nofollow - Ignore referrals and instead display the first record obtained.
-- \n whodb=nocache - Prevent the acceptance of records in the cache when they apply to large ranges of addresses.
--
-- @args whodb Takes any of the the following values, which may be combined:
-- * <code>whodb=nofile</code> Prevent the use of IANA assignments data and instead query the default services.
-- * <code>whodb=nofollow</code> Ignore referrals and instead display the first record obtained.
-- * <code>whodb=nocache</code> Prevent the acceptance of records in the cache when they apply to large ranges of addresses.
-- * <code>whodb=[service-ids]</code> Redefine the default services to query. Implies <code>nofile</code>.
-- @usage
--
-- # Basic usage:
-- nmap target --script whois
-- \n\n
-- \n To prevent the use of IANA assignments data supply the nofile
-- \n value to the whodb argument:
-- \n
-- \n nmap target --script whois --script-args whodb=nofile
-- \n nmap target --script whois --script-args whois={whodb=nofile}
--
-- \n\n
-- \n Supplying a sequence of whois services will also prevent the
-- \n use of IANA assignments data and override the default sequence:
-- \n
-- \n nmap target --script whois --script-args whodb=arin+ripe+afrinic
-- \n nmap target --script whois --script-args whois={whodb=apnic*lacnic}
-- \n\n The order in which the services are supplied is the order in which
-- \n they will be queried.
-- \n (N.B. commas or semi-colons should not be used to delimit
-- \n argument values)
--
-- \n\n
-- \n To return the first record obtained even if it contains a
-- \n referral to another service, supply the nofollow value to whodb:
-- \n
-- \n nmap target --script whois --script-args whodb=nofollow
-- \n nmap target --script whois --script-args whois={whodb=nofollow+ripe}
-- \n\n Note that only one service (the first one supplied) will be used
-- \n in conjunction with nofollow.
-- \n\n
-- \n To ensure discovery of smaller assignments even if larger
-- \n ones exist in the cache, supply the nocache value to whodb:
-- \n
-- \n nmap target --script whois --script-args whodb=nocache
-- \n nmap target --script whois --script-args whois={whodb=nocache}
--
-- # To prevent the use of IANA assignments data supply the nofile value
-- # to the whodb argument:
-- nmap target --script whois --script-args whodb=nofile
-- nmap target --script whois --script-args whois={whodb=nofile}
--
-- # Supplying a sequence of whois services will also prevent the use of
-- # IANA assignments data and override the default sequence:
-- nmap target --script whois --script-args whodb=arin+ripe+afrinic
-- nmap target --script whois --script-args whois={whodb=apnic*lacnic}
-- # The order in which the services are supplied is the order in which
-- # they will be queried. (N.B. commas or semi-colons should not be
-- # used to delimit argument values.)
--
-- # To return the first record obtained even if it contains a referral
-- # to another service, supply the nofollow value to whodb:
-- nmap target --script whois --script-args whodb=nofollow
-- nmap target --script whois --script-args whois={whodb=nofollow+ripe}
-- # Note that only one service (the first one supplied) will be used in
-- # conjunction with nofollow.
--
-- # To ensure discovery of smaller assignments even if larger ones
-- # exist in the cache, supply the nocache value to whodb:
-- nmap target --script whois --script-args whodb=nocache
-- nmap target --script whois --script-args whois={whodb=nocache}
-- @output
--
-- Host script results:
-- \n| Whois: Record found at whois.arin.net
-- \n| netrange: 64.13.134.0 - 64.13.134.63
-- \n| netname: NET-64-13-143-0-26
-- \n| orgname: Titan Networks
-- \n| orgid: INSEC
-- \n|_ country: US stateprov: CA
--
-- | Whois: Record found at whois.arin.net
-- | netrange: 64.13.134.0 - 64.13.134.63
-- | netname: NET-64-13-143-0-26
-- | orgname: Titan Networks
-- | orgid: INSEC
-- |_ country: US stateprov: CA
author = "jah <jah at zadkiel.plus.com>"
license = "See Nmap License: http://nmap.org/book/man-legal.html"
@@ -134,7 +119,7 @@ action = function( host )
if not nmap.registry.whois then
---
-- Data and flags shared between threads.\n
-- Data and flags shared between threads.
-- @name whois
-- @class table
--@field whoisdb_default_order The default number and order of whois services to query.
@@ -167,13 +152,14 @@ action = function( host )
---
-- Holds field data captured from the responses of each service queried and includes additional information about the final desired record.
--\n The table, indexed by whois service id, holds a table of fields captured from each queried service. Once it has been determined that a record
--\n represents the final record we wish to output, the existing values are destroyed and replaced with the one required record. This is done purely
--\n to make it easier to reference the data of a desired record. Other values in the table are as follows\n
--
-- The table, indexed by whois service id, holds a table of fields captured from each queried service. Once it has been determined that a record
-- represents the final record we wish to output, the existing values are destroyed and replaced with the one required record. This is done purely
-- to make it easier to reference the data of a desired record. Other values in the table are as follows.
-- @name data
-- @class table
--@field data.iana is set after the table is initialised and is the number of times a response encountered represents "The Whole Address Space".
--\n If the value reaches 2 it is assumed that a valid record is held at ARIN.
-- If the value reaches 2 it is assumed that a valid record is held at ARIN.
--@field data.id is set in analyse_response() after final record and is the service name at which a valid record has been found. Used in
-- format_data_for_output().
--@field data.mirror is set in analyse_response() after final record and is the service name from which a mirrored record has been found. Used in
@@ -184,7 +170,7 @@ action = function( host )
data.iana = 0
---
-- Used in the main loop to manage mutexes, the structure of tracking is as follows:\n
-- Used in the main loop to manage mutexes, the structure of tracking is as follows.
-- @name tracking
-- @class table
--@field this_db The service for which a thread will wait for exclusive access before sending a query to it.


@@ -1,16 +1,15 @@
id = "XAMPP default pwd"
description = [[
Check if an XAMP or XAMPP FTP server uses a default username and password.
\n\n
XAMP is an Apache distribution designed for easy installation and
administration. The default username/password combination the script checks for
is nobody/xampp.
administration.
]]
---
-- @output
-- 21/tcp open ftp\n
-- |_ Login success with u/p: foo/bar\n
-- 21/tcp open ftp
-- |_ Login success with u/p: nobody/xampp
author = "Diman Todorov <diman.todorov@gmail.com>"
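Review bot: The new description ends at "easy installation and administration." and no longer states which credentials the script actually tries; after this change the only place the reader learns it is nobody/xampp is the sample line in @output, which reads as an example rather than a contract. A one-sentence statement in the description would keep the script's behaviour documented where LDoc readers look for it, e.g. `The script attempts a single login with the XAMPP default credentials nobody/xampp and reports success.` It would also help to say what a success means for the operator, since this is a default-credential check on a service that grants file access. The rest of the file (license, categories, action) is outside this hunk, so I cannot confirm whether the credentials are documented elsewhere in it.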


@@ -1,50 +1,50 @@
id = 'zone-transfer'
description = [[
Requests a zone transfer (AXFR) from a DNS server.
\n\n
The script sends an AXFR query to a DNS server. The domain to query is determined
by examining the name given on the command line, the DNS server's
hostname, or it can be specified with the "domain" script argument.
If the query is successful all domains and domain types are returned
along with common type specific data (SOA/MX/NS/PTR/A).
\n\n
Constraints\n
If we don't have the 'true' hostname for the dns server we cannot
The script sends an AXFR query to a DNS server. The domain to query is
determined by examining the name given on the command line, the DNS
server's hostname, or it can be specified with the
<code>zoneTrans.domain</code> script argument. If the query is
successful all domains and domain types are returned along with common
type specific data (SOA/MX/NS/PTR/A).
If we don't have the "true" hostname for the DNS server we cannot
determine a likely zone to perform the transfer on.
\n\n
Useful resources\n
DNS for rocket scientists - http://www.zytrax.com/books/dns/\n
How the AXFR protocol works - http://cr.yp.to/djbdns/axfr-notes.html\n
Useful resources
* DNS for rocket scientists: http://www.zytrax.com/books/dns/
* How the AXFR protocol works: http://cr.yp.to/djbdns/axfr-notes.html
]]
---
-- @args zoneTrans.domain Domain to transfer.
-- @output
-- 53/tcp open domain
-- | zone-transfer: \n
-- | foo.com. SOA ns2.foo.com. piou.foo.com. \n
-- | foo.com. TXT \n
-- | foo.com. NS ns1.foo.com. \n
-- | foo.com. NS ns2.foo.com. \n
-- | foo.com. NS ns3.foo.com. \n
-- | foo.com. A 127.0.0.1 \n
-- | foo.com. MX mail.foo.com. \n
-- | anansie.foo.com. A 127.0.0.2 \n
-- | dhalgren.foo.com. A 127.0.0.3 \n
-- | drupal.foo.com. CNAME \n
-- | goodman.foo.com. A 127.0.0.4 i \n
-- | goodman.foo.com. MX mail.foo.com. \n
-- | isaac.foo.com. A 127.0.0.5 \n
-- | julie.foo.com. A 127.0.0.6 \n
-- | mail.foo.com. A 127.0.0.7 \n
-- | ns1.foo.com. A 127.0.0.7 \n
-- | ns2.foo.com. A 127.0.0.8 \n
-- | ns3.foo.com. A 127.0.0.9 \n
-- | stubing.foo.com. A 127.0.0.10 \n
-- | vicki.foo.com. A 127.0.0.11 \n
-- | votetrust.foo.com. CNAME \n
-- | www.foo.com. CNAME \n
-- |_ foo.com. SOA ns2.foo.com. piou.foo.com. \n
-- | zone-transfer:
-- | foo.com. SOA ns2.foo.com. piou.foo.com.
-- | foo.com. TXT
-- | foo.com. NS ns1.foo.com.
-- | foo.com. NS ns2.foo.com.
-- | foo.com. NS ns3.foo.com.
-- | foo.com. A 127.0.0.1
-- | foo.com. MX mail.foo.com.
-- | anansie.foo.com. A 127.0.0.2
-- | dhalgren.foo.com. A 127.0.0.3
-- | drupal.foo.com. CNAME
-- | goodman.foo.com. A 127.0.0.4 i
-- | goodman.foo.com. MX mail.foo.com.
-- | isaac.foo.com. A 127.0.0.5
-- | julie.foo.com. A 127.0.0.6
-- | mail.foo.com. A 127.0.0.7
-- | ns1.foo.com. A 127.0.0.7
-- | ns2.foo.com. A 127.0.0.8
-- | ns3.foo.com. A 127.0.0.9
-- | stubing.foo.com. A 127.0.0.10
-- | vicki.foo.com. A 127.0.0.11
-- | votetrust.foo.com. CNAME
-- | www.foo.com. CNAME
-- |_ foo.com. SOA ns2.foo.com. piou.foo.com.
require('shortport')
require('strbuf')