diff --git a/scripts/ASN.nse b/scripts/ASN.nse
index 786224cf6..37a4e42d5 100644
--- a/scripts/ASN.nse
+++ b/scripts/ASN.nse
@@ -1,17 +1,18 @@
 id = "AS Numbers"
 description = [[
-This script performs IP address to Autonomous System Numbers (ASN) lookups. It
-sends DNS TXT queries to a DNS server which in turn queries a third party
-service provided by Team Cymru (team-cymru.org) using an in-addr.arpa style
-zone set-up especially for use by Nmap.
-\n
+Maps IP addresses to autonomous system (AS) numbers.
+\n\n
+The script works by sending DNS TXT queries to a DNS server which in turn
+queries a third-party service provided by Team Cymru (team-cymru.org) using an
+in-addr.arpa style zone set-up especially for use by Nmap.
+\n\n
 The responses to these queries contain both Origin and Peer ASNs and their descriptions, displayed along with the BG Prefix and Country Code.
-\n
+\n\n
 The script caches results to reduce the number of queries and should perform a single query for all scanned targets in a BG Prefix present in Team Cymru's database.
-\n
+\n\n
 Be aware that any targets against which this script is run will be sent to and potentially recorded by one or more DNS servers and Team Cymru. In addition your IP address will be sent along with the ASN to a DNS server (your default
diff --git a/scripts/HTTPAuth.nse b/scripts/HTTPAuth.nse
index 4d8400d9f..31c4060e5 100644
--- a/scripts/HTTPAuth.nse
+++ b/scripts/HTTPAuth.nse
@@ -1,15 +1,17 @@
+id = "HTTP Auth"
+description = [[
+Gets the authentication scheme and realm of a web service that requires
+authentication.
+]]
+
 ---
---@output
+-- @output
 -- | HTTP Auth: HTTP Service requires authentication\n
 -- |_ Auth type: Basic, realm = DSL Router\n
 -- HTTP authentication information gathering script
 -- rev 1.1 (2007-05-25)
-id = "HTTP Auth"
-
-description = "If a web server requires authentication, prints the authentication scheme and realm"
-
 author = "Thomas Buchanan "
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
diff --git a/scripts/HTTP_open_proxy.nse b/scripts/HTTP_open_proxy.nse
index 71f91471f..7e523b6b2 100644
--- a/scripts/HTTP_open_proxy.nse
+++ b/scripts/HTTP_open_proxy.nse
@@ -1,4 +1,14 @@
---- Checks if an HTTP Proxy is Open to us.
+id="Open Proxy Test"
+description=[[
+Checks if an HTTP proxy is open.
+\n\n
+The script attempts to connect to www.google.com through the proxy and checks
+for a 'Server: gws' header field in the response.
+\n\n
+If the target is an open proxy, this script will cause the target to retrieve a
+web page from www.google.com.
+]]
+
 -- Arturo 'Buanzo' Busleiman / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
 -- Changelog: Added explode() function. Header-only matching now works.
 -- * Fixed set_timeout
@@ -7,13 +17,6 @@
 -- * Match case-insensitively against "^Server: gws" rather than
 -- case-sensitively against "^Server: GWS/".
-id="Open Proxy Test"
-description=[[
-Test if a discovered proxy is open to us by connecting to www.google.com and checking for the 'Server: gws' header response.
-\n
-If the target is an open proxy, this script will cause the target to retrieve a
-web page from www.google.com.
-]]
 author = "Arturo 'Buanzo' Busleiman "
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"default", "discovery", "external", "intrusive"}
diff --git a/scripts/HTTPpasswd.nse b/scripts/HTTPpasswd.nse
index 4e9cf9655..b9161efb7 100644
--- a/scripts/HTTPpasswd.nse
+++ b/scripts/HTTPpasswd.nse
@@ -1,5 +1,9 @@
---- Probes an HTTP server via directory traversal for /etc/passwd
---
+id = "HTTP directory traversal passwd probe"
+description = [[
+Checks if a web server is vulnerable to directory traversal by attempting to
+retrieve /etc/passwd.
+]]
+
 -- 07/20/2007:
 -- * Used Thomas Buchanan's HTTPAuth script as a starting point
 -- * Applied some great suggestions from Brandon Enright, thanks a lot man!
@@ -8,10 +12,6 @@
 -- * Rewritten to use Sven Klemm's excellent HTTP library and to do some much
 -- needed cleaning up
-id = "HTTP directory traversal passwd probe"
-
-description = "Probe for /etc/passwd if server is susceptible to directory traversal"
-
 author = "Kris Katterjohn "
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
diff --git a/scripts/HTTPtrace.nse b/scripts/HTTPtrace.nse
index 92464a405..f81628a69 100644
--- a/scripts/HTTPtrace.nse
+++ b/scripts/HTTPtrace.nse
@@ -1,6 +1,11 @@
---- Sends and HTTP TRACE and describes any modifications
---
---@output
+id = "HTTP TRACE"
+description = [[
+Sends an HTTP TRACE request and shows header fields that were modified in the
+response.
+]]
+
+---
+-- @output
 -- 80/tcp open http \n
 -- | HTTP TRACE: Response differs from request. First 5 additional lines: \n
 -- | Cookie: UID=d4287aa38d02f409841b4e0c0050c13148a85d01c0c0a154d4ef56dfc2b4fc1b0 \n
@@ -11,10 +16,6 @@
 -- 08/31/2007
-id = "HTTP TRACE"
-
-description = "Send HTTP TRACE method and print modifications"
-
 author = "Kris Katterjohn "
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
diff --git a/scripts/MSSQLm.nse b/scripts/MSSQLm.nse
index 5f6aff1a4..8e551da1b 100644
--- a/scripts/MSSQLm.nse
+++ b/scripts/MSSQLm.nse
@@ -1,9 +1,8 @@
--- Microsoft SQL Server information gathering script
--- rev 1.0 (2007-06-09)
-
 id = "MS SQL"
-
-description = "Attempts to extract information from Microsoft SQL Server"
+description = [[
+Attempts to extract information from Microsoft SQL Server.
+]]
+-- rev 1.0 (2007-06-09)
 author = "Thomas Buchanan "
diff --git a/scripts/MySQLinfo.nse b/scripts/MySQLinfo.nse
index 3cf4922c6..54781423f 100644
--- a/scripts/MySQLinfo.nse
+++ b/scripts/MySQLinfo.nse
@@ -1,10 +1,14 @@
---- Connects to a MySQL server and prints information such as the protocol and
---- version numbers, thread id, status, capabilities and the password salt
---
--- If service detection is performed and the server appears to be blocking
--- our host or is blocked from too many connections, then we don't bother
--- running this script (see the portrule)
---
+id = "MySQL Server Information"
+description = [[
+Connects to a MySQL server and prints information such as the protocol and
+version numbers, thread ID, status, capabilities, and the password salt.
+\n\n
+If service detection is performed and the server appears to be blocking
+our host or is blocked from too many connections, then we don't bother
+running this script (see the portrule).
+]]
+
+---
 --@output
 -- 3306/tcp open mysql \n
 -- | MySQL Server Information: Protocol: 10 \n
@@ -16,10 +20,6 @@
 -- Many thanks to jah (jah@zadkiel.plus.com) for testing and enhancements
-id = "MySQL Server Information"
-
-description = "Connects to a MySQL server and prints information"
-
 author = "Kris Katterjohn "
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
diff --git a/scripts/PPTPversion.nse b/scripts/PPTPversion.nse
index 3c43c0d66..5d34c41a2 100644
--- a/scripts/PPTPversion.nse
+++ b/scripts/PPTPversion.nse
@@ -1,9 +1,8 @@
--- PPTP information gathering script
--- rev 0.2 (11-14-2007)
-
 id = "PPTP"
-
-description = "Attempts to extract system information from PPTP service"
+description = [[
+Attempts to extract system information from the PPTP service.
+]]
+-- rev 0.2 (11-14-2007)
 author = "Thomas Buchanan "
diff --git a/scripts/RealVNC_auth_bypass.nse b/scripts/RealVNC_auth_bypass.nse
index 11b3c1072..ac6ecd6cb 100644
--- a/scripts/RealVNC_auth_bypass.nse
+++ b/scripts/RealVNC_auth_bypass.nse
@@ -1,5 +1,8 @@
-id="RealVNC Authentication Bypass (CVE-2006-2369)"
-description="Checks to see if the VNC Server is vulnerable to the RealVNC authentication bypass."
+id = "RealVNC Authentication Bypass"
+description = [[
+Checks if a VNC server is vulnerable to the RealVNC authentication bypass
+(CVE-2006-2369).
+]]
 author = "Brandon Enright "
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
diff --git a/scripts/SMTP_openrelay_test.nse b/scripts/SMTP_openrelay_test.nse
index 429e479de..c11abac3e 100644
--- a/scripts/SMTP_openrelay_test.nse
+++ b/scripts/SMTP_openrelay_test.nse
@@ -1,3 +1,8 @@
+id = "Open Relay SMTP"
+description = [[
+Checks if an SMTP server is an open relay.
+]]
+
 -- Arturo 'Buanzo' Busleiman / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
 -- Same as Nmap--See http://nmap.org/book/man-legal.html file for licence details
 -- This is version 20070516.
@@ -10,8 +15,6 @@
 -- * The "ourdomain" variable's contents are used instead of hardcoded "insecure.org". Settable by the user.
 -- * Fixed tags -> categories (reported by Jason DePriest to nmap-dev)
-id="Open Relay SMTP"
-description="Checks to see if a SMTP server is an open relay"
 categories = {"demo"}
 require "shortport"
diff --git a/scripts/SMTPcommands.nse b/scripts/SMTPcommands.nse
index b904dc5f1..c73a7c469 100644
--- a/scripts/SMTPcommands.nse
+++ b/scripts/SMTPcommands.nse
@@ -1,8 +1,10 @@
---- SMTP supported commands gathering script \n
--- \n
--- Attempts to use EHLO and HELP to gather the Extended commands an
--- SMTP server supports.
--- \n
+id = "SMTPcommands"
+description = [[
+Attempts to use EHLO and HELP to gather the Extended commands supported by an
+SMTP server.
+]]
+
+---
 -- @output
 -- 25/tcp open smtp \n
 -- | SMTPcommands: EHLO uninvited.example.net Hello root at localhost [127.0.0.1], SIZE 52428800, PIPELINING, 250 HELP \n
@@ -41,8 +43,6 @@
 -- script and from Arturo 'Buanzo' Busleiman's SMTP open relay
 -- detector script.
-id = "SMTPcommands"
-description = "Attempts to use EHLO and HELP to gather the Extended commands an SMTP server supports."
 author = "Jason DePriest "
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"default", "discovery", "safe"}
diff --git a/scripts/SNMPcommunitybrute.nse b/scripts/SNMPcommunitybrute.nse
index 8ae80b4c5..7511ebbf0 100644
--- a/scripts/SNMPcommunitybrute.nse
+++ b/scripts/SNMPcommunitybrute.nse
@@ -1,9 +1,8 @@
--- SNMP community string brute force script
--- 2008-07-03
-
 id = "SNMPv1-communitybrute"
-
-description = "Attempts to find SNMP community string by brute force"
+description = [[
+Attempts to find an SNMP community string by brute force.
+]]
+-- 2008-07-03
 author = "Philip Pickering "
diff --git a/scripts/SNMPsysdescr.nse b/scripts/SNMPsysdescr.nse
index 746765f22..fbc7e7d02 100644
--- a/scripts/SNMPsysdescr.nse
+++ b/scripts/SNMPsysdescr.nse
@@ -1,12 +1,13 @@
---- SNMP version 1 system information gathering script
+id = "SNMPv1"
+description = [[
+Attempts to extract system information from an SNMP version 1 service.
+]]
+
+---
 -- @output
 -- | SNMPv1: HP ETHERNET MULTI-ENVIRONMENT,ROM A.25.80,JETDIRECT,JD117,EEPROM V.28.22,CIDATE 08/09/2006 \n
 -- |_ System uptime: 28 days, 17:18:59 (248153900 timeticks)
-id = "SNMPv1"
-
-description = "Attempts to extract system information from SNMP service"
-
 author = "Thomas Buchanan "
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
@@ -19,11 +20,8 @@
 require "snmp"
 -- runs after SNMPcommunityprobe.nse
 runlevel = 2
----
--- Runs on UDP port 161
 portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"})
-
 ---
 -- Sends SNMP packets to host and reads responses
 action = function(host, port)
diff --git a/scripts/SQLInject.nse b/scripts/SQLInject.nse
index ba654d74e..aa85f8a47 100644
--- a/scripts/SQLInject.nse
+++ b/scripts/SQLInject.nse
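Review bot: The second SNMPsysdescr hunk deletes the `-- Runs on UDP port 161` comment above `portrule` together with its `---` opener, while the UPnP-info change in this same commit keeps the equivalent `-- Runs on UDP port 1900` line as a plain comment above its `portrule`. Keeping `-- Runs on UDP port 161` directly above `portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"})` would leave the two scripts documented the same way, and the port/state choice is the one line of this file a reader is most likely to want explained. The `action` function starts on the hunk's last line and its body is outside the hunk.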
@@ -1,26 +1,24 @@
---[[
-
-Experimental SQL injection spider
----------------------------------
-Spiders a http server looking for URLs containing queries.
-It then proceeds to combine crafted sql commands with
-susceptible urls in order to obtain errors. The errors
+id = "sql-inject"
+description = [[
+Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL
+injection attack.
+\n\n
+The script spiders an HTTP server looking for URLs containing queries.
+It then proceeds to combine crafted SQL commands with
+susceptible URLs in order to obtain errors. The errors
 are analysed to see if the url is vulnerable to attack. This uses the most basic form of SQL injection but anything more complication is more suited to a stand alone tool.
-Both meta and http redirects are supported.
-
+Both meta and HTTP redirects are supported.
+\n\n
 It is not advisable to run this against unknown hosts.
-
-NOTES
------
-
+\n\n
+NOTES\n
 * We may not have access to the servers true hostname. This means we cannot access virtually hosted sites and cannot follow absolute links when the hostname is different from the resolved ip address
-
---]]
+]]
 require('url')
 require('shortport')
@@ -28,10 +26,7 @@
 require('stdnse')
 require('strbuf')
 require('listop')
-id = "sql-inject"
 author = "Eddie Bell "
-description = "spiders a http server looking for URLs containing queries \
- and tries to determines if they are vulnerable to injection attack"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"intrusive", "vuln"}
 runlevel = 1.0
diff --git a/scripts/SSH-hostkey.nse b/scripts/SSH-hostkey.nse
index 39d9124c2..576982d87 100644
--- a/scripts/SSH-hostkey.nse
+++ b/scripts/SSH-hostkey.nse
@@ -1,13 +1,17 @@
---- Shows SSH Hostkeys
---
--- Shows fingerprint or fingerprint and key depending on verbosity level.
--- Puts the found hostkeys in nmap.registry for other scripts to use them.
--- You can control the output with the ssh_hostkey script argument. Possible
--- values are bubble,visual,full and all.
---
+id = "SSH Hostkey"
+description = [[
+Shows SSH hostkeys.
+\n\n
+Shows fingerprint or fingerprint and key depending on verbosity level.
+Puts the found hostkeys in nmap.registry for other scripts to use them.
+You can control the output with the ssh_hostkey script argument. Possible
+values are bubble, visual, full and all.
+]]
+
+---
 --@usage
--- nmap host --script SSH-hostkey --script-args ssh_hostkey=full
--- nmap host --script SSH-hostkey --script-args ssh_hostkey=all
+-- nmap host --script SSH-hostkey --script-args ssh_hostkey=full\n
+-- nmap host --script SSH-hostkey --script-args ssh_hostkey=all\n
 -- nmap host --script SSH-hostkey --script-args ssh_hostkey='visual bubble'
 --
 --@output
@@ -29,10 +33,7 @@
 -- 22/tcp open ssh\n
 -- | SSH Hostkey: 2048 xuvah-degyp-nabus-zegah-hebur-nopig-bubig-difeg-hisym-rumef-cuxex (RSA)\n
 -- |_ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwVuv2gcr0maaKQ69VVIEv2ob4OxnuI64fkeOnCXD1lUx5tTA+vefXUWEMxgMuA7iX4irJHy2zer0NQ3Z3yJvr5scPgTYIaEOp5Uo/eGFG9Agpk5wE8CoF0e47iCAPHqzlmP2V7aNURLMODb3jVZuI07A2ZRrMGrD8d888E2ORVORv1rYeTYCqcMMoVFmX9l3gWEdk4yx3w5sD8v501Iuyd1v19mPfyhrI5E1E1nl/Xjp5N0/xP2GUBrdkDMxKaxqTPMie/f0dXBUPQQN697a5q+5lBRPhKYOtn6yQKCd9s1Q22nxn72Jmi1RzbMyYJ52FosDT755Qmb46GLrDMaZMQ==
-
-id = "SSH Hostkey"
 author = "Sven Klemm "
-description = "Show SSH Hostkeys"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"safe","default","intrusive"}
diff --git a/scripts/SSHv1-support.nse b/scripts/SSHv1-support.nse
index 0b12cdd5b..accb1c8c9 100644
--- a/scripts/SSHv1-support.nse
+++ b/scripts/SSHv1-support.nse
@@ -1,5 +1,7 @@
-id="SSH Protocol Version 1"
-description="Checks to see if SSH server supports SSH Protocol Version 1."
+id = "SSH Protocol Version 1"
+description = [[
+Checks if an SSH server supports SSH Protocol Version 1.
+]]
 author = "Brandon Enright "
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"default", "safe"}
diff --git a/scripts/SSLv2-support.nse b/scripts/SSLv2-support.nse
index 31a4acd72..c6c482bb2 100644
--- a/scripts/SSLv2-support.nse
+++ b/scripts/SSLv2-support.nse
@@ -1,5 +1,10 @@
---- Determines if the target server supports SSL-v2 and what cyphers it
--- supports.
+id = "SSLv2"
+description = [[
+Determines whether the server (still) supports SSL-v2, and what cyphers it
+offers.
+]]
+
+---
 --@ouput
 -- 443/tcp open https syn-ack\n
 -- | SSLv2: server still supports SSLv2\n
@@ -10,8 +15,6 @@
 -- | SSL2_RC4_128_EXPORT40_WITH_MD5\n
 -- |_ SSL2_RC2_CBC_128_CBC_WITH_MD5\n
-id = "SSLv2"
-description = "Determines whether the server (still) supports SSL-v2, and what cyphers it offers."
 author = "Matt "
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
diff --git a/scripts/UPnP-info.nse b/scripts/UPnP-info.nse
index 03c5c7de0..78c9ef68e 100644
--- a/scripts/UPnP-info.nse
+++ b/scripts/UPnP-info.nse
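Review bot: The context line directly after the added `---` in SSLv2-support still reads `--@ouput`, so the example block beneath it is not recognised as the NSEDoc `@output` section even though this commit now starts the doc block properly. The same commit already rewrites `---@output` to `-- @output` in HTTPAuth and HTTPtrace, so the line here should become `-- @output` as well. Since the line is already inside this hunk's context, the fix can ride along with the new `id`/`description` block rather than waiting for a separate docs pass.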
@@ -1,162 +1,163 @@
---- UPnP network service information gathering script
+id = "UPnP"
+description = [[
+Attempts to extract system information from the UPnP service.
+]]
+
+---
 -- @output
 -- | UPnP: System/1.0 UPnP/1.0 IGD/1.0 \n
 -- |_ Location: http://192.168.1.1:80/UPnP/IGD.xml
-
-id = "UPnP"
-
-description = "Attempts to extract system information from UPnP service"
-
-author = "Thomas Buchanan "
-
-license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-
-categories = {"default", "safe"}
-
-require("stdnse")
-require("shortport")
-require("strbuf")
+
+author = "Thomas Buchanan "
+
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+
+categories = {"default", "safe"}
+
+require("stdnse")
+require("shortport")
+require("strbuf")
 ---
--- Runs on UDP port 1900
-portrule = shortport.portnumber(1900, "udp", {"open", "open|filtered"})
+-- Runs on UDP port 1900
+portrule = shortport.portnumber(1900, "udp", {"open", "open|filtered"})
 ---
 -- Sends UPnP discovery packet to host,
--- and extracts service information from results
-action = function(host, port)
-
- -- create the socket used for our connection
- local socket = nmap.new_socket()
-
- -- set a reasonable timeout value
- socket:set_timeout(5000)
-
- -- do some exception handling / cleanup
- local catch = function()
- socket:close()
- end
-
- local try = nmap.new_try(catch)
-
- -- connect to the potential UPnP system
- try(socket:connect(host.ip, port.number, "udp"))
-
- local payload = strbuf.new()
-
- -- for details about the UPnP message format, see http://upnp.org/resources/documents.asp
- payload = payload .. "M-SEARCH * HTTP/1.1\r\n"
- payload = payload .. "Host:239.255.255.250:1900\r\n"
- payload = payload .. "ST:upnp:rootdevice\r\n"
- payload = payload .. "Man:\"ssdp:discover\"\r\n"
- payload = payload .. "MX:3\r\n\r\n"
-
- try(socket:send(strbuf.dump(payload)))
-
- local status
- local response
-
- -- read in any response we might get
- status, response = socket:receive_bytes(1)
-
- if (not status) or (response == "TIMEOUT") then
- socket:close()
- return
- end
-
- -- since we got something back, the port is definitely open
- nmap.set_port_state(host, port, "open")
-
- -- buffer to hold script output
- local output
-
- if response ~= nil then
- -- We should get a response back that has contains one line for the server, and one line for the xml file location
- -- these match any combination of upper and lower case responses
- local server, location
- server = string.match(response, "[Ss][Ee][Rr][Vv][Ee][Rr]:(.-)\010")
- if server ~= nil then output = server .. "\n" end
- location = string.match(response, "[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:(.-)\010")
- if location ~= nil then
- output = output .. "Location: " .. location
-
- local v = nmap.verbosity()
-
- -- the following check can output quite a lot of information, so we require at least one -v flag
- if v > 0 then
- -- split the location into an IP address, port, and path name for the xml file
- local xhost, xport, xfile
- xhost = string.match(location, "http://(.-)/")
- -- check to see if the host portionof the location specifies a port
- -- if not, use port 80 as a standard web server port
- if xhost ~= nil and string.match(xhost, ":") then
- xport = string.match(xhost, ":(.*)")
- xhost = string.match(xhost, "(.*):")
- end
-
- if xport == nil then
- xport = 80
- end
-
- -- check if the IP address in the location matches the IP address we're scanning
- -- if not, alert the user, but continue to scan the IP address we're interested in
- if xhost ~= host.ip then
- output = output .. "\n !! Location did not match target IP address !! "
- -- return output
- xhost = host.ip
- end
-
- -- extract the path name from the location field, but strip off the \r that HTTP servers return
- xfile = string.match(location, "http://.-/(.-)\013")
- if xfile ~= nil then
- strbuf.clear(payload)
- -- create an HTTP request for the file, using the host and port we extracted earlier
- payload = payload .. "GET /" .. xfile .. " HTTP/1.1\r\n"
- payload = payload .. "Accept: text/xml, application/xml, text/html\r\n"
- payload = payload .. "User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)\r\n"
- payload = payload .. "Host: " .. xhost .. ":" .. xport .. "\r\n"
- payload = payload .. "Connection: Keep-Alive\r\n"
- payload = payload .. "Cache-Control: no-cache\r\n"
- payload = payload .. "Pragma: no-cache\r\n\r\n"
-
- socket = nmap.new_socket()
- socket:set_timeout(5000)
-
- try(socket:connect(xhost, xport, "tcp"))
- try(socket:send(strbuf.dump(payload)))
- -- we're expecting an xml file, and for UPnP purposes it should end in
- status, response = socket:receive_buf("", true)
-
- if (status) and (response ~= "TIMEOUT") then
- if string.match(response, "HTTP/1.%d 200") then
- local webserver
- -- extract information about the webserver that is handling responses for the UPnP system
- webserver = string.match(response, "[Ss][Ee][Rr][Vv][Ee][Rr]:(.-)\010")
- if webserver ~= nil then output = output .. "\nWebserver: " .. webserver end
-
- -- the schema for UPnP includes a number of entries, which can a number of interesting fields
- for device in string.gmatch(response, "(.-)") do
- local fn, mnf, mdl, nm, ver
-
- fn = string.match(device, "(.-)")
- mnf = string.match(device, "(.-)")
- mdl = string.match(device, "(.-)")
- nm = string.match(device, "(.-)")
- ver = string.match(device, "(.-)")
-
- if fn ~= nil then output = output .. "\n Name: " .. fn end
- if mnf ~= nil then output = output .. "\n Manufacturer: " .. mnf end
- if mdl ~= nil then output = output .. "\n Model Descr: " .. mdl end
- if nm ~= nil then output = output .. "\n Model Name: " .. nm end
- if ver ~= nil then output = output .. "\n Model Version: " .. ver end
- end
- end
- end
-
- socket:close()
- end
- end
- end
- return output
- end
-end
+-- and extracts service information from results
+action = function(host, port)
+
+ -- create the socket used for our connection
+ local socket = nmap.new_socket()
+
+ -- set a reasonable timeout value
+ socket:set_timeout(5000)
+
+ -- do some exception handling / cleanup
+ local catch = function()
+ socket:close()
+ end
+
+ local try = nmap.new_try(catch)
+
+ -- connect to the potential UPnP system
+ try(socket:connect(host.ip, port.number, "udp"))
+
+ local payload = strbuf.new()
+
+ -- for details about the UPnP message format, see http://upnp.org/resources/documents.asp
+ payload = payload .. "M-SEARCH * HTTP/1.1\r\n"
+ payload = payload .. "Host:239.255.255.250:1900\r\n"
+ payload = payload .. "ST:upnp:rootdevice\r\n"
+ payload = payload .. "Man:\"ssdp:discover\"\r\n"
+ payload = payload .. "MX:3\r\n\r\n"
+
+ try(socket:send(strbuf.dump(payload)))
+
+ local status
+ local response
+
+ -- read in any response we might get
+ status, response = socket:receive_bytes(1)
+
+ if (not status) or (response == "TIMEOUT") then
+ socket:close()
+ return
+ end
+
+ -- since we got something back, the port is definitely open
+ nmap.set_port_state(host, port, "open")
+
+ -- buffer to hold script output
+ local output
+
+ if response ~= nil then
+ -- We should get a response back that has contains one line for the server, and one line for the xml file location
+ -- these match any combination of upper and lower case responses
+ local server, location
+ server = string.match(response, "[Ss][Ee][Rr][Vv][Ee][Rr]:(.-)\010")
+ if server ~= nil then output = server .. "\n" end
+ location = string.match(response, "[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:(.-)\010")
+ if location ~= nil then
+ output = output .. "Location: " .. location
+
+ local v = nmap.verbosity()
+
+ -- the following check can output quite a lot of information, so we require at least one -v flag
+ if v > 0 then
+ -- split the location into an IP address, port, and path name for the xml file
+ local xhost, xport, xfile
+ xhost = string.match(location, "http://(.-)/")
+ -- check to see if the host portionof the location specifies a port
+ -- if not, use port 80 as a standard web server port
+ if xhost ~= nil and string.match(xhost, ":") then
+ xport = string.match(xhost, ":(.*)")
+ xhost = string.match(xhost, "(.*):")
+ end
+
+ if xport == nil then
+ xport = 80
+ end
+
+ -- check if the IP address in the location matches the IP address we're scanning
+ -- if not, alert the user, but continue to scan the IP address we're interested in
+ if xhost ~= host.ip then
+ output = output .. "\n !! Location did not match target IP address !! "
+ -- return output
+ xhost = host.ip
+ end
+
+ -- extract the path name from the location field, but strip off the \r that HTTP servers return
+ xfile = string.match(location, "http://.-/(.-)\013")
+ if xfile ~= nil then
+ strbuf.clear(payload)
+ -- create an HTTP request for the file, using the host and port we extracted earlier
+ payload = payload .. "GET /" .. xfile .. " HTTP/1.1\r\n"
+ payload = payload .. "Accept: text/xml, application/xml, text/html\r\n"
+ payload = payload .. "User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)\r\n"
+ payload = payload .. "Host: " .. xhost .. ":" .. xport .. "\r\n"
+ payload = payload .. "Connection: Keep-Alive\r\n"
+ payload = payload .. "Cache-Control: no-cache\r\n"
+ payload = payload .. "Pragma: no-cache\r\n\r\n"
+
+ socket = nmap.new_socket()
+ socket:set_timeout(5000)
+
+ try(socket:connect(xhost, xport, "tcp"))
+ try(socket:send(strbuf.dump(payload)))
+ -- we're expecting an xml file, and for UPnP purposes it should end in
+ status, response = socket:receive_buf("", true)
+
+ if (status) and (response ~= "TIMEOUT") then
+ if string.match(response, "HTTP/1.%d 200") then
+ local webserver
+ -- extract information about the webserver that is handling responses for the UPnP system
+ webserver = string.match(response, "[Ss][Ee][Rr][Vv][Ee][Rr]:(.-)\010")
+ if webserver ~= nil then output = output .. "\nWebserver: " .. webserver end
+
+ -- the schema for UPnP includes a number of entries, which can a number of interesting fields
+ for device in string.gmatch(response, "(.-)") do
+ local fn, mnf, mdl, nm, ver
+
+ fn = string.match(device, "(.-)")
+ mnf = string.match(device, "(.-)")
+ mdl = string.match(device, "(.-)")
+ nm = string.match(device, "(.-)")
+ ver = string.match(device, "(.-)")
+
+ if fn ~= nil then output = output .. "\n Name: " .. fn end
+ if mnf ~= nil then output = output .. "\n Manufacturer: " .. mnf end
+ if mdl ~= nil then output = output .. "\n Model Descr: " .. mdl end
+ if nm ~= nil then output = output .. "\n Model Name: " .. nm end
+ if ver ~= nil then output = output .. "\n Model Version: " .. ver end
+ end
+ end
+ end
+
+ socket:close()
+ end
+ end
+ end
+ return output
+ end
+end
diff --git a/scripts/anonFTP.nse b/scripts/anonFTP.nse
index 444c7045d..41d13ae70 100644
--- a/scripts/anonFTP.nse
+++ b/scripts/anonFTP.nse
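Review bot: In the re-added `action` body, `local output` is declared with no value, so an SSDP reply that carries a `LOCATION:` line but no `SERVER:` line reaches `output = output .. "Location: " .. location` with `output` still nil and the script aborts on a nil concatenation instead of reporting the location; `output = (output or "") .. "Location: " .. location` keeps that case working. The UDP socket is only closed on the timeout branch: once the reply has been read it is never used again, yet on the success path it is either overwritten by `socket = nmap.new_socket()` before the TCP fetch or simply left open at `return output`, so a `socket:close()` right after `nmap.set_port_state(host, port, "open")` would release it on every path. The port used for the follow-up connect comes straight from the device-supplied `Location:` header (the host is forced back to `host.ip`, but `xport` is whatever followed the colon), so a `tonumber(xport)` check before `try(socket:connect(xhost, xport, "tcp"))` would reject malformed values locally rather than inside the connect. These lines are re-indented copies of the removed ones, so all three issues predate this commit.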
@@ -1,22 +1,21 @@
---- Checks if an FTP server allows anonymous logins.
--- @output
--- |_ Anonymous FTP: Anonymous login allowed"
+id = "Anonymous FTP"
+description = [[
+Checks if a FTP server allows anonymous logins.
+]]
+
+---
+-- @output
+-- |_ Anonymous FTP: Anonymous login allowed
-id="Anonymous FTP"
-description="Checks to see if a FTP server allows anonymous logins"
 author = "Eddie Bell "
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"default", "auth", "intrusive"}
 require "shortport"
----
--- Works on port 21 or "ftp"
 portrule = shortport.port_or_service(21, "ftp")
----
--- Connects to the ftp server and checks if the server allows
--- anonymous logins.
+--- Connects to the ftp server and checks if the server allows anonymous logins.
 action = function(host, port)
 local socket = nmap.new_socket()
 local result
diff --git a/scripts/brutePOP3.nse b/scripts/brutePOP3.nse
index 8c4417dd5..6a3bcc5f4 100644
--- a/scripts/brutePOP3.nse
+++ b/scripts/brutePOP3.nse
@@ -1,6 +1,7 @@
 id = "POP3 brute force"
-
-description = "tries to log into a POP3 account"
+description = [[
+Tries to log into a POP3 account by guessing usernames and passwords.
+]]
 author = "Philip Pickering "
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
diff --git a/scripts/bruteTelnet.nse b/scripts/bruteTelnet.nse
index b4b9ab76d..f19bc42b4 100644
--- a/scripts/bruteTelnet.nse
+++ b/scripts/bruteTelnet.nse
@@ -1,9 +1,9 @@
---- Obtains the telnet login credentials on a server. This script
--- uses brute force techniques.
+id = 'bruteforce'
+description = [[
+Tries to get Telnet login credentials by guessing usernames and passwords.
+]]
-id='bruteforce'
 author = 'Eddie Bell '
-description='brute force telnet login credientials'
 license = 'Same as Nmap--See http://nmap.org/book/man-legal.html'
 categories = {'auth', 'intrusive'}
diff --git a/scripts/chargenTest.nse b/scripts/chargenTest.nse
index 5a16501fb..d3a16f3ef 100644
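Review bot: The bruteTelnet hunk keeps `id = 'bruteforce'` as the label Nmap prints for this script's results, which is less descriptive than the `POP3 brute force` id used by brutePOP3 in this same commit and becomes ambiguous once more than one brute-force script is loaded. Something like `id = "Telnet brute force"` would match the sibling script and make the output line self-explanatory. Note that the id is user-visible output, so the rename should be mentioned in the commit message if it is adopted.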
--- a/scripts/chargenTest.nse
+++ b/scripts/chargenTest.nse
@@ -1,9 +1,7 @@
---- This script connects to a UDP chargen service and attempts to read
--- some data.
-
 id = "Chargen"
-
-description = "Connects to the UDP chargen service and tries to read some bytes"
+description = [[
+Tries to read bytes from the UDP chargen service.
+]]
 author = "Diman Todorov "
diff --git a/scripts/daytimeTest.nse b/scripts/daytimeTest.nse
index 320ec21ae..63c3261ed 100644
--- a/scripts/daytimeTest.nse
+++ b/scripts/daytimeTest.nse
@@ -1,6 +1,7 @@
 id = "Daytime"
-
-description = "Connects to the UDP daytime service and on success prints the daytime."
+description = [[
+Retrieves the day and time from the UDP Daytime service.
+]]
 author = "Diman Todorov "
diff --git a/scripts/dns-safe-recursion-port.nse b/scripts/dns-safe-recursion-port.nse
index f3a899a53..f9d70ea1a 100644
--- a/scripts/dns-safe-recursion-port.nse
+++ b/scripts/dns-safe-recursion-port.nse
@@ -1,10 +1,11 @@
 id = "DNS source port randomness"
 description = [[
-Queries porttest.dns-oarc.net to check for the predictable-port DNS recursion
-vulnerability. Predictable source ports can make a DNS server vulnerable to
-cache poisoning attacks (CVE-2008-1447)
-\n
+Checks a DNS server for the predictable-port recursion vulnerability.
+Predictable source ports can make a DNS server vulnerable to cache poisoning
+attacks (CVE-2008-1447).
+\n\n
+The script works by querying porttest.dns-oarc.net.
 Be aware that any targets against which this script is run will be sent to and potentially recorded by one or more DNS servers and the porttest server. In addition your IP address will be sent along with the porttest query to the DNS
diff --git a/scripts/dns-safe-recursion-txid.nse b/scripts/dns-safe-recursion-txid.nse
index feff29800..135b3bae2 100644
--- a/scripts/dns-safe-recursion-txid.nse
+++ b/scripts/dns-safe-recursion-txid.nse
@@ -1,10 +1,11 @@
 id = "DNS TXID randomness"
 description = [[
-Queries txidtest.dns-oarc.net to check for the predictable-TXID DNS recursion
+Checks a DNS server for the predictable-TXID DNS recursion
 vulnerability. Predictable TXID values can make a DNS server vulnerable to
-cache poisoning attacks (CVE-2008-1447)"
-\n
+cache poisoning attacks (CVE-2008-1447).
+\n\n
+The script works by querying txidtest.dns-oarc.net.
 Be aware that any targets against which this script is run will be sent to and potentially recorded by one or more DNS servers and the txidtest server. In addition your IP address will be sent along with the txidtest query to the DNS
diff --git a/scripts/dns-test-open-recursion.nse b/scripts/dns-test-open-recursion.nse
index 829bb4da7..7f690be2e 100644
--- a/scripts/dns-test-open-recursion.nse
+++ b/scripts/dns-test-open-recursion.nse
@@ -1,6 +1,10 @@
 id = "Nameserver open recursive queries (CVE-1999-0024) (BID 136, 678)"
-description = "Checks if a nameserver on UDP/53 allows queries for third-party names. It is expected that recursion will be enabled on your own internal nameservers."
+description = [[
+Checks if a DNS server allows queries for third-party names.
+\n\n
+It is expected that recursion will be enabled on your own internal nameservers.
+]]
 author = "Felix Groebert "
diff --git a/scripts/echoTest.nse b/scripts/echoTest.nse
index 6e5f15cc9..a738a1a2d 100644
--- a/scripts/echoTest.nse
+++ b/scripts/echoTest.nse
@@ -1,7 +1,10 @@
 id = "Echo"
-
-description = "Connects to the UDP echo service, sends a string, receives a string and if both\
-strings are equal reports success."
+description = [[
+Tests the UDP echo service.
+\n\n
+The script sends a string, then receives a string and reports success if the
+two strings are equal.
+]]
 author = "Diman Todorov "
diff --git a/scripts/finger.nse b/scripts/finger.nse
index d24c91d85..1107c7098 100644
--- a/scripts/finger.nse
+++ b/scripts/finger.nse
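Review bot: The dns-test-open-recursion hunk leaves `id = "Nameserver open recursive queries (CVE-1999-0024) (BID 136, 678)"` untouched while the RealVNC change in this same commit deliberately moves the CVE out of `id` and into the description. For consistency the id could be shortened to `id = "Nameserver open recursive queries"` and the references appended to the new description's first sentence, e.g. `Checks if a DNS server allows queries for third-party names (CVE-1999-0024, BID 136, 678).`. The new description also drops the `UDP/53` detail the old one-line string carried; if the portrule still limits the check to UDP 53 that is worth keeping in the text, though the portrule itself is outside this hunk.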
@@ -1,6 +1,7 @@ -id="Finger Results" - -description="attempts to get a list of usernames via the finger service" +id = "Finger Results" +description = [[ +Attempts to get a list of usernames via the finger service. +]] author = "Eddie Bell " diff --git a/scripts/ftpbounce.nse b/scripts/ftpbounce.nse index e5ab6f709..ebc7a8e92 100644 --- a/scripts/ftpbounce.nse +++ b/scripts/ftpbounce.nse @@ -1,5 +1,7 @@ id="FTP bounce check" -description="Checks to see if a FTP server allows port scanning using FTP bounce method" +description=[[ +Checks to see if an FTP server allows port scanning using the FTP bounce method. +]] author="Marek Majkowski gmail.com>" license="Same as Nmap--See http://nmap.org/book/man-legal.html" diff --git a/scripts/iax2Detect.nse b/scripts/iax2Detect.nse index 4b53e7c3b..98aab7de7 100644 --- a/scripts/iax2Detect.nse +++ b/scripts/iax2Detect.nse @@ -1,7 +1,10 @@ -id= "IAX2 Service Detection" - -description = "Detects an listening UDP IAX2 service by using a \ - IAX Control Frame POKE request." +id = "IAX2 Service Detection" +description = [[ +Detects the UDP IAX2 service. +\n\n +The script sends an IAX Control Frame POKE request and checks for a proper +response. +]] author = "Ferdy Riphagen " diff --git a/scripts/ircServerInfo.nse b/scripts/ircServerInfo.nse index ce0402fa0..1448283c5 100644 --- a/scripts/ircServerInfo.nse +++ b/scripts/ircServerInfo.nse @@ -1,6 +1,12 @@ ---- Gather information from an IRC server. It uses STATS, LUSERS, and other --- queries to obtain this information. ---@output +id = "IRC Server Info" +description = [[ +Gathers information from an IRC server. +\n\n +It uses STATS, LUSERS, and other queries to obtain this information. +]] + +--- +-- @output -- 6665/tcp open irc\n -- | IRC Server Info: Server: foo.bar.net\n -- | Version: hyperion-1.0.2b(381). foo.bar.net \n 
@@ -9,10 +15,6 @@ -- | Source host: bar.foo.net\n -- |_ Source ident: OK n=nmap\n -id = "IRC Server Info" - -description = "Gets information from an IRC server by issuing STATS, LUSERS, etc queries." - author = "Doug Hoyte" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" diff --git a/scripts/ircZombieTest.nse b/scripts/ircZombieTest.nse index 1013390a1..fb5c1c2c0 100644 --- a/scripts/ircZombieTest.nse +++ b/scripts/ircZombieTest.nse @@ -1,9 +1,10 @@ ---- Checks if the target is an IRC zombie. - id = "IRC zombie" - -description = "If port 113 responds before we ask it then something is fishy.\ -Usually this means that the host is an irc zombie." +description = [[ +Checks for an IRC zombie. +\n\n +If port 113 responds before we ask it then something is fishy. Usually this +means that the host is an IRC zombie. +]] author = "Diman Todorov " diff --git a/scripts/nbstat.nse b/scripts/nbstat.nse index e6c7c6f4b..b57060a0f 100644 --- a/scripts/nbstat.nse +++ b/scripts/nbstat.nse @@ -1,11 +1,18 @@ ---- Sends a NetBIOS NBSTAT query to target host to try to determine the NetBIOS --- names and MAC address. By default, displays the name of the computer and the --- logged-in user; if verbosity is turned up, displays all names the system --- thinks it owns. \n --- ---@usage +id = "NBSTAT" +description = [[ +Attempt's to get the target's NetBIOS names and MAC address. +\n\n +By default, the script displays the name of the computer and the logged-in +user; if the verbosity is turned up, it displays all names the system thinks it +owns. +\n\n +For more information on the NetBIOS protocol, see 'nselib/netbios.lua'. +]] + +--- +-- @usage -- sudo nmap -sU --script nbstat.nse -p137 \n ---\n +-- -- @output -- (no verbose)\n -- |_ NBSTAT: NetBIOS name: TEST1, NetBIOS user: RON, NetBIOS MAC: 00:0c:29:f9:d9:28\n 
@@ -21,10 +28,6 @@ -- | Name: WORKGROUP<1d> Flags: \n -- |_ Name: \x01\x02__MSBROWSE__\x02<01> Flags: \n -id = "NBSTAT" -description = "Sends a NetBIOS query to target host to try to determine \ -the NetBIOS name and MAC address. For more information on the NetBIOS protocol, \ -see 'nselib/netbios.lua'." author = "Brandon Enright , Ron Bowes" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" diff --git a/scripts/popcapa.nse b/scripts/popcapa.nse index c500f60a4..138a87be9 100644 --- a/scripts/popcapa.nse +++ b/scripts/popcapa.nse @@ -1,6 +1,7 @@ id = "POP3 Capabilites" - -description = "retrieves POP3 server capabilites" +description = [[ +Retrieves POP3 server capabilities. +]] author = "Philip Pickering " license = "Same as Nmap--See http://nmap.org/book/man-legal.html" diff --git a/scripts/promiscuous.nse b/scripts/promiscuous.nse index 63faf50df..42961d2fe 100644 --- a/scripts/promiscuous.nse +++ b/scripts/promiscuous.nse @@ -1,16 +1,13 @@ id = "Promiscuous detection" -description = "Checks if hosts on local ethernet have network card in promiscuous mode." +description = [[ +Checks if a target on a local Ethernet has its network card in promiscuous mode. +\n\n +The technique is described at +http://www.securityfriday.com/promiscuous_detection_01.pdf. +]] author = "Marek Majkowski " license = "Same as Nmap--See http://nmap.org/book/man-legal.html" ---[[ -This script tries to guess if node in local ethernet is in promisucous mode. - -The technique is described here: - http://www.securityfriday.com/promiscuous_detection_01.pdf - -]]-- - categories = {"discovery"} -- okay, we're interested only in hosts that are on our ethernet lan diff --git a/scripts/ripeQuery.nse b/scripts/ripeQuery.nse index 27630e6bd..425f80539 100644 --- a/scripts/ripeQuery.nse +++ b/scripts/ripeQuery.nse 
@@ -1,10 +1,8 @@ -require "comm" -require "ipOps" - id = "RIPE query" description = [[ -Connects to the RIPE database, extracts and prints the role: entry for the IP. -\n +Connects to the RIPE database and displays the role: entry for the target's IP +address. +\n\n This script uses an external database. Your IP address and the IP address of the target will be sent to whois.ripe.net. ]] @@ -13,6 +11,9 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"discovery", "external"} +require "comm" +require "ipOps" + hostrule = function(host, port) return not ipOps.isPrivate(host.ip) end diff --git a/scripts/robots.nse b/scripts/robots.nse index cbfce0cc9..fff6ef377 100644 --- a/scripts/robots.nse +++ b/scripts/robots.nse @@ -1,3 +1,10 @@ +id = "robots.txt" +description = [[ +Checks for disallowed entries in robots.txt. +\n\n +The higher the verbosity or debug level, the more disallowed entries are shown. +]] + --- --@output -- 80/tcp open http syn-ack\n @@ -15,9 +22,7 @@ require('shortport') require('strbuf') require('http') -id = "robots.txt" author = "Eddie Bell " -description = "check for robots.txt with disallowed entries (print them in debug/verbose mode)" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"default", "safe"} runlevel = 1.0 diff --git a/scripts/rpcinfo.nse b/scripts/rpcinfo.nse index e9f302d03..c5e1abb6c 100644 --- a/scripts/rpcinfo.nse +++ b/scripts/rpcinfo.nse @@ -1,7 +1,10 @@ +id = "rpcinfo" +description = [[ +Connects to portmapper and fetches a list of all registered programs. +]] + --- --- Connects to portmapper and fetches a list of all registered programs --- ---@output +-- @output -- 111/tcp open rpcbind\n -- | rpcinfo:\n -- | 100000 2 111/udp rpcbind\n 
@@ -22,8 +25,6 @@ require "bin" require "bit" require "tab" -id = "rpcinfo" -description = "connects to portmapper and fetches a list of all registered programs" author = "Sven Klemm " license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"default","safe","discovery"} diff --git a/scripts/showHTMLTitle.nse b/scripts/showHTMLTitle.nse index 313f02b14..2ef94504e 100644 --- a/scripts/showHTMLTitle.nse +++ b/scripts/showHTMLTitle.nse @@ -1,13 +1,19 @@ +id = "HTML title" +description = [[ +Shows the title of the default page of a web server. +\n\n +The script will follow no more than one HTTP redirect, and only if the +redirection leads to the same host. The script may send a DNS query to +determine if the host the redirect leads to has the same IP address as the +original target. +]] + --- --@output -- 80/tcp open http syn-ack\n -- |_ HTML title: Foo.\n --@copyright Same as Nmap--See http://nmap.org/book/man-legal.html -id = "HTML title" - -description = "Connects to an HTTP server and extracts the title of the default page." - author = "Diman Todorov " license = "Same as Nmap--See http://nmap.org/book/man-legal.html" diff --git a/scripts/showHTTPVersion.nse b/scripts/showHTTPVersion.nse index 84b0f1d98..c195785c6 100644 --- a/scripts/showHTTPVersion.nse +++ b/scripts/showHTTPVersion.nse @@ -1,8 +1,10 @@ -description = "Demonstration of a version detection NSE script. It checks and reports\ -the version of a remote web server. For real life purposes it is better to use the\ -Nmap version detection." - id = "HTTP version" +description = [[ +Detects the version of a web server. +\n\n +This is a demonstration script. Its function is done better by normal version +detection. +]] author = "Diman Todorov " diff --git a/scripts/showOwner.nse b/scripts/showOwner.nse index 013bb75fb..828b58c10 100644 --- a/scripts/showOwner.nse +++ b/scripts/showOwner.nse 
@@ -1,12 +1,10 @@ ---- Queries the owner of a service on a scanned port. Uses port 113 to --- make the query. ---@output --- - id = "Service owner" - -description = "Opens a connection to the scanned port, opens a connection to port 113, queries the owner\ -of the service on the scanned port and prints it." +description = [[ +Attempts to find the owner of a scanned port. +\n\n +The script makes a connection to the auth port (113) and queries the owner of +an open port. +]] author = "Diman Todorov " diff --git a/scripts/showSMTPVersion.nse b/scripts/showSMTPVersion.nse index 11a10562c..804184418 100644 --- a/scripts/showSMTPVersion.nse +++ b/scripts/showSMTPVersion.nse @@ -1,12 +1,13 @@ ---- Queries the version of an SMTP server. ---@output +id = "SMTP version" +description = [[ +Prints the version of an SMTP server. +]] + +--- +-- @output -- 25/tcp open smtp\n -- |_ SMTP version: 220 mail.foo.com mx-2.bar.com ESMTP Exim 4.64\n -id = "SMTP version" - -description = "Simple script which queries and prints the version of an SMTP server." - author = "Diman Todorov " license = "Same as Nmap--See http://nmap.org/book/man-legal.html" diff --git a/scripts/showSSHVersion.nse b/scripts/showSSHVersion.nse index 1b71d6aca..ce93e79d0 100644 --- a/scripts/showSSHVersion.nse +++ b/scripts/showSSHVersion.nse 
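Review bot: The new showOwner description no longer says that the script first opens a connection to the scanned port before asking port 113 about it, which the removed text (`Opens a connection to the scanned port, opens a connection to port 113, queries the owner of the service on the scanned port`) did state. That first connection is the whole mechanism, since an ident query reports the owner of an existing TCP connection, and a reader of the new text could assume the script only talks to 113. I would restore it as `The script opens a connection to the scanned port, then connects to the auth port (113) and asks for the owner of that connection.` The script body that would confirm the exact sequence is outside this hunk.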
@@ -1,14 +1,15 @@ ---- Queries the version from an SSH Server. This typically does not result --- in any logs of the connection being made. ---@output +id = "Stealth SSH version" +description = [[ +Connects to an SSH server and retrieves the version banner. +\n\n +This typically does not result in any logs of the connection being made. +]] + +--- +-- @output -- 22/tcp open ssh\n -- |_ Stealth SSH version: SSH-2.0-OpenSSH_3.9p1\n -id = "Stealth SSH version" - -description = "Connects to an SSH server, queries the version string and echos it back. This tends to result\ -in the scanning attempt not being logged by the ssh daemon on the target." - author = "Diman Todorov " license = "Same as Nmap--See http://nmap.org/book/man-legal.html" diff --git a/scripts/skype_v2-version.nse b/scripts/skype_v2-version.nse index 617c79ae6..97613d83f 100644 --- a/scripts/skype_v2-version.nse +++ b/scripts/skype_v2-version.nse @@ -1,5 +1,7 @@ -id="Skype v2" -description="Determines if remote service is Skype protocol version 2" +id = "Skype v2" +description = [[ +Detects the Skype version 2 service. +]] author = "Brandon Enright " license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"version"} diff --git a/scripts/smb-enumdomains.nse b/scripts/smb-enumdomains.nse index 6492fb6da..5982c4137 100644 --- a/scripts/smb-enumdomains.nse +++ b/scripts/smb-enumdomains.nse 
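Review bot: The Stealth SSH version description drops the mechanism that justified the name: the removed text said the script `queries the version string and echos it back`, while the new text keeps only the effect, `This typically does not result in any logs of the connection being made.` Without the why, the claim reads as unexplained, and a later edit to the exchange could silently lose the property. Suggest `The script reads the server's version banner and sends it back, which typically results in the connection not being logged by the SSH daemon.` The exchange itself is outside this hunk, so the wording should be checked against the script body.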
@@ -1,19 +1,23 @@ ---- Attempts to enumerate domains on a system, along with their policies. This will likely --- only work without credentials against Windows 2000. \n --- \n --- After the initial bind() to SAMR, the sequence of calls is:\n --- Connect4() -- get a connect_handle\n --- EnumDomains() -- get a list of the domains (stop here if you just want the names)\n --- QueryDomain() -- get the sid for the domain\n --- OpenDomain() -- get a handle for each domain\n --- QueryDomainInfo2() -- get the domain information\n --- ---@usage +id = "MSRPC: List of domains" +description = [[ +Attempts to enumerate domains on a system, along with their policies. This will +likely only work without credentials against Windows 2000. +\n\n +After the initial bind() to SAMR, the sequence of calls is:\n +Connect4() -- get a connect_handle\n +EnumDomains() -- get a list of the domains (stop here if you just want the names)\n +QueryDomain() -- get the sid for the domain\n +OpenDomain() -- get a handle for each domain\n +QueryDomainInfo2() -- get the domain information\n +]] + +--- +-- @usage -- nmap --script smb-enumdomains.nse -p445 \n -- sudo nmap -sU -sS --script smb-enumdomains.nse -p U:137,T:139 \n -- ---@output --- Host script results: +-- @output +-- Host script results:\n -- | MSRPC: List of domains:\n -- | Domain: TEST1\n -- | |_ SID: S-1-5-21-1060284298-842925246-839522115\n @@ -29,11 +33,8 @@ -- | |_ Password properties: \n -- | |_ Password complexity requirements do not exist\n -- |_ |_ Administrator account cannot be locked out\n - ----------------------------------------------------------------------- -id = "MSRPC: List of domains" -description = "Tries calling the EnumDomains() and QueryDomainInfo2() RPC function to obtain a list of domains/policies." author = "Ron Bowes" copyright = "Ron Bowes" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" diff --git a/scripts/smb-enumshares.nse b/scripts/smb-enumshares.nse index 6cf1e3615..9e2292fa5 100644 
--- a/scripts/smb-enumshares.nse +++ b/scripts/smb-enumshares.nse 
@@ -1,29 +1,30 @@ ---- Attempts to call the srvsvc.NetShareEnumAll() MSRPC function. This will --- likely only work anonymously against Windows 2000. \n ---\n --- There isn't a whole lot to say about this one. The sequence of calls after --- the initial bind() is:\n --- NetShareEnumAll()\n ---\n --- Since NetShareEnumAll() only works anonymously, if it fails this will check --- a handful of common shares. \n ---\n --- Once it has a list of shares, whether it was pulled over MSRPC or guessed, --- we attempt to connect to each of them with a standard smb tree_connect request --- over a null session. We record which ones succeeded and failed (that is, which --- shares allowed for anonymous access).\n --- +id = "MSRPC: NetShareEnumAll()" +description = [[ +Attempts to list shares using the srvsvc.NetShareEnumAll() MSRPC function. This +will likely only work anonymously against Windows 2000. +\n\n +There isn't a whole lot to say about this one. The sequence of calls after +the initial bind() is:\n +NetShareEnumAll() +\n\n +Since NetShareEnumAll() only works anonymously, if it fails this will check +a handful of common shares. +\n\n +Once it has a list of shares, whether it was pulled over MSRPC or guessed, +we attempt to connect to each of them with a standard smb tree_connect request +over a null session. We record which ones succeeded and failed (that is, which +shares allowed for anonymous access). +]] + +--- --@usage -- nmap --script smb-enumshares.nse -p445 \n --- sudo nmap -sU -sS --script smb-enumshares.nse -p U:137,T:139 \n +-- sudo nmap -sU -sS --script smb-enumshares.nse -p U:137,T:139 -- --@output --- Host script results:\n -- TODO ----------------------------------------------------------------------- -id = "MSRPC: NetShareEnumAll()" -description = "Tries calling the NetShareEnumAll() RPC function, and guessing shares" author = "Ron Bowes" copyright = "Ron Bowes" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 
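Review bot: The sentence `Since NetShareEnumAll() only works anonymously, if it fails this will check a handful of common shares.` contradicts the paragraph above it, which says the call `will likely only work anonymously against Windows 2000`; presumably the intended meaning is that the anonymous call usually fails elsewhere. I would reword it to `Since NetShareEnumAll() rarely works anonymously, if it fails the script falls back to checking a handful of common share names.` The `@output` section still holds the `TODO` placeholder, and a commit that normalizes every script's NSEDoc is the natural place to either fill it with a real sample or remove it.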
diff --git a/scripts/smb-enumusers.nse b/scripts/smb-enumusers.nse index c3a38e71f..d30500057 100644 --- a/scripts/smb-enumusers.nse +++ b/scripts/smb-enumusers.nse 
@@ -1,73 +1,80 @@ ---- Attempts to enumerate the users on a remote Windows system, with as much information as possible, --- through a variety of techniques (over SMB + MSRPC, which uses port 445 or 139). \n ---\n --- Will first attempt to call the QueryDisplayInfo() MSRPC function. If NULL sessions are enabled, --- this will succeed and pull back a detailed list of users. Unfortunately, this likely won't succeed --- unless we're scanning Windows 2000. When this test is performed, the following MSRPC functions --- are called:\n ---\n --- Bind() -- bind to the SAMR service\n --- Connect4() -- get a connect_handle\n --- EnumDomains() -- get a list of the domains\n --- QueryDomain() -- get the sid for the domain\n --- OpenDomain() -- get a handle for each domain\n --- QueryDisplayInfo() -- get the list of users in the domain\n --- Close() -- Close the domain handle\n --- Close() -- Close the connect handle\n ---\n --- Credit goes out to the enum.exe program, the code I wrote for this is largely due to packetlogs --- I took of its operations. \n ---\n --- Regardless of whether or not this succeeds, a second technique is used to pull user accounts. --- This one is apparently successful against more machines, although I haven't found a machine --- that this only works against. However, I did find that this will turn up more users for certain --- systems (although I haven't figured out why). \n --- \n --- Each user on a Windows system has an RID. The RID of 500 is the Administrator account (even if --- it's renamed), 501 is the Guest account, and 1000+ are the user accounts. This technique, which --- was originally used in the sid2user/user2sid programs, will attempt to convert common RID numbers --- to names to discover users. \n --- \n --- First, the SID of the server has to be determined. This is done by looking up any name present on --- the server using a technique like user2sid. 
For this code, we try and convert as many names as we --- can find -- all we need is one valid name for this to succeed. In this code, I use:\n --- - The computer name / domain name, returned in SMB_COM_NEGOTIATE\n --- - An nbstat query to get the server name and the currently loggeed in user\n --- - Some common names ("administrator", "guest", and "test")\n ---\n --- In theory, the computer name should be sufficient for this to always work, and the rest of the \n --- names are in there for good measure. \n ---\n --- Once that's completed, the RIDs 500 - 505 are requested, and any responses are displayed. Then, --- starting at 1000, we take small groups of RIDs which are requestd. I break them into --- smaller groups because if too many are requested at once, we get a STATUS_BUFFER_OVERFLOW --- error. We try every RID up to 1100, then, as soon as we get an empty group (5 RIDs in a row --- without a result), we stop. \n ---\n --- It might be a good idea to modify this, in the future, with some more intelligence. For example, --- have it run until it get 5 groups in a row with no results instead of going up to 1100. I --- performed a test on an old server we have here with a lot of accounts, and I got these results: --- 500, 501, 1000, 1030, 1031, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063, --- 1064, 1065, 1066, 1067, 1070, 1075, 1081, 1088, 1090. The jump from 1000 to 1030 is quite large --- and can easily result in missing accounts.\n ---\n --- The disadvantage of using the user2sid/sid2user technique is that less information is returned --- about the user. \n ---\n --- The names and details from both of these techniques are merged and displayed. If the output is --- verbose, then as many details as possible are displayed, otherwise only the list of usernames --- are displayed. 
The names are ordered alphabetically.\n --- ---@usage +id = "MSRPC: List of user accounts" +description = [[ +Attempts to enumerate the users on a remote Windows system, with as much +information as possible, through a variety of techniques (over SMB + MSRPC, +which uses port 445 or 139). +\n\n +Will first attempt to call the QueryDisplayInfo() MSRPC function. If NULL +sessions are enabled, this will succeed and pull back a detailed list of users. +Unfortunately, this likely won't succeed unless we're scanning Windows 2000. +When this test is performed, the following MSRPC functions are called:\n +Bind() -- bind to the SAMR service\n +Connect4() -- get a connect_handle\n +EnumDomains() -- get a list of the domains\n +QueryDomain() -- get the sid for the domain\n +OpenDomain() -- get a handle for each domain\n +QueryDisplayInfo() -- get the list of users in the domain\n +Close() -- Close the domain handle\n +Close() -- Close the connect handle +\n\n +Credit goes out to the enum.exe program, the code I wrote for this is largely +due to packetlogs I took of its operations. +\n\n +Regardless of whether or not this succeeds, a second technique is used to pull +user accounts. This one is apparently successful against more machines, +although I haven't found a machine that this only works against. However, I did +find that this will turn up more users for certain systems (although I haven't +figured out why). +\n\n +Each user on a Windows system has an RID. The RID of 500 is the Administrator +account (even if it's renamed), 501 is the Guest account, and 1000+ are the +user accounts. This technique, which was originally used in the +sid2user/user2sid programs, will attempt to convert common RID numbers to names +to discover users. +\n\n +First, the SID of the server has to be determined. This is done by looking up +any name present on the server using a technique like user2sid. 
For this code, +we try and convert as many names as we can find -- all we need is one valid +name for this to succeed. In this code, I use:\n +- The computer name / domain name, returned in SMB_COM_NEGOTIATE\n +- An nbstat query to get the server name and the currently loggeed in user\n +- Some common names ("administrator", "guest", and "test") +\n\n +In theory, the computer name should be sufficient for this to always work, and +the rest of the names are in there for good measure. +\n\n +Once that's completed, the RIDs 500 - 505 are requested, and any responses are +displayed. Then, starting at 1000, we take small groups of RIDs which are +requestd. I break them into smaller groups because if too many are requested at +once, we get a STATUS_BUFFER_OVERFLOW error. We try every RID up to 1100, then, +as soon as we get an empty group (5 RIDs in a row without a result), we stop. +\n\n +It might be a good idea to modify this, in the future, with some more +intelligence. For example, have it run until it get 5 groups in a row with no +results instead of going up to 1100. I performed a test on an old server we +have here with a lot of accounts, and I got these results: 500, 501, 1000, +1030, 1031, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063, +1064, 1065, 1066, 1067, 1070, 1075, 1081, 1088, 1090. The jump from 1000 to +1030 is quite large and can easily result in missing accounts. +\n\n +The disadvantage of using the user2sid/sid2user technique is that less +information is returned about the user. +\n\n +The names and details from both of these techniques are merged and displayed. +If the output is verbose, then as many details as possible are displayed, +otherwise only the list of usernames are displayed. The names are ordered +alphabetically. 
+]] + +--- +-- @usage -- nmap --script smb-enumusers.nse -p445 \n --- sudo nmap -sU -sS --script smb-enumusers.nse -p U:137,T:139 \n +-- sudo nmap -sU -sS --script smb-enumusers.nse -p U:137,T:139 -- ---@output +-- @output -- TODO ----------------------------------------------------------------------- -id = "MSRPC: List of user accounts" -description = "Tries calling SAMR and LSA functions to get a list of user accounts." author = "Ron Bowes" copyright = "Ron Bowes" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" diff --git a/scripts/smb-os-discovery.nse b/scripts/smb-os-discovery.nse index 8d8989d95..e0a3ac038 100644 --- a/scripts/smb-os-discovery.nse +++ b/scripts/smb-os-discovery.nse @@ -1,9 +1,15 @@ ---- Attempts to determine the operating system over SMB protocol (ports 445 and 139). --- See nselib/smb.lua for more information on this protocol. --- +id = "OS from SMB" +description = [[ +Attempts to determine the operating system over the SMB protocol (ports 445 and +139). +\n\n +See nselib/smb.lua for more information on this protocol. +]] + +--- --@usage -- nmap --script smb-os-discovery.nse -p445 127.0.0.1\n --- sudo nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 127.0.0.1\n +-- sudo nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 127.0.0.1 -- --@output -- | OS from SMB: Windows 2000\n @@ -13,8 +19,6 @@ -- ----------------------------------------------------------------------- -id = "OS from SMB" -description = "Attempts to determine the operating system over the SMB protocol (ports 445 and 139)." author = "Ron Bowes" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"default", "discovery", "safe"} diff --git a/scripts/smb-security-mode.nse b/scripts/smb-security-mode.nse index 3c5ce4fa3..01cb877f0 100644 --- a/scripts/smb-security-mode.nse +++ b/scripts/smb-security-mode.nse 
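Review bot: The long smb-enumusers description carries several typos into the new text: `currently loggeed in user` (logged), `groups of RIDs which are requestd` (requested), and `until it get 5 groups in a row` (gets). Now that this block is a description string rather than a comment, NSEDoc renders it, so they are user-visible. The `@output` section for this script is still `TODO`, as it is for smb-enumshares.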
@@ -1,36 +1,41 @@ ---- Returns information about the SMB security level determined by SMB. \n ---\n --- Here is how to interpret the output:\n ---\n --- User-level security: Each user has a separate username/password that is used --- to log into the system. This is the default setup of pretty much everything --- these days. \n --- Share-level security: The anonymous account should be used to log in, then --- the password is given (in plaintext) when a share is accessed. All users who --- have access to the share use this password. This was the original way of doing --- things, but isn't commonly seen, now. If a server uses share-level security, --- it is vulnerable to sniffing. \n ---\n --- Challenge/response passwords: If enabled, the server can accept any type of --- password:\n --- * Plaintext\n --- * LM and NTLM\n --- * LMv2 and NTLMv2\n --- If it isn't set, the server can only accept plaintext passwords. Most servers --- are configured to use challenge/response these days. If a server is configured --- to accept plaintext passwords, it is vulnerable to sniffing. \n ---\n --- Message signing: If required, all messages between the client and server must --- sign be signed by a shared key, derived from the password and the server --- challenge. If supported and not required, message signing is negotiated between --- clients and servers and used if both support and request it. By default, Windows clients --- don't sign messages, so if message signing isn't required by the server, messages --- probably won't be signed; additionally, if performing a man-in-the-middle attack, --- an attacker can negotiate no message signing. If message signing isn't required, the --- server is vulnerable to man-in-the-middle attacks. \n --- \n --- See nselib/smb.lua for more information on the protocol itself. \n ---\n +id = "SMB Security" +description = [[ +Returns information about the SMB security level determined by SMB. 
+\n\n +Here is how to interpret the output: +\n\n +User-level security: Each user has a separate username/password that is used +to log into the system. This is the default setup of pretty much everything +these days.\n +Share-level security: The anonymous account should be used to log in, then +the password is given (in plaintext) when a share is accessed. All users who +have access to the share use this password. This was the original way of doing +things, but isn't commonly seen, now. If a server uses share-level security, +it is vulnerable to sniffing. +\n\n +Challenge/response passwords: If enabled, the server can accept any type of +password:\n +* Plaintext\n +* LM and NTLM\n +* LMv2 and NTLMv2\n +If it isn't set, the server can only accept plaintext passwords. Most servers +are configured to use challenge/response these days. If a server is configured +to accept plaintext passwords, it is vulnerable to sniffing. +\n\n +Message signing: If required, all messages between the client and server must +sign be signed by a shared key, derived from the password and the server +challenge. If supported and not required, message signing is negotiated between +clients and servers and used if both support and request it. By default, +Windows clients don't sign messages, so if message signing isn't required by +the server, messages probably won't be signed; additionally, if performing a +man-in-the-middle attack, an attacker can negotiate no message signing. If +message signing isn't required, the server is vulnerable to man-in-the-middle +attacks. +\n\n +See nselib/smb.lua for more information on the protocol itself.\n +]] + +--- --@usage -- nmap --script smb-security-mode.nse -p445 127.0.0.1\n -- sudo nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139 127.0.0.1\n 
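Review bot: The Message signing paragraph in the new smb-security-mode description reads `all messages between the client and server must sign be signed by a shared key`, a stray `sign` carried over from the old comment; it should be `must be signed with a shared key`. The description also ends with a literal `\n` on the `See nselib/smb.lua for more information on the protocol itself.` line right before `]]`, unlike every other description in this commit, which will render as a trailing blank line. While here, `Returns information about the SMB security level determined by SMB.` is circular; if the values come from the negotiate response, `Returns the security mode advertised by an SMB server.` would say what is actually reported, though that should be confirmed against the script body outside this hunk.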
@@ -42,8 +47,6 @@ -- ----------------------------------------------------------------------- -id = "SMB Security" -description = "Attempts to determine the security mode over the SMB protocol (ports 445 and 139)." author = "Ron Bowes" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"discovery", "safe"} diff --git a/scripts/strangeSMTPport.nse b/scripts/strangeSMTPport.nse index 567a719d4..4ef5640d9 100644 --- a/scripts/strangeSMTPport.nse +++ b/scripts/strangeSMTPport.nse @@ -1,17 +1,16 @@ ---- Checks if SMTP is running on a non-standard port. This usually indicates --- crackers or script kiddies have set up a backdoor on the system --- to send spam or control your machine. ---@output +id = "Unexpected SMTP" +description = [[ +Checks if SMTP is running on a non-standard port. +\n\n +This usually indicates crackers or script kiddies have set up a backdoor on the +system to send spam or control your machine. +]] + +--- +-- @output -- 22/tcp open ssh\n -- |_ Warning: smtp is running on a strange port.\n -id = "Unexpected SMTP" - -description = "\ -If smtp is running on a strange port\ -there be a backdoor set up by crackers to send spam\ -or even control your machine." - author = "Diman Todorov " license = "Same as Nmap--See http://nmap.org/book/man-legal.html" diff --git a/scripts/whois.nse b/scripts/whois.nse index c102c9f08..1babf7244 100644 --- a/scripts/whois.nse +++ b/scripts/whois.nse @@ -1,3 +1,4 @@ +id = "Whois" description = [[ Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address. @@ -69,7 +70,7 @@ the RIRs. -- \n nmap target --script whois --script-args whois={whodb=nocache} -- \n\n -- - +-- -- -- -- @output @@ -83,7 +84,6 @@ the RIRs. -- \n|_ country: US stateprov: CA -- -id = "Whois" author = "jah " license = "See Nmap License: http://nmap.org/book/man-legal.html" runlevel = 1 
diff --git a/scripts/xamppDefaultPass.nse b/scripts/xamppDefaultPass.nse index 529298d15..27935e9eb 100644 --- a/scripts/xamppDefaultPass.nse +++ b/scripts/xamppDefaultPass.nse @@ -1,16 +1,17 @@ ---- Checks if the remote host is running XAMP or XAMPP's FTP server --- allows access with nobody/xampp. XAMP is an Apache distribution --- designed for easy installation and administration. +id = "XAMPP default pwd" +description = [[ +Check if an XAMP or XAMPP FTP server uses a default username and password. +\n\n +XAMP is an Apache distribution designed for easy installation and +administration. The default username/password combination the script checks for +is nobody/xampp. +]] + +--- -- @output -- 21/tcp open ftp\n -- |_ Login success with u/p: foo/bar\n -id = "XAMPP default pwd" - -description = "If the remote host is running XAMP (an Apache distribution\ -designed for easy installation and administration) and XAMPP's FTP server is\ -allows access with nobody/xampp then we report it." - author = "Diman Todorov " license = "Same as Nmap--See http://nmap.org/book/man-legal.html" diff --git a/scripts/zoneTrans.nse b/scripts/zoneTrans.nse index 15db360c8..12c4fe42d 100644 --- a/scripts/zoneTrans.nse +++ b/scripts/zoneTrans.nse 
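Review bot: The first line of the new xamppDefaultPass description, `Check if an XAMP or XAMPP FTP server uses a default username and password.`, should be `Checks if ...` to match the third-person form used by every other description in this commit. The `@output` sample kept below it still shows `Login success with u/p: foo/bar`, while the description now states that the only combination tried is `nobody/xampp`, so the sample shows a result the script cannot produce; `-- |_ Login success with u/p: nobody/xampp\n` would match.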
@@ -1,23 +1,25 @@
---- Request a zone transfer (AXFR) from a DNS server.\n
--- \n
--- Send axfr queries to DNS servers. The domain to query is determined
--- by examining the name given on the command line, the domain servers
--- hostname, or it can be specified with the "domain" script argument.
--- If the query is successful all domains and domain types are returned
--- along with common type specific data (SOA/MX/NS/PTR/A).\n
--- \n
--- constraints\n
--- -----------\n
--- If we don't have the 'true' hostname for the dns server we cannot
--- determine a likely zone to perform the transfer on.\n
--- \n
--- useful resources\n
--- ----------------\n
--- DNS for rocket scientists - http://www.zytrax.com/books/dns/\n
--- How the AXFR protocol works - http://cr.yp.to/djbdns/axfr-notes.html\n
---
---@args zoneTrans.domain Domain to transfer.
---@output
+id = 'zone-transfer'
+description = [[
+Requests a zone transfer (AXFR) from a DNS server.
+\n\n
+The script sends an AXFR query to a DNS server. The domain to query is determined
+by examining the name given on the command line, the DNS server's
+hostname, or it can be specified with the "domain" script argument.
+If the query is successful all domains and domain types are returned
+along with common type specific data (SOA/MX/NS/PTR/A).
+\n\n
+Constraints\n
+If we don't have the 'true' hostname for the dns server we cannot
+determine a likely zone to perform the transfer on.
+\n\n
+Useful resources\n
+DNS for rocket scientists - http://www.zytrax.com/books/dns/\n
+How the AXFR protocol works - http://cr.yp.to/djbdns/axfr-notes.html\n
+]]
+
+---
+-- @args zoneTrans.domain Domain to transfer.
+-- @output
 -- 53/tcp open domain
 -- | zone-transfer: \n
 -- | foo.com. SOA ns2.foo.com. piou.foo.com. \n
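Review bot: The sentence carried into the new `description` string, "all domains and domain types are returned", misdescribes what a successful AXFR yields: the response is the set of resource records of one zone, not a list of domains, so it should read `If the query is successful, all records in the zone are returned along with common type-specific data (SOA/MX/NS/PTR/A).` Operators would also benefit from a warning that the request goes straight to the target name server, where transfer attempts from unauthorised sources are commonly logged and may trigger alerts; a sentence such as `The request is sent directly to the target name server and is likely to be logged there.` fits after the first paragraph. Whether the transfer is carried over TCP cannot be confirmed from this hunk; only the 53/tcp example output is visible.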
@@ -51,9 +53,7 @@ require('listop')
 require('bit')
 require('tab')
-id = 'zone-transfer'
 author = 'Eddie Bell '
-description = 'Request a zone transfer (AXFR) from a DNS server'
 license = 'Same as Nmap--See http://nmap.org/book/man-legal.html'
 categories = {'default', 'intrusive', 'discovery'}
 runlevel = 1.0
