Normalize NSEDoc documentation of scripts.

I made every script follow a standard form: it starts with the id, followed by the description. The description is contained in [[ ]] delimiters. The description is in the global description variable, not in a LuaDoc comment. Other LuaDoc information such as @args and @usage follows the description in a comment. The first paragraph of each description is a a short summary of what the script does. More detailed information, if any, is given in following paragraphs. I also improved some wording and formatting in a few cases.
2025-12-14 19:59:02 +00:00 · 2008-10-14 20:52:50 +00:00
parent 1508da5acc
commit 8bd71aaf43
53 changed files with 634 additions and 573 deletions
--- a/scripts/ASN.nse
+++ b/scripts/ASN.nse
@@ -1,17 +1,18 @@
 id = "AS Numbers"
 description = [[
-This script performs IP address to Autonomous System Numbers (ASN) lookups.  It
+Maps IP addresses to autonomous system (AS) numbers.
-sends DNS TXT queries to a DNS server which in turn queries a third party
+\n\n
-service provided by Team Cymru (team-cymru.org) using an in-addr.arpa style
+The script works by sending DNS TXT queries to a DNS server which in turn
-zone set-up especially for use by Nmap.
+queries a third-party service provided by Team Cymru (team-cymru.org) using an
-\n
+in-addr.arpa style zone set-up especially for use by Nmap.
 \n\n
 The responses to these queries contain both Origin and Peer ASNs and their
 descriptions, displayed along with the BG Prefix and Country Code.
-\n
+\n\n
 The script caches results to reduce the number of queries and should perform a
 single query for all scanned targets in a BG Prefix present in Team Cymru's
 database.
-\n
+\n\n
 Be aware that any targets against which this script is run will be sent to and
 potentially recorded by one or more DNS servers and Team Cymru. In addition
 your IP address will be sent along with the ASN to a DNS server (your default
--- a/scripts/HTTPAuth.nse
+++ b/scripts/HTTPAuth.nse
@@ -1,15 +1,17 @@
 id = "HTTP Auth"
 description = [[
 Gets the authentication scheme and realm of a web service that requires
 authentication.
 ]]
 ---
--@output
+-- @output
 -- |  HTTP Auth: HTTP Service requires authentication\n
 -- |_   Auth type: Basic, realm = DSL Router\n
 -- HTTP authentication information gathering script
 -- rev 1.1 (2007-05-25)
 id = "HTTP Auth"
 description = "If a web server requires authentication, prints the authentication scheme and realm"
 author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/HTTP_open_proxy.nse
+++ b/scripts/HTTP_open_proxy.nse
@@ -1,4 +1,14 @@
--- Checks if an HTTP Proxy is Open to us.
+id="Open Proxy Test"
 description=[[
 Checks if an HTTP proxy is open.
 \n\n
 The script attempts to connect to www.google.com through the proxy and checks
 for a 'Server: gws' header field in the response.
 \n\n
 If the target is an open proxy, this script will cause the target to retrieve a
 web page from www.google.com.
 ]]
 -- Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
 -- Changelog: Added explode() function. Header-only matching now works.
 --   * Fixed set_timeout
@@ -7,13 +17,6 @@
 --   * Match case-insensitively against "^Server: gws" rather than
 --     case-sensitively against "^Server: GWS/".
 id="Open Proxy Test"
 description=[[
 Test if a discovered proxy is open to us by connecting to www.google.com and checking for the 'Server: gws' header response.
 \n
 If the target is an open proxy, this script will cause the target to retrieve a
 web page from www.google.com.
 ]]
 author = "Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"default", "discovery", "external", "intrusive"}
--- a/scripts/HTTPpasswd.nse
+++ b/scripts/HTTPpasswd.nse
@@ -1,5 +1,9 @@
--- Probes an HTTP server via directory traversal for /etc/passwd
+id = "HTTP directory traversal passwd probe"
--
+description = [[
 Checks if a web server is vulnerable to directory traversal by attempting to
 retrieve /etc/passwd.
 ]]
 -- 07/20/2007:
 --   * Used Thomas Buchanan's HTTPAuth script as a starting point
 --   * Applied some great suggestions from Brandon Enright, thanks a lot man!
@@ -8,10 +12,6 @@
 --   * Rewritten to use Sven Klemm's excellent HTTP library and to do some much
 --     needed cleaning up
 id = "HTTP directory traversal passwd probe"
 description = "Probe for /etc/passwd if server is susceptible to directory traversal"
 author = "Kris Katterjohn <katterjohn@gmail.com>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/HTTPtrace.nse
+++ b/scripts/HTTPtrace.nse
@@ -1,6 +1,11 @@
--- Sends and HTTP TRACE and describes any modifications
+id = "HTTP TRACE"
--
+description = [[
--@output
+Sends an HTTP TRACE request and shows header fields that were modified in the
 response.
 ]]
 ---
 -- @output
 -- 80/tcp open  http \n
 -- |  HTTP TRACE: Response differs from request.  First 5 additional lines: \n
 -- |  Cookie: UID=d4287aa38d02f409841b4e0c0050c13148a85d01c0c0a154d4ef56dfc2b4fc1b0 \n
@@ -11,10 +16,6 @@
 -- 08/31/2007
 id = "HTTP TRACE"
 description = "Send HTTP TRACE method and print modifications"
 author = "Kris Katterjohn <katterjohn@gmail.com>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/MSSQLm.nse
+++ b/scripts/MSSQLm.nse
@@ -1,9 +1,8 @@
 -- Microsoft SQL Server information gathering script
 -- rev 1.0 (2007-06-09)
 id = "MS SQL"
-
+description = [[
-description = "Attempts to extract information from Microsoft SQL Server"
+Attempts to extract information from Microsoft SQL Server.
 ]]
 -- rev 1.0 (2007-06-09)
 author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
--- a/scripts/MySQLinfo.nse
+++ b/scripts/MySQLinfo.nse
@@ -1,10 +1,14 @@
--- Connects to a MySQL server and prints information such as the protocol and
+id = "MySQL Server Information"
--- version numbers, thread id, status, capabilities and the password salt
+description = [[
--
+Connects to a MySQL server and prints information such as the protocol and
-- If service detection is performed and the server appears to be blocking
+version numbers, thread ID, status, capabilities, and the password salt.
-- our host or is blocked from too many connections, then we don't bother
+\n\n
-- running this script (see the portrule)
+If service detection is performed and the server appears to be blocking
--
+our host or is blocked from too many connections, then we don't bother
 running this script (see the portrule).
 ]]
 ---
 --@output
 -- 3306/tcp open  mysql \n
 -- |  MySQL Server Information: Protocol: 10 \n
@@ -16,10 +20,6 @@
 -- Many thanks to jah (jah@zadkiel.plus.com) for testing and enhancements
 id = "MySQL Server Information"
 description = "Connects to a MySQL server and prints information"
 author = "Kris Katterjohn <katterjohn@gmail.com>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/PPTPversion.nse
+++ b/scripts/PPTPversion.nse
@@ -1,9 +1,8 @@
 -- PPTP information gathering script
 -- rev 0.2 (11-14-2007)
 id = "PPTP"
-
+description = [[
-description = "Attempts to extract system information from PPTP service"
+Attempts to extract system information from the PPTP service.
 ]]
 -- rev 0.2 (11-14-2007)
 author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
--- a/scripts/RealVNC_auth_bypass.nse
+++ b/scripts/RealVNC_auth_bypass.nse
@@ -1,5 +1,8 @@
-id="RealVNC Authentication Bypass (CVE-2006-2369)"
+id = "RealVNC Authentication Bypass"
-description="Checks to see if the VNC Server is vulnerable to the RealVNC authentication bypass."
+description = [[
 Checks if a VNC server is vulnerable to the RealVNC authentication bypass
 (CVE-2006-2369).
 ]]
 author = "Brandon Enright <bmenrigh@ucsd.edu>" 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/SMTP_openrelay_test.nse
+++ b/scripts/SMTP_openrelay_test.nse
@@ -1,3 +1,8 @@
 id = "Open Relay SMTP"
 description = [[
 Checks if an SMTP server is an open relay.
 ]]
 -- Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
 -- Same as Nmap--See http://nmap.org/book/man-legal.html file for licence details
 -- This is version 20070516.
@@ -10,8 +15,6 @@
 --   * The "ourdomain" variable's contents are used instead of hardcoded "insecure.org". Settable by the user.
 --   * Fixed tags -> categories (reported by Jason DePriest to nmap-dev)
 id="Open Relay SMTP"
 description="Checks to see if a SMTP server is an open relay"
 categories = {"demo"}
 require "shortport"
--- a/scripts/SMTPcommands.nse
+++ b/scripts/SMTPcommands.nse
@@ -1,8 +1,10 @@
--- SMTP supported commands gathering script \n
+id = "SMTPcommands"
-- \n
+description = [[
-- Attempts to use EHLO and HELP to gather the Extended commands an
+Attempts to use EHLO and HELP to gather the Extended commands supported by an
-- SMTP server supports.
+SMTP server.
-- \n
+]]
 ---
 -- @output
 -- 25/tcp	open	smtp \n
 -- |  SMTPcommands: EHLO uninvited.example.net Hello root at localhost [127.0.0.1], SIZE 52428800, PIPELINING, 250 HELP \n
@@ -41,8 +43,6 @@
 -- script and from Arturo 'Buanzo' Busleiman's SMTP open relay
 -- detector script.
 id = "SMTPcommands"
 description = "Attempts to use EHLO and HELP to gather the Extended commands an SMTP server supports."
 author = "Jason DePriest <jrdepriest@gmail.com>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"default", "discovery", "safe"}
--- a/scripts/SNMPcommunitybrute.nse
+++ b/scripts/SNMPcommunitybrute.nse
@@ -1,9 +1,8 @@
 -- SNMP community string brute force script
 -- 2008-07-03
 id = "SNMPv1-communitybrute"
-
+description = [[
-description = "Attempts to find SNMP community string by brute force"
+Attempts to find an SNMP community string by brute force.
 ]]
 -- 2008-07-03
 author = "Philip Pickering <pgpickering@gmail.com>"
--- a/scripts/SNMPsysdescr.nse
+++ b/scripts/SNMPsysdescr.nse
@@ -1,12 +1,13 @@
--- SNMP version 1 system information gathering script
+id = "SNMPv1"
 description = [[
 Attempts to extract system information from an SNMP version 1 service.
 ]]
 ---
 -- @output
 -- |  SNMPv1: HP ETHERNET MULTI-ENVIRONMENT,ROM A.25.80,JETDIRECT,JD117,EEPROM V.28.22,CIDATE 08/09/2006 \n
 -- |_   System uptime: 28 days, 17:18:59 (248153900 timeticks)
 id = "SNMPv1"
 description = "Attempts to extract system information from SNMP service"
 author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
@@ -19,11 +20,8 @@ require "snmp"
 -- runs after SNMPcommunityprobe.nse
 runlevel = 2
 ---
 -- Runs on UDP port 161
 portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"})
 ---
 -- Sends SNMP packets to host and reads responses
 action = function(host, port)
--- a/scripts/SQLInject.nse
+++ b/scripts/SQLInject.nse
@@ -1,26 +1,24 @@
--[[
+id = "sql-inject"
-
+description = [[
-Experimental SQL injection spider
+Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL
---------------------------------
+injection attack.
-Spiders a http server looking for URLs containing queries.
+\n\n
-It then proceeds to combine crafted sql commands with 
+The script spiders an HTTP server looking for URLs containing queries.
-susceptible urls in order to obtain errors. The errors
+It then proceeds to combine crafted SQL commands with 
 susceptible URLs in order to obtain errors. The errors
 are analysed to see if the url is vulnerable to attack. 
 This uses the most basic form of SQL injection but anything
 more complication is more suited to a stand alone tool. 
-Both meta and http redirects are supported.
+Both meta and HTTP redirects are supported.
-
+\n\n
 It is not advisable to run this against unknown hosts.
-
+\n\n
-NOTES
+NOTES\n
 -----
 * We may not have access to the servers true hostname. 
  This means we cannot access virtually hosted sites and
  cannot follow absolute links when the hostname is 
  different from the resolved ip address
-
+]]
 --]]
 require('url')
 require('shortport')
@@ -28,10 +26,7 @@ require('stdnse')
 require('strbuf')
 require('listop')
 id = "sql-inject"
 author = "Eddie Bell <ejlbell@gmail.com>"
 description = "spiders a http server looking for URLs containing queries \
 		and tries to determines if they are vulnerable to injection attack"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"intrusive", "vuln"}
 runlevel = 1.0
--- a/scripts/SSH-hostkey.nse
+++ b/scripts/SSH-hostkey.nse
@@ -1,13 +1,17 @@
--- Shows SSH Hostkeys 
+id = "SSH Hostkey"
--
+description = [[
-- Shows fingerprint or fingerprint and key depending on verbosity level.
+Shows SSH hostkeys.
-- Puts the found hostkeys in nmap.registry for other scripts to use them.
+\n\n
-- You can control the output with the ssh_hostkey script argument. Possible
+Shows fingerprint or fingerprint and key depending on verbosity level.
-- values are bubble,visual,full and all.
+Puts the found hostkeys in nmap.registry for other scripts to use them.
--
+You can control the output with the ssh_hostkey script argument. Possible
 values are bubble, visual, full and all.
 ]]
 ---
 --@usage
-- nmap host --script SSH-hostkey --script-args ssh_hostkey=full
+-- nmap host --script SSH-hostkey --script-args ssh_hostkey=full\n
-- nmap host --script SSH-hostkey --script-args ssh_hostkey=all
+-- nmap host --script SSH-hostkey --script-args ssh_hostkey=all\n
 -- nmap host --script SSH-hostkey --script-args ssh_hostkey='visual bubble'
 --
 --@output
@@ -29,10 +33,7 @@
 -- 22/tcp open  ssh\n
 -- |  SSH Hostkey: 2048 xuvah-degyp-nabus-zegah-hebur-nopig-bubig-difeg-hisym-rumef-cuxex (RSA)\n
 -- |_ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwVuv2gcr0maaKQ69VVIEv2ob4OxnuI64fkeOnCXD1lUx5tTA+vefXUWEMxgMuA7iX4irJHy2zer0NQ3Z3yJvr5scPgTYIaEOp5Uo/eGFG9Agpk5wE8CoF0e47iCAPHqzlmP2V7aNURLMODb3jVZuI07A2ZRrMGrD8d888E2ORVORv1rYeTYCqcMMoVFmX9l3gWEdk4yx3w5sD8v501Iuyd1v19mPfyhrI5E1E1nl/Xjp5N0/xP2GUBrdkDMxKaxqTPMie/f0dXBUPQQN697a5q+5lBRPhKYOtn6yQKCd9s1Q22nxn72Jmi1RzbMyYJ52FosDT755Qmb46GLrDMaZMQ==
 id = "SSH Hostkey"
 author = "Sven Klemm <sven@c3d2.de>"
 description = "Show SSH Hostkeys"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"safe","default","intrusive"}
--- a/scripts/SSHv1-support.nse
+++ b/scripts/SSHv1-support.nse
@@ -1,5 +1,7 @@
-id="SSH Protocol Version 1"
+id = "SSH Protocol Version 1"
-description="Checks to see if SSH server supports SSH Protocol Version 1."
+description = [[
 Checks if an SSH server supports SSH Protocol Version 1.
 ]]
 author = "Brandon Enright <bmenrigh@ucsd.edu>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"default", "safe"}
--- a/scripts/SSLv2-support.nse
+++ b/scripts/SSLv2-support.nse
@@ -1,5 +1,10 @@
--- Determines if the target server supports SSL-v2 and what cyphers it
+id = "SSLv2"
-- supports.
+description = [[
 Determines whether the server (still) supports SSL-v2, and what cyphers it
 offers.
 ]]
 ---
 --@ouput
 -- 443/tcp open   https   syn-ack\n
 -- |  SSLv2: server still supports SSLv2\n
@@ -10,8 +15,6 @@
 -- |       SSL2_RC4_128_EXPORT40_WITH_MD5\n
 -- |_      SSL2_RC2_CBC_128_CBC_WITH_MD5\n
 id = "SSLv2"
 description = "Determines whether the server (still) supports SSL-v2, and what cyphers it offers."
 author = "Matt <mb2263@bristol.ac.uk>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/UPnP-info.nse
+++ b/scripts/UPnP-info.nse
@@ -1,162 +1,163 @@
--- UPnP network service information gathering script
+id = "UPnP"
 description = [[
 Attempts to extract system information from the UPnP service.
 ]]
 ---
 -- @output
 -- |  UPnP:  System/1.0 UPnP/1.0 IGD/1.0 \n
 -- |_ Location: http://192.168.1.1:80/UPnP/IGD.xml
-
+
-id = "UPnP"
+author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
-
+
-description = "Attempts to extract system information from UPnP service"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-
+
-author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
+categories = {"default", "safe"}
-
+
-license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+require("stdnse")
-
+require("shortport")
-categories = {"default", "safe"}
+require("strbuf")
 require("stdnse")
 require("shortport")
 require("strbuf")
 ---
-- Runs on UDP port 1900
+-- Runs on UDP port 1900
-portrule = shortport.portnumber(1900, "udp", {"open", "open|filtered"})
+portrule = shortport.portnumber(1900, "udp", {"open", "open|filtered"})
 ---
 -- Sends UPnP discovery packet to host, 
-- and extracts service information from results
+-- and extracts service information from results
-action = function(host, port)
+action = function(host, port)
-	
+	
-	-- create the socket used for our connection
+	-- create the socket used for our connection
-	local socket = nmap.new_socket()
+	local socket = nmap.new_socket()
-	
+	
-	-- set a reasonable timeout value
+	-- set a reasonable timeout value
-	socket:set_timeout(5000)
+	socket:set_timeout(5000)
-	
+	
-	-- do some exception handling / cleanup
+	-- do some exception handling / cleanup
-	local catch = function()
+	local catch = function()
-		socket:close()
+		socket:close()
-	end
+	end
-	
+	
-	local try = nmap.new_try(catch)
+	local try = nmap.new_try(catch)
-	
+	
-	-- connect to the potential UPnP system
+	-- connect to the potential UPnP system
-	try(socket:connect(host.ip, port.number, "udp"))
+	try(socket:connect(host.ip, port.number, "udp"))
-	
+	
-	local payload = strbuf.new()
+	local payload = strbuf.new()
-	
+	
-	-- for details about the UPnP message format, see http://upnp.org/resources/documents.asp
+	-- for details about the UPnP message format, see http://upnp.org/resources/documents.asp
-	payload = payload .. "M-SEARCH * HTTP/1.1\r\n"
+	payload = payload .. "M-SEARCH * HTTP/1.1\r\n"
-	payload = payload .. "Host:239.255.255.250:1900\r\n"
+	payload = payload .. "Host:239.255.255.250:1900\r\n"
-	payload = payload .. "ST:upnp:rootdevice\r\n"
+	payload = payload .. "ST:upnp:rootdevice\r\n"
-	payload = payload .. "Man:\"ssdp:discover\"\r\n"
+	payload = payload .. "Man:\"ssdp:discover\"\r\n"
-	payload = payload .. "MX:3\r\n\r\n"
+	payload = payload .. "MX:3\r\n\r\n"
-	
+	
-	try(socket:send(strbuf.dump(payload)))
+	try(socket:send(strbuf.dump(payload)))
-	
+	
-	local status
+	local status
-	local response
+	local response
-	
+	
-	-- read in any response we might get
+	-- read in any response we might get
-	status, response = socket:receive_bytes(1)
+	status, response = socket:receive_bytes(1)
-
+
-	if (not status) or (response == "TIMEOUT") then
+	if (not status) or (response == "TIMEOUT") then
-		socket:close()
+		socket:close()
-		return
+		return
-	end
+	end
-
+
-	-- since we got something back, the port is definitely open
+	-- since we got something back, the port is definitely open
-	nmap.set_port_state(host, port, "open")
+	nmap.set_port_state(host, port, "open")
-	
+	
-	-- buffer to hold script output
+	-- buffer to hold script output
-	local output
+	local output
-	
+	
-	if response ~= nil then
+	if response ~= nil then
-		-- We should get a response back that has contains one line for the server, and one line for the xml file location
+		-- We should get a response back that has contains one line for the server, and one line for the xml file location
-		-- these match any combination of upper and lower case responses
+		-- these match any combination of upper and lower case responses
-		local server, location
+		local server, location
-		server = string.match(response, "[Ss][Ee][Rr][Vv][Ee][Rr]:(.-)\010")
+		server = string.match(response, "[Ss][Ee][Rr][Vv][Ee][Rr]:(.-)\010")
-		if server ~= nil then output = server .. "\n" end
+		if server ~= nil then output = server .. "\n" end
-		location = string.match(response, "[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:(.-)\010")
+		location = string.match(response, "[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:(.-)\010")
-		if location ~= nil then
+		if location ~= nil then
-			output = output .. "Location: " .. location 
+			output = output .. "Location: " .. location 
-			
+			
-			local v = nmap.verbosity()
+			local v = nmap.verbosity()
-			
+			
-			-- the following check can output quite a lot of information, so we require at least one -v flag
+			-- the following check can output quite a lot of information, so we require at least one -v flag
-			if v > 0 then
+			if v > 0 then
-				-- split the location into an IP address, port, and path name for the xml file
+				-- split the location into an IP address, port, and path name for the xml file
-				local xhost, xport, xfile
+				local xhost, xport, xfile
-				xhost = string.match(location, "http://(.-)/")
+				xhost = string.match(location, "http://(.-)/")
-				-- check to see if the host portionof the location specifies a port
+				-- check to see if the host portionof the location specifies a port
-				-- if not, use port 80 as a standard web server port
+				-- if not, use port 80 as a standard web server port
-				if xhost ~= nil and string.match(xhost, ":") then
+				if xhost ~= nil and string.match(xhost, ":") then
-					xport = string.match(xhost, ":(.*)")
+					xport = string.match(xhost, ":(.*)")
-					xhost = string.match(xhost, "(.*):")
+					xhost = string.match(xhost, "(.*):")
-				end
+				end
-
+
-				if xport == nil then
+				if xport == nil then
-					xport = 80
+					xport = 80
-				end
+				end
-
+
-				-- check if the IP address in the location matches the IP address we're scanning
+				-- check if the IP address in the location matches the IP address we're scanning
-				-- if not, alert the user, but continue to scan the IP address we're interested in
+				-- if not, alert the user, but continue to scan the IP address we're interested in
-				if xhost ~= host.ip then 
+				if xhost ~= host.ip then 
-					output = output .. "\n !! Location did not match target IP address !! "
+					output = output .. "\n !! Location did not match target IP address !! "
-				--	return output 
+				--	return output 
-					xhost = host.ip
+					xhost = host.ip
-				end
+				end
-
+
-				-- extract the path name from the location field, but strip off the \r that HTTP servers return
+				-- extract the path name from the location field, but strip off the \r that HTTP servers return
-				xfile = string.match(location, "http://.-/(.-)\013")
+				xfile = string.match(location, "http://.-/(.-)\013")
-				if xfile ~= nil then
+				if xfile ~= nil then
-					strbuf.clear(payload)
+					strbuf.clear(payload)
-					-- create an HTTP request for the file, using the host and port we extracted earlier
+					-- create an HTTP request for the file, using the host and port we extracted earlier
-					payload = payload .. "GET /" .. xfile .. " HTTP/1.1\r\n"
+					payload = payload .. "GET /" .. xfile .. " HTTP/1.1\r\n"
-					payload = payload .. "Accept: text/xml, application/xml, text/html\r\n"
+					payload = payload .. "Accept: text/xml, application/xml, text/html\r\n"
-					payload = payload .. "User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)\r\n"
+					payload = payload .. "User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)\r\n"
-					payload = payload .. "Host: " .. xhost .. ":" .. xport .. "\r\n"
+					payload = payload .. "Host: " .. xhost .. ":" .. xport .. "\r\n"
-					payload = payload .. "Connection: Keep-Alive\r\n"
+					payload = payload .. "Connection: Keep-Alive\r\n"
-					payload = payload .. "Cache-Control: no-cache\r\n"
+					payload = payload .. "Cache-Control: no-cache\r\n"
-					payload = payload .. "Pragma: no-cache\r\n\r\n"
+					payload = payload .. "Pragma: no-cache\r\n\r\n"
-
+
-					socket = nmap.new_socket()
+					socket = nmap.new_socket()
-					socket:set_timeout(5000)
+					socket:set_timeout(5000)
-
+
-					try(socket:connect(xhost, xport, "tcp"))
+					try(socket:connect(xhost, xport, "tcp"))
-					try(socket:send(strbuf.dump(payload)))
+					try(socket:send(strbuf.dump(payload)))
-					-- we're expecting an xml file, and for UPnP purposes it should end in </root>
+					-- we're expecting an xml file, and for UPnP purposes it should end in </root>
-					status, response = socket:receive_buf("</root>", true)
+					status, response = socket:receive_buf("</root>", true)
-
+
-					if (status) and (response ~= "TIMEOUT") then
+					if (status) and (response ~= "TIMEOUT") then
-						if string.match(response, "HTTP/1.%d 200") then
+						if string.match(response, "HTTP/1.%d 200") then
-							local webserver
+							local webserver
-							-- extract information about the webserver that is handling responses for the UPnP system
+							-- extract information about the webserver that is handling responses for the UPnP system
-							webserver = string.match(response, "[Ss][Ee][Rr][Vv][Ee][Rr]:(.-)\010")
+							webserver = string.match(response, "[Ss][Ee][Rr][Vv][Ee][Rr]:(.-)\010")
-							if webserver ~= nil then output = output .. "\nWebserver: " .. webserver end
+							if webserver ~= nil then output = output .. "\nWebserver: " .. webserver end
-
+
-							-- the schema for UPnP includes a number of <device> entries, which can a number of interesting fields
+							-- the schema for UPnP includes a number of <device> entries, which can a number of interesting fields
-							for device in string.gmatch(response, "<deviceType>(.-)</UDN>") do
+							for device in string.gmatch(response, "<deviceType>(.-)</UDN>") do
-								local fn, mnf, mdl, nm, ver
+								local fn, mnf, mdl, nm, ver
-
+
-								fn = string.match(device, "<friendlyName>(.-)</friendlyName>")
+								fn = string.match(device, "<friendlyName>(.-)</friendlyName>")
-								mnf = string.match(device, "<manufacturer>(.-)</manufacturer>")
+								mnf = string.match(device, "<manufacturer>(.-)</manufacturer>")
-								mdl = string.match(device, "<modelDescription>(.-)</modelDescription>")
+								mdl = string.match(device, "<modelDescription>(.-)</modelDescription>")
-								nm = string.match(device, "<modelName>(.-)</modelName>")
+								nm = string.match(device, "<modelName>(.-)</modelName>")
-								ver = string.match(device, "<modelNumber>(.-)</modelNumber>")
+								ver = string.match(device, "<modelNumber>(.-)</modelNumber>")
-
+
-								if fn ~= nil then output = output .. "\n Name: " .. fn end
+								if fn ~= nil then output = output .. "\n Name: " .. fn end
-								if mnf ~= nil then output = output .. "\n  Manufacturer: " .. mnf end
+								if mnf ~= nil then output = output .. "\n  Manufacturer: " .. mnf end
-								if mdl ~= nil then output = output .. "\n  Model Descr: " .. mdl end
+								if mdl ~= nil then output = output .. "\n  Model Descr: " .. mdl end
-								if nm ~= nil then output = output .. "\n  Model Name: " .. nm end
+								if nm ~= nil then output = output .. "\n  Model Name: " .. nm end
-								if ver ~= nil then output = output .. "\n  Model Version: " .. ver end
+								if ver ~= nil then output = output .. "\n  Model Version: " .. ver end
-							end
+							end
-						end
+						end
-					end
+					end
-
+
-					socket:close()
+					socket:close()
-				end
+				end
-			end	
+			end	
-		end
+		end
-		return output
+		return output
-	end
+	end
-end
+end
--- a/scripts/anonFTP.nse
+++ b/scripts/anonFTP.nse
@@ -1,22 +1,21 @@
--- Checks if an FTP server allows anonymous logins.
+id = "Anonymous FTP"
-- @output
+description = [[
-- |_ Anonymous FTP: Anonymous login allowed"
+Checks if a FTP server allows anonymous logins.
 ]]
 ---
 -- @output
 -- |_ Anonymous FTP: Anonymous login allowed
 id="Anonymous FTP"
 description="Checks to see if a FTP server allows anonymous logins"
 author = "Eddie Bell <ejlbell@gmail.com>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"default", "auth", "intrusive"}
 require "shortport"
 ---
 -- Works on port 21 or "ftp"
 portrule = shortport.port_or_service(21, "ftp")
---
+--- Connects to the ftp server and checks if the server allows anonymous logins.
 -- Connects to the ftp server and checks if the server allows
 -- anonymous logins.
 action = function(host, port)
 	local socket = nmap.new_socket()
 	local result
--- a/scripts/brutePOP3.nse
+++ b/scripts/brutePOP3.nse
@@ -1,6 +1,7 @@
 id = "POP3 brute force"
-
+description = [[
-description = "tries to log into a POP3 account"
+Tries to log into a POP3 account by guessing usernames and passwords.
 ]]
 author = "Philip Pickering <pgpickering@gmail.com>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/bruteTelnet.nse
+++ b/scripts/bruteTelnet.nse
@@ -1,9 +1,9 @@
--- Obtains the telnet login credentials on a server. This script
+id = 'bruteforce'
-- uses brute force techniques. 
+description = [[
 Tries to get Telnet login credentials by guessing usernames and passwords.
 ]]
 id='bruteforce'
 author = 'Eddie Bell <ejlbell@gmail.com>'
 description='brute force telnet login credientials'
 license = 'Same as Nmap--See http://nmap.org/book/man-legal.html'
 categories = {'auth', 'intrusive'}
--- a/scripts/chargenTest.nse
+++ b/scripts/chargenTest.nse
@@ -1,9 +1,7 @@
 --- This script connects to a UDP chargen service and attempts to read
 -- some data.
 id = "Chargen"
-
+description = [[
-description = "Connects to the UDP chargen service and tries to read some bytes"
+Tries to read bytes from the UDP chargen service.
 ]]
 author = "Diman Todorov <diman.todorov@gmail.com>"
--- a/scripts/daytimeTest.nse
+++ b/scripts/daytimeTest.nse
@@ -1,6 +1,7 @@
 id = "Daytime"
-
+description = [[
-description = "Connects to the UDP daytime service and on success prints the daytime."
+Retrieves the day and time from the UDP Daytime service.
 ]]
 author = "Diman Todorov <diman.todorov@gmail.com>"
--- a/scripts/dns-safe-recursion-port.nse
+++ b/scripts/dns-safe-recursion-port.nse
@@ -1,10 +1,11 @@
 id = "DNS source port randomness"
 description = [[
-Queries porttest.dns-oarc.net to check for the predictable-port DNS recursion
+Checks a DNS server for the predictable-port recursion vulnerability.
-vulnerability.  Predictable source ports can make a DNS server vulnerable to
+Predictable source ports can make a DNS server vulnerable to cache poisoning
-cache poisoning attacks (CVE-2008-1447)
+attacks (CVE-2008-1447).
-\n
+\n\n
 The script works by querying porttest.dns-oarc.net.
 Be aware that any targets against which this script is run will be sent to and
 potentially recorded by one or more DNS servers and the porttest server. In
 addition your IP address will be sent along with the porttest query to the DNS
--- a/scripts/dns-safe-recursion-txid.nse
+++ b/scripts/dns-safe-recursion-txid.nse
@@ -1,10 +1,11 @@
 id = "DNS TXID randomness"
 description = [[
-Queries txidtest.dns-oarc.net to check for the predictable-TXID DNS recursion
+Checks a DNS server for the predictable-TXID DNS recursion
 vulnerability.  Predictable TXID values can make a DNS server vulnerable to
-cache poisoning attacks (CVE-2008-1447)"
+cache poisoning attacks (CVE-2008-1447).
-\n
+\n\n
 The script works by querying txidtest.dns-oarc.net.
 Be aware that any targets against which this script is run will be sent to and
 potentially recorded by one or more DNS servers and the txidtest server. In
 addition your IP address will be sent along with the txidtest query to the DNS
--- a/scripts/dns-test-open-recursion.nse
+++ b/scripts/dns-test-open-recursion.nse
@@ -1,6 +1,10 @@
 id = "Nameserver open recursive queries (CVE-1999-0024) (BID 136, 678)"
-description = "Checks if a nameserver on UDP/53 allows queries for third-party names. It is expected that recursion will be enabled on your own internal nameservers."
+description = [[
 Checks if a DNS server allows queries for third-party names.
 \n\n
 It is expected that recursion will be enabled on your own internal nameservers.
 ]]
 author = "Felix Groebert <felix@groebert.org>"
--- a/scripts/echoTest.nse
+++ b/scripts/echoTest.nse
@@ -1,7 +1,10 @@
 id = "Echo"
-
+description = [[
-description = "Connects to the UDP echo service, sends a string, receives a string and if both\
+Tests the UDP echo service.
-strings are equal reports success."
+\n\n
 The script sends a string, then receives a string and reports success if the
 two strings are equal.
 ]]
 author = "Diman Todorov <diman.todorov@gmail.com>"
--- a/scripts/finger.nse
+++ b/scripts/finger.nse
@@ -1,6 +1,7 @@
-id="Finger Results"
+id = "Finger Results"
-
+description = [[
-description="attempts to get a list of usernames via the finger service"
+Attempts to get a list of usernames via the finger service.
 ]]
 author = "Eddie Bell <ejlbell@gmail.com>"
--- a/scripts/ftpbounce.nse
+++ b/scripts/ftpbounce.nse
@@ -1,5 +1,7 @@
 id="FTP bounce check"
-description="Checks to see if a FTP server allows port scanning using FTP bounce method"
+description=[[
 Checks to see if an FTP server allows port scanning using the FTP bounce method.
 ]]
 author="Marek Majkowski <majek04<at>gmail.com>"
 license="Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/iax2Detect.nse
+++ b/scripts/iax2Detect.nse
@@ -1,7 +1,10 @@
-id= "IAX2 Service Detection"
+id = "IAX2 Service Detection"
-
+description = [[
-description = "Detects an listening UDP IAX2 service by using a \
+Detects the UDP IAX2 service.
-				IAX Control Frame POKE request." 
+\n\n
 The script sends an IAX Control Frame POKE request and checks for a proper
 response.
 ]]
 author = "Ferdy Riphagen <f.riphagen@nsec.nl>"
--- a/scripts/ircServerInfo.nse
+++ b/scripts/ircServerInfo.nse
@@ -1,6 +1,12 @@
--- Gather information from an IRC server. It uses STATS, LUSERS, and other
+id = "IRC Server Info"
-- queries to obtain this information.
+description = [[
--@output
+Gathers information from an IRC server.
 \n\n
 It uses STATS, LUSERS, and other queries to obtain this information.
 ]]
 ---
 -- @output
 -- 6665/tcp open     irc\n
 -- |  IRC Server Info: Server: foo.bar.net\n
 -- |  Version: hyperion-1.0.2b(381). foo.bar.net \n
@@ -9,10 +15,6 @@
 -- |  Source host: bar.foo.net\n
 -- |_ Source ident: OK n=nmap\n
 id = "IRC Server Info"
 description = "Gets information from an IRC server by issuing STATS, LUSERS, etc queries."
 author = "Doug Hoyte"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/ircZombieTest.nse
+++ b/scripts/ircZombieTest.nse
@@ -1,9 +1,10 @@
 --- Checks if the target is an IRC zombie.
 id = "IRC zombie"
-
+description = [[
-description = "If port 113 responds before we ask it then something is fishy.\
+Checks for an IRC zombie.
-Usually this means that the host is an irc zombie."
+\n\n
 If port 113 responds before we ask it then something is fishy. Usually this
 means that the host is an IRC zombie.
 ]]
 author = "Diman Todorov <diman.todorov@gmail.com>"
--- a/scripts/nbstat.nse
+++ b/scripts/nbstat.nse
@@ -1,11 +1,18 @@
--- Sends a NetBIOS NBSTAT query to target host to try to determine the NetBIOS
+id = "NBSTAT"
--  names and MAC address. By default, displays the name of the computer and the
+description = [[
--  logged-in user; if verbosity is turned up, displays all names the system
+Attempt's to get the target's NetBIOS names and MAC address.
--  thinks it owns. \n
+\n\n
--
+By default, the script displays the name of the computer and the logged-in
--@usage
+user; if the verbosity is turned up, it displays all names the system thinks it
 owns.
 \n\n
 For more information on the NetBIOS protocol, see 'nselib/netbios.lua'.
 ]]
 ---
 -- @usage
 -- sudo nmap -sU --script nbstat.nse -p137 <host>\n
--\n
+--
 -- @output
 -- (no verbose)\n
 -- |_ NBSTAT: NetBIOS name: TEST1, NetBIOS user: RON, NetBIOS MAC: 00:0c:29:f9:d9:28\n
@@ -21,10 +28,6 @@
 -- |  Name: WORKGROUP<1d>        Flags: <unique><active>\n
 -- |_ Name: \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>\n
 id = "NBSTAT"
 description = "Sends a NetBIOS query to target host to try to determine \
 the NetBIOS name and MAC address. For more information on the NetBIOS protocol, \
 see 'nselib/netbios.lua'."
 author = "Brandon Enright <bmenrigh@ucsd.edu>, Ron Bowes"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/popcapa.nse
+++ b/scripts/popcapa.nse
@@ -1,6 +1,7 @@
 id = "POP3 Capabilites"
-
+description = [[
-description = "retrieves POP3 server capabilites"
+Retrieves POP3 server capabilities.
 ]]
 author = "Philip Pickering <pgpickering@gmail.com>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/promiscuous.nse
+++ b/scripts/promiscuous.nse
@@ -1,16 +1,13 @@
 id = "Promiscuous detection"
-description = "Checks if hosts on local ethernet have network card in promiscuous mode."
+description = [[
 Checks if a target on a local Ethernet has its network card in promiscuous mode.
 \n\n
 The technique is described at
 http://www.securityfriday.com/promiscuous_detection_01.pdf.
 ]]
 author = "Marek Majkowski <majek04+nse@gmail.com>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 --[[
 This script tries to guess if node in local ethernet is in promisucous mode.
 The technique is described here:
 http://www.securityfriday.com/promiscuous_detection_01.pdf
 ]]--
 categories = {"discovery"}
 -- okay, we're interested only in hosts that are on our ethernet lan
--- a/scripts/ripeQuery.nse
+++ b/scripts/ripeQuery.nse
@@ -1,10 +1,8 @@
 require "comm"
 require "ipOps"
 id = "RIPE query"
 description = [[
-Connects to the RIPE database, extracts and prints the role: entry for the IP.
+Connects to the RIPE database and displays the role: entry for the target's IP
-\n
+address.
 \n\n
 This script uses an external database. Your IP address and the IP address of
 the target will be sent to whois.ripe.net.
 ]]
@@ -13,6 +11,9 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"discovery", "external"}
 require "comm"
 require "ipOps"
 hostrule = function(host, port)
 	return not ipOps.isPrivate(host.ip)
 end
--- a/scripts/robots.nse
+++ b/scripts/robots.nse
@@ -1,3 +1,10 @@
 id = "robots.txt"
 description = [[
 Checks for disallowed entries in robots.txt.
 \n\n
 The higher the verbosity or debug level, the more disallowed entries are shown.
 ]]
 ---
 --@output
 -- 80/tcp  open   http    syn-ack\n
@@ -15,9 +22,7 @@ require('shortport')
 require('strbuf')
 require('http')
 id = "robots.txt"
 author = "Eddie Bell <ejlbell@gmail.com>"
 description = "check for robots.txt with disallowed entries (print them in debug/verbose mode)"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"default", "safe"}
 runlevel = 1.0
--- a/scripts/rpcinfo.nse
+++ b/scripts/rpcinfo.nse
@@ -1,7 +1,10 @@
 id = "rpcinfo"
 description = [[
 Connects to portmapper and fetches a list of all registered programs.
 ]]
 ---
-- Connects to portmapper and fetches a list of all registered programs
+-- @output
 -- 
 --@output
 -- 111/tcp open  rpcbind\n
 -- |  rpcinfo:\n
 -- |  100000  2        111/udp  rpcbind\n
@@ -22,8 +25,6 @@ require "bin"
 require "bit"
 require "tab"
 id = "rpcinfo"
 description = "connects to portmapper and fetches a list of all registered programs"
 author = "Sven Klemm <sven@c3d2.de>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"default","safe","discovery"}
--- a/scripts/showHTMLTitle.nse
+++ b/scripts/showHTMLTitle.nse
@@ -1,13 +1,19 @@
 id = "HTML title"
 description = [[
 Shows the title of the default page of a web server.
 \n\n
 The script will follow no more than one HTTP redirect, and only if the
 redirection leads to the same host. The script may send a DNS query to
 determine if the host the redirect leads to has the same IP address as the
 original target.
 ]]
 ---
 --@output
 -- 80/tcp  open   http    syn-ack\n
 -- |_ HTML title: Foo.\n
 --@copyright Same as Nmap--See http://nmap.org/book/man-legal.html
 id = "HTML title"
 description = "Connects to an HTTP server and extracts the title of the default page."
 author = "Diman Todorov <diman.todorov@gmail.com>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/showHTTPVersion.nse
+++ b/scripts/showHTTPVersion.nse
@@ -1,8 +1,10 @@
 description = "Demonstration of a version detection NSE script. It checks and reports\
 the version of a remote web server. For real life purposes it is better to use the\
 Nmap version detection."
 id = "HTTP version"
 description = [[
 Detects the version of a web server.
 \n\n
 This is a demonstration script. Its function is done better by normal version
 detection.
 ]]
 author = "Diman Todorov <diman.todorov@gmail.com>"
--- a/scripts/showOwner.nse
+++ b/scripts/showOwner.nse
@@ -1,12 +1,10 @@
 --- Queries the owner of a service on a scanned port. Uses port 113 to
 -- make the query.
 --@output
 --
 id = "Service owner"
-
+description = [[
-description = "Opens a connection to the scanned port, opens a connection to port 113, queries the owner\
+Attempts to find the owner of a scanned port.
-of the service on the scanned port and prints it."
+\n\n
 The script makes a connection to the auth port (113) and queries the owner of
 an open port.
 ]]
 author = "Diman Todorov <diman.todorov@gmail.com>"
--- a/scripts/showSMTPVersion.nse
+++ b/scripts/showSMTPVersion.nse
@@ -1,12 +1,13 @@
--- Queries the version of an SMTP server.
+id = "SMTP version"
--@output
+description = [[
 Prints the version of an SMTP server.
 ]]
 ---
 -- @output
 -- 25/tcp open  smtp\n
 -- |_ SMTP version: 220 mail.foo.com mx-2.bar.com ESMTP Exim 4.64\n
 id = "SMTP version"
 description = "Simple script which queries and prints the version of an SMTP server."
 author = "Diman Todorov <diman.todorov@gmail.com>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/showSSHVersion.nse
+++ b/scripts/showSSHVersion.nse
@@ -1,14 +1,15 @@
--- Queries the version from an SSH Server. This typically does not result
+id = "Stealth SSH version"
-- in any logs of the connection being made.
+description = [[
--@output
+Connects to an SSH server and retrieves the version banner.
 \n\n
 This typically does not result in any logs of the connection being made.
 ]]
 ---
 -- @output
 -- 22/tcp  open   ssh\n
 -- |_ Stealth SSH version: SSH-2.0-OpenSSH_3.9p1\n
 id = "Stealth SSH version"
 description = "Connects to an SSH server, queries the version string and echos it back. This tends to result\
 in the scanning attempt not being logged by the ssh daemon on the target."
 author = "Diman Todorov <diman.todorov@gmail.com>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/skype_v2-version.nse
+++ b/scripts/skype_v2-version.nse
@@ -1,5 +1,7 @@
-id="Skype v2"
+id = "Skype v2"
-description="Determines if remote service is Skype protocol version 2"
+description = [[
 Detects the Skype version 2 service.
 ]]
 author = "Brandon Enright <bmenrigh@ucsd.edu>" 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"version"}
--- a/scripts/smb-enumdomains.nse
+++ b/scripts/smb-enumdomains.nse
@@ -1,19 +1,23 @@
--- Attempts to enumerate domains on a system, along with their policies. This will likely
+id = "MSRPC: List of domains"
-- only work without credentials against Windows 2000. \n
+description = [[
-- \n
+Attempts to enumerate domains on a system, along with their policies. This will
-- After the initial bind() to SAMR, the sequence of calls is:\n
+likely only work without credentials against Windows 2000.
-- Connect4() -- get a connect_handle\n
+\n\n
-- EnumDomains() -- get a list of the domains (stop here if you just want the names)\n
+After the initial bind() to SAMR, the sequence of calls is:\n
-- QueryDomain() -- get the sid for the domain\n
+Connect4() -- get a connect_handle\n
-- OpenDomain() -- get a handle for each domain\n
+EnumDomains() -- get a list of the domains (stop here if you just want the names)\n
-- QueryDomainInfo2() -- get the domain information\n
+QueryDomain() -- get the sid for the domain\n
--
+OpenDomain() -- get a handle for each domain\n
--@usage
+QueryDomainInfo2() -- get the domain information\n
 ]]
 ---
 -- @usage
 -- nmap --script smb-enumdomains.nse -p445 <host>\n
 -- sudo nmap -sU -sS --script smb-enumdomains.nse -p U:137,T:139 <host>\n
 --
--@output
+-- @output
-- Host script results:
+-- Host script results:\n
 -- |  MSRPC: List of domains:\n
 -- |  Domain: TEST1\n
 -- |   |_ SID: S-1-5-21-1060284298-842925246-839522115\n
@@ -29,11 +33,8 @@
 -- |   |_ Password properties: \n
 -- |     |_  Password complexity requirements do not exist\n
 -- |_    |_  Administrator account cannot be locked out\n
 -----------------------------------------------------------------------
 id = "MSRPC: List of domains"
 description = "Tries calling the EnumDomains() and QueryDomainInfo2() RPC function to obtain a list of domains/policies."
 author = "Ron Bowes"
 copyright = "Ron Bowes"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/smb-enumshares.nse
+++ b/scripts/smb-enumshares.nse
@@ -1,29 +1,30 @@
--- Attempts to call the srvsvc.NetShareEnumAll() MSRPC function. This will
+id = "MSRPC: NetShareEnumAll()"
--  likely only work anonymously against Windows 2000. \n
+description = [[
--\n
+Attempts to list shares using the srvsvc.NetShareEnumAll() MSRPC function. This
-- There isn't a whole lot to say about this one. The sequence of calls after
+will likely only work anonymously against Windows 2000.
-- the initial bind() is:\n
+\n\n
-- NetShareEnumAll()\n
+There isn't a whole lot to say about this one. The sequence of calls after
--\n
+the initial bind() is:\n
-- Since NetShareEnumAll() only works anonymously, if it fails this will check
+NetShareEnumAll()
-- a handful of common shares. \n
+\n\n
--\n
+Since NetShareEnumAll() only works anonymously, if it fails this will check
-- Once it has a list of shares, whether it was pulled over MSRPC or guessed, 
+a handful of common shares.
-- we attempt to connect to each of them with a standard smb tree_connect request
+\n\n
-- over a null session. We record which ones succeeded and failed (that is, which
+Once it has a list of shares, whether it was pulled over MSRPC or guessed, 
-- shares allowed for anonymous access).\n
+we attempt to connect to each of them with a standard smb tree_connect request
--
+over a null session. We record which ones succeeded and failed (that is, which
 shares allowed for anonymous access).
 ]]
 ---
 --@usage
 -- nmap --script smb-enumshares.nse -p445 <host>\n
-- sudo nmap -sU -sS --script smb-enumshares.nse -p U:137,T:139 <host>\n
+-- sudo nmap -sU -sS --script smb-enumshares.nse -p U:137,T:139 <host>
 --
 --@output
 -- Host script results:\n
 -- TODO
 -----------------------------------------------------------------------
 id = "MSRPC: NetShareEnumAll()"
 description = "Tries calling the NetShareEnumAll() RPC function, and guessing shares"
 author = "Ron Bowes"
 copyright = "Ron Bowes"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/smb-enumusers.nse
+++ b/scripts/smb-enumusers.nse
@@ -1,73 +1,80 @@
--- Attempts to enumerate the users on a remote Windows system, with as much information as possible, 
+id = "MSRPC: List of user accounts"
--  through a variety of techniques (over SMB + MSRPC, which uses port 445 or 139). \n
+description = [[
--\n
+Attempts to enumerate the users on a remote Windows system, with as much
-- Will first attempt to call the QueryDisplayInfo() MSRPC function. If NULL sessions are enabled, 
+information as possible, through a variety of techniques (over SMB + MSRPC,
-- this will succeed and pull back a detailed list of users. Unfortunately, this likely won't succeed
+which uses port 445 or 139).
-- unless we're scanning Windows 2000. When this test is performed, the following MSRPC functions
+\n\n
-- are called:\n
+Will first attempt to call the QueryDisplayInfo() MSRPC function. If NULL
--\n
+sessions are enabled, this will succeed and pull back a detailed list of users.
-- Bind() -- bind to the SAMR service\n
+Unfortunately, this likely won't succeed unless we're scanning Windows 2000.
-- Connect4() -- get a connect_handle\n
+When this test is performed, the following MSRPC functions are called:\n
-- EnumDomains() -- get a list of the domains\n
+Bind() -- bind to the SAMR service\n
-- QueryDomain() -- get the sid for the domain\n
+Connect4() -- get a connect_handle\n
-- OpenDomain() -- get a handle for each domain\n
+EnumDomains() -- get a list of the domains\n
-- QueryDisplayInfo() -- get the list of users in the domain\n
+QueryDomain() -- get the sid for the domain\n
-- Close() -- Close the domain handle\n
+OpenDomain() -- get a handle for each domain\n
-- Close() -- Close the connect handle\n
+QueryDisplayInfo() -- get the list of users in the domain\n
--\n
+Close() -- Close the domain handle\n
-- Credit goes out to the enum.exe program, the code I wrote for this is largely due to packetlogs 
+Close() -- Close the connect handle
-- I took of its operations. \n
+\n\n
--\n
+Credit goes out to the enum.exe program, the code I wrote for this is largely
-- Regardless of whether or not this succeeds, a second technique is used to pull user accounts. 
+due to packetlogs I took of its operations.
-- This one is apparently successful against more machines, although I haven't found a machine
+\n\n
-- that this only works against. However, I did find that this will turn up more users for certain
+Regardless of whether or not this succeeds, a second technique is used to pull
-- systems (although I haven't figured out why). \n
+user accounts. This one is apparently successful against more machines,
-- \n
+although I haven't found a machine that this only works against. However, I did
-- Each user on a Windows system has an RID. The RID of 500 is the Administrator account (even if 
+find that this will turn up more users for certain systems (although I haven't
-- it's renamed), 501 is the Guest account, and 1000+ are the user accounts. This technique, which
+figured out why).
-- was originally used in the sid2user/user2sid programs, will attempt to convert common RID numbers
+\n\n
-- to names to discover users. \n
+Each user on a Windows system has an RID. The RID of 500 is the Administrator
-- \n
+account (even if it's renamed), 501 is the Guest account, and 1000+ are the
-- First, the SID of the server has to be determined. This is done by looking up any name present on
+user accounts. This technique, which was originally used in the
-- the server using a technique like user2sid. For this code, we try and convert as many names as we
+sid2user/user2sid programs, will attempt to convert common RID numbers to names
-- can find -- all we need is one valid name for this to succeed. In this code, I use:\n
+to discover users.
-- - The computer name / domain name, returned in SMB_COM_NEGOTIATE\n
+\n\n
-- - An nbstat query to get the server name and the currently loggeed in user\n
+First, the SID of the server has to be determined. This is done by looking up
-- - Some common names ("administrator", "guest", and "test")\n
+any name present on the server using a technique like user2sid. For this code,
--\n
+we try and convert as many names as we can find -- all we need is one valid
-- In theory, the computer name should be sufficient for this to always work, and the rest of the \n
+name for this to succeed. In this code, I use:\n
-- names are in there for good measure. \n
+- The computer name / domain name, returned in SMB_COM_NEGOTIATE\n
--\n
+- An nbstat query to get the server name and the currently loggeed in user\n
-- Once that's completed, the RIDs 500 - 505 are requested, and any responses are displayed. Then,
+- Some common names ("administrator", "guest", and "test")
-- starting at 1000, we take small groups of RIDs which are requestd. I break them into
+\n\n
-- smaller groups because if too many are requested at once, we get a STATUS_BUFFER_OVERFLOW 
+In theory, the computer name should be sufficient for this to always work, and
-- error. We try every RID up to 1100, then, as soon as we get an empty group (5 RIDs in a row 
+the rest of the names are in there for good measure.
-- without a result), we stop. \n
+\n\n
--\n
+Once that's completed, the RIDs 500 - 505 are requested, and any responses are
-- It might be a good idea to modify this, in the future, with some more intelligence. For example,
+displayed. Then, starting at 1000, we take small groups of RIDs which are
-- have it run until it get 5 groups in a row with no results instead of going up to 1100. I 
+requestd. I break them into smaller groups because if too many are requested at
-- performed a test on an old server we have here with a lot of accounts, and I got these results:
+once, we get a STATUS_BUFFER_OVERFLOW error. We try every RID up to 1100, then,
-- 500, 501, 1000, 1030, 1031, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063, 
+as soon as we get an empty group (5 RIDs in a row without a result), we stop.
-- 1064, 1065, 1066, 1067, 1070, 1075, 1081, 1088, 1090. The jump from 1000 to 1030 is quite large
+\n\n
-- and can easily result in missing accounts.\n
+It might be a good idea to modify this, in the future, with some more
--\n
+intelligence. For example, have it run until it get 5 groups in a row with no
-- The disadvantage of using the user2sid/sid2user technique is that less information is returned 
+results instead of going up to 1100. I performed a test on an old server we
-- about the user. \n
+have here with a lot of accounts, and I got these results: 500, 501, 1000,
--\n
+1030, 1031, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063,
-- The names and details from both of these techniques are merged and displayed. If the output is
+1064, 1065, 1066, 1067, 1070, 1075, 1081, 1088, 1090. The jump from 1000 to
-- verbose, then as many details as possible are displayed, otherwise only the list of usernames
+1030 is quite large and can easily result in missing accounts.
-- are displayed. The names are ordered alphabetically.\n
+\n\n
--
+The disadvantage of using the user2sid/sid2user technique is that less
--@usage
+information is returned about the user.
 \n\n
 The names and details from both of these techniques are merged and displayed.
 If the output is verbose, then as many details as possible are displayed,
 otherwise only the list of usernames are displayed. The names are ordered
 alphabetically.
 ]]
 ---
 -- @usage
 -- nmap --script smb-enumusers.nse -p445 <host>\n
-- sudo nmap -sU -sS --script smb-enumusers.nse -p U:137,T:139 <host>\n
+-- sudo nmap -sU -sS --script smb-enumusers.nse -p U:137,T:139 <host>
 --
--@output
+-- @output
 -- TODO
 -----------------------------------------------------------------------
 id = "MSRPC: List of user accounts"
 description = "Tries calling SAMR and LSA functions to get a list of user accounts."
 author = "Ron Bowes"
 copyright = "Ron Bowes"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/smb-os-discovery.nse
+++ b/scripts/smb-os-discovery.nse
@@ -1,9 +1,15 @@
--- Attempts to determine the operating system over SMB protocol (ports 445 and 139). 
+id = "OS from SMB"
--  See nselib/smb.lua for more information on this protocol. 
+description = [[
--
+Attempts to determine the operating system over the SMB protocol (ports 445 and
 139). 
 \n\n
 See nselib/smb.lua for more information on this protocol. 
 ]]
 ---
 --@usage
 -- nmap --script smb-os-discovery.nse -p445 127.0.0.1\n
-- sudo nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 127.0.0.1\n
+-- sudo nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 127.0.0.1
 --
 --@output
 -- |  OS from SMB: Windows 2000\n
@@ -13,8 +19,6 @@
 -- 
 -----------------------------------------------------------------------
 id = "OS from SMB"
 description = "Attempts to determine the operating system over the SMB protocol (ports 445 and 139)."
 author = "Ron Bowes"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"default", "discovery", "safe"}
--- a/scripts/smb-security-mode.nse
+++ b/scripts/smb-security-mode.nse
@@ -1,36 +1,41 @@
--- Returns information about the SMB security level determined by SMB. \n
+id = "SMB Security"
--\n
+description = [[
-- Here is how to interpret the output:\n
+Returns information about the SMB security level determined by SMB.
--\n
+\n\n
-- User-level security: Each user has a separate username/password that is used
+Here is how to interpret the output:
--  to log into the system. This is the default setup of pretty much everything
+\n\n
--  these days. \n
+User-level security: Each user has a separate username/password that is used
-- Share-level security: The anonymous account should be used to log in, then 
+to log into the system. This is the default setup of pretty much everything
--  the password is given (in plaintext) when a share is accessed. All users who
+these days.\n
--  have access to the share use this password. This was the original way of doing
+Share-level security: The anonymous account should be used to log in, then 
--  things, but isn't commonly seen, now. If a server uses share-level security, 
+the password is given (in plaintext) when a share is accessed. All users who
--  it is vulnerable to sniffing. \n
+have access to the share use this password. This was the original way of doing
--\n
+things, but isn't commonly seen, now. If a server uses share-level security, 
-- Challenge/response passwords: If enabled, the server can accept any type of
+it is vulnerable to sniffing.
--  password:\n
+\n\n
--  * Plaintext\n
+Challenge/response passwords: If enabled, the server can accept any type of
--  * LM and NTLM\n
+password:\n
--  * LMv2 and NTLMv2\n
+* Plaintext\n
-- If it isn't set, the server can only accept plaintext passwords. Most servers
+* LM and NTLM\n
--  are configured to use challenge/response these days. If a server is configured
+* LMv2 and NTLMv2\n
--  to accept plaintext passwords, it is vulnerable to sniffing. \n
+If it isn't set, the server can only accept plaintext passwords. Most servers
--\n
+are configured to use challenge/response these days. If a server is configured
-- Message signing: If required, all messages between the client and server must
+to accept plaintext passwords, it is vulnerable to sniffing.
--  sign be signed by a shared key, derived from the password and the server 
+\n\n
--  challenge. If supported and not required, message signing is negotiated between
+Message signing: If required, all messages between the client and server must
--  clients and servers and used if both support and request it. By default, Windows clients 
+sign be signed by a shared key, derived from the password and the server
--  don't sign messages, so if message signing isn't required by the server, messages
+challenge. If supported and not required, message signing is negotiated between
--  probably won't be signed; additionally, if performing a man-in-the-middle attack,
+clients and servers and used if both support and request it. By default,
--  an attacker can negotiate no message signing. If message signing isn't required, the 
+Windows clients don't sign messages, so if message signing isn't required by
--  server is vulnerable to man-in-the-middle attacks. \n
+the server, messages probably won't be signed; additionally, if performing a
-- \n
+man-in-the-middle attack, an attacker can negotiate no message signing. If
--  See nselib/smb.lua for more information on the protocol itself. \n
+message signing isn't required, the server is vulnerable to man-in-the-middle
--\n
+attacks.
 \n\n
 See nselib/smb.lua for more information on the protocol itself.\n
 ]]
 ---
 --@usage
 -- nmap --script smb-security-mode.nse -p445 127.0.0.1\n
 -- sudo nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139 127.0.0.1\n
@@ -42,8 +47,6 @@
 -- 
 -----------------------------------------------------------------------
 id = "SMB Security"
 description = "Attempts to determine the security mode over the SMB protocol (ports 445 and 139)."
 author = "Ron Bowes"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"discovery", "safe"}
--- a/scripts/strangeSMTPport.nse
+++ b/scripts/strangeSMTPport.nse
@@ -1,17 +1,16 @@
--- Checks if SMTP is running on a non-standard port. This usually indicates
+id = "Unexpected SMTP"
-- crackers or script kiddies have set up a backdoor on the system
+description = [[
-- to send spam or control your machine.
+Checks if SMTP is running on a non-standard port.
--@output
+\n\n
 This usually indicates crackers or script kiddies have set up a backdoor on the
 system to send spam or control your machine.
 ]]
 ---
 -- @output
 -- 22/tcp  open   ssh\n
 -- |_ Warning: smtp is running on a strange port.\n
 id = "Unexpected SMTP"
 description = "\
 If smtp is running on a strange port\
 there be a backdoor set up by crackers to send spam\
 or even control your machine."
 author = "Diman Todorov <diman.todorov@gmail.com>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/whois.nse
+++ b/scripts/whois.nse
@@ -1,3 +1,4 @@
 id          = "Whois"
 description = [[
 Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address
 Assignment which contains the Target IP Address.
@@ -69,7 +70,7 @@ the RIRs.
 -- \n        nmap target --script whois --script-args whois={whodb=nocache}
 -- \n\n
 --
-
+--
 --
 --
 -- @output
@@ -83,7 +84,6 @@ the RIRs.
 -- \n|_ country: US stateprov: CA
 --
 id          = "Whois"
 author      = "jah <jah at zadkiel.plus.com>"
 license     = "See Nmap License: http://nmap.org/book/man-legal.html"
 runlevel    = 1
--- a/scripts/xamppDefaultPass.nse
+++ b/scripts/xamppDefaultPass.nse
@@ -1,16 +1,17 @@
--- Checks if the remote host is running XAMP or XAMPP's FTP server
+id = "XAMPP default pwd"
-- allows access with nobody/xampp. XAMP is an Apache distribution
+description = [[
-- designed for easy installation and administration.
+Check if an XAMP or XAMPP FTP server uses a default username and password.
 \n\n
 XAMP is an Apache distribution designed for easy installation and
 administration. The default username/password combination the script checks for
 is nobody/xampp.
 ]]
 ---
 -- @output
 -- 21/tcp  open   ftp\n
 -- |_ Login success with u/p: foo/bar\n
 id = "XAMPP default pwd"
 description = "If the remote host is running XAMP (an Apache distribution\
 designed for easy installation and administration) and XAMPP's FTP server is\
 allows access with nobody/xampp then we report it."
 author = "Diman Todorov <diman.todorov@gmail.com>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- a/scripts/zoneTrans.nse
+++ b/scripts/zoneTrans.nse
@@ -1,23 +1,25 @@
--- Request a zone transfer (AXFR) from a DNS server.\n
+id = 'zone-transfer'
-- \n
+description = [[
-- Send axfr queries to DNS servers. The domain to query is determined 
+Requests a zone transfer (AXFR) from a DNS server.
-- by examining the name given on the command line, the domain servers
+\n\n
-- hostname, or it can be specified with the "domain" script argument.
+The script sends an AXFR query to a DNS server. The domain to query is determined 
-- If the query is successful all domains and domain types are returned
+by examining the name given on the command line, the DNS server's
-- along with common type specific data (SOA/MX/NS/PTR/A).\n
+hostname, or it can be specified with the "domain" script argument.
-- \n
+If the query is successful all domains and domain types are returned
-- constraints\n
+along with common type specific data (SOA/MX/NS/PTR/A).
-- -----------\n
+\n\n
-- If we don't have the 'true' hostname for the dns server we cannot
+Constraints\n
-- determine a likely zone to perform the transfer on.\n
+If we don't have the 'true' hostname for the dns server we cannot
-- \n
+determine a likely zone to perform the transfer on.
-- useful resources\n
+\n\n
-- ----------------\n
+Useful resources\n
-- DNS for rocket scientists - http://www.zytrax.com/books/dns/\n
+DNS for rocket scientists - http://www.zytrax.com/books/dns/\n
-- How the AXFR protocol works - http://cr.yp.to/djbdns/axfr-notes.html\n
+How the AXFR protocol works - http://cr.yp.to/djbdns/axfr-notes.html\n
--
+]]
--@args zoneTrans.domain Domain to transfer.
+
--@output
+---
 -- @args zoneTrans.domain Domain to transfer.
 -- @output
 -- 53/tcp   open     domain
 -- |  zone-transfer:  \n
 -- |  foo.com.            SOA     ns2.foo.com. piou.foo.com.  \n
@@ -51,9 +53,7 @@ require('listop')
 require('bit')
 require('tab')
 id = 'zone-transfer'
 author = 'Eddie Bell <ejlbell@gmail.com>'
 description = 'Request a zone transfer (AXFR) from a DNS server'
 license = 'Same as Nmap--See http://nmap.org/book/man-legal.html'
 categories = {'default', 'intrusive', 'discovery'}
 runlevel = 1.0