
Normalize NSEDoc documentation of scripts.

I made every script follow a standard form: it starts with the id, followed by
the description. The description is contained in [[ ]] delimiters. The
description is in the global description variable, not in a LuaDoc comment.
Other LuaDoc information such as @args and @usage follows the description in a
comment.

The first paragraph of each description is a short summary of what the script
does. More detailed information, if any, is given in following paragraphs.

I also improved some wording and formatting in a few cases.
This commit is contained in:
david
2008-10-14 20:52:50 +00:00
parent 1508da5acc
commit 8bd71aaf43
53 changed files with 634 additions and 573 deletions


@@ -1,17 +1,18 @@
id = "AS Numbers"
description = [[
This script performs IP address to Autonomous System Numbers (ASN) lookups. It
sends DNS TXT queries to a DNS server which in turn queries a third party
service provided by Team Cymru (team-cymru.org) using an in-addr.arpa style
zone set-up especially for use by Nmap.
\n
Maps IP addresses to autonomous system (AS) numbers.
\n\n
The script works by sending DNS TXT queries to a DNS server which in turn
queries a third-party service provided by Team Cymru (team-cymru.org) using an
in-addr.arpa style zone set-up especially for use by Nmap.
\n\n
The responses to these queries contain both Origin and Peer ASNs and their
descriptions, displayed along with the BG Prefix and Country Code.
\n
\n\n
The script caches results to reduce the number of queries and should perform a
single query for all scanned targets in a BG Prefix present in Team Cymru's
database.
\n
\n\n
Be aware that any targets against which this script is run will be sent to and
potentially recorded by one or more DNS servers and Team Cymru. In addition
your IP address will be sent along with the ASN to a DNS server (your default
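Review bot: The retained wording `BG Prefix` in `descriptions, displayed along with the BG Prefix and Country Code.` and `single query for all scanned targets in a BG Prefix present in Team Cymru's` is presumably a typo for the BGP prefix the lookup returns, and since the description is being rewritten here this is the moment to fix it, e.g. `descriptions, displayed along with the BGP prefix and country code.`. The description ends mid-sentence in this hunk, so the remainder of the privacy notice is outside this view.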


@@ -1,15 +1,17 @@
id = "HTTP Auth"
description = [[
Gets the authentication scheme and realm of a web service that requires
authentication.
]]
---
--@output
-- @output
-- | HTTP Auth: HTTP Service requires authentication\n
-- |_ Auth type: Basic, realm = DSL Router\n
-- HTTP authentication information gathering script
-- rev 1.1 (2007-05-25)
id = "HTTP Auth"
description = "If a web server requires authentication, prints the authentication scheme and realm"
author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"


@@ -1,4 +1,14 @@
--- Checks if an HTTP Proxy is Open to us.
id="Open Proxy Test"
description=[[
Checks if an HTTP proxy is open.
\n\n
The script attempts to connect to www.google.com through the proxy and checks
for a 'Server: gws' header field in the response.
\n\n
If the target is an open proxy, this script will cause the target to retrieve a
web page from www.google.com.
]]
-- Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
-- Changelog: Added explode() function. Header-only matching now works.
-- * Fixed set_timeout
@@ -7,13 +17,6 @@
-- * Match case-insensitively against "^Server: gws" rather than
-- case-sensitively against "^Server: GWS/".
id="Open Proxy Test"
description=[[
Test if a discovered proxy is open to us by connecting to www.google.com and checking for the 'Server: gws' header response.
\n
If the target is an open proxy, this script will cause the target to retrieve a
web page from www.google.com.
]]
author = "Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "external", "intrusive"}
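Review bot: `id="Open Proxy Test"` and `description=[[` omit the spaces around `=` that the normalized header uses in the rest of this commit (for instance `id = "HTTP TRACE"` followed by `description = [[`); the FTP bounce check file has the same `description=[[`. Suggest `id = "Open Proxy Test"` and `description = [[` here and in that file so the standard form the commit message describes is actually uniform across scripts.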


@@ -1,5 +1,9 @@
--- Probes an HTTP server via directory traversal for /etc/passwd
--
id = "HTTP directory traversal passwd probe"
description = [[
Checks if a web server is vulnerable to directory traversal by attempting to
retrieve /etc/passwd.
]]
-- 07/20/2007:
-- * Used Thomas Buchanan's HTTPAuth script as a starting point
-- * Applied some great suggestions from Brandon Enright, thanks a lot man!
@@ -8,10 +12,6 @@
-- * Rewritten to use Sven Klemm's excellent HTTP library and to do some much
-- needed cleaning up
id = "HTTP directory traversal passwd probe"
description = "Probe for /etc/passwd if server is susceptible to directory traversal"
author = "Kris Katterjohn <katterjohn@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"


@@ -1,6 +1,11 @@
--- Sends and HTTP TRACE and describes any modifications
--
--@output
id = "HTTP TRACE"
description = [[
Sends an HTTP TRACE request and shows header fields that were modified in the
response.
]]
---
-- @output
-- 80/tcp open http \n
-- | HTTP TRACE: Response differs from request. First 5 additional lines: \n
-- | Cookie: UID=d4287aa38d02f409841b4e0c0050c13148a85d01c0c0a154d4ef56dfc2b4fc1b0 \n
@@ -11,10 +16,6 @@
-- 08/31/2007
id = "HTTP TRACE"
description = "Send HTTP TRACE method and print modifications"
author = "Kris Katterjohn <katterjohn@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"


@@ -1,9 +1,8 @@
-- Microsoft SQL Server information gathering script
-- rev 1.0 (2007-06-09)
id = "MS SQL"
description = "Attempts to extract information from Microsoft SQL Server"
description = [[
Attempts to extract information from Microsoft SQL Server.
]]
-- rev 1.0 (2007-06-09)
author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"


@@ -1,10 +1,14 @@
--- Connects to a MySQL server and prints information such as the protocol and
--- version numbers, thread id, status, capabilities and the password salt
--
-- If service detection is performed and the server appears to be blocking
-- our host or is blocked from too many connections, then we don't bother
-- running this script (see the portrule)
--
id = "MySQL Server Information"
description = [[
Connects to a MySQL server and prints information such as the protocol and
version numbers, thread ID, status, capabilities, and the password salt.
\n\n
If service detection is performed and the server appears to be blocking
our host or is blocked from too many connections, then we don't bother
running this script (see the portrule).
]]
---
--@output
-- 3306/tcp open mysql \n
-- | MySQL Server Information: Protocol: 10 \n
@@ -16,10 +20,6 @@
-- Many thanks to jah (jah@zadkiel.plus.com) for testing and enhancements
id = "MySQL Server Information"
description = "Connects to a MySQL server and prints information"
author = "Kris Katterjohn <katterjohn@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"


@@ -1,9 +1,8 @@
-- PPTP information gathering script
-- rev 0.2 (11-14-2007)
id = "PPTP"
description = "Attempts to extract system information from PPTP service"
description = [[
Attempts to extract system information from the PPTP service.
]]
-- rev 0.2 (11-14-2007)
author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"


@@ -1,5 +1,8 @@
id="RealVNC Authentication Bypass (CVE-2006-2369)"
description="Checks to see if the VNC Server is vulnerable to the RealVNC authentication bypass."
id = "RealVNC Authentication Bypass"
description = [[
Checks if a VNC server is vulnerable to the RealVNC authentication bypass
(CVE-2006-2369).
]]
author = "Brandon Enright <bmenrigh@ucsd.edu>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"


@@ -1,3 +1,8 @@
id = "Open Relay SMTP"
description = [[
Checks if an SMTP server is an open relay.
]]
-- Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
-- Same as Nmap--See http://nmap.org/book/man-legal.html file for licence details
-- This is version 20070516.
@@ -10,8 +15,6 @@
-- * The "ourdomain" variable's contents are used instead of hardcoded "insecure.org". Settable by the user.
-- * Fixed tags -> categories (reported by Jason DePriest to nmap-dev)
id="Open Relay SMTP"
description="Checks to see if a SMTP server is an open relay"
categories = {"demo"}
require "shortport"


@@ -1,8 +1,10 @@
--- SMTP supported commands gathering script \n
-- \n
-- Attempts to use EHLO and HELP to gather the Extended commands an
-- SMTP server supports.
-- \n
id = "SMTPcommands"
description = [[
Attempts to use EHLO and HELP to gather the Extended commands supported by an
SMTP server.
]]
---
-- @output
-- 25/tcp open smtp \n
-- | SMTPcommands: EHLO uninvited.example.net Hello root at localhost [127.0.0.1], SIZE 52428800, PIPELINING, 250 HELP \n
@@ -41,8 +43,6 @@
-- script and from Arturo 'Buanzo' Busleiman's SMTP open relay
-- detector script.
id = "SMTPcommands"
description = "Attempts to use EHLO and HELP to gather the Extended commands an SMTP server supports."
author = "Jason DePriest <jrdepriest@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}


@@ -1,9 +1,8 @@
-- SNMP community string brute force script
-- 2008-07-03
id = "SNMPv1-communitybrute"
description = "Attempts to find SNMP community string by brute force"
description = [[
Attempts to find an SNMP community string by brute force.
]]
-- 2008-07-03
author = "Philip Pickering <pgpickering@gmail.com>"


@@ -1,12 +1,13 @@
--- SNMP version 1 system information gathering script
id = "SNMPv1"
description = [[
Attempts to extract system information from an SNMP version 1 service.
]]
---
-- @output
-- | SNMPv1: HP ETHERNET MULTI-ENVIRONMENT,ROM A.25.80,JETDIRECT,JD117,EEPROM V.28.22,CIDATE 08/09/2006 \n
-- |_ System uptime: 28 days, 17:18:59 (248153900 timeticks)
id = "SNMPv1"
description = "Attempts to extract system information from SNMP service"
author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
@@ -19,11 +20,8 @@ require "snmp"
-- runs after SNMPcommunityprobe.nse
runlevel = 2
---
-- Runs on UDP port 161
portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"})
---
-- Sends SNMP packets to host and reads responses
action = function(host, port)


@@ -1,26 +1,24 @@
--[[
Experimental SQL injection spider
---------------------------------
Spiders a http server looking for URLs containing queries.
It then proceeds to combine crafted sql commands with
susceptible urls in order to obtain errors. The errors
id = "sql-inject"
description = [[
Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL
injection attack.
\n\n
The script spiders an HTTP server looking for URLs containing queries.
It then proceeds to combine crafted SQL commands with
susceptible URLs in order to obtain errors. The errors
are analysed to see if the url is vulnerable to attack.
This uses the most basic form of SQL injection but anything
more complication is more suited to a stand alone tool.
Both meta and http redirects are supported.
Both meta and HTTP redirects are supported.
\n\n
It is not advisable to run this against unknown hosts.
NOTES
-----
\n\n
NOTES\n
* We may not have access to the servers true hostname.
This means we cannot access virtually hosted sites and
cannot follow absolute links when the hostname is
different from the resolved ip address
--]]
]]
require('url')
require('shortport')
@@ -28,10 +26,7 @@ require('stdnse')
require('strbuf')
require('listop')
id = "sql-inject"
author = "Eddie Bell <ejlbell@gmail.com>"
description = "spiders a http server looking for URLs containing queries \
and tries to determines if they are vulnerable to injection attack"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive", "vuln"}
runlevel = 1.0
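Review bot: The unchanged description lines `are analysed to see if the url is vulnerable to attack.` and `more complication is more suited to a stand alone tool.` still carry the lowercase `url` and a grammatical slip, even though the neighbouring lines are being recased to URL, SQL and HTTP; propose `are analysed to see if the URL is vulnerable to attack.` and `more complicated is better suited to a stand-alone tool.`. The NOTES paragraph has the same issue in `the servers true hostname` and `resolved ip address` (server's, IP address).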


@@ -1,13 +1,17 @@
--- Shows SSH Hostkeys
--
-- Shows fingerprint or fingerprint and key depending on verbosity level.
-- Puts the found hostkeys in nmap.registry for other scripts to use them.
-- You can control the output with the ssh_hostkey script argument. Possible
-- values are bubble,visual,full and all.
--
id = "SSH Hostkey"
description = [[
Shows SSH hostkeys.
\n\n
Shows fingerprint or fingerprint and key depending on verbosity level.
Puts the found hostkeys in nmap.registry for other scripts to use them.
You can control the output with the ssh_hostkey script argument. Possible
values are bubble, visual, full and all.
]]
---
--@usage
-- nmap host --script SSH-hostkey --script-args ssh_hostkey=full
-- nmap host --script SSH-hostkey --script-args ssh_hostkey=all
-- nmap host --script SSH-hostkey --script-args ssh_hostkey=full\n
-- nmap host --script SSH-hostkey --script-args ssh_hostkey=all\n
-- nmap host --script SSH-hostkey --script-args ssh_hostkey='visual bubble'
--
--@output
@@ -29,10 +33,7 @@
-- 22/tcp open ssh\n
-- | SSH Hostkey: 2048 xuvah-degyp-nabus-zegah-hebur-nopig-bubig-difeg-hisym-rumef-cuxex (RSA)\n
-- |_ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwVuv2gcr0maaKQ69VVIEv2ob4OxnuI64fkeOnCXD1lUx5tTA+vefXUWEMxgMuA7iX4irJHy2zer0NQ3Z3yJvr5scPgTYIaEOp5Uo/eGFG9Agpk5wE8CoF0e47iCAPHqzlmP2V7aNURLMODb3jVZuI07A2ZRrMGrD8d888E2ORVORv1rYeTYCqcMMoVFmX9l3gWEdk4yx3w5sD8v501Iuyd1v19mPfyhrI5E1E1nl/Xjp5N0/xP2GUBrdkDMxKaxqTPMie/f0dXBUPQQN697a5q+5lBRPhKYOtn6yQKCd9s1Q22nxn72Jmi1RzbMyYJ52FosDT755Qmb46GLrDMaZMQ==
id = "SSH Hostkey"
author = "Sven Klemm <sven@c3d2.de>"
description = "Show SSH Hostkeys"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe","default","intrusive"}


@@ -1,5 +1,7 @@
id="SSH Protocol Version 1"
description="Checks to see if SSH server supports SSH Protocol Version 1."
id = "SSH Protocol Version 1"
description = [[
Checks if an SSH server supports SSH Protocol Version 1.
]]
author = "Brandon Enright <bmenrigh@ucsd.edu>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "safe"}


@@ -1,5 +1,10 @@
--- Determines if the target server supports SSL-v2 and what cyphers it
-- supports.
id = "SSLv2"
description = [[
Determines whether the server (still) supports SSL-v2, and what cyphers it
offers.
]]
---
--@ouput
-- 443/tcp open https syn-ack\n
-- | SSLv2: server still supports SSLv2\n
@@ -10,8 +15,6 @@
-- | SSL2_RC4_128_EXPORT40_WITH_MD5\n
-- |_ SSL2_RC2_CBC_128_CBC_WITH_MD5\n
id = "SSLv2"
description = "Determines whether the server (still) supports SSL-v2, and what cyphers it offers."
author = "Matt <mb2263@bristol.ac.uk>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
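Review bot: The NSEDoc tag `--@ouput` on the new side is misspelled, so the sample output that follows it will not be recognized as an @output section; it should read `-- @output`, matching the form the commit uses in the other scripts. The tag appears as an unchanged line here, so the typo predates this commit, but the commit rewrites the adjacent header lines and is the natural place to fix it.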


@@ -1,162 +1,163 @@
--- UPnP network service information gathering script
id = "UPnP"
description = [[
Attempts to extract system information from the UPnP service.
]]
---
-- @output
-- | UPnP: System/1.0 UPnP/1.0 IGD/1.0 \n
-- |_ Location: http://192.168.1.1:80/UPnP/IGD.xml
id = "UPnP"
description = "Attempts to extract system information from UPnP service"
author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "safe"}
require("stdnse")
require("shortport")
require("strbuf")
author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "safe"}
require("stdnse")
require("shortport")
require("strbuf")
---
-- Runs on UDP port 1900
portrule = shortport.portnumber(1900, "udp", {"open", "open|filtered"})
-- Runs on UDP port 1900
portrule = shortport.portnumber(1900, "udp", {"open", "open|filtered"})
---
-- Sends UPnP discovery packet to host,
-- and extracts service information from results
action = function(host, port)
-- create the socket used for our connection
local socket = nmap.new_socket()
-- set a reasonable timeout value
socket:set_timeout(5000)
-- do some exception handling / cleanup
local catch = function()
socket:close()
end
local try = nmap.new_try(catch)
-- connect to the potential UPnP system
try(socket:connect(host.ip, port.number, "udp"))
local payload = strbuf.new()
-- for details about the UPnP message format, see http://upnp.org/resources/documents.asp
payload = payload .. "M-SEARCH * HTTP/1.1\r\n"
payload = payload .. "Host:239.255.255.250:1900\r\n"
payload = payload .. "ST:upnp:rootdevice\r\n"
payload = payload .. "Man:\"ssdp:discover\"\r\n"
payload = payload .. "MX:3\r\n\r\n"
try(socket:send(strbuf.dump(payload)))
local status
local response
-- read in any response we might get
status, response = socket:receive_bytes(1)
if (not status) or (response == "TIMEOUT") then
socket:close()
return
end
-- since we got something back, the port is definitely open
nmap.set_port_state(host, port, "open")
-- buffer to hold script output
local output
if response ~= nil then
-- We should get a response back that has contains one line for the server, and one line for the xml file location
-- these match any combination of upper and lower case responses
local server, location
server = string.match(response, "[Ss][Ee][Rr][Vv][Ee][Rr]:(.-)\010")
if server ~= nil then output = server .. "\n" end
location = string.match(response, "[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:(.-)\010")
if location ~= nil then
output = output .. "Location: " .. location
local v = nmap.verbosity()
-- the following check can output quite a lot of information, so we require at least one -v flag
if v > 0 then
-- split the location into an IP address, port, and path name for the xml file
local xhost, xport, xfile
xhost = string.match(location, "http://(.-)/")
-- check to see if the host portionof the location specifies a port
-- if not, use port 80 as a standard web server port
if xhost ~= nil and string.match(xhost, ":") then
xport = string.match(xhost, ":(.*)")
xhost = string.match(xhost, "(.*):")
end
if xport == nil then
xport = 80
end
-- check if the IP address in the location matches the IP address we're scanning
-- if not, alert the user, but continue to scan the IP address we're interested in
if xhost ~= host.ip then
output = output .. "\n !! Location did not match target IP address !! "
-- return output
xhost = host.ip
end
-- extract the path name from the location field, but strip off the \r that HTTP servers return
xfile = string.match(location, "http://.-/(.-)\013")
if xfile ~= nil then
strbuf.clear(payload)
-- create an HTTP request for the file, using the host and port we extracted earlier
payload = payload .. "GET /" .. xfile .. " HTTP/1.1\r\n"
payload = payload .. "Accept: text/xml, application/xml, text/html\r\n"
payload = payload .. "User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)\r\n"
payload = payload .. "Host: " .. xhost .. ":" .. xport .. "\r\n"
payload = payload .. "Connection: Keep-Alive\r\n"
payload = payload .. "Cache-Control: no-cache\r\n"
payload = payload .. "Pragma: no-cache\r\n\r\n"
socket = nmap.new_socket()
socket:set_timeout(5000)
try(socket:connect(xhost, xport, "tcp"))
try(socket:send(strbuf.dump(payload)))
-- we're expecting an xml file, and for UPnP purposes it should end in </root>
status, response = socket:receive_buf("</root>", true)
if (status) and (response ~= "TIMEOUT") then
if string.match(response, "HTTP/1.%d 200") then
local webserver
-- extract information about the webserver that is handling responses for the UPnP system
webserver = string.match(response, "[Ss][Ee][Rr][Vv][Ee][Rr]:(.-)\010")
if webserver ~= nil then output = output .. "\nWebserver: " .. webserver end
-- the schema for UPnP includes a number of <device> entries, which can a number of interesting fields
for device in string.gmatch(response, "<deviceType>(.-)</UDN>") do
local fn, mnf, mdl, nm, ver
fn = string.match(device, "<friendlyName>(.-)</friendlyName>")
mnf = string.match(device, "<manufacturer>(.-)</manufacturer>")
mdl = string.match(device, "<modelDescription>(.-)</modelDescription>")
nm = string.match(device, "<modelName>(.-)</modelName>")
ver = string.match(device, "<modelNumber>(.-)</modelNumber>")
if fn ~= nil then output = output .. "\n Name: " .. fn end
if mnf ~= nil then output = output .. "\n Manufacturer: " .. mnf end
if mdl ~= nil then output = output .. "\n Model Descr: " .. mdl end
if nm ~= nil then output = output .. "\n Model Name: " .. nm end
if ver ~= nil then output = output .. "\n Model Version: " .. ver end
end
end
end
socket:close()
end
end
end
return output
end
end
-- and extracts service information from results
action = function(host, port)
-- create the socket used for our connection
local socket = nmap.new_socket()
-- set a reasonable timeout value
socket:set_timeout(5000)
-- do some exception handling / cleanup
local catch = function()
socket:close()
end
local try = nmap.new_try(catch)
-- connect to the potential UPnP system
try(socket:connect(host.ip, port.number, "udp"))
local payload = strbuf.new()
-- for details about the UPnP message format, see http://upnp.org/resources/documents.asp
payload = payload .. "M-SEARCH * HTTP/1.1\r\n"
payload = payload .. "Host:239.255.255.250:1900\r\n"
payload = payload .. "ST:upnp:rootdevice\r\n"
payload = payload .. "Man:\"ssdp:discover\"\r\n"
payload = payload .. "MX:3\r\n\r\n"
try(socket:send(strbuf.dump(payload)))
local status
local response
-- read in any response we might get
status, response = socket:receive_bytes(1)
if (not status) or (response == "TIMEOUT") then
socket:close()
return
end
-- since we got something back, the port is definitely open
nmap.set_port_state(host, port, "open")
-- buffer to hold script output
local output
if response ~= nil then
-- We should get a response back that has contains one line for the server, and one line for the xml file location
-- these match any combination of upper and lower case responses
local server, location
server = string.match(response, "[Ss][Ee][Rr][Vv][Ee][Rr]:(.-)\010")
if server ~= nil then output = server .. "\n" end
location = string.match(response, "[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:(.-)\010")
if location ~= nil then
output = output .. "Location: " .. location
local v = nmap.verbosity()
-- the following check can output quite a lot of information, so we require at least one -v flag
if v > 0 then
-- split the location into an IP address, port, and path name for the xml file
local xhost, xport, xfile
xhost = string.match(location, "http://(.-)/")
-- check to see if the host portionof the location specifies a port
-- if not, use port 80 as a standard web server port
if xhost ~= nil and string.match(xhost, ":") then
xport = string.match(xhost, ":(.*)")
xhost = string.match(xhost, "(.*):")
end
if xport == nil then
xport = 80
end
-- check if the IP address in the location matches the IP address we're scanning
-- if not, alert the user, but continue to scan the IP address we're interested in
if xhost ~= host.ip then
output = output .. "\n !! Location did not match target IP address !! "
-- return output
xhost = host.ip
end
-- extract the path name from the location field, but strip off the \r that HTTP servers return
xfile = string.match(location, "http://.-/(.-)\013")
if xfile ~= nil then
strbuf.clear(payload)
-- create an HTTP request for the file, using the host and port we extracted earlier
payload = payload .. "GET /" .. xfile .. " HTTP/1.1\r\n"
payload = payload .. "Accept: text/xml, application/xml, text/html\r\n"
payload = payload .. "User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)\r\n"
payload = payload .. "Host: " .. xhost .. ":" .. xport .. "\r\n"
payload = payload .. "Connection: Keep-Alive\r\n"
payload = payload .. "Cache-Control: no-cache\r\n"
payload = payload .. "Pragma: no-cache\r\n\r\n"
socket = nmap.new_socket()
socket:set_timeout(5000)
try(socket:connect(xhost, xport, "tcp"))
try(socket:send(strbuf.dump(payload)))
-- we're expecting an xml file, and for UPnP purposes it should end in </root>
status, response = socket:receive_buf("</root>", true)
if (status) and (response ~= "TIMEOUT") then
if string.match(response, "HTTP/1.%d 200") then
local webserver
-- extract information about the webserver that is handling responses for the UPnP system
webserver = string.match(response, "[Ss][Ee][Rr][Vv][Ee][Rr]:(.-)\010")
if webserver ~= nil then output = output .. "\nWebserver: " .. webserver end
-- the schema for UPnP includes a number of <device> entries, which can a number of interesting fields
for device in string.gmatch(response, "<deviceType>(.-)</UDN>") do
local fn, mnf, mdl, nm, ver
fn = string.match(device, "<friendlyName>(.-)</friendlyName>")
mnf = string.match(device, "<manufacturer>(.-)</manufacturer>")
mdl = string.match(device, "<modelDescription>(.-)</modelDescription>")
nm = string.match(device, "<modelName>(.-)</modelName>")
ver = string.match(device, "<modelNumber>(.-)</modelNumber>")
if fn ~= nil then output = output .. "\n Name: " .. fn end
if mnf ~= nil then output = output .. "\n Manufacturer: " .. mnf end
if mdl ~= nil then output = output .. "\n Model Descr: " .. mdl end
if nm ~= nil then output = output .. "\n Model Name: " .. nm end
if ver ~= nil then output = output .. "\n Model Version: " .. ver end
end
end
end
socket:close()
end
end
end
return output
end
end


@@ -1,22 +1,21 @@
--- Checks if an FTP server allows anonymous logins.
-- @output
-- |_ Anonymous FTP: Anonymous login allowed"
id = "Anonymous FTP"
description = [[
Checks if a FTP server allows anonymous logins.
]]
---
-- @output
-- |_ Anonymous FTP: Anonymous login allowed
id="Anonymous FTP"
description="Checks to see if a FTP server allows anonymous logins"
author = "Eddie Bell <ejlbell@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "auth", "intrusive"}
require "shortport"
---
-- Works on port 21 or "ftp"
portrule = shortport.port_or_service(21, "ftp")
---
-- Connects to the ftp server and checks if the server allows
-- anonymous logins.
--- Connects to the ftp server and checks if the server allows anonymous logins.
action = function(host, port)
local socket = nmap.new_socket()
local result
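Review bot: `Checks if a FTP server allows anonymous logins.` on the new side uses `a FTP` while the FTP bounce check description in the same commit is normalized to `an FTP server`; propose `Checks if an FTP server allows anonymous logins.` so the two read alike. The `action` body continues past the end of this hunk.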


@@ -1,6 +1,7 @@
id = "POP3 brute force"
description = "tries to log into a POP3 account"
description = [[
Tries to log into a POP3 account by guessing usernames and passwords.
]]
author = "Philip Pickering <pgpickering@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"


@@ -1,9 +1,9 @@
--- Obtains the telnet login credentials on a server. This script
-- uses brute force techniques.
id = 'bruteforce'
description = [[
Tries to get Telnet login credentials by guessing usernames and passwords.
]]
id='bruteforce'
author = 'Eddie Bell <ejlbell@gmail.com>'
description='brute force telnet login credientials'
license = 'Same as Nmap--See http://nmap.org/book/man-legal.html'
categories = {'auth', 'intrusive'}


@@ -1,9 +1,7 @@
--- This script connects to a UDP chargen service and attempts to read
-- some data.
id = "Chargen"
description = "Connects to the UDP chargen service and tries to read some bytes"
description = [[
Tries to read bytes from the UDP chargen service.
]]
author = "Diman Todorov <diman.todorov@gmail.com>"


@@ -1,6 +1,7 @@
id = "Daytime"
description = "Connects to the UDP daytime service and on success prints the daytime."
description = [[
Retrieves the day and time from the UDP Daytime service.
]]
author = "Diman Todorov <diman.todorov@gmail.com>"


@@ -1,10 +1,11 @@
id = "DNS source port randomness"
description = [[
Queries porttest.dns-oarc.net to check for the predictable-port DNS recursion
vulnerability. Predictable source ports can make a DNS server vulnerable to
cache poisoning attacks (CVE-2008-1447)
\n
Checks a DNS server for the predictable-port recursion vulnerability.
Predictable source ports can make a DNS server vulnerable to cache poisoning
attacks (CVE-2008-1447).
\n\n
The script works by querying porttest.dns-oarc.net.
Be aware that any targets against which this script is run will be sent to and
potentially recorded by one or more DNS servers and the porttest server. In
addition your IP address will be sent along with the porttest query to the DNS


@@ -1,10 +1,11 @@
id = "DNS TXID randomness"
description = [[
Queries txidtest.dns-oarc.net to check for the predictable-TXID DNS recursion
Checks a DNS server for the predictable-TXID DNS recursion
vulnerability. Predictable TXID values can make a DNS server vulnerable to
cache poisoning attacks (CVE-2008-1447)"
\n
cache poisoning attacks (CVE-2008-1447).
\n\n
The script works by querying txidtest.dns-oarc.net.
Be aware that any targets against which this script is run will be sent to and
potentially recorded by one or more DNS servers and the txidtest server. In
addition your IP address will be sent along with the txidtest query to the DNS


@@ -1,6 +1,10 @@
id = "Nameserver open recursive queries (CVE-1999-0024) (BID 136, 678)"
description = "Checks if a nameserver on UDP/53 allows queries for third-party names. It is expected that recursion will be enabled on your own internal nameservers."
description = [[
Checks if a DNS server allows queries for third-party names.
\n\n
It is expected that recursion will be enabled on your own internal nameservers.
]]
author = "Felix Groebert <felix@groebert.org>"
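Review bot: The unchanged `id = "Nameserver open recursive queries (CVE-1999-0024) (BID 136, 678)"` keeps the vulnerability references in the id, whereas the RealVNC file in this commit moves its CVE out of the id and into the description; for the same treatment use `id = "Nameserver open recursive queries"` and make the first description line `Checks if a DNS server allows queries for third-party names (CVE-1999-0024, BID 136, 678).`. The @output samples elsewhere in this commit show the id used as the printed result label, so shortening it changes the visible output line; if that label is relied on elsewhere, the description-only half is the safer change.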


@@ -1,7 +1,10 @@
id = "Echo"
description = "Connects to the UDP echo service, sends a string, receives a string and if both\
strings are equal reports success."
description = [[
Tests the UDP echo service.
\n\n
The script sends a string, then receives a string and reports success if the
two strings are equal.
]]
author = "Diman Todorov <diman.todorov@gmail.com>"


@@ -1,6 +1,7 @@
id="Finger Results"
description="attempts to get a list of usernames via the finger service"
id = "Finger Results"
description = [[
Attempts to get a list of usernames via the finger service.
]]
author = "Eddie Bell <ejlbell@gmail.com>"


@@ -1,5 +1,7 @@
id="FTP bounce check"
description="Checks to see if a FTP server allows port scanning using FTP bounce method"
description=[[
Checks to see if an FTP server allows port scanning using the FTP bounce method.
]]
author="Marek Majkowski <majek04<at>gmail.com>"
license="Same as Nmap--See http://nmap.org/book/man-legal.html"


@@ -1,7 +1,10 @@
id= "IAX2 Service Detection"
description = "Detects an listening UDP IAX2 service by using a \
IAX Control Frame POKE request."
id = "IAX2 Service Detection"
description = [[
Detects the UDP IAX2 service.
\n\n
The script sends an IAX Control Frame POKE request and checks for a proper
response.
]]
author = "Ferdy Riphagen <f.riphagen@nsec.nl>"


@@ -1,6 +1,12 @@
--- Gather information from an IRC server. It uses STATS, LUSERS, and other
-- queries to obtain this information.
--@output
id = "IRC Server Info"
description = [[
Gathers information from an IRC server.
\n\n
It uses STATS, LUSERS, and other queries to obtain this information.
]]
---
-- @output
-- 6665/tcp open irc\n
-- | IRC Server Info: Server: foo.bar.net\n
-- | Version: hyperion-1.0.2b(381). foo.bar.net \n
@@ -9,10 +15,6 @@
-- | Source host: bar.foo.net\n
-- |_ Source ident: OK n=nmap\n
id = "IRC Server Info"
description = "Gets information from an IRC server by issuing STATS, LUSERS, etc queries."
author = "Doug Hoyte"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"


@@ -1,9 +1,10 @@
--- Checks if the target is an IRC zombie.
id = "IRC zombie"
description = "If port 113 responds before we ask it then something is fishy.\
Usually this means that the host is an irc zombie."
description = [[
Checks for an IRC zombie.
\n\n
If port 113 responds before we ask it then something is fishy. Usually this
means that the host is an IRC zombie.
]]
author = "Diman Todorov <diman.todorov@gmail.com>"


@@ -1,11 +1,18 @@
--- Sends a NetBIOS NBSTAT query to target host to try to determine the NetBIOS
-- names and MAC address. By default, displays the name of the computer and the
-- logged-in user; if verbosity is turned up, displays all names the system
-- thinks it owns. \n
--
--@usage
id = "NBSTAT"
description = [[
Attempt's to get the target's NetBIOS names and MAC address.
\n\n
By default, the script displays the name of the computer and the logged-in
user; if the verbosity is turned up, it displays all names the system thinks it
owns.
\n\n
For more information on the NetBIOS protocol, see 'nselib/netbios.lua'.
]]
---
-- @usage
-- sudo nmap -sU --script nbstat.nse -p137 <host>\n
--\n
--
-- @output
-- (no verbose)\n
-- |_ NBSTAT: NetBIOS name: TEST1, NetBIOS user: RON, NetBIOS MAC: 00:0c:29:f9:d9:28\n
@@ -21,10 +28,6 @@
-- | Name: WORKGROUP<1d> Flags: <unique><active>\n
-- |_ Name: \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>\n
id = "NBSTAT"
description = "Sends a NetBIOS query to target host to try to determine \
the NetBIOS name and MAC address. For more information on the NetBIOS protocol, \
see 'nselib/netbios.lua'."
author = "Brandon Enright <bmenrigh@ucsd.edu>, Ron Bowes"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
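Review bot: The new summary line of the NBSTAT description carries a stray apostrophe, `Attempt's to get the target's NetBIOS names and MAC address.`, and this string is what users see as the script's description. It should read `Attempts to get the target's NetBIOS names and MAC address.`. The remaining paragraphs of the new description read cleanly.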


@@ -1,6 +1,7 @@
id = "POP3 Capabilites"
description = "retrieves POP3 server capabilites"
description = [[
Retrieves POP3 server capabilities.
]]
author = "Philip Pickering <pgpickering@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
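Review bot: The spelling fix applied to the description ("capabilites" to "capabilities") is not applied to the context line `id = "POP3 Capabilites"`, so the id and the description now disagree. Since the id is the label printed in scan output, changing it to `id = "POP3 Capabilities"` is a user-visible change and may belong in its own commit, but it is worth doing so the misspelling does not outlive this normalization pass.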


@@ -1,16 +1,13 @@
id = "Promiscuous detection"
description = "Checks if hosts on local ethernet have network card in promiscuous mode."
description = [[
Checks if a target on a local Ethernet has its network card in promiscuous mode.
\n\n
The technique is described at
http://www.securityfriday.com/promiscuous_detection_01.pdf.
]]
author = "Marek Majkowski <majek04+nse@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--[[
This script tries to guess if node in local ethernet is in promisucous mode.
The technique is described here:
http://www.securityfriday.com/promiscuous_detection_01.pdf
]]--
categories = {"discovery"}
-- okay, we're interested only in hosts that are on our ethernet lan


@@ -1,10 +1,8 @@
require "comm"
require "ipOps"
id = "RIPE query"
description = [[
Connects to the RIPE database, extracts and prints the role: entry for the IP.
\n
Connects to the RIPE database and displays the role: entry for the target's IP
address.
\n\n
This script uses an external database. Your IP address and the IP address of
the target will be sent to whois.ripe.net.
]]
@@ -13,6 +11,9 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "external"}
require "comm"
require "ipOps"
hostrule = function(host, port)
return not ipOps.isPrivate(host.ip)
end


@@ -1,3 +1,10 @@
id = "robots.txt"
description = [[
Checks for disallowed entries in robots.txt.
\n\n
The higher the verbosity or debug level, the more disallowed entries are shown.
]]
---
--@output
-- 80/tcp open http syn-ack\n
@@ -15,9 +22,7 @@ require('shortport')
require('strbuf')
require('http')
id = "robots.txt"
author = "Eddie Bell <ejlbell@gmail.com>"
description = "check for robots.txt with disallowed entries (print them in debug/verbose mode)"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "safe"}
runlevel = 1.0


@@ -1,7 +1,10 @@
id = "rpcinfo"
description = [[
Connects to portmapper and fetches a list of all registered programs.
]]
---
-- Connects to portmapper and fetches a list of all registered programs
--
--@output
-- @output
-- 111/tcp open rpcbind\n
-- | rpcinfo:\n
-- | 100000 2 111/udp rpcbind\n
@@ -22,8 +25,6 @@ require "bin"
require "bit"
require "tab"
id = "rpcinfo"
description = "connects to portmapper and fetches a list of all registered programs"
author = "Sven Klemm <sven@c3d2.de>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default","safe","discovery"}


@@ -1,13 +1,19 @@
id = "HTML title"
description = [[
Shows the title of the default page of a web server.
\n\n
The script will follow no more than one HTTP redirect, and only if the
redirection leads to the same host. The script may send a DNS query to
determine if the host the redirect leads to has the same IP address as the
original target.
]]
---
--@output
-- 80/tcp open http syn-ack\n
-- |_ HTML title: Foo.\n
--@copyright Same as Nmap--See http://nmap.org/book/man-legal.html
id = "HTML title"
description = "Connects to an HTTP server and extracts the title of the default page."
author = "Diman Todorov <diman.todorov@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"


@@ -1,8 +1,10 @@
description = "Demonstration of a version detection NSE script. It checks and reports\
the version of a remote web server. For real life purposes it is better to use the\
Nmap version detection."
id = "HTTP version"
description = [[
Detects the version of a web server.
\n\n
This is a demonstration script. Its function is done better by normal version
detection.
]]
author = "Diman Todorov <diman.todorov@gmail.com>"


@@ -1,12 +1,10 @@
--- Queries the owner of a service on a scanned port. Uses port 113 to
-- make the query.
--@output
--
id = "Service owner"
description = "Opens a connection to the scanned port, opens a connection to port 113, queries the owner\
of the service on the scanned port and prints it."
description = [[
Attempts to find the owner of a scanned port.
\n\n
The script makes a connection to the auth port (113) and queries the owner of
an open port.
]]
author = "Diman Todorov <diman.todorov@gmail.com>"


@@ -1,12 +1,13 @@
--- Queries the version of an SMTP server.
--@output
id = "SMTP version"
description = [[
Prints the version of an SMTP server.
]]
---
-- @output
-- 25/tcp open smtp\n
-- |_ SMTP version: 220 mail.foo.com mx-2.bar.com ESMTP Exim 4.64\n
id = "SMTP version"
description = "Simple script which queries and prints the version of an SMTP server."
author = "Diman Todorov <diman.todorov@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"


@@ -1,14 +1,15 @@
--- Queries the version from an SSH Server. This typically does not result
-- in any logs of the connection being made.
--@output
id = "Stealth SSH version"
description = [[
Connects to an SSH server and retrieves the version banner.
\n\n
This typically does not result in any logs of the connection being made.
]]
---
-- @output
-- 22/tcp open ssh\n
-- |_ Stealth SSH version: SSH-2.0-OpenSSH_3.9p1\n
id = "Stealth SSH version"
description = "Connects to an SSH server, queries the version string and echos it back. This tends to result\
in the scanning attempt not being logged by the ssh daemon on the target."
author = "Diman Todorov <diman.todorov@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"


@@ -1,5 +1,7 @@
id="Skype v2"
description="Determines if remote service is Skype protocol version 2"
id = "Skype v2"
description = [[
Detects the Skype version 2 service.
]]
author = "Brandon Enright <bmenrigh@ucsd.edu>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"version"}


@@ -1,19 +1,23 @@
--- Attempts to enumerate domains on a system, along with their policies. This will likely
-- only work without credentials against Windows 2000. \n
-- \n
-- After the initial bind() to SAMR, the sequence of calls is:\n
-- Connect4() -- get a connect_handle\n
-- EnumDomains() -- get a list of the domains (stop here if you just want the names)\n
-- QueryDomain() -- get the sid for the domain\n
-- OpenDomain() -- get a handle for each domain\n
-- QueryDomainInfo2() -- get the domain information\n
--
--@usage
id = "MSRPC: List of domains"
description = [[
Attempts to enumerate domains on a system, along with their policies. This will
likely only work without credentials against Windows 2000.
\n\n
After the initial bind() to SAMR, the sequence of calls is:\n
Connect4() -- get a connect_handle\n
EnumDomains() -- get a list of the domains (stop here if you just want the names)\n
QueryDomain() -- get the sid for the domain\n
OpenDomain() -- get a handle for each domain\n
QueryDomainInfo2() -- get the domain information\n
]]
---
-- @usage
-- nmap --script smb-enumdomains.nse -p445 <host>\n
-- sudo nmap -sU -sS --script smb-enumdomains.nse -p U:137,T:139 <host>\n
--
--@output
-- Host script results:
-- @output
-- Host script results:\n
-- | MSRPC: List of domains:\n
-- | Domain: TEST1\n
-- | |_ SID: S-1-5-21-1060284298-842925246-839522115\n
@@ -29,11 +33,8 @@
-- | |_ Password properties: \n
-- | |_ Password complexity requirements do not exist\n
-- |_ |_ Administrator account cannot be locked out\n
-----------------------------------------------------------------------
id = "MSRPC: List of domains"
description = "Tries calling the EnumDomains() and QueryDomainInfo2() RPC function to obtain a list of domains/policies."
author = "Ron Bowes"
copyright = "Ron Bowes"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"


@@ -1,29 +1,30 @@
--- Attempts to call the srvsvc.NetShareEnumAll() MSRPC function. This will
-- likely only work anonymously against Windows 2000. \n
--\n
-- There isn't a whole lot to say about this one. The sequence of calls after
-- the initial bind() is:\n
-- NetShareEnumAll()\n
--\n
-- Since NetShareEnumAll() only works anonymously, if it fails this will check
-- a handful of common shares. \n
--\n
-- Once it has a list of shares, whether it was pulled over MSRPC or guessed,
-- we attempt to connect to each of them with a standard smb tree_connect request
-- over a null session. We record which ones succeeded and failed (that is, which
-- shares allowed for anonymous access).\n
--
id = "MSRPC: NetShareEnumAll()"
description = [[
Attempts to list shares using the srvsvc.NetShareEnumAll() MSRPC function. This
will likely only work anonymously against Windows 2000.
\n\n
There isn't a whole lot to say about this one. The sequence of calls after
the initial bind() is:\n
NetShareEnumAll()
\n\n
Since NetShareEnumAll() only works anonymously, if it fails this will check
a handful of common shares.
\n\n
Once it has a list of shares, whether it was pulled over MSRPC or guessed,
we attempt to connect to each of them with a standard smb tree_connect request
over a null session. We record which ones succeeded and failed (that is, which
shares allowed for anonymous access).
]]
---
--@usage
-- nmap --script smb-enumshares.nse -p445 <host>\n
-- sudo nmap -sU -sS --script smb-enumshares.nse -p U:137,T:139 <host>\n
-- sudo nmap -sU -sS --script smb-enumshares.nse -p U:137,T:139 <host>
--
--@output
-- Host script results:\n
-- TODO
-----------------------------------------------------------------------
id = "MSRPC: NetShareEnumAll()"
description = "Tries calling the NetShareEnumAll() RPC function, and guessing shares"
author = "Ron Bowes"
copyright = "Ron Bowes"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"


@@ -1,73 +1,80 @@
--- Attempts to enumerate the users on a remote Windows system, with as much information as possible,
-- through a variety of techniques (over SMB + MSRPC, which uses port 445 or 139). \n
--\n
-- Will first attempt to call the QueryDisplayInfo() MSRPC function. If NULL sessions are enabled,
-- this will succeed and pull back a detailed list of users. Unfortunately, this likely won't succeed
-- unless we're scanning Windows 2000. When this test is performed, the following MSRPC functions
-- are called:\n
--\n
-- Bind() -- bind to the SAMR service\n
-- Connect4() -- get a connect_handle\n
-- EnumDomains() -- get a list of the domains\n
-- QueryDomain() -- get the sid for the domain\n
-- OpenDomain() -- get a handle for each domain\n
-- QueryDisplayInfo() -- get the list of users in the domain\n
-- Close() -- Close the domain handle\n
-- Close() -- Close the connect handle\n
--\n
-- Credit goes out to the enum.exe program, the code I wrote for this is largely due to packetlogs
-- I took of its operations. \n
--\n
-- Regardless of whether or not this succeeds, a second technique is used to pull user accounts.
-- This one is apparently successful against more machines, although I haven't found a machine
-- that this only works against. However, I did find that this will turn up more users for certain
-- systems (although I haven't figured out why). \n
-- \n
-- Each user on a Windows system has an RID. The RID of 500 is the Administrator account (even if
-- it's renamed), 501 is the Guest account, and 1000+ are the user accounts. This technique, which
-- was originally used in the sid2user/user2sid programs, will attempt to convert common RID numbers
-- to names to discover users. \n
-- \n
-- First, the SID of the server has to be determined. This is done by looking up any name present on
-- the server using a technique like user2sid. For this code, we try and convert as many names as we
-- can find -- all we need is one valid name for this to succeed. In this code, I use:\n
-- - The computer name / domain name, returned in SMB_COM_NEGOTIATE\n
-- - An nbstat query to get the server name and the currently loggeed in user\n
-- - Some common names ("administrator", "guest", and "test")\n
--\n
-- In theory, the computer name should be sufficient for this to always work, and the rest of the \n
-- names are in there for good measure. \n
--\n
-- Once that's completed, the RIDs 500 - 505 are requested, and any responses are displayed. Then,
-- starting at 1000, we take small groups of RIDs which are requestd. I break them into
-- smaller groups because if too many are requested at once, we get a STATUS_BUFFER_OVERFLOW
-- error. We try every RID up to 1100, then, as soon as we get an empty group (5 RIDs in a row
-- without a result), we stop. \n
--\n
-- It might be a good idea to modify this, in the future, with some more intelligence. For example,
-- have it run until it get 5 groups in a row with no results instead of going up to 1100. I
-- performed a test on an old server we have here with a lot of accounts, and I got these results:
-- 500, 501, 1000, 1030, 1031, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063,
-- 1064, 1065, 1066, 1067, 1070, 1075, 1081, 1088, 1090. The jump from 1000 to 1030 is quite large
-- and can easily result in missing accounts.\n
--\n
-- The disadvantage of using the user2sid/sid2user technique is that less information is returned
-- about the user. \n
--\n
-- The names and details from both of these techniques are merged and displayed. If the output is
-- verbose, then as many details as possible are displayed, otherwise only the list of usernames
-- are displayed. The names are ordered alphabetically.\n
--
--@usage
id = "MSRPC: List of user accounts"
description = [[
Attempts to enumerate the users on a remote Windows system, with as much
information as possible, through a variety of techniques (over SMB + MSRPC,
which uses port 445 or 139).
\n\n
Will first attempt to call the QueryDisplayInfo() MSRPC function. If NULL
sessions are enabled, this will succeed and pull back a detailed list of users.
Unfortunately, this likely won't succeed unless we're scanning Windows 2000.
When this test is performed, the following MSRPC functions are called:\n
Bind() -- bind to the SAMR service\n
Connect4() -- get a connect_handle\n
EnumDomains() -- get a list of the domains\n
QueryDomain() -- get the sid for the domain\n
OpenDomain() -- get a handle for each domain\n
QueryDisplayInfo() -- get the list of users in the domain\n
Close() -- Close the domain handle\n
Close() -- Close the connect handle
\n\n
Credit goes out to the enum.exe program, the code I wrote for this is largely
due to packetlogs I took of its operations.
\n\n
Regardless of whether or not this succeeds, a second technique is used to pull
user accounts. This one is apparently successful against more machines,
although I haven't found a machine that this only works against. However, I did
find that this will turn up more users for certain systems (although I haven't
figured out why).
\n\n
Each user on a Windows system has an RID. The RID of 500 is the Administrator
account (even if it's renamed), 501 is the Guest account, and 1000+ are the
user accounts. This technique, which was originally used in the
sid2user/user2sid programs, will attempt to convert common RID numbers to names
to discover users.
\n\n
First, the SID of the server has to be determined. This is done by looking up
any name present on the server using a technique like user2sid. For this code,
we try and convert as many names as we can find -- all we need is one valid
name for this to succeed. In this code, I use:\n
- The computer name / domain name, returned in SMB_COM_NEGOTIATE\n
- An nbstat query to get the server name and the currently loggeed in user\n
- Some common names ("administrator", "guest", and "test")
\n\n
In theory, the computer name should be sufficient for this to always work, and
the rest of the names are in there for good measure.
\n\n
Once that's completed, the RIDs 500 - 505 are requested, and any responses are
displayed. Then, starting at 1000, we take small groups of RIDs which are
requestd. I break them into smaller groups because if too many are requested at
once, we get a STATUS_BUFFER_OVERFLOW error. We try every RID up to 1100, then,
as soon as we get an empty group (5 RIDs in a row without a result), we stop.
\n\n
It might be a good idea to modify this, in the future, with some more
intelligence. For example, have it run until it get 5 groups in a row with no
results instead of going up to 1100. I performed a test on an old server we
have here with a lot of accounts, and I got these results: 500, 501, 1000,
1030, 1031, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063,
1064, 1065, 1066, 1067, 1070, 1075, 1081, 1088, 1090. The jump from 1000 to
1030 is quite large and can easily result in missing accounts.
\n\n
The disadvantage of using the user2sid/sid2user technique is that less
information is returned about the user.
\n\n
The names and details from both of these techniques are merged and displayed.
If the output is verbose, then as many details as possible are displayed,
otherwise only the list of usernames are displayed. The names are ordered
alphabetically.
]]
---
-- @usage
-- nmap --script smb-enumusers.nse -p445 <host>\n
-- sudo nmap -sU -sS --script smb-enumusers.nse -p U:137,T:139 <host>\n
-- sudo nmap -sU -sS --script smb-enumusers.nse -p U:137,T:139 <host>
--
--@output
-- @output
-- TODO
-----------------------------------------------------------------------
id = "MSRPC: List of user accounts"
description = "Tries calling SAMR and LSA functions to get a list of user accounts."
author = "Ron Bowes"
copyright = "Ron Bowes"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
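Review bot: Three typos from the old LuaDoc comment are carried into the new description string rather than fixed while the text was being reflowed: `currently loggeed in user` should be `currently logged in user`, `small groups of RIDs which are requestd` should be `small groups of RIDs which are requested`, and `have it run until it get 5 groups` should be `have it run until it gets 5 groups`. Since the description is now a runtime string shown in script help, these are worth correcting in the same pass.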


@@ -1,9 +1,15 @@
--- Attempts to determine the operating system over SMB protocol (ports 445 and 139).
-- See nselib/smb.lua for more information on this protocol.
--
id = "OS from SMB"
description = [[
Attempts to determine the operating system over the SMB protocol (ports 445 and
139).
\n\n
See nselib/smb.lua for more information on this protocol.
]]
---
--@usage
-- nmap --script smb-os-discovery.nse -p445 127.0.0.1\n
-- sudo nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 127.0.0.1\n
-- sudo nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 127.0.0.1
--
--@output
-- | OS from SMB: Windows 2000\n
@@ -13,8 +19,6 @@
--
-----------------------------------------------------------------------
id = "OS from SMB"
description = "Attempts to determine the operating system over the SMB protocol (ports 445 and 139)."
author = "Ron Bowes"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}


@@ -1,36 +1,41 @@
--- Returns information about the SMB security level determined by SMB. \n
--\n
-- Here is how to interpret the output:\n
--\n
-- User-level security: Each user has a separate username/password that is used
-- to log into the system. This is the default setup of pretty much everything
-- these days. \n
-- Share-level security: The anonymous account should be used to log in, then
-- the password is given (in plaintext) when a share is accessed. All users who
-- have access to the share use this password. This was the original way of doing
-- things, but isn't commonly seen, now. If a server uses share-level security,
-- it is vulnerable to sniffing. \n
--\n
-- Challenge/response passwords: If enabled, the server can accept any type of
-- password:\n
-- * Plaintext\n
-- * LM and NTLM\n
-- * LMv2 and NTLMv2\n
-- If it isn't set, the server can only accept plaintext passwords. Most servers
-- are configured to use challenge/response these days. If a server is configured
-- to accept plaintext passwords, it is vulnerable to sniffing. \n
--\n
-- Message signing: If required, all messages between the client and server must
-- sign be signed by a shared key, derived from the password and the server
-- challenge. If supported and not required, message signing is negotiated between
-- clients and servers and used if both support and request it. By default, Windows clients
-- don't sign messages, so if message signing isn't required by the server, messages
-- probably won't be signed; additionally, if performing a man-in-the-middle attack,
-- an attacker can negotiate no message signing. If message signing isn't required, the
-- server is vulnerable to man-in-the-middle attacks. \n
-- \n
-- See nselib/smb.lua for more information on the protocol itself. \n
--\n
id = "SMB Security"
description = [[
Returns information about the SMB security level determined by SMB.
\n\n
Here is how to interpret the output:
\n\n
User-level security: Each user has a separate username/password that is used
to log into the system. This is the default setup of pretty much everything
these days.\n
Share-level security: The anonymous account should be used to log in, then
the password is given (in plaintext) when a share is accessed. All users who
have access to the share use this password. This was the original way of doing
things, but isn't commonly seen, now. If a server uses share-level security,
it is vulnerable to sniffing.
\n\n
Challenge/response passwords: If enabled, the server can accept any type of
password:\n
* Plaintext\n
* LM and NTLM\n
* LMv2 and NTLMv2\n
If it isn't set, the server can only accept plaintext passwords. Most servers
are configured to use challenge/response these days. If a server is configured
to accept plaintext passwords, it is vulnerable to sniffing.
\n\n
Message signing: If required, all messages between the client and server must
sign be signed by a shared key, derived from the password and the server
challenge. If supported and not required, message signing is negotiated between
clients and servers and used if both support and request it. By default,
Windows clients don't sign messages, so if message signing isn't required by
the server, messages probably won't be signed; additionally, if performing a
man-in-the-middle attack, an attacker can negotiate no message signing. If
message signing isn't required, the server is vulnerable to man-in-the-middle
attacks.
\n\n
See nselib/smb.lua for more information on the protocol itself.\n
]]
---
--@usage
-- nmap --script smb-security-mode.nse -p445 127.0.0.1\n
-- sudo nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139 127.0.0.1\n
@@ -42,8 +47,6 @@
--
-----------------------------------------------------------------------
id = "SMB Security"
description = "Attempts to determine the security mode over the SMB protocol (ports 445 and 139)."
author = "Ron Bowes"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}
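Review bot: The sentence starting "Message signing: If required, all messages between the client and server must sign be signed by a shared key" keeps a duplicated verb from the old comment; it should read `must be signed by a shared key`. Separately, the last line of the new description, `See nselib/smb.lua for more information on the protocol itself.\n`, ends with a `\n` right before `]]`, whereas the other descriptions in this commit end their final paragraph without one, so dropping it would keep the rendered output consistent.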


@@ -1,17 +1,16 @@
--- Checks if SMTP is running on a non-standard port. This usually indicates
-- crackers or script kiddies have set up a backdoor on the system
-- to send spam or control your machine.
--@output
id = "Unexpected SMTP"
description = [[
Checks if SMTP is running on a non-standard port.
\n\n
This usually indicates crackers or script kiddies have set up a backdoor on the
system to send spam or control your machine.
]]
---
-- @output
-- 22/tcp open ssh\n
-- |_ Warning: smtp is running on a strange port.\n
id = "Unexpected SMTP"
description = "\
If smtp is running on a strange port\
there be a backdoor set up by crackers to send spam\
or even control your machine."
author = "Diman Todorov <diman.todorov@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"


@@ -1,3 +1,4 @@
id = "Whois"
description = [[
Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address
Assignment which contains the Target IP Address.
@@ -69,7 +70,7 @@ the RIRs.
-- \n nmap target --script whois --script-args whois={whodb=nocache}
-- \n\n
--
--
--
--
-- @output
@@ -83,7 +84,6 @@ the RIRs.
-- \n|_ country: US stateprov: CA
--
id = "Whois"
author = "jah <jah at zadkiel.plus.com>"
license = "See Nmap License: http://nmap.org/book/man-legal.html"
runlevel = 1


@@ -1,16 +1,17 @@
--- Checks if the remote host is running XAMP or XAMPP's FTP server
-- allows access with nobody/xampp. XAMP is an Apache distribution
-- designed for easy installation and administration.
id = "XAMPP default pwd"
description = [[
Check if an XAMP or XAMPP FTP server uses a default username and password.
\n\n
XAMP is an Apache distribution designed for easy installation and
administration. The default username/password combination the script checks for
is nobody/xampp.
]]
---
-- @output
-- 21/tcp open ftp\n
-- |_ Login success with u/p: foo/bar\n
id = "XAMPP default pwd"
description = "If the remote host is running XAMP (an Apache distribution\
designed for easy installation and administration) and XAMPP's FTP server is\
allows access with nobody/xampp then we report it."
author = "Diman Todorov <diman.todorov@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
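Review bot: The new summary line `Check if an XAMP or XAMPP FTP server uses a default username and password.` uses the imperative, while every other summary in this commit is third person ("Checks to see if an FTP server …", "Checks for disallowed entries …", "Detects the Skype version 2 service."). It should read `Checks if an XAMP or XAMPP FTP server uses a default username and password.` to match the standard form the commit establishes.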


@@ -1,23 +1,25 @@
--- Request a zone transfer (AXFR) from a DNS server.\n
-- \n
-- Send axfr queries to DNS servers. The domain to query is determined
-- by examining the name given on the command line, the domain servers
-- hostname, or it can be specified with the "domain" script argument.
-- If the query is successful all domains and domain types are returned
-- along with common type specific data (SOA/MX/NS/PTR/A).\n
-- \n
-- constraints\n
-- -----------\n
-- If we don't have the 'true' hostname for the dns server we cannot
-- determine a likely zone to perform the transfer on.\n
-- \n
-- useful resources\n
-- ----------------\n
-- DNS for rocket scientists - http://www.zytrax.com/books/dns/\n
-- How the AXFR protocol works - http://cr.yp.to/djbdns/axfr-notes.html\n
--
--@args zoneTrans.domain Domain to transfer.
--@output
id = 'zone-transfer'
description = [[
Requests a zone transfer (AXFR) from a DNS server.
\n\n
The script sends an AXFR query to a DNS server. The domain to query is determined
by examining the name given on the command line, the DNS server's
hostname, or it can be specified with the "domain" script argument.
If the query is successful all domains and domain types are returned
along with common type specific data (SOA/MX/NS/PTR/A).
\n\n
Constraints\n
If we don't have the 'true' hostname for the dns server we cannot
determine a likely zone to perform the transfer on.
\n\n
Useful resources\n
DNS for rocket scientists - http://www.zytrax.com/books/dns/\n
How the AXFR protocol works - http://cr.yp.to/djbdns/axfr-notes.html\n
]]
---
-- @args zoneTrans.domain Domain to transfer.
-- @output
-- 53/tcp open domain
-- | zone-transfer: \n
-- | foo.com. SOA ns2.foo.com. piou.foo.com. \n
@@ -51,9 +53,7 @@ require('listop')
require('bit')
require('tab')
id = 'zone-transfer'
author = 'Eddie Bell <ejlbell@gmail.com>'
description = 'Request a zone transfer (AXFR) from a DNS server'
license = 'Same as Nmap--See http://nmap.org/book/man-legal.html'
categories = {'default', 'intrusive', 'discovery'}
runlevel = 1.0