mostly documentation cleanup, though I also moved ftp-anon into the safe category since I don't think it is any more intrusive than other scripts in that category

scripts/asn-query.nse

@@ -7,7 +7,7 @@ turn queries a third-party service provided by Team Cymru
 use by Nmap.
 
 The responses to these queries contain both Origin and Peer ASNs and
-their descriptions, displayed along with the BG Prefix and Country Code.
+their descriptions, displayed along with the BGP Prefix and Country Code.
 
 The script caches results to reduce the number of queries and should
 perform a single query for all scanned targets in a BG Prefix present in
@@ -16,7 +16,7 @@ Team Cymru's database.
 Be aware that any targets against which this script is run will be sent
 to and potentially recorded by one or more DNS servers and Team Cymru.
 In addition your IP address will be sent along with the ASN to a DNS
-server (your default DNS server, or whichever you specified with the
+server (your default DNS server, or whichever one you specified with the
 <code>dns</code> script argument).
 ]]
 

scripts/dns-random-srcport.nse

@@ -1,7 +1,7 @@
 description = [[
 Checks a DNS server for the predictable-port recursion vulnerability.
 Predictable source ports can make a DNS server vulnerable to cache poisoning
-attacks (CVE-2008-1447).
+attacks (see CVE-2008-1447).
 
 The script works by querying porttest.dns-oarc.net.
 Be aware that any targets against which this script is run will be sent to and

scripts/dns-random-txid.nse

@@ -2,7 +2,7 @@
 description = [[
 Checks a DNS server for the predictable-TXID DNS recursion
 vulnerability.  Predictable TXID values can make a DNS server vulnerable to
-cache poisoning attacks (CVE-2008-1447).
+cache poisoning attacks (see CVE-2008-1447).
 
 The script works by querying txidtest.dns-oarc.net.
 Be aware that any targets against which this script is run will be sent to and

scripts/finger.nse

@@ -1,5 +1,5 @@
 description = [[
-Attempts to get a list of usernames via the finger service.
+Attempts to retrieve a list of usernames using the finger service.
 ]]
 
 author = "Eddie Bell <ejlbell@gmail.com>"

scripts/ftp-anon.nse

@@ -8,7 +8,7 @@ Checks if an FTP server allows anonymous logins.
 
 author = "Eddie Bell <ejlbell@gmail.com>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"default", "auth", "intrusive"}
+categories = {"default", "auth", "safe"}
 
 require "shortport"
 

scripts/html-title.nse

@@ -3,14 +3,16 @@ Shows the title of the default page of a web server.
 
 The script will follow no more than one HTTP redirect, and only if the
 redirection leads to the same host. The script may send a DNS query to
-determine if the host the redirect leads to has the same IP address as the
+determine whether the host the redirect leads to has the same IP address as the
 original target.
 ]]
 
 ---
 --@output
--- 80/tcp  open   http    syn-ack
+-- Interesting ports on scanme.nmap.org (64.13.134.52):
--- |_ html-title: Foo.
+-- PORT   STATE SERVICE
+-- 80/tcp open  http
+-- |_ html-title.nse: Go ahead and ScanMe!
 
 author = "Diman Todorov <diman.todorov@gmail.com>"
 

scripts/http-auth.nse

@@ -1,5 +1,5 @@
 description = [[
-Gets the authentication scheme and realm of a web service that requires
+Retrieves the authentication scheme and realm of a web service that requires
 authentication.
 ]]
 

scripts/http-open-proxy.nse

@@ -1,10 +1,10 @@
 description=[[
 Checks if an HTTP proxy is open.
 
-The script attempts to connect to www.google.com through the proxy and checks
+The script attempts to connect to www.google.com through the (possible) proxy and checks
 for a <code>Server: gws</code> header field in the response.
 
-If the target is an open proxy, this script will cause the target to retrieve a
+If the target is an open proxy, this script causes the target to retrieve a
 web page from www.google.com.
 ]]
 

scripts/http-passwd.nse

@@ -1,6 +1,6 @@
 description = [[
 Checks if a web server is vulnerable to directory traversal by attempting to
-retrieve /etc/passwd.
+retrieve <code>/etc/passwd</code> using various traversal methods such as requestiong <code>../../../../etc/passwd</code>.
 ]]
 
 -- 07/20/2007:

scripts/iax2-version.nse

@@ -1,8 +1,7 @@
 description = [[
 Detects the UDP IAX2 service.
 
-The script sends an IAX Control Frame POKE request and checks for a proper
+The script sends an Inter-Asterisk eXchange (IAX) Revision 2 Control Frame POKE request and checks for a proper response.  This protocol is used to enable VoIP connections between servers as well as client-server communication.
-response.
 ]]
 
 author = "Ferdy Riphagen <f.riphagen@nsec.nl>"

scripts/identd-owners.nse

@@ -1,8 +1,6 @@
 description = [[
-Attempts to find the owner of a scanned port.
+Attempts to find the owner of an open TCP port by querying an identd
-
+(auth - port 113) daemon which must also be open on the target system.
-The script makes a connection to the auth port (113) and queries the owner of
-an open port.
 ]]
 
 author = "Diman Todorov <diman.todorov@gmail.com>"

scripts/irc-info.nse

@@ -7,11 +7,11 @@ It uses STATS, LUSERS, and other queries to obtain this information.
 ---
 -- @output
 -- 6665/tcp open     irc
--- |  irc-info: Server: foo.bar.net
+-- |  irc-info: Server: target.example.org
--- |  Version: hyperion-1.0.2b(381). foo.bar.net 
+-- |  Version: hyperion-1.0.2b(381). target.example.org
 -- |  Lservers/Lusers: 0/4204
 -- |  Uptime: 106 days, 2:46:30
--- |  Source host: bar.foo.net
+-- |  Source host: source.example.org
 -- |_ Source ident: OK n=nmap
 
 author = "Doug Hoyte"

scripts/ms-sql-info.nse

@@ -1,5 +1,5 @@
 description = [[
-Attempts to extract information from Microsoft SQL Server.
+Attempts to extract information from Microsoft SQL Server instances.
 ]]
 -- rev 1.0 (2007-06-09)
 

scripts/mysql-info.nse

@@ -3,8 +3,8 @@ Connects to a MySQL server and prints information such as the protocol and
 version numbers, thread ID, status, capabilities, and the password salt.
 
 If service detection is performed and the server appears to be blocking
-our host or is blocked from too many connections, then we don't bother
+our host or is blocked because of too many connections, then this script isn't run
-running this script (see the portrule).
+(see the portrule).
 ]]
 
 ---
@@ -13,7 +13,7 @@ running this script (see the portrule).
 -- |  mysql-info: Protocol: 10
 -- |  Version: 5.0.51a-3ubuntu5.1
 -- |  Thread ID: 7
--- |  Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection
+-- |  Some Capabilities: Connect with DB, Transactions, Secure Connection
 -- |  Status: Autocommit
 -- |_ Salt: bYyt\NQ/4V6IN+*3`imj
 

scripts/nbstat.nse

@@ -1,5 +1,5 @@
 description = [[
-Attempt's to get the target's NetBIOS names and MAC address.
+Attempt's to retrieve the target's NetBIOS names and MAC address.
 
 By default, the script displays the name of the computer and the logged-in
 user; if the verbosity is turned up, it displays all names the system thinks it
@@ -12,14 +12,14 @@ owns.
 --
 -- @output
 -- (no verbose)\n
--- |_ nbstat: NetBIOS name: TEST1, NetBIOS user: RON, NetBIOS MAC: 00:0c:29:f9:d9:28\n
+-- |_ nbstat: NetBIOS name: TST, NetBIOS user: RON, NetBIOS MAC: 00:0c:29:f9:d9:28\n
 --\n
 -- (verbose)\n
--- |  nbstat: NetBIOS name: TEST1, NetBIOS user: RON, NetBIOS MAC: 00:0c:29:f9:d9:28\n
+-- |  nbstat: NetBIOS name: TST, NetBIOS user: RON, NetBIOS MAC: 00:0c:29:f9:d9:28\n
--- |  Name: TEST1<00>            Flags: <unique><active>\n
+-- |  Name: TST<00>            Flags: <unique><active>\n
--- |  Name: TEST1<20>            Flags: <unique><active>\n
+-- |  Name: TST<20>            Flags: <unique><active>\n
 -- |  Name: WORKGROUP<00>        Flags: <group><active>\n
--- |  Name: TEST1<03>            Flags: <unique><active>\n
+-- |  Name: TST<03>            Flags: <unique><active>\n
 -- |  Name: WORKGROUP<1e>        Flags: <group><active>\n
 -- |  Name: RON<03>              Flags: <unique><active>\n
 -- |  Name: WORKGROUP<1d>        Flags: <unique><active>\n

scripts/pop3-capabilities.nse

@@ -1,5 +1,5 @@
 description = [[
-Retrieves POP3 server capabilities.
+Retrieves POP3 email server capabilities.
 ]]
 
 ---

scripts/pptp-version.nse

@@ -1,5 +1,5 @@
 description = [[
-Attempts to extract system information from the PPTP service.
+Attempts to extract system information from the point-to-point tunneling protocol (PPTP) service.
 ]]
 -- rev 0.2 (11-14-2007)
 

scripts/smtp-strangeport.nse

@@ -1,14 +1,14 @@
 description = [[
 Checks if SMTP is running on a non-standard port.
 
-This usually indicates crackers or script kiddies have set up a backdoor on the
+This may indicate that crackers or script kiddies have set up a backdoor on the
-system to send spam or control your machine.
+system to send spam or control the machine.
 ]]
 
 ---
 -- @output
--- 22/tcp  open   ssh
+-- 22/tcp  open   smtp
--- |_ smtp-strangeport: Warning: smtp is running on a strange port
+-- |_ smtp-strangeport: Mail server on unusual port: possible malware
 
 author = "Diman Todorov <diman.todorov@gmail.com>"
 
@@ -35,6 +35,6 @@ portrule = function(host, port)
 end
 
 action = function()
-	return "Warning: smtp is running on a strange port"
+	return "Mail server on unusual port: possible malware"
 end
 

scripts/sniffer-detect.nse

@@ -1,7 +1,7 @@
 description = [[
 Checks if a target on a local Ethernet has its network card in promiscuous mode.
 
-The technique is described at
+The techniques used are described at
 http://www.securityfriday.com/promiscuous_detection_01.pdf.
 ]]
 

scripts/snmp-brute.nse

@@ -1,5 +1,5 @@
 description = [[
-Attempts to find an SNMP community string by brute force.
+Attempts to find an SNMP community string by brute force guessing.
 ]]
 -- 2008-07-03
 

scripts/sql-injection.nse

@@ -6,14 +6,11 @@ The script spiders an HTTP server looking for URLs containing queries. It then
 proceeds to combine crafted SQL commands with susceptible URLs in order to
 obtain errors. The errors are analysed to see if the URL is vulnerable to
 attack. This uses the most basic form of SQL injection but anything more
-complication is more suited to a standalone tool. Both meta and HTTP redirects
+complicated is better suited to a standalone tool. Both meta-style and HTTP redirects
 are supported.
 
-It is not advisable to run this against unknown hosts.
+We may not have access to the target web server's true hostname, which can prevent access to
-
+virtually hosted sites.  This script only follows absolute links when the host name component is the same as the target server's reverse-DNS name.
-We may not have access to the server's true hostname. This means we cannot
-access virtually hosted sites and cannot follow absolute links when the
-hostname is different from the resolved IP address
 ]]
 
 require('url')

scripts/ssh-hostkey.nse

@@ -1,9 +1,7 @@
 description = [[
 Shows SSH hostkeys.
 
-Shows fingerprint or fingerprint and key depending on verbosity level. Puts the
+Shows the target SSH server's key fingerprint and (with high enough verbosity level) the public key itself.  It records the discovered host keys in <code>nmap.registry</code> for use by other scripts.  Output can be controlled with the <code>ssh_hostkey</code> script argument.
-found hostkeys in nmap.registry for other scripts to use them. You can control
-the output with the <code>ssh_hostkey</code> script argument.
 ]]
 
 ---

scripts/sshv1.nse

@@ -1,5 +1,5 @@
 description = [[
-Checks if an SSH server supports SSH Protocol Version 1.
+Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1.
 ]]
 author = "Brandon Enright <bmenrigh@ucsd.edu>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

scripts/sslv2.nse

@@ -1,6 +1,6 @@
 description = [[
-Determines whether the server (still) supports SSL-v2, and what ciphers it
+Determines whether the server supports obsolete and less secure SSL-v2, and discovers which ciphers it
-offers.
+supports.
 ]]
 
 ---