diff --git a/docs/refguide.xml b/docs/refguide.xml
index 097bc5211..194cdc632 100644
--- a/docs/refguide.xml
+++ b/docs/refguide.xml
@@ -1893,18 +1893,26 @@ way.
- Malware-detection (categories
- malware and backdoor)- Both attackers
+ Malware-detection (category malware)—Both attackers
and worms often leave backdoors—be it in form of SMTP-servers listening on
uncommon ports mostly used by spammers for mail relay, or in form of an
FTP-server giving crackers access to critical data. A few lines of Lua code
can help to identify those loopholes easily.
+
Vulnerability Detection (category
- vulnerability)- NSE's capacity in detecting risks ranges
- from checking for default passwords on Apache distributions to testing
- whether a SMTP-server supports relaying mail from arbitrary domains.
+ vuln)—NSE's capacity in detecting risks ranges
+ from testing whether an SMTP server supports relaying mail from arbitrary
+ domains to testing whether an HTTP server is vulnerable to directory
+ traversal attacks.
+
+
+
+ Determination of Authentication Credentials (category
+ auth)—NSE can be used for determining authentication
+ credentials on the target's services, with a common method being brute-force
+ attack.
@@ -1918,7 +1926,7 @@ way.
available NFS/SMB/RPC shares, the number of channels of an irc-network or
currently logged on users.
-
+
To reflect those different uses and to simplify the choice of which
scripts to run, each script contains a field associating it with one or more
diff --git a/docs/scripting.xml b/docs/scripting.xml
index 4291b0c73..cf3d1ccdc 100644
--- a/docs/scripting.xml
+++ b/docs/scripting.xml
@@ -185,9 +185,9 @@ Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds
Currently defined categories are safe,
intrusive, malware,
version, discovery,
- vulnerability and default.
- Categories are not case sensitive. The following list
- describes each category.
+ vuln, auth and
+ default. Categories are not case
+ sensitive. The following list describes each category.
@@ -213,11 +213,12 @@ Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds
- These are not intended to
- crash or damage anything, but are more likely to leave
- suspicious logs or otherwise arouse sysadmin ire. Scripts
- which attempt to login to services with default passwords
- fall into this class.
+ These are scripts that cannot be classified in the
+ "safe" category because the risks are too high that they
+ will crash the target system, use up significant resources
+ on the target host (such as bandwidth or CPU time), or
+ otherwise be perceived as malicious by the target's
+ system administrators.
@@ -259,10 +260,21 @@ Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds
-
+
- These scripts check for a specific vulnerability and report results only if it is found.
+ These scripts check for specific known vulnerabilities and
+ generally only report results if it is found.
+
+
+
+
+
+
+
+
+ These scripts try to determine authentication credentials
+ on the target system, often through a brute-force attack.
@@ -272,8 +284,9 @@ Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds
These scripts are the default set and are run when
- using . This category can also be
- specified like any other with .
+ using , or
+ without any arguments. This category can also be specified
+ explicitly like any other using .
Don't be fooled into thinking that just because these scripts
are run by default that they are all completely unobtrusive:
these scripts should not be run against target networks without
diff --git a/scripts/HTTPAuth.nse b/scripts/HTTPAuth.nse
index 92161e9b3..ce9d24599 100644
--- a/scripts/HTTPAuth.nse
+++ b/scripts/HTTPAuth.nse
@@ -9,9 +9,7 @@ author = "Thomas Buchanan "
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- uncomment the following line to enable safe category
--- categories = {"safe"}
-categories = {"default", "intrusive"}
+categories = {"default", "auth", "intrusive"}
require "shortport"
require "http"
diff --git a/scripts/HTTP_open_proxy.nse b/scripts/HTTP_open_proxy.nse
index 9211a0c30..75e81134b 100644
--- a/scripts/HTTP_open_proxy.nse
+++ b/scripts/HTTP_open_proxy.nse
@@ -7,7 +7,7 @@
id="Open Proxy Test"
description="Test if a discovered proxy is open to us by connecting to www.google.com and checking for the 'Server: GWS/' header response."
-categories = {"default", "intrusive"}
+categories = {"default", "discovery", "intrusive"}
require "comm"
-- I found a nice explode() function in lua-users' wiki. I had to fix it, though.
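Review bot: Adding `"discovery"` to `categories` means a run that selects scripts only by the discovery category now includes this script, which by its own `description` connects to www.google.com through the target. That sends traffic to a third party that the operator may not have intended when asking for discovery scripts. A comment above the line would make this visible, for example `-- NOTE: relays a request to an external host through the target; kept in "intrusive" for that reason`. The rest of the script is outside the hunk, so the exact request it sends is not visible here.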
diff --git a/scripts/HTTPpasswd.nse b/scripts/HTTPpasswd.nse
index c0ccaf393..d511097d3 100644
--- a/scripts/HTTPpasswd.nse
+++ b/scripts/HTTPpasswd.nse
@@ -16,7 +16,7 @@ author = "Kris Katterjohn "
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"intrusive"}
+categories = {"intrusive", "vuln"}
require "shortport"
require "http"
diff --git a/scripts/RealVNC_auth_bypass.nse b/scripts/RealVNC_auth_bypass.nse
index e79ffa99a..11b3c1072 100644
--- a/scripts/RealVNC_auth_bypass.nse
+++ b/scripts/RealVNC_auth_bypass.nse
@@ -3,7 +3,7 @@ description="Checks to see if the VNC Server is vulnerable to the RealVNC authen
author = "Brandon Enright "
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"default", "backdoor"}
+categories = {"default", "malware", "vuln"}
require "shortport"
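Review bot: The new `categories` line tags this script `malware`, but the description in the hunk header says it checks whether the VNC server is vulnerable to an authentication bypass, which is what `vuln` already covers. The refguide.xml text in this same commit describes the malware category as finding backdoors left by attackers and worms. The list also has neither `safe` nor `intrusive` while staying in `default`, so an operator cannot tell from the categories how aggressive the check is. If the probe is harmless, `categories = {"default", "safe", "vuln"}` would fit; otherwise use `intrusive` in place of `safe`. The script body is outside the hunk, so which of the two applies needs confirming.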
diff --git a/scripts/SQLInject.nse b/scripts/SQLInject.nse
index 86ca7f023..cb69df09c 100644
--- a/scripts/SQLInject.nse
+++ b/scripts/SQLInject.nse
@@ -33,7 +33,7 @@ author = "Eddie Bell "
description = "spiders a http server looking for URLs containing queries \
and tries to determines if they are vulnerable to injection attack"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"vulnerability"}
+categories = {"intrusive", "vuln"}
runlevel = 1.0
-- Change this to increase depth of crawl
diff --git a/scripts/SSHv1-support.nse b/scripts/SSHv1-support.nse
index 489455544..0b12cdd5b 100644
--- a/scripts/SSHv1-support.nse
+++ b/scripts/SSHv1-support.nse
@@ -2,7 +2,7 @@ id="SSH Protocol Version 1"
description="Checks to see if SSH server supports SSH Protocol Version 1."
author = "Brandon Enright "
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"default", "intrusive"}
+categories = {"default", "safe"}
require "shortport"
diff --git a/scripts/SSLv2-support.nse b/scripts/SSLv2-support.nse
index 008e5f26b..53ed860dd 100644
--- a/scripts/SSLv2-support.nse
+++ b/scripts/SSLv2-support.nse
@@ -3,7 +3,7 @@ description = "determines whether the server (still) supports SSL-v2, and what c
author = "Matt "
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"default", "intrusive"}
+categories = {"default", "safe"}
require "shortport"
diff --git a/scripts/anonFTP.nse b/scripts/anonFTP.nse
index ce4b3b1a8..6b504212f 100644
--- a/scripts/anonFTP.nse
+++ b/scripts/anonFTP.nse
@@ -6,7 +6,7 @@ author = "Eddie Bell "
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"default", "intrusive"}
+categories = {"default", "auth", "intrusive"}
require "shortport"
diff --git a/scripts/bruteTelnet.nse b/scripts/bruteTelnet.nse
index 8c4925edf..747ce97f6 100644
--- a/scripts/bruteTelnet.nse
+++ b/scripts/bruteTelnet.nse
@@ -2,7 +2,7 @@ id='bruteforce'
author = 'Eddie Bell '
description='brute force telnet login credientials'
license = 'Same as Nmap--See http://nmap.org/book/man-legal.html'
-categories = {'vulnerability'}
+categories = {'auth', 'intrusive'}
require('shortport')
require('stdnse')
diff --git a/scripts/script.db b/scripts/script.db
index 7cf040735..22f7e5ef2 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -1,70 +1,78 @@
-Entry{ category = "default", filename = "HTTPAuth.nse" }
-Entry{ category = "intrusive", filename = "HTTPAuth.nse" }
-Entry{ category = "default", filename = "HTTP_open_proxy.nse" }
-Entry{ category = "intrusive", filename = "HTTP_open_proxy.nse" }
-Entry{ category = "intrusive", filename = "HTTPpasswd.nse" }
-Entry{ category = "discovery", filename = "HTTPtrace.nse" }
-Entry{ category = "default", filename = "MSSQLm.nse" }
-Entry{ category = "discovery", filename = "MSSQLm.nse" }
-Entry{ category = "intrusive", filename = "MSSQLm.nse" }
-Entry{ category = "default", filename = "MySQLinfo.nse" }
-Entry{ category = "discovery", filename = "MySQLinfo.nse" }
-Entry{ category = "safe", filename = "MySQLinfo.nse" }
-Entry{ category = "version", filename = "PPTPversion.nse" }
-Entry{ category = "default", filename = "RealVNC_auth_bypass.nse" }
-Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" }
-Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
-Entry{ category = "default", filename = "SMTPcommands.nse" }
-Entry{ category = "discovery", filename = "SMTPcommands.nse" }
-Entry{ category = "safe", filename = "SMTPcommands.nse" }
-Entry{ category = "default", filename = "SNMPsysdesr.nse" }
-Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
-Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
-Entry{ category = "vulnerability", filename = "SQLInject.nse" }
-Entry{ category = "default", filename = "SSHv1-support.nse" }
-Entry{ category = "intrusive", filename = "SSHv1-support.nse" }
-Entry{ category = "default", filename = "SSLv2-support.nse" }
-Entry{ category = "intrusive", filename = "SSLv2-support.nse" }
-Entry{ category = "default", filename = "UPnP-info.nse" }
-Entry{ category = "safe", filename = "UPnP-info.nse" }
-Entry{ category = "default", filename = "anonFTP.nse" }
-Entry{ category = "intrusive", filename = "anonFTP.nse" }
-Entry{ category = "vulnerability", filename = "bruteTelnet.nse" }
-Entry{ category = "demo", filename = "chargenTest.nse" }
+Entry{ category = "default", filename = "showOwner.nse" }
+Entry{ category = "safe", filename = "showOwner.nse" }
Entry{ category = "demo", filename = "daytimeTest.nse" }
+Entry{ category = "default", filename = "RealVNC_auth_bypass.nse" }
+Entry{ category = "malware", filename = "RealVNC_auth_bypass.nse" }
+Entry{ category = "vuln", filename = "RealVNC_auth_bypass.nse" }
+Entry{ category = "intrusive", filename = "SQLInject.nse" }
+Entry{ category = "vuln", filename = "SQLInject.nse" }
+Entry{ category = "auth", filename = "bruteTelnet.nse" }
+Entry{ category = "intrusive", filename = "bruteTelnet.nse" }
+Entry{ category = "discovery", filename = "HTTPtrace.nse" }
+Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
+Entry{ category = "default", filename = "HTTPAuth.nse" }
+Entry{ category = "auth", filename = "HTTPAuth.nse" }
+Entry{ category = "intrusive", filename = "HTTPAuth.nse" }
Entry{ category = "default", filename = "dns-test-open-recursion.nse" }
Entry{ category = "intrusive", filename = "dns-test-open-recursion.nse" }
-Entry{ category = "demo", filename = "echoTest.nse" }
-Entry{ category = "default", filename = "finger.nse" }
-Entry{ category = "discovery", filename = "finger.nse" }
-Entry{ category = "default", filename = "ftpbounce.nse" }
-Entry{ category = "intrusive", filename = "ftpbounce.nse" }
-Entry{ category = "version", filename = "iax2Detect.nse" }
-Entry{ category = "default", filename = "ircServerInfo.nse" }
-Entry{ category = "discovery", filename = "ircServerInfo.nse" }
-Entry{ category = "malware", filename = "ircZombieTest.nse" }
-Entry{ category = "default", filename = "nbstat.nse" }
-Entry{ category = "discovery", filename = "nbstat.nse" }
-Entry{ category = "safe", filename = "nbstat.nse" }
-Entry{ category = "version", filename = "netbios-smb-os-discovery.nse" }
-Entry{ category = "discovery", filename = "promiscuous.nse" }
-Entry{ category = "discovery", filename = "ripeQuery.nse" }
-Entry{ category = "default", filename = "robots.nse" }
-Entry{ category = "safe", filename = "robots.nse" }
-Entry{ category = "default", filename = "rpcinfo.nse" }
-Entry{ category = "safe", filename = "rpcinfo.nse" }
-Entry{ category = "discovery", filename = "rpcinfo.nse" }
+Entry{ category = "demo", filename = "chargenTest.nse" }
Entry{ category = "default", filename = "showHTMLTitle.nse" }
Entry{ category = "demo", filename = "showHTMLTitle.nse" }
Entry{ category = "safe", filename = "showHTMLTitle.nse" }
-Entry{ category = "", filename = "showHTTPVersion.nse" }
-Entry{ category = "default", filename = "showOwner.nse" }
-Entry{ category = "safe", filename = "showOwner.nse" }
-Entry{ category = "demo", filename = "showSMTPVersion.nse" }
-Entry{ category = "demo", filename = "showSSHVersion.nse" }
-Entry{ category = "version", filename = "skype_v2-version.nse" }
-Entry{ category = "backdoor", filename = "strangeSMTPport.nse" }
-Entry{ category = "vulnerability", filename = "xamppDefaultPass.nse" }
+Entry{ category = "default", filename = "MSSQLm.nse" }
+Entry{ category = "discovery", filename = "MSSQLm.nse" }
+Entry{ category = "intrusive", filename = "MSSQLm.nse" }
+Entry{ category = "demo", filename = "echoTest.nse" }
+Entry{ category = "default", filename = "SSHv1-support.nse" }
+Entry{ category = "safe", filename = "SSHv1-support.nse" }
+Entry{ category = "auth", filename = "xamppDefaultPass.nse" }
+Entry{ category = "vuln", filename = "xamppDefaultPass.nse" }
+Entry{ category = "default", filename = "MySQLinfo.nse" }
+Entry{ category = "discovery", filename = "MySQLinfo.nse" }
+Entry{ category = "safe", filename = "MySQLinfo.nse" }
+Entry{ category = "default", filename = "SSLv2-support.nse" }
+Entry{ category = "safe", filename = "SSLv2-support.nse" }
Entry{ category = "default", filename = "zoneTrans.nse" }
Entry{ category = "intrusive", filename = "zoneTrans.nse" }
Entry{ category = "discovery", filename = "zoneTrans.nse" }
+Entry{ category = "default", filename = "ftpbounce.nse" }
+Entry{ category = "intrusive", filename = "ftpbounce.nse" }
+Entry{ category = "version", filename = "skype_v2-version.nse" }
+Entry{ category = "discovery", filename = "promiscuous.nse" }
+Entry{ category = "default", filename = "SNMPsysdesr.nse" }
+Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
+Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
+Entry{ category = "demo", filename = "showSMTPVersion.nse" }
+Entry{ category = "default", filename = "nbstat.nse" }
+Entry{ category = "discovery", filename = "nbstat.nse" }
+Entry{ category = "safe", filename = "nbstat.nse" }
+Entry{ category = "version", filename = "iax2Detect.nse" }
+Entry{ category = "default", filename = "rpcinfo.nse" }
+Entry{ category = "safe", filename = "rpcinfo.nse" }
+Entry{ category = "discovery", filename = "rpcinfo.nse" }
+Entry{ category = "default", filename = "HTTP_open_proxy.nse" }
+Entry{ category = "discovery", filename = "HTTP_open_proxy.nse" }
+Entry{ category = "intrusive", filename = "HTTP_open_proxy.nse" }
+Entry{ category = "intrusive", filename = "HTTPpasswd.nse" }
+Entry{ category = "vuln", filename = "HTTPpasswd.nse" }
+Entry{ category = "demo", filename = "showSSHVersion.nse" }
+Entry{ category = "default", filename = "SMTPcommands.nse" }
+Entry{ category = "discovery", filename = "SMTPcommands.nse" }
+Entry{ category = "safe", filename = "SMTPcommands.nse" }
+Entry{ category = "default", filename = "anonFTP.nse" }
+Entry{ category = "auth", filename = "anonFTP.nse" }
+Entry{ category = "intrusive", filename = "anonFTP.nse" }
+Entry{ category = "version", filename = "netbios-smb-os-discovery.nse" }
+Entry{ category = "default", filename = "robots.nse" }
+Entry{ category = "safe", filename = "robots.nse" }
+Entry{ category = "default", filename = "finger.nse" }
+Entry{ category = "discovery", filename = "finger.nse" }
+Entry{ category = "default", filename = "UPnP-info.nse" }
+Entry{ category = "safe", filename = "UPnP-info.nse" }
+Entry{ category = "malware", filename = "strangeSMTPport.nse" }
+Entry{ category = "default", filename = "ircServerInfo.nse" }
+Entry{ category = "discovery", filename = "ircServerInfo.nse" }
+Entry{ category = "malware", filename = "ircZombieTest.nse" }
+Entry{ category = "discovery", filename = "ripeQuery.nse" }
+Entry{ category = "demo", filename = "showHTTPVersion.nse" }
+Entry{ category = "version", filename = "PPTPversion.nse" }
diff --git a/scripts/showHTTPVersion.nse b/scripts/showHTTPVersion.nse
index fc8c574bf..84b0f1d98 100644
--- a/scripts/showHTTPVersion.nse
+++ b/scripts/showHTTPVersion.nse
@@ -10,7 +10,7 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-- add this script to "version" if you really want to execute it
-- keep in mind you can (and should) only execute it with -sV
-categories = {""}
+categories = {"demo"}
-- categories = {"version"}
runlevel = 1.0
diff --git a/scripts/strangeSMTPport.nse b/scripts/strangeSMTPport.nse
index f21f81f91..9b155a764 100644
--- a/scripts/strangeSMTPport.nse
+++ b/scripts/strangeSMTPport.nse
@@ -9,7 +9,7 @@ author = "Diman Todorov "
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"backdoor"}
+categories = {"malware"}
portrule = function(host, port)
if
diff --git a/scripts/xamppDefaultPass.nse b/scripts/xamppDefaultPass.nse
index c8ebad0a5..6872a3113 100644
--- a/scripts/xamppDefaultPass.nse
+++ b/scripts/xamppDefaultPass.nse
@@ -8,7 +8,7 @@ author = "Diman Todorov "
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"vulnerability"}
+categories = {"auth", "vuln"}
require "shortport"
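Review bot: `categories = {"auth", "vuln"}` omits `intrusive`, unlike the other scripts this commit places in `auth`: HTTPAuth.nse, anonFTP.nse and bruteTelnet.nse all carry `intrusive`. Judging by its name, the script attempts a login with default XAMPP credentials, which shows up in the target's logs and matches the "perceived as malicious by the target's system administrators" wording this commit adds to scripting.xml. Consider `categories = {"auth", "intrusive", "vuln"}`, with script.db regenerated to match. The script body is outside the hunk, so the login behaviour is inferred rather than confirmed.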