NSE committed

scripts/RealVNC_auth_bypass.nse

@@ -0,0 +1,63 @@
+id="RealVNC Authentication Bypass (CVE-2006-2369)"
+description="Checks to see if the VNC Server is vulnerable to the RealVNC authentication bypass."
+author = "Brandon Enright <bmenrigh@ucsd.edu>" 
+license = "See nmaps COPYING for licence"
+
+categories = {"backdoor"}
+
+portrule = function(host, port)
+	if 	(port.number == 5900
+		or port.service == "vnc")
+		and port.protocol == "tcp"
+		and port.state == "open"
+	then
+		return true
+	else
+		return false
+	end
+end
+
+action = function(host, port)
+	local socket = nmap.new_socket()
+	local result
+	local status = true
+
+	socket:connect(host.ip, port.number, port.protocol)
+	
+	status, result = socket:receive_lines(1)
+
+	if (result == "TIMEOUT") then
+		socket:close()
+		return
+	end
+
+	socket:send("RFB 003.008\n")
+	status, result = socket:receive_bytes(2)
+
+	if (result == "TIMEOUT") then
+		socket:close()
+		return
+	end
+
+	if (result ~= "\001\002") then
+		socket:close()
+		return
+	end	
+
+	socket:send("\001")
+	status, result = socket:receive_bytes(4)
+
+	if (result == "TIMEOUT") then
+		socket:close()
+		return
+	end
+
+	if (result ~= "\000\000\000\000") then
+		socket:close()
+		return
+	end	
+
+	socket:close()
+
+	return "Vulnerable"
+end

scripts/SMTP_openrelay_test.nse

@@ -0,0 +1,114 @@
+-- Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
+-- See Nmap'ss COPYING file for licence details
+-- This is version 20060927.
+-- Changelog: + Added some strings to return in different places.
+--            * Changed "HELO www.insecure.org" to "EHLO insecure.org".
+
+id="Open Relay SMTP"
+description="Checks to see if a SMTP server is an open relay"
+tags = {"intrusive"}
+
+portrule = function(host, port)
+	if 	(port.number == 25
+		or port.service == "smtp")
+		and port.state == "open"
+		and port.protocol == "tcp"
+	then
+		return true
+	else
+		return false
+	end
+end
+
+action = function(host, port)
+	local socket = nmap.new_socket()
+	local result
+	local status = true
+
+	local mailservername
+	local tor = {}
+	local i
+
+	local catch = function()
+		socket:close()
+	end
+
+	local try = nmap.new_try(catch)
+
+	try(socket:connect(host.ip, port.number, port.protocol))
+	
+	result = try(socket:receive_lines(1))
+
+-- Introduce ourselves...
+	try(socket:send("EHLO insecure.org\n"))
+	result = try(socket:receive_lines(1))
+
+-- close socket and return if there's an smtp status code != 250
+	if not string.match(result, "^250") then
+		socket:close()
+		return "EHLO with errors or timeout. Enable --script-trace to see what is happening."
+	end
+
+	mailservername = string.sub(result, string.find(result, '([.%w]+)',4))
+
+-- read the rest of the response, if any
+
+	while true do
+		status, result = socket:receive_lines(1)
+		if not status  then
+			break
+		end
+	end
+
+-- Now that we have the mailservername, fill in the tor table
+	tor[0] = {f = "MAIL FROM:<spamtest@insecure.org>",t="RCPT TO:<relaytest@insecure.org>"}
+	tor[1] = {f = "MAIL FROM:<>",t="RCPT TO:<relaytest@insecure.org>"}
+	tor[2] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<relaytest@insecure.org>"}
+	tor[3] = {f = "MAIL FROM:<spamtest@" .. mailservername .. ">",t="RCPT TO:<relaytest@insecure.org>"}
+	tor[4] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<relaytest%insecure.org@[" .. host.ip .. "]>"}
+	tor[5] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<relaytest%insecure.org@" .. mailservername .. ">"}
+	tor[6] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<\"relaytest@insecure.org\">"}
+	tor[7] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<\"relaytest%insecure.org\">"}
+	tor[8] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<relaytest@insecure.org@[" .. host.ip .. "]>"}
+	tor[9] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<\"relaytest@insecure.org\"@[" .. host.ip .. "]>"}
+	tor[10] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<relaytest@insecure.org@" .. mailservername .. ">"}
+	tor[11] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<@[" .. host.ip .. "]:relaytest@insecure.org>"}
+	tor[12] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<@" .. mailservername .. ":relaytest@insecure.org>"}
+	tor[13] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<insecure.org!relaytest>"}
+	tor[14] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<insecure.org!relaytest@[" .. host.ip .. "]>"}
+	tor[15] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<insecure.org!relaytest@" .. mailservername .. ">"}
+	
+
+	i = -1
+	while true do
+		i = i+1
+		if i > table.getn(tor) then break end
+
+-- for debugging, uncomment next line
+--		print (tor[i]["f"] .. " -> " .. tor[i]["t"])
+
+-- first, issue a RSET
+		try(socket:send("RSET\n"))
+		result = try(socket:receive_lines(1))
+		if not string.match(result, "^250") then
+			socket:close()
+			return "RSET with errors. Enable --script-trace to see what is happening."
+		end
+
+-- send MAIL FROM....
+		try(socket:send(tor[i]["f"].."\n"))
+		result = try(socket:receive_lines(1))
+		if string.match(result, "^250") then
+-- if we get a 250, then continue with RCPT TO:
+			try(socket:send(tor[i]["t"].."\n"))
+			result = try(socket:receive_lines(1))
+			if string.match(result, "^250") then
+				socket:close()
+				return "OPEN RELAY found."
+			end
+		end
+	end
+
+	socket:close()
+	return "Relaying denied."
+end

scripts/SSHv1-support.nse

@@ -0,0 +1,69 @@
+id="SSH Protocol Version 1"
+description="Checks to see if SSH server supports SSH Protocol Version 1."
+author = "Brandon Enright <bmenrigh@ucsd.edu>"
+license = "See nmaps COPYING for licence"
+categories = {"intrusive"}
+
+portrule = function(host, port)
+	if 	(port.number == 22
+		or port.service == "ssh")
+		and port.protocol == "tcp"
+		and port.state == "open"
+	then
+		return true
+	else
+		return false
+	end
+end
+
+action = function(host, port)
+	local socket = nmap.new_socket()
+	local result;
+	local status = true;
+
+	socket:connect(host.ip, port.number, port.protocol)
+	status, result = socket:receive_lines(1);
+
+	if (not status) then
+		socket:close()
+		return
+	end
+
+	if (result == "TIMEOUT") then
+		socket:close()
+		return
+	end
+
+	if  not string.match(result, "^SSH%-.+\n$") then
+		socket:close()
+		return
+	end
+
+       	socket:send("SSH-1.5-NmapNSE_1.0\n")
+
+	-- should be able to consume at least 13 bytes
+	-- key length is a 4 byte integer
+	-- padding is between 1 and 8 bytes
+	-- type is one byte
+	-- key is at least several bytes
+	status, result = socket:receive_bytes(13);
+
+	if (not status) then
+		socket:close()
+		return
+	end
+
+	if (result == "TIMEOUT") then
+		socket:close()
+		return
+	end
+
+	if  not string.match(result, "^....[%z]+\002") then
+		socket:close()
+		return
+	end
+	
+	socket:close();
+
+	return "Server supports SSHv1"
+end

scripts/SSLv2-support.nse

@@ -0,0 +1,222 @@
+id = "SSLv2"
+description = "determines whether the server (still) supports SSL-v2, and what cyphers it offers."
+author = "Matt <mb2263@bristol.ac.uk>"
+license = "See nmaps COPYING for licence"
+
+categories = {"intrusive"}
+
+portrule = function(host, port)
+	if 	(	port.number == 443
+		or	port.service == "ssl/http"
+		or	port.service == "https")
+		and port.protocol == "tcp"
+		and port.state == "open"
+	then
+		return true
+	else
+		return false
+	end
+
+end
+
+hex2dec = function(hex)
+
+	local byte1, byte2;
+
+	byte1 = string.byte(hex, 1);
+	byte2 = string.byte(hex, 2);
+
+	if (byte1 == nil or byte2 == nil) then return 0; end;
+	
+	return (byte1 * 256) + byte2;
+
+end
+
+cyphers = function(cypher_list, len)
+
+-- returns names of cyphers supported by the server
+
+	local cypher;
+	local cypher_name;
+	local byte1, byte2, byte3;
+	local available_cyphers = "";
+	local idx = 0;
+
+	local ssl_cyphers = {
+-- (cut down) table of codes with their corresponding cyphers.
+-- stolen from wireshark's 'epan/dissectors/packet-ssl-utils.h'
+		[0x010080] = "SSL2_RC4_128_WITH_MD5",
+		[0x020080] = "SSL2_RC4_128_EXPORT40_WITH_MD5",
+		[0x030080] = "SSL2_RC2_CBC_128_CBC_WITH_MD5",
+		[0x040080] = "SSL2_RC2_CBC_128_CBC_WITH_MD5",
+		[0x050080] = "SSL2_IDEA_128_CBC_WITH_MD5",
+		[0x060040] = "SSL2_DES_64_CBC_WITH_MD5",
+		[0x0700c0] = "SSL2_DES_192_EDE3_CBC_WITH_MD5",
+		[0x080080] = "SSL2_RC4_64_WITH_MD5",
+	};
+
+	if (len == 0) then return "\tthe server didn't offer any cyphers"; end
+-- something's got broken along the way if these aren't equal
+	if (len ~= string.len(cypher_list)) then
+		return "";
+	end
+
+	for idx = 1, len, 3 do
+		cypher = string.sub(cypher_list, idx, idx + 2);
+
+		byte1 = string.byte(cypher, 1);
+		byte2 = string.byte(cypher, 2);
+		byte3 = string.byte(cypher, 3);
+
+		cypher = (byte1 * 256 * 256) + (byte2 * 256) + byte3;
+
+		cypher_name = ssl_cyphers[cypher];
+
+		if (cypher_name == nil) then
+			cypher_name = "unknown cypher (" .. byte1 .. "-" .. byte2 .. "-" .. byte3 .. " dec)"
+		end
+	
+		available_cyphers = available_cyphers .. "\t" .. cypher_name .. "\n";
+	
+	end
+
+	return available_cyphers
+
+end
+
+give_n_bytes = function(idx, n, str)
+
+-- returns the next n bytes of a string
+
+	if (idx + (n - 1) > string.len(str)) then
+		return (idx + n), string.rep(string.char(0x00), n);
+	end
+
+	return (idx + n), string.sub(str, idx, (idx + (n - 1)) );
+
+end
+
+action = function(host, port)
+
+	local socket = nmap.new_socket();
+	local status = true;
+	
+	local tmp;
+
+	local idx = 3;	-- start reading after the end of the length record
+
+	local return_string = "";
+	local available_cyphers = "";
+
+	local ssl_v2_hello;
+	local server_hello;
+
+	local server_hello_len;
+	local message_type;
+	local SID_hit;
+	local certificate_type;
+	local ssl_version;
+	local certificate_len;
+	local cyphers_len;
+	local certificate;
+	local connection_ID_len;
+	local cypher_list;
+	local connection_ID;
+
+-- build client hello packet (contents stolen from
+-- http://mail.nessus.org/pipermail/plugins-writers/2004-October/msg00041.html )
+	local t = {};
+	table.insert(t, string.char(0x80, 0x31));
+	table.insert(t, string.char(0x01));
+	table.insert(t, string.char(0x00, 0x02));
+	table.insert(t, string.char(0x00, 0x18));
+	table.insert(t, string.char(0x00, 0x00));
+	table.insert(t, string.char(0x00, 0x10));
+	table.insert(t, string.char(0x07, 0x00, 0xc0));
+	table.insert(t, string.char(0x05, 0x00, 0x80));
+	table.insert(t, string.char(0x03, 0x00, 0x80));
+	table.insert(t, string.char(0x01, 0x00, 0x80));
+	table.insert(t, string.char(0x08, 0x00, 0x80));
+	table.insert(t, string.char(0x06, 0x00, 0x40));
+	table.insert(t, string.char(0x04, 0x00, 0x80));
+	table.insert(t, string.char(0x02, 0x00, 0x80));
+	table.insert(t, string.char(0xe4, 0xbd, 0x00, 0x00));
+	table.insert(t, string.char(0xa4, 0x41, 0xb6, 0x74));
+	table.insert(t, string.char(0x71, 0x2b, 0x27, 0x95));
+	table.insert(t, string.char(0x44, 0xc0, 0x3d, 0xc0));
+	ssl_v2_hello = table.concat(t, "")
+
+	socket:connect(host.ip, port.number, "tcp");
+	socket:send(ssl_v2_hello);
+
+	status, server_hello = socket:receive_bytes(2);
+
+	if (not status) then
+		socket:close();
+		return;
+	end
+
+	server_hello_len = string.sub(server_hello, 1, 2);
+	server_hello_len = hex2dec(server_hello_len);
+-- length record doesn't include its own length, and is "broken".
+	server_hello_len = server_hello_len - (128 * 256) + 2;
+
+-- the hello needs to be at least 13 bytes long to be of any use
+	if (server_hello_len < 13) then
+		socket:close();
+		return;
+	end
+--try to get entire hello, if we don't already
+	if (string.len(server_hello) < server_hello_len) then
+		status, tmp = socket:receive_bytes(server_hello_len - string.len(server_hello));
+
+		if (not status) then
+			socket:close();
+			return;
+		end
+
+		server_hello = server_hello .. tmp;
+	end;
+
+	socket:close();
+
+-- split up server hello into components
+	idx, message_type = 	give_n_bytes(idx, 1, server_hello);
+	idx, SID_hit = 			give_n_bytes(idx, 1, server_hello);
+	idx, certificate_type = 	give_n_bytes(idx, 1, server_hello);
+	idx, ssl_version = 		give_n_bytes(idx, 2, server_hello);
+	idx, certificate_len = 		give_n_bytes(idx, 2, server_hello);
+		certificate_len = hex2dec(certificate_len);
+	idx, cyphers_len = 		give_n_bytes(idx, 2, server_hello);
+		cyphers_len = hex2dec(cyphers_len);
+	idx, connection_ID_len = 	give_n_bytes(idx, 2, server_hello);
+		connection_ID_len = hex2dec(connection_ID_len);
+	idx, certificate = 		give_n_bytes(idx, certificate_len, server_hello);
+	idx, cypher_list = 		give_n_bytes(idx, cyphers_len, server_hello);
+	idx, connection_ID = 		give_n_bytes(idx, connection_ID_len, server_hello);
+
+-- some sanity checks:
+-- is response a server hello?
+	if (message_type ~= string.char(0x04)) then
+		return;
+	end
+-- is certificate in X.509 format?
+	if (certificate_type ~= string.char(0x01)) then
+		return;
+	end
+
+-- actually run some tests:
+	if (ssl_version == string.char(0x00, 0x02)) then
+		return_string = "server still supports SSLv2\n";
+	end
+
+	available_cyphers = cyphers(cypher_list, cyphers_len);
+
+	if (	string.len(return_string) > 0
+	or	string.len(available_cyphers) > 0) then
+			return return_string .. available_cyphers;
+	else
+			return;
+	end
+
+end

scripts/anonFTP.nse

@@ -0,0 +1,46 @@
+id="Anonymous FTP"
+
+description="Checks to see if a FTP server allows anonymous logins"
+
+author = "ejlb <ejlbell@gmail.com>"
+
+license = "See nmaps COPYING for licence"
+
+categories = {"intrusive"}
+
+portrule = function(host, port)
+	if 	port.number == 21
+		and port.service == "ftp"
+		and port.protocol == "tcp"
+		and port.state == "open"
+	then
+		return true
+	else
+		return false
+	end
+end
+
+action = function(host, port)
+	local socket = nmap.new_socket()
+	local result;
+	local status = true
+	local isAnon = false
+
+	socket:connect(host.ip, port.number, port.protocol)
+       	socket:send("USER anonymous\r\n")
+	socket:send("PASS IEUser@\r\n")
+
+        while status do
+		status, result = socket:receive_lines(1);
+		if string.match(result, "^230") then
+			isAnon = true;
+			break;
+		end
+	end
+
+	socket:close();
+
+	if(isAnon) then
+		return "FTP: Anonymous login allowed"
+	end
+end

scripts/chargenTest.nse

@@ -0,0 +1,34 @@
+id = "Chargen"
+
+description = "Connects to the UDP chargen service and tries to read some bytes"
+
+author = "Diman Todorov <diman.todorov@gmail.com>"
+
+license = "See nmaps COPYING for licence"
+
+categories = {"demo"}
+
+portrule = function(host, port)
+	if 	port.number == 19
+		and port.service == "chargen"
+		and port.protocol == "udp"
+	then
+		return true
+	else
+		return false
+	end
+end
+
+action = function(host, port)
+	local socket = nmap.new_socket()
+	socket:connect(host.ip, port.number, "udp")
+	socket:send("dummy")
+	local status, result = socket:receive_lines(1);
+	socket:close()
+
+	if (result ~= nil) then
+		return "Chargen: success"
+	else
+		return "Chargen: something went wrong"
+	end
+end

scripts/daytimeTest.nse

@@ -0,0 +1,32 @@
+id = "Daytime"
+
+description = "Connects to the UDP daytime service and on success prints the daytime."
+
+author = "Diman Todorov <diman.todorov@gmail.com>"
+
+license = "See nmaps COPYING for licence"
+
+categories = {"demo"}
+
+portrule = function(host, port)
+	if 	port.number == 13
+		and port.service == "daytime"
+		and port.protocol == "udp"
+	then
+		return true
+	else
+		return false
+	end
+end
+
+action = function(host, port)
+	local socket = nmap.new_socket()
+	socket:connect(host.ip, port.number, "udp")
+	socket:send("dummy")
+	local status, result = socket:receive_lines(1);
+	socket:close()
+
+	if (result ~= nil) then
+		return "Daytime: " .. result
+	end
+end

scripts/dns-test-open-recursion.nse

@@ -0,0 +1,43 @@
+id = "Nameserver open recursive querys (CVE-1999-0024) (BID 136, 678)"
+
+description = "Checks whether a Nameserver on udp/53 allows querys for third-party names. If is expected that recursion will be enabled on your own internal nameserver."
+
+author = "Felix Groebert <felix@groebert.org>"
+
+license = "See nmaps COPYING for licence"
+
+categories = {"intrusive"}
+
+portrule = function(host, port)
+	if 	port.number == 53
+		and port.protocol == "udp"
+	then
+		return true
+	else
+		return false
+	end
+end
+
+action = function(host, port)
+
+    -- generate dns query, Transaction-ID 0xdead, isc.sans.org (type A, class IN)
+	local request = string.char(0xde, 0xad, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03) ..  "isc" .. string.char(0x04) .. "sans" .. string.char(0x03) ..  "org" .. string.char(0x00, 0x00, 0x01, 0x00, 0x01)
+
+	local socket = nmap.new_socket()
+	socket:connect(host.ip, port.number, "udp")
+	socket:send(request)
+
+	local status, result = socket:receive();
+	socket:close()
+
+    -- parse response for dns flags
+    if (bit.band(string.byte(result,3), 0x80) == 0x80
+    and bit.band(string.byte(result,4), 0x85) == 0x80)
+    then
+		return "Recursion seems enabled"
+    else
+		return "Recursion not enabled"
+	end
+
+	return
+end

scripts/echoTest.nse

@@ -0,0 +1,36 @@
+id = "Echo"
+
+description = "Connects to the UDP echo service, sends a string, receives a string and if both\
+strings are equal reports success."
+
+author = "Diman Todorov <diman.todorov@gmail.com>"
+
+license = "See nmaps COPYING for licence"
+
+categories = {"demo"}
+
+portrule = function(host, port)
+	if 	port.number == 7
+		and port.service == "echo"
+		and port.protocol == "udp"
+	then
+		return true
+	else
+		return false
+	end
+end
+
+action = function(host, port)
+	local echostr = "hello there"
+	local socket = nmap.new_socket()
+	socket:connect(host.ip, port.number, "udp")
+	socket:send(echostr)
+	local status, result = socket:receive_lines(1);
+	socket:close()
+
+	if (result == echostr) then
+		return "UDP Echo: correct response"
+	end
+
+	return
+end

scripts/ftpbounce.nse

@@ -0,0 +1,185 @@
+id="FTP bounce check"
+description="Checks to see if a FTP server allows port scanning using FTP bounce method"
+author="Marek Majkowski <majek04<at>gmail.com>"
+license="See nmaps COPYING for licence"
+
+categories = {"intrusive"}
+
+portrule = function(host, port)
+	if 	port.service == "ftp"
+		and port.protocol == "tcp"
+		and port.state == "open"
+	then
+		return true
+	else
+		return false
+	end
+end
+
+line_iterate = function(s)
+	local line
+	for line in string.gmatch(s, "([^\n$]*)") do
+		if #line > 0 then
+			coroutine.yield(line)
+		end
+	end
+end
+
+-- returns last ftp code read, or 000 on timeout
+get_ftp_code = function(socket)
+	local fcode = 000
+	local code  = 0
+	local status
+	local result
+	local co
+	local line
+	local err
+
+	while true do
+		status, result = socket:receive()
+		if not status then
+			break
+		end
+		-- read okay!
+		co = coroutine.create(line_iterate)
+		while coroutine.status(co) ~= 'dead' do
+			err, line = coroutine.resume(co, result)
+			if line then
+				code = string.match(line, "^(%d%d%d) ")
+				if not code then
+					code = "-1"
+				end
+				-- io.write(">" .. code .. ":".. line .. "<\n")
+				if tonumber(code) > 0 then
+					fcode = tonumber(code)
+				end
+			end
+		end
+		-- not received good ftp code, try again
+		if fcode ~= 0 then
+			break
+		end
+	end
+	-- io.write("## " .. fcode .. "\n");
+	return fcode
+end
+
+action = function(host, port)
+	local socket = nmap.new_socket()
+	local result;
+	local status = true
+	local isAnon = false
+	local isOk   = false
+	local sendPass = true
+	local fc
+	
+	socket:set_timeout(10000)
+	socket:connect(host.ip, port.number)
+
+	-- BANNER
+	fc = get_ftp_code(socket)
+	if fc == 0 then
+		socket:close()
+		-- no banner
+		return "no banner"
+	end
+	if fc == 421 or (fc >= 500 and fc <= 599) then
+		socket:close()
+	--	return "server says you are not allowed to create connection"
+		return
+	end
+	if fc < 200 or fc > 299 then
+		socket:close()
+		-- bad code
+	--	return "bad banner (code " .. fc .. ")"
+		return
+	end
+	
+	socket:set_timeout(5000)
+	-- USER
+	socket:send("USER anonymous\r\n")
+	fc = get_ftp_code(socket)
+	if (fc >= 400 and fc <= 499) or (fc >= 500 and fc <= 599) then
+		socket:close()
+		-- bad code
+		--return "anonymous user not allowed"
+		return
+	end
+	if fc == 0 then
+		socket:close()
+		-- return "anonymous user timeouted"
+		return 
+	end
+	if fc ~= 230 and fc ~= 331 then
+		socket:close()
+		-- bad code
+		-- return "bad response for anonymous user (code " .. fc .. ")"
+		return 
+	end
+	if fc == 230 then
+		sendPass = false
+	end
+
+	-- PASS
+	if sendPass then
+		socket:send("PASS IEUser@\r\n")
+		fc = get_ftp_code(socket)
+		if (fc >= 500 and fc <= 599) or (fc >= 400 and fc <= 499) then
+			socket:close()
+			-- bad code
+			-- return "anonymous user/pass rejected"
+			return
+		end
+		if fc == 0 then
+			socket:close()
+			-- return "anonymous pass timeouted"
+			return
+		end
+		if fc ~= 230 and fc ~= 200 then
+			socket:close()
+			-- return "answer to PASS not understood (code " .. fc .. ")"
+			return
+		end
+	end
+	
+	-- PORT scanme.nmap.com:highport
+	socket:send("PORT 205,217,153,62,80,80\r\n")
+	fc = get_ftp_code(socket)
+	if (fc >= 500 and fc <= 599) then
+		socket:close()
+		-- return "server forbids bouncing"
+		return
+	end
+	if fc == 0 then
+		socket:close()
+		-- return "PORT command timeouted"
+		return
+	end
+	if not (fc >= 200 and fc<=299) then
+		socket:close()
+		-- return "PORT response not understood (code " .. fc .. ")"
+		return
+	end
+
+	-- PORT scanme.nmap.com:lowport
+	socket:send("PORT 205,217,153,62,0,80\r\n")
+	fc = get_ftp_code(socket)
+	if (fc >= 500 and fc <= 599) then
+		socket:close()
+		return "server forbids bouncing to low ports <1025"
+	end
+	if fc == 0 then
+		socket:close()
+		-- return "PORT command timeouted for low port"
+		return
+	end
+	if not (fc >= 200 and fc<=299) then
+		socket:close()
+		-- return "PORT response not understood for low port (code " .. fc .. ")"
+		return
+	end
+
+	socket:close()
+	return "bounce working!"
+end
+

scripts/ircZombieTest.nse

@@ -0,0 +1,44 @@
+id = "IRC zombie"
+
+description = "If port 113 responds before we ask it then something is fishy.\
+Usually this means that the host is an irc zombie."
+
+author = "Diman Todorov <diman.todorov@gmail.com>"
+
+license = "See nmaps COPYING for licence"
+
+categories = {"malware"}
+
+portrule = function(host, port) 
+	if 
+		(	port.number == 113
+			or port.service == "auth")
+		and port.protocol == "tcp" 
+		and port.state == "open"
+	then
+		return true
+	else
+		return false
+	end
+
+end
+
+action = function(host, port)
+	local status = 0
+	local owner = ""
+
+	local client_ident = nmap.new_socket()
+
+	client_ident:connect(host.ip, port.number)
+
+	status, owner = client_ident:receive_lines(1)
+
+	client_ident:close()
+
+	if owner == "TIMEOUT" then
+		return
+	end
+
+	return owner
+end
+

scripts/kibuvDetection.nse

@@ -0,0 +1,53 @@
+id = "Kibuv worm"
+
+description = "\
+A fake FTP server was installed by the KIBUV.B worm \
+on this port. This worm uses known security flaws to \
+infect the system. \
+\
+This machine may already be a 'zombi' used by crackers  \
+to perform distributed denial of service. \
+\
+http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.B&VSect=T"
+
+author = "Diman Todorov <diman.todorov@gmail.com>"
+
+license = "See nmaps COPYING for licence"
+
+categories = {"malware"}
+
+portrule = function(host, port) 
+	local decision
+	if 
+		(	port.number == 7955
+			or
+			port.number == 14920
+			or
+			port.number == 42260) 
+		and port.service == "ftp"
+		and port.protocol == "tcp" 
+		and port.state == "open"
+	then
+		decision = true
+	else
+		decision = false
+	end
+
+	return decision
+end
+
+action = function(host, port)
+	local socket = nmap.new_socket()
+
+	socket:connect(host.ip, port.number)
+	local status, s = socket:receive_lines(1)
+
+	if	string.match(s, "220 StnyFtpd 0wns j0")
+		or
+		string.match(s, "220 fuckFtpd 0wns j0")
+	then 
+		return "Suspecting that the host is KIBUV.B infected"
+	end
+
+	return 
+end

scripts/mswindowsShell.nse

@@ -0,0 +1,44 @@
+id = "MS Windows shell"
+
+description = "If port 8888 is open and it echos a specific string then we\
+might have found an open MSWindows shell."
+
+author = "Diman Todorov <diman.todorov@gmail.com>"
+
+license = "See nmaps COPYING for licence"
+
+categories = {"backdoor"}
+
+portrule = function(host, port) 
+	local decision
+	if 
+		(	port.number == 8888
+			or port.service == "auth")
+		and port.protocol == "tcp" 
+		and port.state == "open"
+	then
+		decision = true
+	else
+		decision = false
+	end
+
+	return decision
+end
+
+action = function(host, port)
+	local status = 0
+	local result = ""
+
+	local client_ident = nmap.new_socket()
+
+	client_ident:connect(host.ip, port.number)
+
+	status, result = client_ident:receive_bytes(4096)
+
+	client_ident:close()
+
+	if string.match(result, "Microsoft Windows") then
+		return "Possible open windows shell found."
+	end
+end
+

scripts/ripeQuery.nse

@@ -0,0 +1,43 @@
+id = "RIPE query"
+description = "Connects to the RIPE database, extracts and prints the role: entry for the IP."
+author = "Diman Todorov <diman.todorov@gmail.com>"
+license = "See nmaps COPYING for licence"
+
+categories = {"discovery"}
+
+hostrule = function(host, port)
+	return true
+end
+
+action = function(host, port)
+	local socket = nmap.new_socket()
+	local status, line
+	local result = ""
+
+	socket:connect("whois.ripe.net", 43)
+--	socket:connect("193.0.0.135", 43)
+	socket:send(host.ip .. "\n")
+
+	while true do
+		local status, lines = socket:receive_lines(1)
+
+		if not status then
+			break
+		else
+			result = result .. lines
+		end
+	end
+	socket:close()
+
+	local value  = string.match(result, "role:(.-)\n")
+
+	if (value == "see http://www.iana.org.") then
+		value = nil
+	end
+
+	if (value == nil) then
+		value = ""
+	end
+	
+	return "IP belongs to: " .. value
+end

scripts/script.db

@@ -0,0 +1,23 @@
+Entry{ category = "intrusive", filename = "./scripts//dns-test-open-recursion.nse" }
+Entry{ category = "backdoor", filename = "./scripts//RealVNC_auth_bypass.nse" }
+Entry{ category = "safe", filename = "./scripts//showOwner.nse" }
+Entry{ category = "intrusive", filename = "./scripts//SSLv2-support.nse" }
+Entry{ category = "malware", filename = "./scripts//ircZombieTest.nse" }
+Entry{ category = "version", filename = "./scripts//skype_v2-version.nse" }
+Entry{ category = "demo", filename = "./scripts//echoTest.nse" }
+Entry{ category = "discovery", filename = "./scripts//ripeQuery.nse" }
+Entry{ category = "demo", filename = "./scripts//chargenTest.nse" }
+Entry{ category = "backdoor", filename = "./scripts//strangeSMTPport.nse" }
+Entry{ category = "demo", filename = "./scripts//showSMTPVersion.nse" }
+Entry{ category = "demo", filename = "./scripts//showHTMLTitle.nse" }
+Entry{ category = "safe", filename = "./scripts//showHTMLTitle.nse" }
+Entry{ category = "backdoor", filename = "./scripts//mswindowsShell.nse" }
+Entry{ category = "intrusive", filename = "./scripts//anonFTP.nse" }
+Entry{ category = "malware", filename = "./scripts//kibuvDetection.nse" }
+Entry{ category = "malware", filename = "./scripts//SMTP_openrelay_test.nse" }
+Entry{ category = "", filename = "./scripts//showHTTPVersion.nse" }
+Entry{ category = "intrusive", filename = "./scripts//SSHv1-support.nse" }
+Entry{ category = "intrusive", filename = "./scripts//ftpbounce.nse" }
+Entry{ category = "vulnerability", filename = "./scripts//xamppDefaultPass.nse" }
+Entry{ category = "demo", filename = "./scripts//showSSHVersion.nse" }
+Entry{ category = "demo", filename = "./scripts//daytimeTest.nse" }

scripts/showHTMLTitle.nse

@@ -0,0 +1,65 @@
+-- dvt <diman.todorov@gmail.com>
+-- See nmaps COPYING for licence
+
+id = "HTML title"
+
+description = "Connects to an HTTP server and extracts the title of the default page."
+
+author = "Diman Todorov <diman.todorov@gmail.com>"
+
+license = "See nmaps COPYING for licence"
+
+categories = {"demo", "safe"}
+
+portrule = function(host, port) 
+	if 
+		(	port.number == 80
+			or port.service == "http")
+		and port.protocol == "tcp" 
+		and port.state == "open"
+		-- and host.name ~= nil 
+		-- and string.match(host.name, "www.+") 
+	then
+		return true
+	else
+		return false
+	end
+end
+
+action = function(host, port)
+	local url, socket, request, result, status, s, title
+
+	url = "http://" .. host.name
+
+	socket = nmap.new_socket()
+
+	socket:connect(host.ip, port.number)
+	request = "GET /  HTTP/1.0\r\n\r\n"
+	socket:send(request)
+
+	result = ""
+	while true do
+		status, s = socket:receive_lines(1)
+		if not status then
+			break
+		end
+
+		result = result .. s
+	end
+	socket:close()
+	
+	-- watch out, this doesn't really work for all html tags
+	-- also string.lower consumes the /
+	result = string.gsub(result, "</?(%a+)>", function(c) return "<" .. string.lower(c) .. ">" end)
+	
+	title = string.match(result, "<title>(.+)<title>")
+
+	if title ~= nil then
+		result = string.gsub(title , "[\n\r\t]", "")
+	else
+		result = "Site doesn't have a title."
+	end
+
+	return result
+end
+

scripts/showHTTPVersion.nse

@@ -0,0 +1,90 @@
+description = "Demonstration of a version detection NSE script. It checks and reports\
+the version of a remote web server. For real life purposes it is better to use the\
+Nmap version detection.\
+Author: Diman Todorov\
+License: see nmaps' COPYING for license"
+
+id = "HTTP version"
+
+author = "Diman Todorov <diman.todorov@gmail.com>"
+
+license = "See nmaps COPYING for licence"
+
+-- add this script to "version" if you really want to execute it
+-- keep in mind you can (and should) only execute it with -sV
+categories = {""}
+-- categories = {"version"}
+
+runlevel = 1.0
+
+portrule = function(host, port)
+
+
+	if 
+		-- remove next line if you really want to run this script
+		false and
+		(	port.number == 80
+		or port.service == "http" )
+		and port.protocol == "tcp" 
+		and port.state == "open"
+		-- and host.name ~= nil 
+		-- and string.match(host.name, "www.+") 
+	then
+		return true
+	else
+		return false
+	end
+end
+
+action = function(host, port)
+
+	local query = "GET / HTTP/2.1\r\n"
+	query = query .. "Accept: */*\r\n"
+	query = query .. "Accept-Language: en\r\n"
+	query = query .. "User-Agent: Nmap NSE\r\n"
+	query = query .. "Host: " .. host.ip .. ":" .. port.number .. "\r\n\r\n"
+
+	local socket = nmap.new_socket()
+	local catch = function()
+		socket:close()
+	end
+
+	local try = nmap.new_try(catch)
+
+	try(socket:connect(host.ip, port.number))
+	try(socket:send(query))
+
+	local response = ""
+	local lines
+	local status
+	local value
+
+	while true do
+		status, lines = socket:receive_lines(1)
+
+		if not status or value then
+			break
+		end
+
+		response = response .. lines
+		value = string.match(response, "Server: (.-)\n")
+	end
+
+	try(socket:close())
+	socket:close()
+
+	if value then
+		port.version.name = "[Name]"
+		port.version.confidence = 10
+		port.version.product = "[Product]"
+		port.version.version = "[Version]"
+		port.version.extrainfo = "[ExtraInfo]"
+		port.version.hostname = "[HostName]"
+		port.version.ostype = "[OSType]"
+		port.version.devicetype = "[DeviceType]"
+
+		port.version.service_tunnel = "none"
+		port.version.fingerprint = nil
+		nmap.set_port_version(host, port, "hardmatched")
+	end
+end

scripts/showOwner.nse

@@ -0,0 +1,66 @@
+id = "Service owner"
+
+description = "Opens a connection to the scanned port, opens a connection to port 113, queries the owner\
+of the service on the scanned port and prints it."
+
+author = "Diman Todorov <diman.todorov@gmail.com>"
+
+license = "See nmaps COPYING for licence"
+
+categories = {"safe"}
+
+portrule = function(host, port) 
+	local identd, decision
+
+	local auth_port = { number=113, protocol="tcp" }
+	identd = nmap.get_port_state(host, auth_port)
+
+	if 
+		identd ~= nil
+		and identd.state == "open" 
+	then
+		decision = true
+	else
+		decision = false
+	end
+
+	return decision
+end
+
+action = function(host, port)
+	local owner = ""
+
+	local client_ident = nmap.new_socket()
+	local client_service = nmap.new_socket()
+
+	local catch = function()
+		client_ident:close()
+		client_service:close()
+	end
+
+	local try = nmap.new_try(catch)
+
+	try(client_ident:connect(host.ip, 113))
+	try(client_service:connect(host.ip, port.number))
+
+	local localip, localport, remoteip, remoteport = try(client_service:get_info())
+
+	local request = port.number .. ", " .. localport .. "\n"
+
+	try(client_ident:send(request))
+
+	owner = try(client_ident:receive_lines(1))
+
+	if string.match(owner, "ERROR") then 
+		owner = nil
+	--	owner = "Service owner could not be determined: " .. owner
+	else
+		owner = string.match(owner, "USERID : .+ : (.+)\n", 1)
+	end
+
+	try(client_ident:close())
+	try(client_service:close())
+
+	return owner
+end
+

scripts/showSMTPVersion.nse

@@ -0,0 +1,44 @@
+id = "SMTP version"
+
+description = "Simple script which queries and prints the version of an SMTP server."
+
+author = "Diman Todorov <diman.todorov@gmail.com>"
+
+license = "See nmaps COPYING for licence"
+
+categories = {"demo"}
+
+portrule = function(host, port) 
+	local decision
+	
+	if 
+		(	port.number == 25
+			or port.service == "smtp")
+		and port.protocol == "tcp" 
+		and port.state == "open"
+	then
+		decision = true
+	else
+		decision = false
+	end
+
+	return decision
+end
+
+action = function(host, port)
+	
+	local client = nmap.new_socket()
+
+	client:connect(host.ip, port.number)
+	
+	local status, result = client:receive_lines(1);
+
+	client:close()	
+
+	if result ~= nil then
+		result = string.gsub(result, "\n", "")
+	end
+
+	return result
+end
+

scripts/showSSHVersion.nse

@@ -0,0 +1,44 @@
+id = "Stealth SSH version"
+
+description = "Connects to an SSH server, queries the version string and echos it back. This tends to result\
+in the scanning attempt not being logged by the ssh daemon on the target."
+
+author = "Diman Todorov <diman.todorov@gmail.com>"
+
+license = "See nmaps COPYING for licence"
+
+categories = {"demo"}
+
+portrule = function(host, port) 
+	if 
+		port.service == "ssh"
+		and port.protocol == "tcp" 
+		and port.state == "open" 
+	then
+		return true
+	else
+		return false
+	end
+end
+
+action = function(host, port)
+	local result, socket
+
+	local catch = function()
+		socket:close()
+	end
+
+	local try = nmap.new_try(catch)
+
+	result = ""
+	socket = nmap.new_socket()
+
+	try(socket:connect(host.ip, port.number))
+
+	result = try(socket:receive_lines(1));
+	try(socket:send(result))
+	try(socket:close())
+
+	return "" .. string.gsub(result, "\n", "") 
+end
+

scripts/skype_v2-version.nse

@@ -0,0 +1,72 @@
+id="Skype v2"
+description="Determines if remote service is Skype protocol version 2"
+author = "Brandon Enright <bmenrigh@ucsd.edu>" 
+license = "See nmaps COPYING for licence"
+categories = {"version"}
+
+portrule = function(host, port)
+	if 	(port.number == 80 or
+		port.number == 443 or
+		port.service == nil or
+		port.service == "" or
+		port.service == "unknown")
+		and port.protocol == "tcp"
+		and port.state == "open"
+		and port.service ~= "http"
+		and port.service ~= "ssl/http"
+	then
+		return true
+	else
+		return false
+	end
+end
+
+action = function(host, port)
+
+	local socket = nmap.new_socket()
+	local result;
+	local status = true
+
+	socket:connect(host.ip, port.number, port.protocol)
+       	socket:send("GET / HTTP/1.0\r\n\r\n")
+
+	status, result = socket:receive_bytes(26);
+
+	if (not status) then
+		socket:close()
+		return
+	end
+
+	if (result ~= "HTTP/1.0 404 Not Found\r\n\r\n") then
+		socket:close()
+		return
+	end
+	
+	socket:close();
+	
+	-- So far so good, now see if we get random data for another request
+
+	socket:connect(host.ip, port.number, port.protocol)
+       	socket:send("random data\r\n\r\n")
+
+	status, result = socket:receive_bytes(15);
+
+	if (not status) then
+		socket:close()
+		return
+	end
+
+	if string.match(result, "[^%s!-~].*[^%s!-~].*[^%s!-~].*[^%s!-~]") then
+		socket:close()
+		port.version.name = "skype2"
+		port.version.confidence = 10
+		port.version.fingerprint = nil
+		nmap.set_port_version(host, port, "hardmatched")
+		return	
+		-- return "Skype v2 server detected"
+	end
+
+	socket:close();
+
+	return
+end

scripts/strangeSMTPport.nse

@@ -0,0 +1,35 @@
+id = "Unexpected SMTP"
+
+description = "\
+If smtp is running on a strange port\
+there be a backdoor set up by crackers to send spam\
+or even control your machine."
+
+author = "Diman Todorov <diman.todorov@gmail.com>"
+
+license = "See nmaps COPYING for licence"
+
+categories = {"backdoor"}
+
+portrule = function(host, port) 
+	if 
+		(	port.number ~= 25
+			and
+			port.number ~= 465
+			and
+			port.number ~= 587
+			and 
+			port.service == "smtp" )
+		and port.protocol == "tcp" 
+		and port.state == "open"
+	then
+		return true
+	else
+		return false
+	end
+end
+
+action = function()
+	return "Warning: smtp is running on a strange port"
+end
+

scripts/xamppDefaultPass.nse

@@ -0,0 +1,60 @@
+id = "XAMPP default pwd"
+
+description = "If the remote host is running XAMP (an Apache distribution\
+designed for easy installation and administration) and XAMPP's FTP server is\
+allows access with nobody/xampp then we report it."
+
+author = "Diman Todorov <diman.todorov@gmail.com>"
+
+license = "See nmaps COPYING for licence"
+
+categories = {"vulnerability"}
+
+portrule = function(host, port) 
+	if 	port.number == 21
+		and port.service == "ftp"
+		and port.protocol == "tcp" 
+		and port.state == "open"
+	then
+		return true
+	else
+		return false
+	end
+end
+
+login = function(socket, user, pass)
+	res = ""
+	status, err = socket:send("USER " .. user .. "\n")
+	status, err = socket:send("PASS " .. pass .. "\n")
+
+	-- consume the banner and stuff
+	while true do
+		status, res = socket:receive_lines(1)
+		if 
+			not string.match(res, "^220") 
+			and not string.match(res, "^331 ") 
+		then
+			break
+		end
+	end
+
+	-- are we logged in?
+	if string.match(res, "^230") then
+		return "Login success with u/p: " .. user .. "/" .. pass
+	end
+end
+
+action = function(host, port)
+	socket = nmap.new_socket()
+
+	socket:connect(host.ip, port.number)
+	res = login(socket, "nobody", "e0e0e0e0")
+	socket:close()
+
+	socket:connect(host.ip, port.number)
+	res = login(socket, "nobody", "xampp")
+	socket:close()
+	
+	return  res
+end
+