
Do copyediting of NSEDoc. This is a first pass up to ms-sql-xp-cmdshell.

This commit is contained in:
david
2010-07-09 23:32:18 +00:00
parent 0e7f78bcd0
commit b9633ed69b
47 changed files with 316 additions and 335 deletions


@@ -1,7 +1,7 @@
description = [[ description = [[
Detects the Mac OS X AFP directory traversal vulnerability CVE-2010-0533. Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.
This script attempt to iterate over all AFP shares on the remote This script attempts to iterate over all AFP shares on the remote
host. For each share it attempts to access the parent directory by host. For each share it attempts to access the parent directory by
exploiting the directory traversal vulnerability as described in exploiting the directory traversal vulnerability as described in
CVE-2010-0533. CVE-2010-0533.
@@ -9,10 +9,8 @@ CVE-2010-0533.
The script reports whether the system is vulnerable or not. In The script reports whether the system is vulnerable or not. In
addition it lists the contents of the parent and child directories to addition it lists the contents of the parent and child directories to
a max depth of 2. a max depth of 2.
When running in verbose mode, all items in the listed directories are When running in verbose mode, all items in the listed directories are
shown. In non verbose mode, output is limited to the first 5 items. shown. In non verbose mode, output is limited to the first 5 items.
If the server is not vulnerable, the script will not return any If the server is not vulnerable, the script will not return any
information. information.


@@ -1,7 +1,7 @@
description = [[ description = [[
Shows AFP server information. This information includes the server's Shows AFP server information. This information includes the server's
hostname, IPv4 and IPv6 addresses, and hardware type (for example hostname, IPv4 and IPv6 addresses, and hardware type (for example
Macmini or MacBookPro). <code>Macmini</code> or <code>MacBookPro</code>).
]] ]]
--- ---


@@ -1,8 +1,10 @@
description = [[ Shows AFP shares and ACLs ]] description = [[
Shows AFP shares and ACLs.
]]
--- ---
-- @args afp.username The username to use for authentication. (If unset it first attempts to use credentials found by afp-brute then no credentials) -- @args afp.username The username to use for authentication. (If unset, first attempt to use credentials found by <code>afp-brute</code>, then no credentials.)
-- @args afp.password The password to use for authentication. (If unset it first attempts to use credentials found by afp-brute then no credentials) -- @args afp.password The password to use for authentication. (If unset, first attempt to use credentials found by <code>afp-brute</code>, then no credentials.)
-- --
--@output --@output
-- PORT STATE SERVICE -- PORT STATE SERVICE


@@ -5,10 +5,8 @@ The script works by sending DNS TXT queries to a DNS server which in
turn queries a third-party service provided by Team Cymru turn queries a third-party service provided by Team Cymru
(team-cymru.org) using an in-addr.arpa style zone set up especially for (team-cymru.org) using an in-addr.arpa style zone set up especially for
use by Nmap. use by Nmap.
The responses to these queries contain both Origin and Peer ASNs and The responses to these queries contain both Origin and Peer ASNs and
their descriptions, displayed along with the BGP Prefix and Country Code. their descriptions, displayed along with the BGP Prefix and Country Code.
The script caches results to reduce the number of queries and should The script caches results to reduce the number of queries and should
perform a single query for all scanned targets in a BGP Prefix present in perform a single query for all scanned targets in a BGP Prefix present in
Team Cymru's database. Team Cymru's database.


@@ -1,6 +1,7 @@
description = [[ description = [[
Attempts to find the owner of an open TCP port by querying an auth Attempts to find the owner of an open TCP port by querying an auth
(identd - port 113) daemon which must also be open on the target system. daemon which must also be open on the target system. The auth service,
also known as identd, normally runs on port 113.
]] ]]
--- ---
--@output --@output


@@ -3,7 +3,7 @@ Checks for an identd (auth) server which is spoofing its replies.
Tests whether an identd (auth) server responds with an answer before Tests whether an identd (auth) server responds with an answer before
we even send the query. This sort of identd spoofing can be a sign of we even send the query. This sort of identd spoofing can be a sign of
malware infection though it can also be used for legitimate privacy malware infection, though it can also be used for legitimate privacy
reasons. reasons.
]] ]]


@@ -1,9 +1,11 @@
description = [[ Attempts to guess valid credentials for the Citrix PN Web Agent XML Service. description = [[
The XML service authenticates against the local Windows server or the Active Directory. Attempts to guess valid credentials for the Citrix PN Web Agent XML
Service. The XML service authenticates against the local Windows server
or the Active Directory.
CAUTION: This script makes no attempt of preventing account lockout. This script makes no attempt of preventing account lockout. If the
If the password list contains more passwords than the lockout-threshold password list contains more passwords than the lockout-threshold
accounts WILL be locked. accounts will be locked.
]] ]]
--- ---
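Review bot: `makes no attempt of preventing account lockout` is still unidiomatic after the rewording; `This script makes no attempt to prevent account lockout.` reads correctly. Dropping the `CAUTION:` lead-in and the emphasised `WILL` also makes the one operational warning in this description easier to skim past, so a short lead-in such as `Note that this script makes no attempt to prevent account lockout: if the password list contains more passwords than the lockout threshold, accounts will be locked.` keeps the toned-down wording without burying the point.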


@@ -1,8 +1,8 @@
description = [[ description = [[
Extracts a list of applications, acls and settings from Citrix XML service Extracts a list of applications, acls, and settings from the Citrix XML
service.
The script returns the shorter, comma separated output per default. The script returns more output with higher verbosity.
Running nmap with the verbose flag (-v) triggers the detailed output.
]] ]]
--- ---
@@ -13,6 +13,13 @@ Running nmap with the verbose flag (-v) triggers the detailed output.
-- PORT STATE SERVICE -- PORT STATE SERVICE
-- 8080/tcp open http-proxy -- 8080/tcp open http-proxy
-- | citrix-enum-apps-xml: -- | citrix-enum-apps-xml:
-- | Application: Notepad; Users: Anonymous
-- | Application: iexplorer; Users: Anonymous
-- |_ Application: registry editor; Users: WIN-B4RL0SUCJ29\Joe; Groups: WIN-B4RL0SUCJ29\HR, *CITRIX_BUILTIN*\*CITRIX_ADMINISTRATORS*
--
-- PORT STATE SERVICE
-- 8080/tcp open http-proxy
-- | citrix-enum-apps-xml:
-- | Application: Notepad -- | Application: Notepad
-- | Disabled: false -- | Disabled: false
-- | Desktop: false -- | Desktop: false
@@ -44,16 +51,6 @@ Running nmap with the verbose flag (-v) triggers the detailed output.
-- | Remote Access: false -- | Remote Access: false
-- | Users: WIN-B4RL0SUCJ29\Joe -- | Users: WIN-B4RL0SUCJ29\Joe
-- |_ Groups: WIN-B4RL0SUCJ29\HR, *CITRIX_BUILTIN*\*CITRIX_ADMINISTRATORS* -- |_ Groups: WIN-B4RL0SUCJ29\HR, *CITRIX_BUILTIN*\*CITRIX_ADMINISTRATORS*
--
--
-- PORT STATE SERVICE
-- 8080/tcp open http-proxy
-- | citrix-enum-apps-xml:
-- | Application: Notepad; Users: Anonymous
-- | Application: iexplorer; Users: Anonymous
-- |_ Application: registry editor; Users: WIN-B4RL0SUCJ29\Joe; Groups: WIN-B4RL0SUCJ29\HR, *CITRIX_BUILTIN*\*CITRIX_ADMINISTRATORS*
--
---
-- Version 0.2 -- Version 0.2
-- Created 11/26/2009 - v0.1 - created by Patrik Karlsson <patrik@cqure.net> -- Created 11/26/2009 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>


@@ -1,5 +1,5 @@
description = [[ description = [[
Extract published applications from the ICA Browser service Extracts a list of published applications from the ICA Browser service.
]] ]]
--- ---


@@ -1,4 +1,6 @@
description = [[ Extracts the name of the server farm and member severs from Citrix XML service description = [[
Extracts the name of the server farm and member servers from Citrix XML
service.
]] ]]
--- ---
@@ -11,8 +13,6 @@ description = [[ Extracts the name of the server farm and member severs from Cit
-- | citrix-enum-servers-xml: -- | citrix-enum-servers-xml:
-- | CITRIX-SRV01 -- | CITRIX-SRV01
-- |_ CITRIX-SRV01 -- |_ CITRIX-SRV01
--
---
-- Version 0.2 -- Version 0.2


@@ -1,5 +1,5 @@
description = [[ description = [[
Extract a list of Citrix servers from the ICA Browser service Extracts a list of Citrix servers from the ICA Browser service.
]] ]]
--- ---


@@ -1,7 +1,7 @@
description = [[ description = [[
Gets database tables from a CouchDB database Gets database tables from a CouchDB database.
For more info about the CouchDB HTTP Api, see For more info about the CouchDB HTTP API, see
http://wiki.apache.org/couchdb/HTTP_database_API http://wiki.apache.org/couchdb/HTTP_database_API.
]] ]]
--- ---
@@ -18,6 +18,7 @@ http://wiki.apache.org/couchdb/HTTP_database_API
-- | 5 = creditcards -- | 5 = creditcards
-- | 6 = test_suite_users -- | 6 = test_suite_users
-- |_ 7 = test_suite_db_b -- |_ 7 = test_suite_db_b
-- version 0.2 -- version 0.2
-- Created 01/12/2010 - v0.1 - created by Martin Holst Swende <martin@swende.se> -- Created 01/12/2010 - v0.1 - created by Martin Holst Swende <martin@swende.se>


@@ -1,11 +1,11 @@
description = [[ description = [[
Gets database statistics from a CouchDB database Gets database statistics from a CouchDB database.
For more info about the CouchDB HTTP Api, see For more info about the CouchDB HTTP API, see
http://wiki.apache.org/couchdb/Runtime_Statistics http://wiki.apache.org/couchdb/Runtime_Statistics
and and
http://wiki.apache.org/couchdb/HTTP_database_API http://wiki.apache.org/couchdb/HTTP_database_API.
]] ]]
--- ---
-- @usage -- @usage
-- nmap -p 5984 --script "couchdb-stats.nse" <host> -- nmap -p 5984 --script "couchdb-stats.nse" <host>
@@ -30,6 +30,7 @@ http://wiki.apache.org/couchdb/HTTP_database_API
-- | current = 5 -- | current = 5
-- | count = 1617 -- | count = 1617
-- |_ Authentication : NOT enabled ('admin party') -- |_ Authentication : NOT enabled ('admin party')
-- version 0.3 -- version 0.3
-- --
-- Created 01/20/2010 - v0.1 - created by Martin Holst Swende <martin@swende.se> -- Created 01/20/2010 - v0.1 - created by Martin Holst Swende <martin@swende.se>


@@ -1,4 +1,15 @@
description = [[ Retrieves a list of music from a DAAP server including the name of the artist, album and songs ]] description = [[
Retrieves a list of music from a DAAP server. The list includes artist
names and album and song titles.
Output will be capped to 100 items if not otherwise specified in the
<code>daap_item_limit</code> script argument. A
<code>daap_item_limit</code> below zero outputs the complete contents of
the DAAP library.
Based on documentation found here:
http://www.tapjam.net/daap/.
]]
--- ---
-- @args daap_item_limit Changes the output limit from 100 songs. If set to a negative value, no limit is enforced. -- @args daap_item_limit Changes the output limit from 100 songs. If set to a negative value, no limit is enforced.
@@ -20,15 +31,6 @@ description = [[ Retrieves a list of music from a DAAP server including the name
-- | Seven -- | Seven
-- | When I Grow Up -- | When I Grow Up
-- |_ Coconut -- |_ Coconut
--
--
-- Output will be capped to 100 items if not otherwise specified in the daap_item_limit script argument
-- A daap_item_limit below zero outputs the complete contents of the DAAP library
--
--
-- Based on documentation found here:
-- http://www.tapjam.net/daap/
--
author = "Patrik Karlsson" author = "Patrik Karlsson"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"


@@ -1,20 +1,20 @@
description = [[ description = [[
Performs password guessing against IBM DB2 Performs password guessing against IBM DB2.
]] ]]
--- ---
-- @args db2-brute.threads the amount of accounts to attempt to brute
-- force in parallell (default 10).
-- @args db2-brute.dbname the database name against which to guess
-- passwords (default <code>"SAMPLE"</code>).
--
-- @usage -- @usage
-- nmap -p 50000 --script db2-brute <host> -- nmap -p 50000 --script db2-brute <target>
-- --
-- @output -- @output
-- 50000/tcp open ibm-db2 -- 50000/tcp open ibm-db2
-- | db2-brute: -- | db2-brute:
-- |_ db2admin:db2admin => Login Correct -- |_ db2admin:db2admin => Login Correct
--
--
-- @args db2-brute.threads the amount of accounts to attempt to brute force in parallell (default 10)
-- @args db2-brute.dbname the database name against which to guess passwords (default SAMPLE)
--
author = "Patrik Karlsson" author = "Patrik Karlsson"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
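Review bot: `parallell` on the `db2-brute.threads` line survives the copyedit; the new side should read `-- force in parallel (default 10).`. The same entry says `the amount of accounts`, where the countable form `the number of accounts` is the usual wording in the other `@args` entries of this pass. Both are in the moved `@args` block, so the fix is confined to this hunk.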


@@ -1,6 +1,7 @@
description = [[ description = [[
Sends a DHCPDISCOVER request to a host on UDP port 67. The response come back to UDP port 68, and Sends a DHCPDISCOVER request to a host on UDP port 67. The response
is read using PCAP (due to the inability for a script to choose its source port at the moment). comes back to UDP port 68, and
is read using pcap (due to the inability for a script to choose its source port at the moment).
DHCPDISCOVER is a DHCP request that returns useful information from a DHCP server. The request sends DHCPDISCOVER is a DHCP request that returns useful information from a DHCP server. The request sends
a list of which fields it wants to know (a handful by default, every field if verbosity is turned on), and a list of which fields it wants to know (a handful by default, every field if verbosity is turned on), and
@@ -9,10 +10,9 @@ to return every field, nor does it have to return them in the same order, or hon
all. A Linksys WRT54g, for example, completely ignores the list of requested fields and returns a few all. A Linksys WRT54g, for example, completely ignores the list of requested fields and returns a few
standard ones. This script displays every field it receives. standard ones. This script displays every field it receives.
Using various script-args, the type of DHCP request can be changed, which can lead to interesting results. With script arguments, the type of DHCP request can be changed, which can lead to interesting results.
Additionally, the MAC address can be randomized, which should override the cache on the DHCP server and Additionally, the MAC address can be randomized, which should override the cache on the DHCP server and
assign a new IP address. Extra requests can also be sent to exhaust the IP address range more quickly. assign a new IP address. Extra requests can also be sent to exhaust the IP address range more quickly.
See the 'args' section for more information.
DHCPINFORM is another type of DHCP request that requests the same information, but doesn't reserve DHCPINFORM is another type of DHCP request that requests the same information, but doesn't reserve
an address. Unfortunately, because many home routers simply ignore DHCPINFORM requests, we opted an address. Unfortunately, because many home routers simply ignore DHCPINFORM requests, we opted
@@ -24,14 +24,28 @@ Some of the more useful fields:
* Router * Router
* DNS Servers * DNS Servers
* Hostname * Hostname
The functions for creating and parsing DHCP requests are general, and should be able to create and
parse any DHCP request and response. If other scripts require DHCP support, <code>dhcp_build</code>
and <code>dhcp_parse</code>, with their related functions, can easily be abstracted into a NSELib.
]] ]]
--- ---
--@output -- @args dhcptype The type of DHCP request to make. By default,
-- DHCPDISCOVER is sent, but this argument can change it to DHCPOFFER,
-- DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, DHCPRELEASE or
-- DHCPINFORM. Not all types will evoke a response from all servers.
-- @args randomize_mac Set to <code>true</code> or <code>1</code> to
-- send a random MAC address with the request (keep in mind that you may
-- not see the response). This should cause the router to reserve a new
-- IP address each time. @args requests Set to an integer to make up to
-- that many requests (and display the results).
-- @args fake_requests Set to an integer to make that many fake requests
-- before the real one(s). This could be useful, for example, if you
-- also use <code>randomize_mac</code> and you want to try exhausting
-- all addresses.
-- @args timeout Set to an integer to use it for a timeout. My router
-- responds to <code>fake_requests</code> rate limited, at about 1
-- response/second. Therefore, timeout has to be at least
-- <code>fake_requests * 1000</code>. Default: 5000.
--
-- @output
-- Interesting ports on 192.168.1.1: -- Interesting ports on 192.168.1.1:
-- PORT STATE SERVICE -- PORT STATE SERVICE
-- 67/udp open dhcps -- 67/udp open dhcps
@@ -44,22 +58,13 @@ and <code>dhcp_parse</code>, with their related functions, can easily be abstrac
-- | | Router: 192.168.1.1 -- | | Router: 192.168.1.1
-- |_ |_ Domain Name Server: 208.81.7.10, 208.81.7.14 -- |_ |_ Domain Name Server: 208.81.7.10, 208.81.7.14
-- --
--
--@args dhcptype The type of DHCP request to make. By default, DHCPDISCOVER is sent, but this argument
-- can change it to DHCPOFFER, DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, DHCPRELEASE
-- or DHCPINFORM. Not all types will evoke a response from all servers.
--@args randomize_mac Set to 'true' or '1' to send a random MAC address with the request (keep in mind
-- that you may not see the response). This should cause the router to reserve a new IP
-- address each time.
--@args requests Set to an integer to make up to that many requests (and display the results).
--@args fake_requests Set to an integer to make that many fake requests before the real one(s). This could
-- be useful, for example, if you also use <code>randomize_mac</code> and you want to try
-- exhausting all addresses.
--@args timeout Set to an integer to use it for a timeout. My router responds to <code>fake_requests</code>
-- rate limited, at about 1 response/second. Therefore, timeout has to be at least
-- <code>fake_requests * 1000</code>. Default: 5000.
-- The functions for creating and parsing DHCP requests are general, and
-- should be able to create and parse any DHCP request and response. If
-- other scripts require DHCP support, dhcp_build and dhcp_parse, with
-- their related functions, can easily be abstracted into a NSELib.
author = "Ron Bowes" author = "Ron Bowes"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
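Review bot: The `@args requests` tag on the new side is folded into the middle of the `randomize_mac` paragraph (`... IP address each time. @args requests Set to an integer to make up to ...`), and as far as I know NSEDoc only recognises tags at the start of a comment line, so the `requests` argument would lose its own entry and its text would be appended to `randomize_mac`'s description. Put it on its own line: `-- IP address each time.` followed by `-- @args requests Set to an integer to make up to that many requests (and display the results).`. Every other tag in this block starts a line, so this looks like a reflow accident rather than intent; the script body that reads these arguments is outside the hunk.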


@@ -21,12 +21,17 @@ different list.
--- ---
-- @args dns-cache-snoop.mode which of two supported snooping methods to -- @args dns-cache-snoop.mode which of two supported snooping methods to
-- use: -- use. <code>nonrecursive</code>, the default, checks if the server
-- * <code>nonrecursive</code> (default): checks if the server returns results for non-recursive queries. Some servers may disable this. -- returns results for non-recursive queries. Some servers may disable
-- * <code>timed</code>: measures the difference in time taken to resolve cached and non-cached hosts. This mode will pollute the DNS cache and can only be used once reliably. -- this. <code>timed</code> measures the difference in time taken to
-- resolve cached and non-cached hosts. This mode will pollute the DNS
-- cache and can only be used once reliably.
-- @args dns-cache-snoop.domains an array of domain to check in place of -- @args dns-cache-snoop.domains an array of domain to check in place of
-- the default list. -- the default list.
-- --
-- @usage
-- nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' <target>
--
-- @output -- @output
-- PORT STATE SERVICE REASON -- PORT STATE SERVICE REASON
-- 53/udp open domain udp-response -- 53/udp open domain udp-response
@@ -41,9 +46,6 @@ different list.
-- | www.google.com.hk -- | www.google.com.hk
-- | www.google.co.uk -- | www.google.co.uk
-- |_www.linkedin.com -- |_www.linkedin.com
--
-- @usage
-- nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' <target>
require("shortport") require("shortport")
require("dns") require("dns")
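Review bot: `an array of domain to check` in the `dns-cache-snoop.domains` entry should be `an array of domains to check`; the line is unchanged context here, but this is the copyediting pass that would normally catch it. The reflowed `timed` sentence still carries the caveat that the run pollutes the cache and is reliable only once, which is worth keeping as is.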


@@ -1,23 +1,27 @@
description = [[ description = [[
This script launches a DNS fuzzing attack against any DNS server. This script launches a DNS fuzzing attack against any DNS server.
Originally designed to test bind10, this script induces several errors The script induces errors into randomly generated but valid DNS packets.
into otherwise valid - randomly generated - DNS packets. The packet The packet template that we use includes one uncompressed and one
template that we use includes one standard name and one compressed name. compressed name.
This script should be run for a long time(TM). It will send a very Use the <code>dns-fuzz.timelimit</code> argument to control how long the
large quantity of packets and thus it's pretty invasive, so it fuzzing lasts. This script should be run for a long time. It will send a
should only be used against private DNS servers as part of a very large quantity of packets and thus it's pretty invasive, so it
software development lifecycle. should only be used against private DNS servers as part of a software
development lifecycle.
]] ]]
--- ---
-- @usage -- @usage
-- nmap --script dns-fuzz [--script-args timelimit=2h] target -- nmap --script dns-fuzz --script-args timelimit=2h <target>
-- @args timelimit How long to run the fuzz attack. This is a number followed --
-- by a suffix: <code>s</code> for seconds, <code>m</code> for minutes, and -- @args dns-fuzz.timelimit How long to run the fuzz attack. This is a
-- <code>h</code> for hours. Use <code>0</code> for an unlimited amount of time. -- number followed by a suffix: <code>s</code> for seconds,
-- Default: <code>10m</code>. -- <code>m</code> for minutes, and <code>h</code> for hours. Use
-- <code>0</code> for an unlimited amount of time. Default:
-- <code>10m</code>.
--
-- @output -- @output
-- Host script results: -- Host script results:
-- |_dns-fuzz: Server stopped responding... He's dead, Jim. -- |_dns-fuzz: Server stopped responding... He's dead, Jim.
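Review bot: The `@usage` example still passes `--script-args timelimit=2h` while the description and the `@args` entry now document the argument as `dns-fuzz.timelimit`; the example should match the documented name: `-- nmap --script dns-fuzz --script-args dns-fuzz.timelimit=2h <target>`. Whether the bare `timelimit` is still accepted depends on how the script looks the argument up, which is outside this hunk; if only the qualified name is read, the example as written is wrong rather than merely inconsistent.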


@@ -1,7 +1,7 @@
description = [[ description = [[
Checks if a DNS server allows queries for third-party names. Checks if a DNS server allows queries for third-party names. It is
expected that recursion will be enabled on your own internal
It is expected that recursion will be enabled on your own internal nameservers. nameservers.
]] ]]
--- ---


@@ -9,7 +9,7 @@ get more information.
--- ---
-- @usage -- @usage
-- nmap --script=dns-service-discovery -p 5353 <host> -- nmap --script=dns-service-discovery -p 5353 <target>
-- --
-- @output -- @output
-- PORT STATE SERVICE REASON -- PORT STATE SERVICE REASON


@@ -11,7 +11,7 @@ type specific data (SOA/MX/NS/PTR/A).
If we don't have the "true" hostname for the DNS server we cannot If we don't have the "true" hostname for the DNS server we cannot
determine a likely zone to perform the transfer on. determine a likely zone to perform the transfer on.
Useful resources Useful resources:
* DNS for rocket scientists: http://www.zytrax.com/books/dns/ * DNS for rocket scientists: http://www.zytrax.com/books/dns/
* How the AXFR protocol works: http://cr.yp.to/djbdns/axfr-notes.html * How the AXFR protocol works: http://cr.yp.to/djbdns/axfr-notes.html
]] ]]


@@ -5,8 +5,10 @@ author = "Marek Majkowski"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
--- ---
-- @args ftp-bounce.username Username to login with instead of "anonymous" -- @args ftp-bounce.username Username to log in with. Default
-- @args ftp-bounce.password Password to login with instead of "IEUser@" -- <code>"anonymous"</code>.
-- @args ftp-bounce.password Password to log in with. Default
-- <code>"IEUser@"</code>.
-- --
-- @output -- @output
-- PORT STATE SERVICE -- PORT STATE SERVICE


@@ -3,13 +3,7 @@ Tries to get FTP login credentials by guessing usernames and passwords.
This uses the standard unpwdb username/password list. However, in tests FTP servers are This uses the standard unpwdb username/password list. However, in tests FTP servers are
significantly slower than other servers when responding, so the number of usernames/passwords significantly slower than other servers when responding, so the number of usernames/passwords
can be artificially limited using script-args. can be artificially limited using script arguments.
2008-11-06 Vlatko Kosturjak <kost@linux.hr>
Modified xampp-default-auth script to generic ftp-brute script
2009-09-18 Ron Bowes <ron@skullsecurity.net>
Made into an actual bruteforce script (previously, it only tried one username/password).
]] ]]
--- ---
@@ -22,7 +16,13 @@ Made into an actual bruteforce script (previously, it only tried one username/pa
-- --
-- @args userlimit The number of user accounts to try (default: unlimited). -- @args userlimit The number of user accounts to try (default: unlimited).
-- @args passlimit The number of passwords to try (default: unlimited). -- @args passlimit The number of passwords to try (default: unlimited).
-- @args limit Set userlimlt + passlimit at the same time. -- @args limit Set <code>userlimlt</code> and <code>passlimit</code> at the same time.
-- 2008-11-06 Vlatko Kosturjak <kost@linux.hr>
-- Modified xampp-default-auth script to generic ftp-brute script
--
-- 2009-09-18 Ron Bowes <ron@skullsecurity.net>
-- Made into an actual bruteforce script (previously, it only tried one username/password).
author = "Diman Todorov, Vlatko Kosturjak, Ron Bowes" author = "Diman Todorov, Vlatko Kosturjak, Ron Bowes"
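Review bot: `userlimlt` in the `@args limit` line is a typo that the copyedit has now wrapped in `<code>`; it should be `<code>userlimit</code>` so it matches the `@args userlimit` entry two lines above. The line would read `-- @args limit Set <code>userlimit</code> and <code>passlimit</code> at the same time.`.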


@@ -1,6 +1,6 @@
description = [[ description = [[
Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow). Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow).
Vulnerability discovered by Maksymilian Arciemowicz and Adam 'pi3' Zabrocki. Vulnerability discovered by Maksymilian Arciemowicz and Adam "pi3" Zabrocki.
See also http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc. See also http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc.
Be advised that, if launched against a vulnerable host, this script will crash the FTPd. Be advised that, if launched against a vulnerable host, this script will crash the FTPd.
]] ]]


@@ -1,10 +1,10 @@
description = [[ description = [[
Enumerates directories used by popular web applications and servers. Enumerates directories used by popular web applications and servers.
This parses fingerprint files that are properly formatted. Multiple files are included This parses fingerprint files that are properly formatted. Multiple
with Nmap, including: files are included with Nmap, including:
* http-fingerprints: These attempt to find common files and folders. For the most part, they were in the original http-enum.nse. * <code>http-fingerprints</code>: These attempt to find common files and folders.
* yokoso-fingerprints: These are application-specific fingerprints, designed for finding the presense of specific applications/hardware, including Sharepoint, Forigate's Web interface, Arcsight SmartCollector appliances, Outlook Web Access, etc. These are from the Yokoso project, by InGuardians, and included with permission from Kevin Johnson <http://seclists.org/nmap-dev/2009/q3/0685.html>. * <code>yokoso-fingerprints</code>: These are application-specific fingerprints, designed for finding the presense of specific applications/hardware, including Sharepoint, Forigate's Web interface, Arcsight SmartCollector appliances, Outlook Web Access, etc. These are from the Yokoso project, by InGuardians, and included with permission from Kevin Johnson (http://seclists.org/nmap-dev/2009/q3/0685.html).
Initially, this script attempts to access two different random files in order to detect servers Initially, this script attempts to access two different random files in order to detect servers
that don't return a proper 404 Not Found status. In the event that they return 200 OK, the body that don't return a proper 404 Not Found status. In the event that they return 200 OK, the body
@@ -17,12 +17,27 @@ this script will also abort. If the root folder has disappeared or requires auth
is little hope of finding anything inside it. is little hope of finding anything inside it.
By default, only pages that return 200 OK or 401 Authentication Required are displayed. If the By default, only pages that return 200 OK or 401 Authentication Required are displayed. If the
script-arg <code>displayall</code> is set, however, then all results will be displayed (except <code>displayall</code> script argument is set, however, then all results will be displayed (except
for 404 Not Found and the status code returned by the random files). for 404 Not Found and the status code returned by the random files).
]] ]]
--- ---
--@output -- @args displayall Set to <code>1</code> or <code>true</code> to display all status codes
-- that may indicate a valid page, not just 200 OK and 401
-- Authentication Required pages. Although this is more likely to find
-- certain hidden folders, it also generates far more false positives.
-- @args limit Limit the number of folders to check. This option is
-- useful if using a list from, for example, the DirBuster projects
-- which can have more than 80,000 entries.
-- @args fingerprints Specify a different file to read fingerprints
-- from. This will be read instead of the default files.
-- @args path The base path to prepend to each request. Leading/trailing
-- slashes are not required.
-- @args variations Set to <code>1</code> or <code>true</code> to
-- attempt variations on the files, adding prefixes and suffixes such as
-- <code>.bak</code>, <code>~</code>, and <code>Copy of </code>.
--
-- @output
-- Interesting ports on test.skullsecurity.org (208.81.2.52): -- Interesting ports on test.skullsecurity.org (208.81.2.52):
-- PORT STATE SERVICE REASON -- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack -- 80/tcp open http syn-ack
@@ -34,17 +49,6 @@ for 404 Not Found and the status code returned by the random files).
-- | | /images/outlook.jpg: Outlook Web Access -- | | /images/outlook.jpg: Outlook Web Access
-- | | /nfservlets/servlet/SPSRouterServlet/: netForensics -- | | /nfservlets/servlet/SPSRouterServlet/: netForensics
-- |_ |_ /nfservlets/servlet/SPSRouterServlet/: netForensics -- |_ |_ /nfservlets/servlet/SPSRouterServlet/: netForensics
--
--
--@args displayall Set to '1' or 'true' to display all status codes that may indicate a valid page, not just
-- "200 OK" and "401 Authentication Required" pages. Although this is more likely to find certain
-- hidden folders, it also generates far more false positives.
--@args limit Limit the number of folders to check. This option is useful if using a list from, for example,
-- the DirBuster projects which can have 80,000+ entries.
--@args fingerprints Specify a different file to read fingerprints from. This will be read instead of the default
-- files.
--@args path The base path to prepend to each request. Leading/trailing slashes are not required.
--@args variations Set to '1' or 'true' to attempt variations on the files such as .bak, ~, Copy of", etc.
author = "Ron Bowes, Andrew Orr, Rob Nicholls" author = "Ron Bowes, Andrew Orr, Rob Nicholls"
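Review bot: Two spellings in the `yokoso-fingerprints` bullet survive the copyedit: `presense` should be `presence`, and `Forigate's Web interface` is presumably the Fortinet FortiGate web interface, which is worth confirming against the fingerprint file rather than guessing. In the `limit` entry, `the DirBuster projects which can have more than 80,000 entries` reads as a stray plural; `the DirBuster project, which can have more than 80,000 entries` seems to be what is intended.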


@@ -4,30 +4,26 @@ database of the icons of known web applications. If there is a match, the name
of the application is printed; otherwise the MD5 hash of the icon data is of the application is printed; otherwise the MD5 hash of the icon data is
printed. printed.
If the script arg <code>favicon.uri</code> is given, that relative URI is If the script argument <code>favicon.uri</code> is given, that relative URI is
always used to find the favicon. Otherwise, first the page at the root of the always used to find the favicon. Otherwise, first the page at the root of the
web server is retrieved and parsed for a <code><link rel="icon"></code> web server is retrieved and parsed for a <code><link rel="icon"></code>
element. If that fails, the icon is looked for in <code>/favicon.ico</code>. element. If that fails, the icon is looked for in <code>/favicon.ico</code>. If
Obtains the favicon.ico from the root of a web service (or with the html link a <code><link></code> favicon points to a different host or port, it is ignored.
rel attribute if that fails) and tries to identify its source (such as a
certain web application) using a database lookup.
If a <code><link></code> favicon points to a different host or port, it is
ignored.
]] ]]
--- ---
-- @args favicon.uri Uri that will be requested for favicon -- @args favicon.uri URI that will be requested for favicon.
-- @args favicon.root Webserver path to search for favicon -- @args favicon.root Web server path to search for favicon.
--
-- @usage
-- nmap --script=http-favicon.nse \
-- --script-args favicon.root=<root>,favicon.uri=<uri>
-- @output -- @output
-- |_ http-favicon: Socialtext -- |_ http-favicon: Socialtext
-- HTTP default favicon enumeration script -- HTTP default favicon enumeration script
-- rev 1.2 (2009-03-11) -- rev 1.2 (2009-03-11)
-- Original NASL script by Javier Fernandez-Sanguino Pena -- Original NASL script by Javier Fernandez-Sanguino Pena
--@usage
-- nmap --script=http-favicon.nse \
-- --script-args favicon.root=<root>,favicon.uri=<uri>
author = "Vlatko Kosturjak" author = "Vlatko Kosturjak"
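Review bot: The new side leaves a bare HTML-ish element name inside the `<code>` on the description line `parsed for a <code><link rel="icon"></code>`, and the later sentence on the new side says `If a <code><link></code> favicon points to a different host or port, it is ignored.`; NSEDoc renders these as HTML, so an unescaped `<link>` inside `<code>` is likely to be swallowed by the renderer rather than shown literally. If the NSEDoc generator does not escape `<code>` contents (not visible in this hunk), the tag names should be written as `&lt;link rel="icon"&gt;` and `&lt;link&gt;` so they survive rendering. The `@usage` block was moved ahead of `@output` here while the other sections in this commit keep `@usage` after the argument list; pick one order for the pass.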


@@ -3,7 +3,7 @@ Performs a GET request for the root folder ("/") of a web server and displays th
]] ]]
--- ---
--@output -- @output
-- Interesting ports on scanme.nmap.org (64.13.134.52): -- Interesting ports on scanme.nmap.org (64.13.134.52):
-- PORT STATE SERVICE -- PORT STATE SERVICE
-- 80/tcp open http syn-ack -- 80/tcp open http syn-ack
@@ -19,7 +19,7 @@ Performs a GET request for the root folder ("/") of a web server and displays th
-- | | Content-Type: text/html -- | | Content-Type: text/html
-- |_ |_ (Request type: HEAD) -- |_ |_ (Request type: HEAD)
-- --
--@args path The path to request, such as '/index.php'. Default: '/'. --@args path The path to request, such as <code>/index.php</code>. Default <code>/</code>.
--@args useget Set to force GET requests instead of HEAD. --@args useget Set to force GET requests instead of HEAD.
author = "Ron Bowes" author = "Ron Bowes"
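Review bot: The two `@args` lines on the new side still read `--@args path` and `--@args useget` with no space after the comment marker, while the first hunk of this same section changes `--@output` to `-- @output`. For consistency with the rest of the pass, `-- @args path The path to request, such as <code>/index.php</code>. Default <code>/</code>.` and `-- @args useget Set to force GET requests instead of HEAD.`.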


@@ -21,9 +21,9 @@ For more information on this vulnerability and script, see:
-- 80/tcp open http syn-ack -- 80/tcp open http syn-ack
-- |_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /secret, /webdav -- |_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /secret, /webdav
-- --
-- @args webdavfolder Selects a single folder to use, instead of using a built-in list -- @args webdavfolder Selects a single folder to use, instead of using a built-in list.
-- @args folderdb The filename of an alternate list of folders. -- @args folderdb The filename of an alternate list of folders.
-- @args basefolder The folder to start in; eg, "/web" will try "/web/xxx" -- @args basefolder The folder to start in; eg, <code>"/web"</code> will try <code>"/web/xxx"</code>.
----------------------------------------------------------------------- -----------------------------------------------------------------------
author = "Ron Bowes and Andrew Orr" author = "Ron Bowes and Andrew Orr"


@@ -1,12 +1,12 @@
description = [[ description = [[
Looks for signature of known server compromises. Currently, the only signature it looks for is Looks for signature of known server compromises.
the one discussed here:
<http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/>
This is done by requesting the page /ts/in.cgi?open2 and looking for an errant 302 (it attempts Currently, the only signature it looks for is the one discussed here:
to detect srevers that always return 302). http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/.
This is done by requesting the page <code>/ts/in.cgi?open2</code> and
Thanks to Denis from the above link for finding this technique! looking for an errant 302 (it attempts to detect servers that always
return 302). Thanks to Denis from the above link for finding this
technique!
]] ]]
--- ---


@@ -1,13 +1,10 @@
description=[[ description=[[
Checks if an HTTP proxy is open. Checks if an HTTP proxy is open.
The script attempts to connect to www.google.com through the (possible) proxy and checks The script attempts to connect to www.google.com through the proxy and
for a valid HTTP response code. checks for a valid HTTP response code. Valid HTTP response codes are
200, 301, and 302. If the target is an open proxy, this script causes
Valid HTTP response codes are actually: 200, 301, 302. the target to retrieve a web page from www.google.com.
If the target is an open proxy, this script causes the target to retrieve a
web page from www.google.com.
]] ]]
--- ---


@@ -8,7 +8,8 @@ module or similar enabled.
The Apache mod_userdir module allows user-specific directories to be accessed The Apache mod_userdir module allows user-specific directories to be accessed
using the http://example.com/~user/ syntax. This script makes http requests in using the http://example.com/~user/ syntax. This script makes http requests in
order to discover valid user-specific directories and infer valid usernames. By order to discover valid user-specific directories and infer valid usernames. By
default, the script will use Nmaps nselib/data/usernames.lst An http response default, the script will use Nmap's
<code>nselib/data/usernames.lst</code>. An HTTP response
status of 200 or 403 means the username is likely a valid one and the username status of 200 or 403 means the username is likely a valid one and the username
will be output in the script results along with the status code (in parentheses). will be output in the script results along with the status code (in parentheses).
@@ -16,22 +17,17 @@ This script makes an attempt to avoid false positives by requesting a directory
which is unlikely to exist. If the server responds with 200 or 403 then the which is unlikely to exist. If the server responds with 200 or 403 then the
script will not continue testing it. script will not continue testing it.
Ref: CVE-2001-1013 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1013 CVE-2001-1013: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1013.
]] ]]
--- ---
-- @args -- @args userdir.users The filename of a username list.
-- users=path/to/custom/usernames.list or -- @args limit The maximum number of users to check.
-- userdir.users=path/to/custom/usernames.list
-- limit=max number of users to check. This option is useful if using a list from,
-- for example, the DirBuster projects which can have 80,000+ entries.
--
-- --
-- @output -- @output
-- 80/tcp open http syn-ack Apache httpd 2.2.9 -- 80/tcp open http syn-ack Apache httpd 2.2.9
-- |_ apache-userdir-enum: Potential Users: root (403), user (200), test (200) -- |_ apache-userdir-enum: Potential Users: root (403), user (200), test (200)
local http = require 'http' local http = require 'http'
local stdnse = require 'stdnse' local stdnse = require 'stdnse'
local datafiles = require 'datafiles' local datafiles = require 'datafiles'
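Review bot: The rewritten `@args` block documents only `userdir.users`, whereas the removed text also listed a bare `users=path/to/custom/usernames.list` form; if the script still reads the unprefixed `users` argument (not visible in this hunk), the new line should keep mentioning it, e.g. `-- @args userdir.users The filename of a username list (the unprefixed <code>users</code> name is also accepted).`. Otherwise the drop is correct and only the description needs a small follow-up: the unchanged context line says `This script makes http requests in` while the new side two lines later writes `An HTTP response`; use `HTTP` in both places.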


@@ -1,5 +1,5 @@
description = [[ description = [[
Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733), originally released by Justin Morehouse (justin.morehouse[at)gmail.com) and Tony Flick (tony.flick(at]fyrmassociates.com), and presented at Shmoocon 2010 (http://fyrmassociates.com/tools.html). Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733), originally released by Justin Morehouse and Tony Flick, presented at Shmoocon 2010 (http://fyrmassociates.com/tools.html).
]] ]]
--- ---
@@ -7,15 +7,15 @@ Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2
-- nmap --script http-vmware-path-vuln -p80,443,8222,8333 <host> -- nmap --script http-vmware-path-vuln -p80,443,8222,8333 <host>
-- --
-- @output -- @output
--| http-vmware-path-vuln: -- | http-vmware-path-vuln:
--| VMWare path traversal (CVE-2009-3733): VULNERABLE -- | VMWare path traversal (CVE-2009-3733): VULNERABLE
--| /vmware/Windows 2003/Windows 2003.vmx -- | /vmware/Windows 2003/Windows 2003.vmx
--| /vmware/Pentest/Pentest - Linux/Linux Pentest Bravo.vmx -- | /vmware/Pentest/Pentest - Linux/Linux Pentest Bravo.vmx
--| /vmware/Pentest/Pentest - Windows/Windows 2003.vmx -- | /vmware/Pentest/Pentest - Windows/Windows 2003.vmx
--| /mnt/vmware/vmware/FreeBSD 7.2/FreeBSD 7.2.vmx -- | /mnt/vmware/vmware/FreeBSD 7.2/FreeBSD 7.2.vmx
--| /mnt/vmware/vmware/FreeBSD 8.0/FreeBSD 8.0.vmx -- | /mnt/vmware/vmware/FreeBSD 8.0/FreeBSD 8.0.vmx
--| /mnt/vmware/vmware/FreeBSD 8.0 64-bit/FreeBSD 8.0 64-bit.vmx -- | /mnt/vmware/vmware/FreeBSD 8.0 64-bit/FreeBSD 8.0 64-bit.vmx
--|_ /mnt/vmware/vmware/Slackware 13 32-bit/Slackware 13 32-bit.vmx -- |_ /mnt/vmware/vmware/Slackware 13 32-bit/Slackware 13 32-bit.vmx
----------------------------------------------------------------------- -----------------------------------------------------------------------
author = "Ron Bowes" author = "Ron Bowes"


@@ -1,10 +1,11 @@
description = [[ description = [[
Classifies a host's IP ID sequence (e.g. test for Idle Scan suitability). Classifies a host's IP ID sequence (test for susceptability to idle
scan).
Sends six probes to obtain IP IDs from the target and classifies them Sends six probes to obtain IP IDs from the target and classifies them
similiarly to Nmap's method. This is useful for finding suitable zombies similiarly to Nmap's method. This is useful for finding suitable zombies
for Nmap's Idle Scan (-sI) as Nmap itself doesn't provide a way to scan for Nmap's idle scan (-sI) as Nmap itself doesn't provide a way to scan
*for* these hosts. for these hosts.
]] ]]
--- ---
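Review bot: The new first line of the description carries a spelling error the copyedit introduced or kept, `susceptability`, and the unchanged line further down still reads `similiarly`. Suggest `Classifies a host's IP ID sequence (test for susceptibility to idle` and `similarly to Nmap's method. This is useful for finding suitable zombies`.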


@@ -2,9 +2,9 @@ description = [[
Checks if an IRC server is backdoored by running a time-based command (ping) Checks if an IRC server is backdoored by running a time-based command (ping)
and checking how long it takes to respond. and checking how long it takes to respond.
The script-arg <code>irc-unrealircd-backdoor.command</code> can be used to The <code>irc-unrealircd-backdoor.command</code> script argument can be used to
run an arbitrary command on the remote system. Because of the nature of run an arbitrary command on the remote system. Because of the nature of
this vulnerability -- the output is never returned -- we have no way of this vulnerability (the output is never returned) we have no way of
getting the output of the command. It can, however, be used to start a getting the output of the command. It can, however, be used to start a
netcat listener as demonstrated here: netcat listener as demonstrated here:
<code> <code>
@@ -21,19 +21,19 @@ netcat listener as demonstrated here:
Metasploit can also be used to exploit this vulnerability. Metasploit can also be used to exploit this vulnerability.
In addition to running arbitrary commands, the In addition to running arbitrary commands, the
<code>irc-unrealircd-backdoor.kill</code> script-arg can be passed, which <code>irc-unrealircd-backdoor.kill</code> script argument can be passed, which
simply kills the UnrealIRCd process. simply kills the UnrealIRCd process.
Reference: Reference:
http://seclists.org/fulldisclosure/2010/Jun/277 * http://seclists.org/fulldisclosure/2010/Jun/277
http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt * http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt
http://www.metasploit.com/modules/exploit/unix/irc/unreal_ircd_3281_backdoor * http://www.metasploit.com/modules/exploit/unix/irc/unreal_ircd_3281_backdoor
]] ]]
--- ---
-- @args irc-unrealircd-backdoor.command An arbitrary command to run on the remote system (note, however, that you won't see the output of your command). This will always be attempted, even if the host isn't vulnerable. The pattern %IP% will be replaced with the ip address of the target host. -- @args irc-unrealircd-backdoor.command An arbitrary command to run on the remote system (note, however, that you won't see the output of your command). This will always be attempted, even if the host isn't vulnerable. The pattern <code>%IP%</code> will be replaced with the ip address of the target host.
-- @args irc-unrealircd-backdoor.kill If set to '1' or 'true', kill the backdoored UnrealIRCd running. -- @args irc-unrealircd-backdoor.kill If set to <code>1</code> or <code>true</code>, kill the backdoored UnrealIRCd running.
-- @args irc-unrealircd-backdoor.wait Wait time in seconds before executing the check. This is recommended to set for more reliable check (100 is good value). -- @args irc-unrealircd-backdoor.wait Wait time in seconds before executing the check. This is recommended to set for more reliable check (100 is good value).
-- --
-- @output -- @output
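Review bot: The `irc-unrealircd-backdoor.wait` line is unchanged on the new side and keeps the ungrammatical "This is recommended to set for more reliable check (100 is good value)" while the two neighbouring `@args` lines were reworked. Suggest `-- @args irc-unrealircd-backdoor.wait Wait time in seconds before executing the check. Setting this is recommended for a more reliable check (100 is a good value).`. The `<code>` example block opened at the end of the first hunk continues outside this view.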


@@ -1,10 +1,28 @@
description = [[ description = [[
Performs password guessing against LDAP This script makes attempts to brute force LDAP authentication. By default
it uses the builtin username and password lists to do so. In order to use your
own lists use the <code>userdb</code> and <code>passdb</code> script arguments.
This script does not make any attempt to prevent account lockout!
If the number of passwords in the dictionary exceed the amount of
allowed tries, accounts will be locked out. This usually happens
very quickly.
Authenticating against Active Directory using LDAP does not use the
Windows user name but the user accounts distinguished name. LDAP on Windows
2003 allows authentication using a simple user name rather than using the
fully distinguished name. E.g., "Patrik Karlsson" vs.
"cn=Patrik Karlsson,cn=Users,dc=cqure,dc=net"
This type of authentication is not supported on e.g. OpenLDAP.
This script uses some AD-specific support and optimizations:
* LDAP on Windows 2003 reports different error messages depending on whether an account exists or not. If the script recieves an error indicating that the username does not exist it simply stops guessing passwords for this account and moves on to the next.
* The script attempts to authenticate with the username only if no LDAP base is specified. The benefit of authenticating this way is that the LDAP path of each account does not need to be known in advance as it's looked up by the server.
]] ]]
--- ---
-- @usage -- @usage
-- nmap -p 389 --script ldap-brute --script-args -- nmap -p 389 --script ldap-brute --script-args \
-- ldap.base='"cn=users,dc=cqure,dc=net"' <host> -- ldap.base='"cn=users,dc=cqure,dc=net"' <host>
-- --
-- @output -- @output
@@ -15,44 +33,7 @@ Performs password guessing against LDAP
-- @args ldap.base If set, the script will use it as a base for the password -- @args ldap.base If set, the script will use it as a base for the password
-- guessing attempts. If unset the user list must either contain the -- guessing attempts. If unset the user list must either contain the
-- distinguished name of each user or the server must support -- distinguished name of each user or the server must support
-- authentication using a simple user name. See AD discussion below. -- authentication using a simple user name. See the AD discussion in the description.
--
-- Additional information
-- ----------------------
-- This script makes attempts to brute force LDAP authentication. By default
-- it uses the builtin user- and password-list to do so. In order to use your
-- own lists use the userdb and passdb script arguments.
--
-- WARNING: This script does not make ANY attempt to prevent account lockout!
-- If the number of passwords in the dictionary exceed the amount of
-- allowed tries, accounts will be locked out. This usually happens
-- *VERY* quickly.
--
-- Active Directory and LDAP
-- -------------------------
-- Note: Authenticating against Active Directory using LDAP does not use the
-- Windows user name but the user accounts distinguished name. LDAP on Windows
-- 2003 allows authentication using a simple user name rather than using the
-- fully distinguished name. Eg:
-- - Patrik Karlsson vs. cn=Patrik Karlsson,cn=Users,dc=cqure,dc=net
-- This type of authentication is not supported on eg. OpenLDAP
--
-- This script uses some AD specific support and optimizations:
--
-- o LDAP on Windows 2003 reports different error messages depending on whether
-- an account exists or not. If the script recieves an error indicating that
-- the username does not exist it simply stops guessing passwords for this
-- account and moves on to the next.
--
-- o The script attempts to authenticate with the username only if no LDAP base
-- is specified. The benefit of authenticating this way is that the LDAP path
-- of each account does not need to be known in advance as it's looked up by
-- the server.
--
-- Credits
-- -------
-- o The get_random_string function was borrowed from the smb-psexec script.
--
author = "Patrik Karlsson" author = "Patrik Karlsson"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
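Review bot: The removed `Credits` block (the note that `get_random_string` was borrowed from the smb-psexec script) has no counterpart on the new side, so the attribution is dropped rather than relocated, unlike the lockout warning and AD notes which were moved into the description. Consider keeping it as a plain comment next to the function, e.g. `-- get_random_string was borrowed from the smb-psexec script.`. The new description also keeps the misspelling `recieves` in the bullet about Windows 2003 error messages; `receives`.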


@@ -1,8 +1,23 @@
description = [[ description = [[
Attempts to perform an LDAP search and returns all matches. Attempts to perform an LDAP search and returns all matches.
If no username and password is supplied to the script the Nmap registry
is consulted. If the <code>ldap-brute</code> script has been selected
and it found a valid account, this account will be used. If not
anonymous bind will be used as a last attempt.
]] ]]
--- ---
-- @args ldap.username If set, the script will attempt to perform an LDAP bind using the username and password
-- @args ldap.password If set, used together with the username to authenticate to the LDAP server
-- @args ldap.qfilter If set, specifies a quick filter. The library does not support parsing real LDAP filters.
-- The following values are valid for the filter parameter: computer, users or all. If no value is specified it defaults to all.
-- @args ldap.base If set, the script will use it as a base for the search. By default the defaultNamingContext is retrieved and used.
-- If no defaultNamingContext is available the script iterates over the available namingContexts
-- @args ldap.attrib If set, the search will include only the attributes specified. For a single attribute a string value can be used, if
-- multiple attributes need to be supplied a table should be used instead.
-- @args ldap.maxobjects If set, overrides the number of objects returned by the script (default 20).
-- The value -1 removes the limit completely.
-- @usage -- @usage
-- nmap -p 389 --script ldap-search --script-args ldap.username="'cn=ldaptest,cn=users,dc=cqure,dc=net'",ldap.password=ldaptest, -- nmap -p 389 --script ldap-search --script-args ldap.username="'cn=ldaptest,cn=users,dc=cqure,dc=net'",ldap.password=ldaptest,
-- ldap.qfilter=users,ldap.attrib=sAMAccountName <host> -- ldap.qfilter=users,ldap.attrib=sAMAccountName <host>
@@ -28,30 +43,10 @@ Attempts to perform an LDAP search and returns all matches.
-- | sAMAccountName: VMABUSEXP008$ -- | sAMAccountName: VMABUSEXP008$
-- | dn: CN=ldaptest,CN=Users,DC=cqure,DC=net -- | dn: CN=ldaptest,CN=Users,DC=cqure,DC=net
-- |_ sAMAccountName: ldaptest -- |_ sAMAccountName: ldaptest
--
--
-- @args ldap.username If set, the script will attempt to perform an LDAP bind using the username and password
-- @args ldap.password If set, used together with the username to authenticate to the LDAP server
-- @args ldap.qfilter If set, specifies a quick filter. The library does not support parsing real LDAP filters.
-- The following values are valid for the filter parameter: computer, users or all. If no value is specified it defaults to all.
-- @args ldap.base If set, the script will use it as a base for the search. By default the defaultNamingContext is retrieved and used.
-- If no defaultNamingContext is available the script iterates over the available namingContexts
-- @args ldap.attrib If set, the search will include only the attributes specified. For a single attribute a string value can be used, if
-- multiple attributes need to be supplied a table should be used instead.
-- @args ldap.maxobjects If set, overrides the number of objects returned by the script (default 20).
-- The value -1 removes the limit completely.
--
--
-- Authentication
-- --------------
-- If no username and password is supplied to the script the Nmap registry is consulted.
-- If the ldap-brute script has been selected and it found a valid account, this account will be used.
-- If not anonymous bind will be used as a last attempt.
--
-- Credit -- Credit
-- ------ -- ------
-- o Martin Swende who provided me with the initial code that got me started writing this. -- o Martin Swende who provided me with the initial code that got me started writing this.
--
-- Version 0.4 -- Version 0.4
-- Created 01/12/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net> -- Created 01/12/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
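Review bot: The authentication paragraph moved into the description on the new side keeps two grammatical slips from the old comment block: `If no username and password is supplied to the script the Nmap registry` and `If not` with no comma before `anonymous bind`. Suggest `If no username and password are supplied to the script, the Nmap registry` and `If not, anonymous bind will be used as a last attempt.`.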


@@ -1,9 +1,14 @@
description = [[ Retrieve Lexmark S300-S400 Configuration ]] description = [[
Retrieves configuration information from a Lexmark S300-S400 printer.
The Lexmark S302 responds to the NTPRequest version probe with its
configuration. The response decodes as mDNS, so the request was modified
to resemble an mDNS request as close as possible. However, the port
(9100/udp) is listed as something completely different (HBN3) in
documentation from Lexmark. See
http://www.lexmark.com/vgn/images/portal/Security%20Features%20of%20Lexmark%20MFPs%20v1_1.pdf.
]]
-- The Lexmark S302 was found to respond with it's configuration to the NTPRequest probe
-- As the response decodes as MDNS the request was modified to resemble a MDNS request as close as possible
-- However, the port (9100/udp) is listed as something completely different (HBN3) in documentation from Lexmark
-- http://www.lexmark.com/vgn/images/portal/Security%20Features%20of%20Lexmark%20MFPs%20v1_1.pdf
--- ---
--@output --@output
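Review bot: The new description says the request was modified `to resemble an mDNS request as close as possible`; the adverb form is `as closely as possible`. The `--@output` tag on the last line of the hunk is also left without the space after the comment marker that the other sections in this pass adopt; `-- @output`.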


@@ -1,5 +1,5 @@
description = [[ description = [[
Attempts to get tables from a MongoDB Attempts to get a list of tables from a MongoDB database.
]] ]]
--- ---
@@ -28,6 +28,7 @@ Attempts to get tables from a MongoDB
-- | sizeOnDisk = 1 -- | sizeOnDisk = 1
-- | name = admin -- | name = admin
-- |_ totalSize = 167772160 -- |_ totalSize = 167772160
-- version 0.1 -- version 0.1
-- Created 01/12/2010 - v0.1 - created by Martin Holst Swende <martin@swende.se> -- Created 01/12/2010 - v0.1 - created by Martin Holst Swende <martin@swende.se>


@@ -1,5 +1,5 @@
description = [[ description = [[
Attempts to get build info and server status from a MongoDB Attempts to get build info and server status from a MongoDB database.
]] ]]
--- ---
@@ -40,6 +40,7 @@ Attempts to get build info and server status from a MongoDB
-- | heap_usage_bytes = 117120 -- | heap_usage_bytes = 117120
-- | note = fields vary by platform -- | note = fields vary by platform
-- |_ page_faults = 0 -- |_ page_faults = 0
-- version 0.2 -- version 0.2
-- Created 01/12/2010 - v0.1 - created by Martin Holst Swende <martin@swende.se> -- Created 01/12/2010 - v0.1 - created by Martin Holst Swende <martin@swende.se>


@@ -1,5 +1,5 @@
description = [[ description = [[
Performs password guessing against Microsoft SQL Server (mssql) Performs password guessing against Microsoft SQL Server (ms-sql).
]] ]]
author = "Patrik Karlsson" author = "Patrik Karlsson"
@@ -12,16 +12,13 @@ require 'mssql'
require 'unpwdb' require 'unpwdb'
--- ---
--
-- @output -- @output
-- PORT STATE SERVICE -- PORT STATE SERVICE
-- 1433/tcp open ms-sql-s -- 1433/tcp open ms-sql-s
-- | mssql-brute: -- | ms-sql-brute:
-- | webshop_reader:secret => Login Success -- | webshop_reader:secret => Login Success
-- | testuser:secret1234 => Must change password at next logon -- | testuser:secret1234 => Must change password at next logon
-- |_ lordvader:secret1234 => Login Success -- |_ lordvader:secret1234 => Login Success
--
--
-- Version 0.1 -- Version 0.1
-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net> -- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>


@@ -1,8 +1,6 @@
description = [[ description = [[
Queries Microsoft SQL Server (MSSQL) for a list of: Queries Microsoft SQL Server (ms-sql) for a list of databases, linked
* Databases servers, and configuration settings.
* Linked Servers
* Configuration settings
]] ]]
author = "Patrik Karlsson" author = "Patrik Karlsson"


@@ -15,7 +15,7 @@ require 'mssql'
-- @output -- @output
-- PORT STATE SERVICE -- PORT STATE SERVICE
-- 1433/tcp open ms-sql-s -- 1433/tcp open ms-sql-s
-- | mssql-empty-password: -- | ms-sql-empty-password:
-- |_ sa:<empty> => Login Correct -- |_ sa:<empty> => Login Correct
-- --
-- --


@@ -1,5 +1,14 @@
description = [[ description = [[
Queries Microsoft SQL Server (MSSQL) for a list of databases a user has access to. Queries Microsoft SQL Server (ms-sql) for a list of databases a user has
access to.
The script needs an account with the sysadmin server role to work.
It needs to be fed credentials through the script arguments or from
the scripts <code>mssql-brute</code> or <code>mssql-empty-password</code>.
When run, the script iterates over the credentials and attempts to run
the command until either all credentials are exhausted or until the
command is executed.
]] ]]
author = "Patrik Karlsson" author = "Patrik Karlsson"
@@ -14,11 +23,11 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
--- ---
-- @args mssql.username specifies the username to use to connect to -- @args mssql.username specifies the username to use to connect to
-- the server. This option overrides any accounts found by -- the server. This option overrides any accounts found by
-- the mssql-brute and mssql-empty-password scripts. -- the <code>mssql-brute</code> and <code>mssql-empty-password</code> scripts.
-- --
-- @args mssql.password specifies the password to use to connect to -- @args mssql.password specifies the password to use to connect to
-- the server. This option overrides any accounts found by -- the server. This option overrides any accounts found by
-- the mssql-brute and mssql-empty-password scripts. -- the <code>ms-sql-brute</code> and <code>ms-sql-empty-password</code> scripts.
-- --
-- @args mssql-hasdbaccess.limit limits the amount of databases per-user -- @args mssql-hasdbaccess.limit limits the amount of databases per-user
-- that are returned (default 5). If set to zero or less all -- that are returned (default 5). If set to zero or less all
@@ -27,7 +36,7 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
-- @output -- @output
-- PORT STATE SERVICE -- PORT STATE SERVICE
-- 1433/tcp open ms-sql-s -- 1433/tcp open ms-sql-s
-- | mssql-hasdbaccess: -- | ms-sql-hasdbaccess:
-- | webshop_reader -- | webshop_reader
-- | dbname owner -- | dbname owner
-- | hr sa -- | hr sa
@@ -38,16 +47,6 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
-- | testdb CQURE-NET\Administr -- | testdb CQURE-NET\Administr
-- |_ webshop sa -- |_ webshop sa
--
-- The script needs an account with the sysadmin server role to work.
-- It needs to be fed credentials through the script arguments or from
-- the scripts mssq-brute or mssq-empty-password.
--
-- When run, the script iterates over the credentials and attempts to run
-- the command until either all credentials are exhausted or until the
-- command is executed.
--
-- Version 0.1 -- Version 0.1
-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net> -- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
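Review bot: The new description and the new `mssql.username` argument text still name the helper scripts `mssql-brute` and `mssql-empty-password`, while the `dependencies` line shown in the hunk header and the new `mssql.password` text use `ms-sql-brute` and `ms-sql-empty-password`. Both occurrences should use the names the dependencies table declares: `the scripts <code>ms-sql-brute</code> or <code>ms-sql-empty-password</code>.` in the description and `-- the <code>ms-sql-brute</code> and <code>ms-sql-empty-password</code> scripts.` under `mssql.username`. The ms-sql-tables section later in this commit already uses the new names on both `@args` lines, so this section is the only one left inconsistent.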


@@ -1,5 +1,5 @@
description = [[ description = [[
Runs a Query against Microsoft SQL Server (MSSQL). Runs a query against Microsoft SQL Server (ms-sql).
]] ]]
author = "Patrik Karlsson" author = "Patrik Karlsson"
@@ -17,17 +17,14 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
-- (default SELECT @@version version) -- (default SELECT @@version version)
-- --
-- @output -- @output
--
-- PORT STATE SERVICE -- PORT STATE SERVICE
-- 1433/tcp open ms-sql-s -- 1433/tcp open ms-sql-s
-- | mssql-query: -- | ms-sql-query:
-- | -- |
-- | Microsoft SQL Server 2005 - 9.00.3068.00 (Intel X86) -- | Microsoft SQL Server 2005 - 9.00.3068.00 (Intel X86)
-- | Feb 26 2008 18:15:01 -- | Feb 26 2008 18:15:01
-- | Copyright (c) 1988-2005 Microsoft Corporation -- | Copyright (c) 1988-2005 Microsoft Corporation
-- |_ Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2) -- |_ Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
--
--
-- Version 0.1 -- Version 0.1
-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net> -- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>


@@ -1,5 +1,19 @@
description = [[ description = [[
Queries Microsoft SQL Server (MSSQL) for a list of tables per database. Queries Microsoft SQL Server (ms-sql) for a list of tables per database.
The sysdatabase table should be accessible by more or less everyone
The script attempts to use the sa account over any other if it has
the password in the registry. If not the first account in the
registry is used.
Once we have a list of databases we iterate over it and attempt to extract
table names. In order for this to succeed we need to have either
sysadmin privileges or an account with access to the db. So, each
database we successfully enumerate tables from we mark as finished, then
iterate over known user accounts until either we have exhausted the users
or found all tables in all the databases.
Tables installed by default are excluded.
]] ]]
author = "Patrik Karlsson" author = "Patrik Karlsson"
@@ -15,11 +29,11 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
--- ---
-- @args mssql.username specifies the username to use to connect to -- @args mssql.username specifies the username to use to connect to
-- the server. This option overrides any accounts found by -- the server. This option overrides any accounts found by
-- the mssql-brute and mssql-empty-password scripts. -- the <code>ms-sql-brute</code> and <code>ms-sql-empty-password</code> scripts.
-- --
-- @args mssql.password specifies the password to use to connect to -- @args mssql.password specifies the password to use to connect to
-- the server. This option overrides any accounts found by -- the server. This option overrides any accounts found by
-- the mssql-brute and mssql-empty-password scripts. -- the <code>ms-sql-brute</code> and <code>ms-sql-empty-password</code> scripts.
-- --
-- @args mssql-tables.maxdb Limits the amount of databases that are -- @args mssql-tables.maxdb Limits the amount of databases that are
-- processed and returned (default 5). If set to zero or less -- processed and returned (default 5). If set to zero or less
@@ -34,7 +48,7 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
-- @output -- @output
-- PORT STATE SERVICE -- PORT STATE SERVICE
-- 1433/tcp open ms-sql-s -- 1433/tcp open ms-sql-s
-- | mssql-tables: -- | ms-sql-tables:
-- | webshop -- | webshop
-- | table column type length -- | table column type length
-- | payments user_id int 4 -- | payments user_id int 4
@@ -57,22 +71,6 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
-- | users username varchar 50 -- | users username varchar 50
-- | users password varchar 50 -- | users password varchar 50
-- |_ users fullname varchar 100 -- |_ users fullname varchar 100
--
--
-- The sysdatabase table should be accessible by more or less everyone
-- The script attempts to use the sa account over some n00b if it has
-- the password in the registry. If not the first account in the
-- registry is used.
--
-- Once we have a list of DBs we iterate over it and attempt to extract
-- table names. In order for this to succeed we need to have either
-- sysadmin privileges or an account with access to the db. So, for each
-- db we successfully enumerate tables from we mark as finnished, we then
-- iterate over our know user accounts until either we exhausted our users
-- or we found all tables in all dbs.
--
-- Oh, and exclude all MS default dbs from this excercise.
--
-- Version 0.1 -- Version 0.1
-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net> -- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>


@@ -1,5 +1,15 @@
description = [[ description = [[
Queries Microsoft SQL Server (MSSQL) for a list of tables per database. Attempts to run a command using the command shell of Microsoft SQL
Server (ms-sql).
The script needs an account with the sysadmin server role to work.
It needs to be fed credentials through the script arguments or from
the scripts <code>ms-sql-brute</code> or
<code>ms-sql-empty-password</code>.
When run, the script iterates over the credentials and attempts to run
the command until either all credentials are exhausted or until the
command is executed.
]] ]]
author = "Patrik Karlsson" author = "Patrik Karlsson"
@@ -14,11 +24,11 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
--- ---
-- @args mssql.username specifies the username to use to connect to -- @args mssql.username specifies the username to use to connect to
-- the server. This option overrides any accounts found by -- the server. This option overrides any accounts found by
-- the mssql-brute and mssql-empty-password scripts. -- the <code>ms-sql-brute</code> and <code>ms-sql-empty-password</code> scripts.
-- --
-- @args mssql.password specifies the password to use to connect to -- @args mssql.password specifies the password to use to connect to
-- the server. This option overrides any accounts found by -- the server. This option overrides any accounts found by
-- the mssql-brute and mssql-empty-password scripts. -- the <code>ms-sql-brute</code> and <code>ms-sql-empty-password</code> scripts.
-- --
-- @args mssql-xp-cmdshell.cmd specifies the OS command to run. -- @args mssql-xp-cmdshell.cmd specifies the OS command to run.
-- (default is ipconfig /all) -- (default is ipconfig /all)
@@ -26,7 +36,7 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
-- @output -- @output
-- PORT STATE SERVICE -- PORT STATE SERVICE
-- 1433/tcp open ms-sql-s -- 1433/tcp open ms-sql-s
-- | mssql-xp-cmdshell: -- | ms-sql-xp-cmdshell:
-- | Command: ipconfig /all; User: sa -- | Command: ipconfig /all; User: sa
-- | output -- | output
-- | -- |
@@ -53,15 +63,6 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
-- | Lease Obtained. . . . . . . . . . : den 21 mars 2010 00:12:10 -- | Lease Obtained. . . . . . . . . . : den 21 mars 2010 00:12:10
-- | Lease Expires . . . . . . . . . . : den 21 mars 2010 01:12:10 -- | Lease Expires . . . . . . . . . . : den 21 mars 2010 01:12:10
-- |_ -- |_
--
-- The script needs an account with the sysadmin server role to work.
-- It needs to be fed credentials through the script arguments or from
-- the scripts mssq-brute or mssq-empty-password.
--
-- When run, the script iterates over the credentials and attempts to run
-- the command until either all credentials are exhausted or until the
-- command is executed.
--
-- Version 0.1 -- Version 0.1
-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net> -- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
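Review bot: The rewritten description (the added lines following `Attempts to run a command using the command shell of Microsoft SQL Server (ms-sql).`) still does not tell the operator that the supplied command is executed on the database host's operating system, which is the one thing a reader needs to know before pointing this at a production server. I would add a sentence such as `The command is executed on the target host's OS (presumably via the xp_cmdshell extended procedure the script is named for), so running this script is intrusive; if mssql-xp-cmdshell.cmd is not given, ipconfig /all is run.` The `@args mssql-xp-cmdshell.cmd` entry further down documents the default command but not where it runs or in whose security context. Whether xp_cmdshell must already be enabled on the server or whether the script turns it on is not visible from this hunk and is worth stating explicitly in the description, since that is what determines whether the sysadmin requirement alone is sufficient.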


@@ -31,7 +31,7 @@ printed with the list of any combinations that were found prior to the error.
-- antispam) -- antispam)
-- @args smtp-open-relay.to Define the destination email address to be used (without the domain, default is -- @args smtp-open-relay.to Define the destination email address to be used (without the domain, default is
-- relaytest) -- relaytest)
--
-- changelog -- changelog
-- 2007-05-16 Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> -- 2007-05-16 Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
-- + Added some strings to return in different places -- + Added some strings to return in different places
@@ -63,7 +63,6 @@ printed with the list of any combinations that were found prior to the error.
-- * Minor comments changes -- * Minor comments changes
-- 2010-03-14 Duarte Silva <duarte.silva@myf00.net> -- 2010-03-14 Duarte Silva <duarte.silva@myf00.net>
-- * Made the script a little more verbose -- * Made the script a little more verbose
-----------------------------------------------------------------------
author = "Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>" author = "Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"