PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00
Code Issues Projects Releases Wiki Activity

Do copyediting of NSEDoc. This is a first pass up to ms-sql-xp-cmdshell.

Browse Source
This commit is contained in:
david
2010-07-09 23:32:18 +00:00
parent 0e7f78bcd0
commit b9633ed69b
47 changed files with 316 additions and 335 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
scripts/afp-path-vuln.nse
View File

@@ -1,7 +1,7 @@
description = [[
Detects the Mac OS X AFP directory traversal vulnerability CVE-2010-0533.
Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.
This script attempt to iterate over all AFP shares on the remote
This script attempts to iterate over all AFP shares on the remote
host. For each share it attempts to access the parent directory by
exploiting the directory traversal vulnerability as described in
CVE-2010-0533.
@@ -9,10 +9,8 @@ CVE-2010-0533.
The script reports whether the system is vulnerable or not. In
addition it lists the contents of the parent and child directories to
a max depth of 2.
When running in verbose mode, all items in the listed directories are
shown. In non verbose mode, output is limited to the first 5 items.
If the server is not vulnerable, the script will not return any
information.

2
scripts/afp-serverinfo.nse
View File

@@ -1,7 +1,7 @@
description = [[
Shows AFP server information. This information includes the server's
hostname, IPv4 and IPv6 addresses, and hardware type (for example
Macmini or MacBookPro).
<code>Macmini</code> or <code>MacBookPro</code>).
]]
---

10
scripts/afp-showmount.nse
View File

@@ -1,8 +1,10 @@
description = [[ Shows AFP shares and ACLs ]]
description = [[
Shows AFP shares and ACLs.
]]
---
-- @args afp.username The username to use for authentication. (If unset it first attempts to use credentials found by afp-brute then no credentials)
-- @args afp.password The password to use for authentication. (If unset it first attempts to use credentials found by afp-brute then no credentials)
-- @args afp.username The username to use for authentication. (If unset, first attempt to use credentials found by <code>afp-brute</code>, then no credentials.)
-- @args afp.password The password to use for authentication. (If unset, first attempt to use credentials found by <code>afp-brute</code>, then no credentials.)
--
--@output
-- PORT STATE SERVICE
@@ -95,4 +97,4 @@ action = function(host, port)
end
end
return
end
end

2
scripts/asn-query.nse
View File

@@ -5,10 +5,8 @@ The script works by sending DNS TXT queries to a DNS server which in
turn queries a third-party service provided by Team Cymru
(team-cymru.org) using an in-addr.arpa style zone set up especially for
use by Nmap.
The responses to these queries contain both Origin and Peer ASNs and
their descriptions, displayed along with the BGP Prefix and Country Code.
The script caches results to reduce the number of queries and should
perform a single query for all scanned targets in a BGP Prefix present in
Team Cymru's database.

3
scripts/auth-owners.nse
View File

@@ -1,6 +1,7 @@
description = [[
Attempts to find the owner of an open TCP port by querying an auth
(identd - port 113) daemon which must also be open on the target system.
daemon which must also be open on the target system. The auth service,
also known as identd, normally runs on port 113.
]]
---
--@output

2
scripts/auth-spoof.nse
View File

@@ -3,7 +3,7 @@ Checks for an identd (auth) server which is spoofing its replies.
Tests whether an identd (auth) server responds with an answer before
we even send the query. This sort of identd spoofing can be a sign of
malware infection though it can also be used for legitimate privacy
malware infection, though it can also be used for legitimate privacy
reasons.
]]

14
scripts/citrix-brute-xml.nse
View File

@@ -1,9 +1,11 @@
description = [[ Attempts to guess valid credentials for the Citrix PN Web Agent XML Service.
The XML service authenticates against the local Windows server or the Active Directory.
description = [[
Attempts to guess valid credentials for the Citrix PN Web Agent XML
Service. The XML service authenticates against the local Windows server
or the Active Directory.
CAUTION: This script makes no attempt of preventing account lockout.
If the password list contains more passwords than the lockout-threshold
accounts WILL be locked.
This script makes no attempt of preventing account lockout. If the
password list contains more passwords than the lockout-threshold
accounts will be locked.
]]
---
@@ -157,4 +159,4 @@ action = function(host, port)
end
return create_result_from_table(valid_accounts)
end
end

25
scripts/citrix-enum-apps-xml.nse
View File

@@ -1,8 +1,8 @@
description = [[
Extracts a list of applications, acls and settings from Citrix XML service
Extracts a list of applications, acls, and settings from the Citrix XML
service.
The script returns the shorter, comma separated output per default.
Running nmap with the verbose flag (-v) triggers the detailed output.
The script returns more output with higher verbosity.
]]
---
@@ -13,6 +13,13 @@ Running nmap with the verbose flag (-v) triggers the detailed output.
-- PORT STATE SERVICE
-- 8080/tcp open http-proxy
-- | citrix-enum-apps-xml:
-- | Application: Notepad; Users: Anonymous
-- | Application: iexplorer; Users: Anonymous
-- |_ Application: registry editor; Users: WIN-B4RL0SUCJ29\Joe; Groups: WIN-B4RL0SUCJ29\HR, *CITRIX_BUILTIN*\*CITRIX_ADMINISTRATORS*
--
-- PORT STATE SERVICE
-- 8080/tcp open http-proxy
-- | citrix-enum-apps-xml:
-- | Application: Notepad
-- | Disabled: false
-- | Desktop: false
@@ -44,16 +51,6 @@ Running nmap with the verbose flag (-v) triggers the detailed output.
-- | Remote Access: false
-- | Users: WIN-B4RL0SUCJ29\Joe
-- |_ Groups: WIN-B4RL0SUCJ29\HR, *CITRIX_BUILTIN*\*CITRIX_ADMINISTRATORS*
--
--
-- PORT STATE SERVICE
-- 8080/tcp open http-proxy
-- | citrix-enum-apps-xml:
-- | Application: Notepad; Users: Anonymous
-- | Application: iexplorer; Users: Anonymous
-- |_ Application: registry editor; Users: WIN-B4RL0SUCJ29\Joe; Groups: WIN-B4RL0SUCJ29\HR, *CITRIX_BUILTIN*\*CITRIX_ADMINISTRATORS*
--
---
-- Version 0.2
-- Created 11/26/2009 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
@@ -147,4 +144,4 @@ action = function(host,port)
return stdnse.format_output(true, response)
end
end

2
scripts/citrix-enum-apps.nse
View File

@@ -1,5 +1,5 @@
description = [[
Extract published applications from the ICA Browser service
Extracts a list of published applications from the ICA Browser service.
]]
---

6
scripts/citrix-enum-servers-xml.nse
View File

@@ -1,4 +1,6 @@
description = [[ Extracts the name of the server farm and member severs from Citrix XML service
description = [[
Extracts the name of the server farm and member servers from Citrix XML
service.
]]
---
@@ -11,8 +13,6 @@ description = [[ Extracts the name of the server farm and member severs from Cit
-- | citrix-enum-servers-xml:
-- | CITRIX-SRV01
-- |_ CITRIX-SRV01
--
---
-- Version 0.2

2
scripts/citrix-enum-servers.nse
View File

@@ -1,5 +1,5 @@
description = [[
Extract a list of Citrix servers from the ICA Browser service
Extracts a list of Citrix servers from the ICA Browser service.
]]
---

7
scripts/couchdb-databases.nse
View File

@@ -1,7 +1,7 @@
description = [[
Gets database tables from a CouchDB database
For more info about the CouchDB HTTP Api, see
http://wiki.apache.org/couchdb/HTTP_database_API
Gets database tables from a CouchDB database.
For more info about the CouchDB HTTP API, see
http://wiki.apache.org/couchdb/HTTP_database_API.
]]
---
@@ -18,6 +18,7 @@ http://wiki.apache.org/couchdb/HTTP_database_API
-- | 5 = creditcards
-- | 6 = test_suite_users
-- |_ 7 = test_suite_db_b
-- version 0.2
-- Created 01/12/2010 - v0.1 - created by Martin Holst Swende <martin@swende.se>

9
scripts/couchdb-stats.nse
View File

@@ -1,11 +1,11 @@
description = [[
Gets database statistics from a CouchDB database
For more info about the CouchDB HTTP Api, see
Gets database statistics from a CouchDB database.
For more info about the CouchDB HTTP API, see
http://wiki.apache.org/couchdb/Runtime_Statistics
and
http://wiki.apache.org/couchdb/HTTP_database_API
http://wiki.apache.org/couchdb/HTTP_database_API.
]]
---
-- @usage
-- nmap -p 5984 --script "couchdb-stats.nse" <host>
@@ -30,6 +30,7 @@ http://wiki.apache.org/couchdb/HTTP_database_API
-- | current = 5
-- | count = 1617
-- |_ Authentication : NOT enabled ('admin party')
-- version 0.3
--
-- Created 01/20/2010 - v0.1 - created by Martin Holst Swende <martin@swende.se>

22
scripts/daap-get-library.nse
View File

@@ -1,4 +1,15 @@
description = [[ Retrieves a list of music from a DAAP server including the name of the artist, album and songs ]]
description = [[
Retrieves a list of music from a DAAP server. The list includes artist
names and album and song titles.
Output will be capped to 100 items if not otherwise specified in the
<code>daap_item_limit</code> script argument. A
<code>daap_item_limit</code> below zero outputs the complete contents of
the DAAP library.
Based on documentation found here:
http://www.tapjam.net/daap/.
]]
---
-- @args daap_item_limit Changes the output limit from 100 songs. If set to a negative value, no limit is enforced.
@@ -20,15 +31,6 @@ description = [[ Retrieves a list of music from a DAAP server including the name
-- | Seven
-- | When I Grow Up
-- |_ Coconut
--
--
-- Output will be capped to 100 items if not otherwise specified in the daap_item_limit script argument
-- A daap_item_limit below zero outputs the complete contents of the DAAP library
--
--
-- Based on documentation found here:
-- http://www.tapjam.net/daap/
--
author = "Patrik Karlsson"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

14
scripts/db2-brute.nse
View File

@@ -1,20 +1,20 @@
description = [[
Performs password guessing against IBM DB2
Performs password guessing against IBM DB2.
]]
---
-- @args db2-brute.threads the amount of accounts to attempt to brute
-- force in parallell (default 10).
-- @args db2-brute.dbname the database name against which to guess
-- passwords (default <code>"SAMPLE"</code>).
--
-- @usage
-- nmap -p 50000 --script db2-brute <host>
-- nmap -p 50000 --script db2-brute <target>
--
-- @output
-- 50000/tcp open ibm-db2
-- | db2-brute:
-- |_ db2admin:db2admin => Login Correct
--
--
-- @args db2-brute.threads the amount of accounts to attempt to brute force in parallell (default 10)
-- @args db2-brute.dbname the database name against which to guess passwords (default SAMPLE)
--
author = "Patrik Karlsson"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

51
scripts/dhcp-discover.nse
View File

@@ -1,6 +1,7 @@
description = [[
Sends a DHCPDISCOVER request to a host on UDP port 67. The response come back to UDP port 68, and
is read using PCAP (due to the inability for a script to choose its source port at the moment).
Sends a DHCPDISCOVER request to a host on UDP port 67. The response
comes back to UDP port 68, and
is read using pcap (due to the inability for a script to choose its source port at the moment).
DHCPDISCOVER is a DHCP request that returns useful information from a DHCP server. The request sends
a list of which fields it wants to know (a handful by default, every field if verbosity is turned on), and
@@ -9,10 +10,9 @@ to return every field, nor does it have to return them in the same order, or hon
all. A Linksys WRT54g, for example, completely ignores the list of requested fields and returns a few
standard ones. This script displays every field it receives.
Using various script-args, the type of DHCP request can be changed, which can lead to interesting results.
With script arguments, the type of DHCP request can be changed, which can lead to interesting results.
Additionally, the MAC address can be randomized, which should override the cache on the DHCP server and
assign a new IP address. Extra requests can also be sent to exhaust the IP address range more quickly.
See the 'args' section for more information.
DHCPINFORM is another type of DHCP request that requests the same information, but doesn't reserve
an address. Unfortunately, because many home routers simply ignore DHCPINFORM requests, we opted
@@ -24,14 +24,28 @@ Some of the more useful fields:
* Router
* DNS Servers
* Hostname
The functions for creating and parsing DHCP requests are general, and should be able to create and
parse any DHCP request and response. If other scripts require DHCP support, <code>dhcp_build</code>
and <code>dhcp_parse</code>, with their related functions, can easily be abstracted into a NSELib.
]]
---
--@output
-- @args dhcptype The type of DHCP request to make. By default,
-- DHCPDISCOVER is sent, but this argument can change it to DHCPOFFER,
-- DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, DHCPRELEASE or
-- DHCPINFORM. Not all types will evoke a response from all servers.
-- @args randomize_mac Set to <code>true</code> or <code>1</code> to
-- send a random MAC address with the request (keep in mind that you may
-- not see the response). This should cause the router to reserve a new
-- IP address each time. @args requests Set to an integer to make up to
-- that many requests (and display the results).
-- @args fake_requests Set to an integer to make that many fake requests
-- before the real one(s). This could be useful, for example, if you
-- also use <code>randomize_mac</code> and you want to try exhausting
-- all addresses.
-- @args timeout Set to an integer to use it for a timeout. My router
-- responds to <code>fake_requests</code> rate limited, at about 1
-- response/second. Therefore, timeout has to be at least
-- <code>fake_requests * 1000</code>. Default: 5000.
--
-- @output
-- Interesting ports on 192.168.1.1:
-- PORT STATE SERVICE
-- 67/udp open dhcps
@@ -44,22 +58,13 @@ and <code>dhcp_parse</code>, with their related functions, can easily be abstrac
-- | | Router: 192.168.1.1
-- |_ |_ Domain Name Server: 208.81.7.10, 208.81.7.14
--
--
--@args dhcptype The type of DHCP request to make. By default, DHCPDISCOVER is sent, but this argument
-- can change it to DHCPOFFER, DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, DHCPRELEASE
-- or DHCPINFORM. Not all types will evoke a response from all servers.
--@args randomize_mac Set to 'true' or '1' to send a random MAC address with the request (keep in mind
-- that you may not see the response). This should cause the router to reserve a new IP
-- address each time.
--@args requests Set to an integer to make up to that many requests (and display the results).
--@args fake_requests Set to an integer to make that many fake requests before the real one(s). This could
-- be useful, for example, if you also use <code>randomize_mac</code> and you want to try
-- exhausting all addresses.
--@args timeout Set to an integer to use it for a timeout. My router responds to <code>fake_requests</code>
-- rate limited, at about 1 response/second. Therefore, timeout has to be at least
-- <code>fake_requests * 1000</code>. Default: 5000.
-- The functions for creating and parsing DHCP requests are general, and
-- should be able to create and parse any DHCP request and response. If
-- other scripts require DHCP support, dhcp_build and dhcp_parse, with
-- their related functions, can easily be abstracted into a NSELib.
author = "Ron Bowes"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

14
scripts/dns-cache-snoop.nse
View File

@@ -21,12 +21,17 @@ different list.
---
-- @args dns-cache-snoop.mode which of two supported snooping methods to
-- use:
-- * <code>nonrecursive</code> (default): checks if the server returns results for non-recursive queries. Some servers may disable this.
-- * <code>timed</code>: measures the difference in time taken to resolve cached and non-cached hosts. This mode will pollute the DNS cache and can only be used once reliably.
-- use. <code>nonrecursive</code>, the default, checks if the server
-- returns results for non-recursive queries. Some servers may disable
-- this. <code>timed</code> measures the difference in time taken to
-- resolve cached and non-cached hosts. This mode will pollute the DNS
-- cache and can only be used once reliably.
-- @args dns-cache-snoop.domains an array of domain to check in place of
-- the default list.
--
-- @usage
-- nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' <target>
--
-- @output
-- PORT STATE SERVICE REASON
-- 53/udp open domain udp-response
@@ -41,9 +46,6 @@ different list.
-- | www.google.com.hk
-- | www.google.co.uk
-- |_www.linkedin.com
--
-- @usage
-- nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' <target>
require("shortport")
require("dns")

30
scripts/dns-fuzz.nse
View File

@@ -1,23 +1,27 @@
description = [[
This script launches a DNS fuzzing attack against any DNS server.
Originally designed to test bind10, this script induces several errors
into otherwise valid - randomly generated - DNS packets. The packet
template that we use includes one standard name and one compressed name.
The script induces errors into randomly generated but valid DNS packets.
The packet template that we use includes one uncompressed and one
compressed name.
This script should be run for a long time(TM). It will send a very
large quantity of packets and thus it's pretty invasive, so it
should only be used against private DNS servers as part of a
software development lifecycle.
Use the <code>dns-fuzz.timelimit</code> argument to control how long the
fuzzing lasts. This script should be run for a long time. It will send a
very large quantity of packets and thus it's pretty invasive, so it
should only be used against private DNS servers as part of a software
development lifecycle.
]]
---
-- @usage
-- nmap --script dns-fuzz [--script-args timelimit=2h] target
-- @args timelimit How long to run the fuzz attack. This is a number followed
-- by a suffix: <code>s</code> for seconds, <code>m</code> for minutes, and
-- <code>h</code> for hours. Use <code>0</code> for an unlimited amount of time.
-- Default: <code>10m</code>.
-- @usage
-- nmap --script dns-fuzz --script-args timelimit=2h <target>
--
-- @args dns-fuzz.timelimit How long to run the fuzz attack. This is a
-- number followed by a suffix: <code>s</code> for seconds,
-- <code>m</code> for minutes, and <code>h</code> for hours. Use
-- <code>0</code> for an unlimited amount of time. Default:
-- <code>10m</code>.
--
-- @output
-- Host script results:
-- |_dns-fuzz: Server stopped responding... He's dead, Jim.

6
scripts/dns-recursion.nse
View File

@@ -1,7 +1,7 @@
description = [[
Checks if a DNS server allows queries for third-party names.
It is expected that recursion will be enabled on your own internal nameservers.
Checks if a DNS server allows queries for third-party names. It is
expected that recursion will be enabled on your own internal
nameservers.
]]
---

2
scripts/dns-service-discovery.nse
View File

@@ -9,7 +9,7 @@ get more information.
---
-- @usage
-- nmap --script=dns-service-discovery -p 5353 <host>
-- nmap --script=dns-service-discovery -p 5353 <target>
--
-- @output
-- PORT STATE SERVICE REASON

2
scripts/dns-zone-transfer.nse
View File

@@ -11,7 +11,7 @@ type specific data (SOA/MX/NS/PTR/A).
If we don't have the "true" hostname for the DNS server we cannot
determine a likely zone to perform the transfer on.
Useful resources
Useful resources:
* DNS for rocket scientists: http://www.zytrax.com/books/dns/
* How the AXFR protocol works: http://cr.yp.to/djbdns/axfr-notes.html
]]

6
scripts/ftp-bounce.nse
View File

@@ -5,8 +5,10 @@ author = "Marek Majkowski"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
---
-- @args ftp-bounce.username Username to login with instead of "anonymous"
-- @args ftp-bounce.password Password to login with instead of "IEUser@"
-- @args ftp-bounce.username Username to log in with. Default
-- <code>"anonymous"</code>.
-- @args ftp-bounce.password Password to log in with. Default
-- <code>"IEUser@"</code>.
--
-- @output
-- PORT STATE SERVICE

16
scripts/ftp-brute.nse
View File

@@ -3,13 +3,7 @@ Tries to get FTP login credentials by guessing usernames and passwords.
This uses the standard unpwdb username/password list. However, in tests FTP servers are
significantly slower than other servers when responding, so the number of usernames/passwords
can be artificially limited using script-args.
2008-11-06 Vlatko Kosturjak <kost@linux.hr>
Modified xampp-default-auth script to generic ftp-brute script
2009-09-18 Ron Bowes <ron@skullsecurity.net>
Made into an actual bruteforce script (previously, it only tried one username/password).
can be artificially limited using script arguments.
]]
---
@@ -22,7 +16,13 @@ Made into an actual bruteforce script (previously, it only tried one username/pa
--
-- @args userlimit The number of user accounts to try (default: unlimited).
-- @args passlimit The number of passwords to try (default: unlimited).
-- @args limit Set userlimlt + passlimit at the same time.
-- @args limit Set <code>userlimlt</code> and <code>passlimit</code> at the same time.
-- 2008-11-06 Vlatko Kosturjak <kost@linux.hr>
-- Modified xampp-default-auth script to generic ftp-brute script
--
-- 2009-09-18 Ron Bowes <ron@skullsecurity.net>
-- Made into an actual bruteforce script (previously, it only tried one username/password).
author = "Diman Todorov, Vlatko Kosturjak, Ron Bowes"

2
scripts/ftp-libopie.nse
View File

@@ -1,6 +1,6 @@
description = [[
Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow).
Vulnerability discovered by Maksymilian Arciemowicz and Adam 'pi3' Zabrocki.
Vulnerability discovered by Maksymilian Arciemowicz and Adam "pi3" Zabrocki.
See also http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc.
Be advised that, if launched against a vulnerable host, this script will crash the FTPd.
]]

38
scripts/http-enum.nse
View File

@@ -1,10 +1,10 @@
description = [[
Enumerates directories used by popular web applications and servers.
This parses fingerprint files that are properly formatted. Multiple files are included
with Nmap, including:
* http-fingerprints: These attempt to find common files and folders. For the most part, they were in the original http-enum.nse.
* yokoso-fingerprints: These are application-specific fingerprints, designed for finding the presense of specific applications/hardware, including Sharepoint, Forigate's Web interface, Arcsight SmartCollector appliances, Outlook Web Access, etc. These are from the Yokoso project, by InGuardians, and included with permission from Kevin Johnson <http://seclists.org/nmap-dev/2009/q3/0685.html>.
This parses fingerprint files that are properly formatted. Multiple
files are included with Nmap, including:
* <code>http-fingerprints</code>: These attempt to find common files and folders.
* <code>yokoso-fingerprints</code>: These are application-specific fingerprints, designed for finding the presense of specific applications/hardware, including Sharepoint, Forigate's Web interface, Arcsight SmartCollector appliances, Outlook Web Access, etc. These are from the Yokoso project, by InGuardians, and included with permission from Kevin Johnson (http://seclists.org/nmap-dev/2009/q3/0685.html).
Initially, this script attempts to access two different random files in order to detect servers
that don't return a proper 404 Not Found status. In the event that they return 200 OK, the body
@@ -17,12 +17,27 @@ this script will also abort. If the root folder has disappeared or requires auth
is little hope of finding anything inside it.
By default, only pages that return 200 OK or 401 Authentication Required are displayed. If the
script-arg <code>displayall</code> is set, however, then all results will be displayed (except
<code>displayall</code> script argument is set, however, then all results will be displayed (except
for 404 Not Found and the status code returned by the random files).
]]
---
--@output
-- @args displayall Set to <code>1</code> or <code>true</code> to display all status codes
-- that may indicate a valid page, not just 200 OK and 401
-- Authentication Required pages. Although this is more likely to find
-- certain hidden folders, it also generates far more false positives.
-- @args limit Limit the number of folders to check. This option is
-- useful if using a list from, for example, the DirBuster projects
-- which can have more than 80,000 entries.
-- @args fingerprints Specify a different file to read fingerprints
-- from. This will be read instead of the default files.
-- @args path The base path to prepend to each request. Leading/trailing
-- slashes are not required.
-- @args variations Set to <code>1</code> or <code>true</code> to
-- attempt variations on the files, adding prefixes and suffixes such as
-- <code>.bak</code>, <code>~</code>, and <code>Copy of </code>.
--
-- @output
-- Interesting ports on test.skullsecurity.org (208.81.2.52):
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack
@@ -34,17 +49,6 @@ for 404 Not Found and the status code returned by the random files).
-- | | /images/outlook.jpg: Outlook Web Access
-- | | /nfservlets/servlet/SPSRouterServlet/: netForensics
-- |_ |_ /nfservlets/servlet/SPSRouterServlet/: netForensics
--
--
--@args displayall Set to '1' or 'true' to display all status codes that may indicate a valid page, not just
-- "200 OK" and "401 Authentication Required" pages. Although this is more likely to find certain
-- hidden folders, it also generates far more false positives.
--@args limit Limit the number of folders to check. This option is useful if using a list from, for example,
-- the DirBuster projects which can have 80,000+ entries.
--@args fingerprints Specify a different file to read fingerprints from. This will be read instead of the default
-- files.
--@args path The base path to prepend to each request. Leading/trailing slashes are not required.
--@args variations Set to '1' or 'true' to attempt variations on the files such as .bak, ~, Copy of", etc.
author = "Ron Bowes, Andrew Orr, Rob Nicholls"

22
scripts/http-favicon.nse
View File

@@ -4,30 +4,26 @@ database of the icons of known web applications. If there is a match, the name
of the application is printed; otherwise the MD5 hash of the icon data is
printed.
If the script arg <code>favicon.uri</code> is given, that relative URI is
If the script argument <code>favicon.uri</code> is given, that relative URI is
always used to find the favicon. Otherwise, first the page at the root of the
web server is retrieved and parsed for a <code><link rel="icon"></code>
element. If that fails, the icon is looked for in <code>/favicon.ico</code>.
Obtains the favicon.ico from the root of a web service (or with the html link
rel attribute if that fails) and tries to identify its source (such as a
certain web application) using a database lookup.
If a <code><link></code> favicon points to a different host or port, it is
ignored.
element. If that fails, the icon is looked for in <code>/favicon.ico</code>. If
a <code><link></code> favicon points to a different host or port, it is ignored.
]]
---
-- @args favicon.uri Uri that will be requested for favicon
-- @args favicon.root Webserver path to search for favicon
-- @args favicon.uri URI that will be requested for favicon.
-- @args favicon.root Web server path to search for favicon.
--
-- @usage
-- nmap --script=http-favicon.nse \
-- --script-args favicon.root=<root>,favicon.uri=<uri>
-- @output
-- |_ http-favicon: Socialtext
-- HTTP default favicon enumeration script
-- rev 1.2 (2009-03-11)
-- Original NASL script by Javier Fernandez-Sanguino Pena
--@usage
-- nmap --script=http-favicon.nse \
-- --script-args favicon.root=<root>,favicon.uri=<uri>
author = "Vlatko Kosturjak"

4
scripts/http-headers.nse
View File

@@ -3,7 +3,7 @@ Performs a GET request for the root folder ("/") of a web server and displays th
]]
---
--@output
-- @output
-- Interesting ports on scanme.nmap.org (64.13.134.52):
-- PORT STATE SERVICE
-- 80/tcp open http syn-ack
@@ -19,7 +19,7 @@ Performs a GET request for the root folder ("/") of a web server and displays th
-- | | Content-Type: text/html
-- |_ |_ (Request type: HEAD)
--
--@args path The path to request, such as '/index.php'. Default: '/'.
--@args path The path to request, such as <code>/index.php</code>. Default <code>/</code>.
--@args useget Set to force GET requests instead of HEAD.
author = "Ron Bowes"

4
scripts/http-iis-webdav-vuln.nse
View File

@@ -21,9 +21,9 @@ For more information on this vulnerability and script, see:
-- 80/tcp open http syn-ack
-- |_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /secret, /webdav
--
-- @args webdavfolder Selects a single folder to use, instead of using a built-in list
-- @args webdavfolder Selects a single folder to use, instead of using a built-in list.
-- @args folderdb The filename of an alternate list of folders.
-- @args basefolder The folder to start in; eg, "/web" will try "/web/xxx"
-- @args basefolder The folder to start in; eg, <code>"/web"</code> will try <code>"/web/xxx"</code>.
-----------------------------------------------------------------------
author = "Ron Bowes and Andrew Orr"

14
scripts/http-malware-host.nse
View File

@@ -1,12 +1,12 @@
description = [[
Looks for signature of known server compromises. Currently, the only signature it looks for is
the one discussed here:
<http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/>
Looks for signature of known server compromises.
This is done by requesting the page /ts/in.cgi?open2 and looking for an errant 302 (it attempts
to detect srevers that always return 302).
Thanks to Denis from the above link for finding this technique!
Currently, the only signature it looks for is the one discussed here:
http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/.
This is done by requesting the page <code>/ts/in.cgi?open2</code> and
looking for an errant 302 (it attempts to detect servers that always
return 302). Thanks to Denis from the above link for finding this
technique!
]]
---

11
scripts/http-open-proxy.nse
View File

@@ -1,13 +1,10 @@
description=[[
Checks if an HTTP proxy is open.
The script attempts to connect to www.google.com through the (possible) proxy and checks
for a valid HTTP response code.
Valid HTTP response codes are actually: 200, 301, 302.
If the target is an open proxy, this script causes the target to retrieve a
web page from www.google.com.
The script attempts to connect to www.google.com through the proxy and
checks for a valid HTTP response code. Valid HTTP response codes are
200, 301, and 302. If the target is an open proxy, this script causes
the target to retrieve a web page from www.google.com.
]]
---

16
scripts/http-userdir-enum.nse
View File

@@ -8,7 +8,8 @@ module or similar enabled.
The Apache mod_userdir module allows user-specific directories to be accessed
using the http://example.com/~user/ syntax. This script makes http requests in
order to discover valid user-specific directories and infer valid usernames. By
default, the script will use Nmaps nselib/data/usernames.lst An http response
default, the script will use Nmap's
<code>nselib/data/usernames.lst</code>. An HTTP response
status of 200 or 403 means the username is likely a valid one and the username
will be output in the script results along with the status code (in parentheses).
@@ -16,22 +17,17 @@ This script makes an attempt to avoid false positives by requesting a directory
which is unlikely to exist. If the server responds with 200 or 403 then the
script will not continue testing it.
Ref: CVE-2001-1013 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1013
CVE-2001-1013: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1013.
]]
---
-- @args
-- users=path/to/custom/usernames.list or
-- userdir.users=path/to/custom/usernames.list
-- limit=max number of users to check. This option is useful if using a list from,
-- for example, the DirBuster projects which can have 80,000+ entries.
--
-- @args userdir.users The filename of a username list.
-- @args limit The maximum number of users to check.
--
-- @output
-- 80/tcp open http syn-ack Apache httpd 2.2.9
-- |_ apache-userdir-enum: Potential Users: root (403), user (200), test (200)
local http = require 'http'
local stdnse = require 'stdnse'
local datafiles = require 'datafiles'

20
scripts/http-vmware-path-vuln.nse
View File

@@ -1,5 +1,5 @@
description = [[
Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733), originally released by Justin Morehouse (justin.morehouse[at)gmail.com) and Tony Flick (tony.flick(at]fyrmassociates.com), and presented at Shmoocon 2010 (http://fyrmassociates.com/tools.html).
Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733), originally released by Justin Morehouse and Tony Flick, presented at Shmoocon 2010 (http://fyrmassociates.com/tools.html).
]]
---
@@ -7,15 +7,15 @@ Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2
-- nmap --script http-vmware-path-vuln -p80,443,8222,8333 <host>
--
-- @output
--| http-vmware-path-vuln:
--| VMWare path traversal (CVE-2009-3733): VULNERABLE
--| /vmware/Windows 2003/Windows 2003.vmx
--| /vmware/Pentest/Pentest - Linux/Linux Pentest Bravo.vmx
--| /vmware/Pentest/Pentest - Windows/Windows 2003.vmx
--| /mnt/vmware/vmware/FreeBSD 7.2/FreeBSD 7.2.vmx
--| /mnt/vmware/vmware/FreeBSD 8.0/FreeBSD 8.0.vmx
--| /mnt/vmware/vmware/FreeBSD 8.0 64-bit/FreeBSD 8.0 64-bit.vmx
--|_ /mnt/vmware/vmware/Slackware 13 32-bit/Slackware 13 32-bit.vmx
-- | http-vmware-path-vuln:
-- | VMWare path traversal (CVE-2009-3733): VULNERABLE
-- | /vmware/Windows 2003/Windows 2003.vmx
-- | /vmware/Pentest/Pentest - Linux/Linux Pentest Bravo.vmx
-- | /vmware/Pentest/Pentest - Windows/Windows 2003.vmx
-- | /mnt/vmware/vmware/FreeBSD 7.2/FreeBSD 7.2.vmx
-- | /mnt/vmware/vmware/FreeBSD 8.0/FreeBSD 8.0.vmx
-- | /mnt/vmware/vmware/FreeBSD 8.0 64-bit/FreeBSD 8.0 64-bit.vmx
-- |_ /mnt/vmware/vmware/Slackware 13 32-bit/Slackware 13 32-bit.vmx
-----------------------------------------------------------------------
author = "Ron Bowes"

7
scripts/ipidseq.nse
View File

@@ -1,10 +1,11 @@
description = [[
Classifies a host's IP ID sequence (e.g. test for Idle Scan suitability).
Classifies a host's IP ID sequence (test for susceptability to idle
scan).
Sends six probes to obtain IP IDs from the target and classifies them
similiarly to Nmap's method. This is useful for finding suitable zombies
for Nmap's Idle Scan (-sI) as Nmap itself doesn't provide a way to scan
*for* these hosts.
for Nmap's idle scan (-sI) as Nmap itself doesn't provide a way to scan
for these hosts.
]]
---

16
scripts/irc-unrealircd-backdoor.nse
View File

@@ -2,9 +2,9 @@ description = [[
Checks if an IRC server is backdoored by running a time-based command (ping)
and checking how long it takes to respond.
The script-arg <code>irc-unrealircd-backdoor.command</code> can be used to
The <code>irc-unrealircd-backdoor.command</code> script argument can be used to
run an arbitrary command on the remote system. Because of the nature of
this vulnerability -- the output is never returned -- we have no way of
this vulnerability (the output is never returned) we have no way of
getting the output of the command. It can, however, be used to start a
netcat listener as demonstrated here:
<code>
@@ -21,19 +21,19 @@ netcat listener as demonstrated here:
Metasploit can also be used to exploit this vulnerability.
In addition to running arbitrary commands, the
<code>irc-unrealircd-backdoor.kill</code> script-arg can be passed, which
<code>irc-unrealircd-backdoor.kill</code> script argument can be passed, which
simply kills the UnrealIRCd process.
Reference:
http://seclists.org/fulldisclosure/2010/Jun/277
http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt
http://www.metasploit.com/modules/exploit/unix/irc/unreal_ircd_3281_backdoor
* http://seclists.org/fulldisclosure/2010/Jun/277
* http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt
* http://www.metasploit.com/modules/exploit/unix/irc/unreal_ircd_3281_backdoor
]]
---
-- @args irc-unrealircd-backdoor.command An arbitrary command to run on the remote system (note, however, that you won't see the output of your command). This will always be attempted, even if the host isn't vulnerable. The pattern %IP% will be replaced with the ip address of the target host.
-- @args irc-unrealircd-backdoor.kill If set to '1' or 'true', kill the backdoored UnrealIRCd running.
-- @args irc-unrealircd-backdoor.command An arbitrary command to run on the remote system (note, however, that you won't see the output of your command). This will always be attempted, even if the host isn't vulnerable. The pattern <code>%IP%</code> will be replaced with the ip address of the target host.
-- @args irc-unrealircd-backdoor.kill If set to <code>1</code> or <code>true</code>, kill the backdoored UnrealIRCd running.
-- @args irc-unrealircd-backdoor.wait Wait time in seconds before executing the check. This is recommended to set for more reliable check (100 is good value).
--
-- @output

61
scripts/ldap-brute.nse
View File

@@ -1,10 +1,28 @@
description = [[
Performs password guessing against LDAP
This script makes attempts to brute force LDAP authentication. By default
it uses the builtin username and password lists to do so. In order to use your
own lists use the <code>userdb</code> and <code>passdb</code> script arguments.
This script does not make any attempt to prevent account lockout!
If the number of passwords in the dictionary exceed the amount of
allowed tries, accounts will be locked out. This usually happens
very quickly.
Authenticating against Active Directory using LDAP does not use the
Windows user name but the user accounts distinguished name. LDAP on Windows
2003 allows authentication using a simple user name rather than using the
fully distinguished name. E.g., "Patrik Karlsson" vs.
"cn=Patrik Karlsson,cn=Users,dc=cqure,dc=net"
This type of authentication is not supported on e.g. OpenLDAP.
This script uses some AD-specific support and optimizations:
* LDAP on Windows 2003 reports different error messages depending on whether an account exists or not. If the script recieves an error indicating that the username does not exist it simply stops guessing passwords for this account and moves on to the next.
* The script attempts to authenticate with the username only if no LDAP base is specified. The benefit of authenticating this way is that the LDAP path of each account does not need to be known in advance as it's looked up by the server.
]]
---
-- @usage
-- nmap -p 389 --script ldap-brute --script-args
-- nmap -p 389 --script ldap-brute --script-args \
-- ldap.base='"cn=users,dc=cqure,dc=net"' <host>
--
-- @output
@@ -15,44 +33,7 @@ Performs password guessing against LDAP
-- @args ldap.base If set, the script will use it as a base for the password
-- guessing attempts. If unset the user list must either contain the
-- distinguished name of each user or the server must support
-- authentication using a simple user name. See AD discussion below.
--
-- Additional information
-- ----------------------
-- This script makes attempts to brute force LDAP authentication. By default
-- it uses the builtin user- and password-list to do so. In order to use your
-- own lists use the userdb and passdb script arguments.
--
-- WARNING: This script does not make ANY attempt to prevent account lockout!
-- If the number of passwords in the dictionary exceed the amount of
-- allowed tries, accounts will be locked out. This usually happens
-- *VERY* quickly.
--
-- Active Directory and LDAP
-- -------------------------
-- Note: Authenticating against Active Directory using LDAP does not use the
-- Windows user name but the user accounts distinguished name. LDAP on Windows
-- 2003 allows authentication using a simple user name rather than using the
-- fully distinguished name. Eg:
-- - Patrik Karlsson vs. cn=Patrik Karlsson,cn=Users,dc=cqure,dc=net
-- This type of authentication is not supported on eg. OpenLDAP
--
-- This script uses some AD specific support and optimizations:
--
-- o LDAP on Windows 2003 reports different error messages depending on whether
-- an account exists or not. If the script recieves an error indicating that
-- the username does not exist it simply stops guessing passwords for this
-- account and moves on to the next.
--
-- o The script attempts to authenticate with the username only if no LDAP base
-- is specified. The benefit of authenticating this way is that the LDAP path
-- of each account does not need to be known in advance as it's looked up by
-- the server.
--
-- Credits
-- -------
-- o The get_random_string function was borrowed from the smb-psexec script.
--
-- authentication using a simple user name. See the AD discussion in the description.
author = "Patrik Karlsson"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

39
scripts/ldap-search.nse
View File

@@ -1,8 +1,23 @@
description = [[
Attempts to perform an LDAP search and returns all matches.
If no username and password is supplied to the script the Nmap registry
is consulted. If the <code>ldap-brute</code> script has been selected
and it found a valid account, this account will be used. If not
anonymous bind will be used as a last attempt.
]]
---
-- @args ldap.username If set, the script will attempt to perform an LDAP bind using the username and password
-- @args ldap.password If set, used together with the username to authenticate to the LDAP server
-- @args ldap.qfilter If set, specifies a quick filter. The library does not support parsing real LDAP filters.
-- The following values are valid for the filter parameter: computer, users or all. If no value is specified it defaults to all.
-- @args ldap.base If set, the script will use it as a base for the search. By default the defaultNamingContext is retrieved and used.
-- If no defaultNamingContext is available the script iterates over the available namingContexts
-- @args ldap.attrib If set, the search will include only the attributes specified. For a single attribute a string value can be used, if
-- multiple attributes need to be supplied a table should be used instead.
-- @args ldap.maxobjects If set, overrides the number of objects returned by the script (default 20).
-- The value -1 removes the limit completely.
-- @usage
-- nmap -p 389 --script ldap-search --script-args ldap.username="'cn=ldaptest,cn=users,dc=cqure,dc=net'",ldap.password=ldaptest,
-- ldap.qfilter=users,ldap.attrib=sAMAccountName <host>
@@ -28,30 +43,10 @@ Attempts to perform an LDAP search and returns all matches.
-- | sAMAccountName: VMABUSEXP008$
-- | dn: CN=ldaptest,CN=Users,DC=cqure,DC=net
-- |_ sAMAccountName: ldaptest
--
--
-- @args ldap.username If set, the script will attempt to perform an LDAP bind using the username and password
-- @args ldap.password If set, used together with the username to authenticate to the LDAP server
-- @args ldap.qfilter If set, specifies a quick filter. The library does not support parsing real LDAP filters.
-- The following values are valid for the filter parameter: computer, users or all. If no value is specified it defaults to all.
-- @args ldap.base If set, the script will use it as a base for the search. By default the defaultNamingContext is retrieved and used.
-- If no defaultNamingContext is available the script iterates over the available namingContexts
-- @args ldap.attrib If set, the search will include only the attributes specified. For a single attribute a string value can be used, if
-- multiple attributes need to be supplied a table should be used instead.
-- @args ldap.maxobjects If set, overrides the number of objects returned by the script (default 20).
-- The value -1 removes the limit completely.
--
--
-- Authentication
-- --------------
-- If no username and password is supplied to the script the Nmap registry is consulted.
-- If the ldap-brute script has been selected and it found a valid account, this account will be used.
-- If not anonymous bind will be used as a last attempt.
--
-- Credit
-- ------
-- o Martin Swende who provided me with the initial code that got me started writing this.
--
-- Version 0.4
-- Created 01/12/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
@@ -239,4 +234,4 @@ function action(host,port)
end
return output
end
end

15
scripts/lexmark-config.nse
View File

@@ -1,9 +1,14 @@
description = [[ Retrieve Lexmark S300-S400 Configuration ]]
description = [[
Retrieves configuration information from a Lexmark S300-S400 printer.
The Lexmark S302 responds to the NTPRequest version probe with its
configuration. The response decodes as mDNS, so the request was modified
to resemble an mDNS request as close as possible. However, the port
(9100/udp) is listed as something completely different (HBN3) in
documentation from Lexmark. See
http://www.lexmark.com/vgn/images/portal/Security%20Features%20of%20Lexmark%20MFPs%20v1_1.pdf.
]]
-- The Lexmark S302 was found to respond with it's configuration to the NTPRequest probe
-- As the response decodes as MDNS the request was modified to resemble a MDNS request as close as possible
-- However, the port (9100/udp) is listed as something completely different (HBN3) in documentation from Lexmark
-- http://www.lexmark.com/vgn/images/portal/Security%20Features%20of%20Lexmark%20MFPs%20v1_1.pdf
---
--@output

3
scripts/mongodb-databases.nse
View File

@@ -1,5 +1,5 @@
description = [[
Attempts to get tables from a MongoDB
Attempts to get a list of tables from a MongoDB database.
]]
---
@@ -28,6 +28,7 @@ Attempts to get tables from a MongoDB
-- | sizeOnDisk = 1
-- | name = admin
-- |_ totalSize = 167772160
-- version 0.1
-- Created 01/12/2010 - v0.1 - created by Martin Holst Swende <martin@swende.se>

3
scripts/mongodb-info.nse
View File

@@ -1,5 +1,5 @@
description = [[
Attempts to get build info and server status from a MongoDB
Attempts to get build info and server status from a MongoDB database.
]]
---
@@ -40,6 +40,7 @@ Attempts to get build info and server status from a MongoDB
-- | heap_usage_bytes = 117120
-- | note = fields vary by platform
-- |_ page_faults = 0
-- version 0.2
-- Created 01/12/2010 - v0.1 - created by Martin Holst Swende <martin@swende.se>

7
scripts/ms-sql-brute.nse
View File

@@ -1,5 +1,5 @@
description = [[
Performs password guessing against Microsoft SQL Server (mssql)
Performs password guessing against Microsoft SQL Server (ms-sql).
]]
author = "Patrik Karlsson"
@@ -12,16 +12,13 @@ require 'mssql'
require 'unpwdb'
---
--
-- @output
-- PORT STATE SERVICE
-- 1433/tcp open ms-sql-s
-- | mssql-brute:
-- | ms-sql-brute:
-- | webshop_reader:secret => Login Success
-- | testuser:secret1234 => Must change password at next logon
-- |_ lordvader:secret1234 => Login Success
--
--
-- Version 0.1
-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>

6
scripts/ms-sql-config.nse
View File

@@ -1,8 +1,6 @@
description = [[
Queries Microsoft SQL Server (MSSQL) for a list of:
* Databases
* Linked Servers
* Configuration settings
Queries Microsoft SQL Server (ms-sql) for a list of databases, linked
servers, and configuration settings.
]]
author = "Patrik Karlsson"

2
scripts/ms-sql-empty-password.nse
View File

@@ -15,7 +15,7 @@ require 'mssql'
-- @output
-- PORT STATE SERVICE
-- 1433/tcp open ms-sql-s
-- | mssql-empty-password:
-- | ms-sql-empty-password:
-- |_ sa:<empty> => Login Correct
--
--

29
scripts/ms-sql-hasdbaccess.nse
View File

@@ -1,5 +1,14 @@
description = [[
Queries Microsoft SQL Server (MSSQL) for a list of databases a user has access to.
Queries Microsoft SQL Server (ms-sql) for a list of databases a user has
access to.
The script needs an account with the sysadmin server role to work.
It needs to be fed credentials through the script arguments or from
the scripts <code>mssql-brute</code> or <code>mssql-empty-password</code>.
When run, the script iterates over the credentials and attempts to run
the command until either all credentials are exhausted or until the
command is executed.
]]
author = "Patrik Karlsson"
@@ -14,11 +23,11 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
---
-- @args mssql.username specifies the username to use to connect to
-- the server. This option overrides any accounts found by
-- the mssql-brute and mssql-empty-password scripts.
-- the <code>mssql-brute</code> and <code>mssql-empty-password</code> scripts.
--
-- @args mssql.password specifies the password to use to connect to
-- the server. This option overrides any accounts found by
-- the mssql-brute and mssql-empty-password scripts.
-- the <code>ms-sql-brute</code> and <code>ms-sql-empty-password</code> scripts.
--
-- @args mssql-hasdbaccess.limit limits the amount of databases per-user
-- that are returned (default 5). If set to zero or less all
@@ -27,7 +36,7 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
-- @output
-- PORT STATE SERVICE
-- 1433/tcp open ms-sql-s
-- | mssql-hasdbaccess:
-- | ms-sql-hasdbaccess:
-- | webshop_reader
-- | dbname owner
-- | hr sa
@@ -38,16 +47,6 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
-- | testdb CQURE-NET\Administr
-- |_ webshop sa
--
-- The script needs an account with the sysadmin server role to work.
-- It needs to be fed credentials through the script arguments or from
-- the scripts mssq-brute or mssq-empty-password.
--
-- When run, the script iterates over the credentials and attempts to run
-- the command until either all credentials are exhausted or until the
-- command is executed.
--
-- Version 0.1
-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
@@ -140,4 +139,4 @@ action = function( host, port )
return stdnse.format_output( true, output )
end
end

7
scripts/ms-sql-query.nse
View File

@@ -1,5 +1,5 @@
description = [[
Runs a Query against Microsoft SQL Server (MSSQL).
Runs a query against Microsoft SQL Server (ms-sql).
]]
author = "Patrik Karlsson"
@@ -17,17 +17,14 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
-- (default SELECT @@version version)
--
-- @output
--
-- PORT STATE SERVICE
-- 1433/tcp open ms-sql-s
-- | mssql-query:
-- | ms-sql-query:
-- |
-- | Microsoft SQL Server 2005 - 9.00.3068.00 (Intel X86)
-- | Feb 26 2008 18:15:01
-- | Copyright (c) 1988-2005 Microsoft Corporation
-- |_ Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
--
--
-- Version 0.1
-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>

40
scripts/ms-sql-tables.nse
View File

@@ -1,5 +1,19 @@
description = [[
Queries Microsoft SQL Server (MSSQL) for a list of tables per database.
Queries Microsoft SQL Server (ms-sql) for a list of tables per database.
The sysdatabase table should be accessible by more or less everyone
The script attempts to use the sa account over any other if it has
the password in the registry. If not the first account in the
registry is used.
Once we have a list of databases we iterate over it and attempt to extract
table names. In order for this to succeed we need to have either
sysadmin privileges or an account with access to the db. So, each
database we successfully enumerate tables from we mark as finished, then
iterate over known user accounts until either we have exhausted the users
or found all tables in all the databases.
Tables installed by default are excluded.
]]
author = "Patrik Karlsson"
@@ -15,11 +29,11 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
---
-- @args mssql.username specifies the username to use to connect to
-- the server. This option overrides any accounts found by
-- the mssql-brute and mssql-empty-password scripts.
-- the <code>ms-sql-brute</code> and <code>ms-sql-empty-password</code> scripts.
--
-- @args mssql.password specifies the password to use to connect to
-- the server. This option overrides any accounts found by
-- the mssql-brute and mssql-empty-password scripts.
-- the <code>ms-sql-brute</code> and <code>ms-sql-empty-password</code> scripts.
--
-- @args mssql-tables.maxdb Limits the amount of databases that are
-- processed and returned (default 5). If set to zero or less
@@ -34,7 +48,7 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
-- @output
-- PORT STATE SERVICE
-- 1433/tcp open ms-sql-s
-- | mssql-tables:
-- | ms-sql-tables:
-- | webshop
-- | table column type length
-- | payments user_id int 4
@@ -57,22 +71,6 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
-- | users username varchar 50
-- | users password varchar 50
-- |_ users fullname varchar 100
--
--
-- The sysdatabase table should be accessible by more or less everyone
-- The script attempts to use the sa account over some n00b if it has
-- the password in the registry. If not the first account in the
-- registry is used.
--
-- Once we have a list of DBs we iterate over it and attempt to extract
-- table names. In order for this to succeed we need to have either
-- sysadmin privileges or an account with access to the db. So, for each
-- db we successfully enumerate tables from we mark as finnished, we then
-- iterate over our know user accounts until either we exhausted our users
-- or we found all tables in all dbs.
--
-- Oh, and exclude all MS default dbs from this excercise.
--
-- Version 0.1
-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
@@ -248,4 +246,4 @@ action = function( host, port )
return output
end
end

29
scripts/ms-sql-xp-cmdshell.nse
View File

@@ -1,5 +1,15 @@
description = [[
Queries Microsoft SQL Server (MSSQL) for a list of tables per database.
Attempts to run a command using the command shell of Microsoft SQL
Server (ms-sql).
The script needs an account with the sysadmin server role to work.
It needs to be fed credentials through the script arguments or from
the scripts <code>ms-sql-brute</code> or
<code>ms-sql-empty-password</code>.
When run, the script iterates over the credentials and attempts to run
the command until either all credentials are exhausted or until the
command is executed.
]]
author = "Patrik Karlsson"
@@ -14,11 +24,11 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
---
-- @args mssql.username specifies the username to use to connect to
-- the server. This option overrides any accounts found by
-- the mssql-brute and mssql-empty-password scripts.
-- the <code>ms-sql-brute</code> and <code>ms-sql-empty-password</code> scripts.
--
-- @args mssql.password specifies the password to use to connect to
-- the server. This option overrides any accounts found by
-- the mssql-brute and mssql-empty-password scripts.
-- the <code>ms-sql-brute</code> and <code>ms-sql-empty-password</code> scripts.
--
-- @args mssql-xp-cmdshell.cmd specifies the OS command to run.
-- (default is ipconfig /all)
@@ -26,7 +36,7 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
-- @output
-- PORT STATE SERVICE
-- 1433/tcp open ms-sql-s
-- | mssql-xp-cmdshell:
-- | ms-sql-xp-cmdshell:
-- | Command: ipconfig /all; User: sa
-- | output
-- |
@@ -53,15 +63,6 @@ dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
-- | Lease Obtained. . . . . . . . . . : den 21 mars 2010 00:12:10
-- | Lease Expires . . . . . . . . . . : den 21 mars 2010 01:12:10
-- |_
--
-- The script needs an account with the sysadmin server role to work.
-- It needs to be fed credentials through the script arguments or from
-- the scripts mssq-brute or mssq-empty-password.
--
-- When run, the script iterates over the credentials and attempts to run
-- the command until either all credentials are exhausted or until the
-- command is executed.
--
-- Version 0.1
-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
@@ -143,4 +144,4 @@ action = function( host, port )
return output
end
end

3
scripts/smtp-open-relay.nse
View File

@@ -31,7 +31,7 @@ printed with the list of any combinations that were found prior to the error.
-- antispam)
-- @args smtp-open-relay.to Define the destination email address to be used (without the domain, default is
-- relaytest)
--
-- changelog
-- 2007-05-16 Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
-- + Added some strings to return in different places
@@ -63,7 +63,6 @@ printed with the list of any combinations that were found prior to the error.
-- * Minor comments changes
-- 2010-03-14 Duarte Silva <duarte.silva@myf00.net>
-- * Made the script a little more verbose
-----------------------------------------------------------------------
author = "Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"