diff --git a/scripts/broadcast-bjnp-discover.nse b/scripts/broadcast-bjnp-discover.nse index 9ad099fb9..d26f3109e 100644 --- a/scripts/broadcast-bjnp-discover.nse +++ b/scripts/broadcast-bjnp-discover.nse @@ -1,7 +1,7 @@ description = [[ -Attempts to discover Canon devices (Printers/Scanners) supporting the BJNP -protocol. Discovery is performed by sending BJNP Discover requests to the -network broadcast address for both ports associated with the protocol. +Attempts to discover Canon devices (Printers/Scanners) supporting the +BJNP protocol by sending BJNP Discover requests to the network +broadcast address for both ports associated with the protocol. The script then attempts to retrieve the model, version and some additional information for all discovered devices. diff --git a/scripts/broadcast-eigrp-discovery.nse b/scripts/broadcast-eigrp-discovery.nse index 9d6f78732..505e0611d 100644 --- a/scripts/broadcast-eigrp-discovery.nse +++ b/scripts/broadcast-eigrp-discovery.nse @@ -11,7 +11,8 @@ local coroutine = require "coroutine" local string = require "string" description = [[ -Network discovery and routing information gathering through Cisco's EIGRP. +Performs network discovery and routing information gathering through +Cisco's EIGRP protocol. The script works by sending an EIGRP Hello packet with the specified Autonomous System value to the 224.0.0.10 multicast address and listening for EIGRP Update diff --git a/scripts/dns-check-zone.nse b/scripts/dns-check-zone.nse index 4deab6db7..8cc835404 100644 --- a/scripts/dns-check-zone.nse +++ b/scripts/dns-check-zone.nse @@ -5,7 +5,7 @@ local ipOps = require "ipOps" description = [[ Checks DNS zone configuration against best practices, including RFC 1912. -The configuration checks are divided into categories that each have a number +The configuration checks are divided into categories which each have a number of different tests. ]] 
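Review bot: The new second line of the broadcast-eigrp-discovery description reads `Cisco's EIGRP protocol.`, which is redundant because the P in EIGRP already stands for Protocol; `Cisco's EIGRP.` or, spelled out once, `Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP).` avoids the doubling. In the dns-check-zone hunk on the same line, changing `that each have` to `which each have` turns a restrictive clause into a non-restrictive one without the comma that would normally go with it; the original `that` was the better choice and could be kept while the sentence is being touched.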
diff --git a/scripts/eppc-enum-processes.nse b/scripts/eppc-enum-processes.nse index 1dd47f4ec..80afac5b4 100644 --- a/scripts/eppc-enum-processes.nse +++ b/scripts/eppc-enum-processes.nse @@ -5,7 +5,7 @@ local stdnse = require('stdnse') local tab = require('tab') description = [[ -Attempt to enumerate process info over the Apple Remote Event protocol. +Attempts to enumerate process info over the Apple Remote Event protocol. When accessing an application over the Apple Remote Event protocol the service responds with the uid and pid of the application, if it is running, prior to requesting authentication. diff --git a/scripts/http-frontpage-login.nse b/scripts/http-frontpage-login.nse index e099febb9..06a187df1 100644 --- a/scripts/http-frontpage-login.nse +++ b/scripts/http-frontpage-login.nse @@ -7,7 +7,7 @@ local vulns = require "vulns" description = [[ -Check if target machines are vulnerable to anonymous Frontpage login. +Checks whether target machines are vulnerable to anonymous Frontpage login. Older, default configurations of Frontpage extensions allow remote user to login anonymously which may lead to server compromise. diff --git a/scripts/http-git.nse b/scripts/http-git.nse index 89d720df9..a9e5181ff 100644 --- a/scripts/http-git.nse +++ b/scripts/http-git.nse @@ -23,9 +23,7 @@ local stdnse = require("stdnse") local strbuf = require("strbuf") local string = require("string") local table = require("table") -description = [[ Checks for a Git repository found in a website's document root (GET /.git/ HTTP/1.1) -Gets as much information about the repository as possible, including language/framework, Github -username, last commit message, and repository description. +description = [[ Checks for a Git repository found in a website's document root (/.git/) then retrieves as much repo information as possible, including language/framework, Github username, last commit message, and repository description. ]] categories = { "safe", "vuln", "default" } 
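Review bot: The rewritten http-git.nse description is collapsed onto a single line of well over 200 characters, while most other descriptions in this commit (broadcast-bjnp-discover, ms-sql-dac, oracle-brute-stealth, smb-vuln-ms10-061) are rewrapped at roughly 72 columns; the http-rfi-spider and http-slowloris-check hunks on the next line, and the jdwp-inject and smb-print-text hunks further down, do the same. Suggest wrapping consistently, starting with `description = [[` on its own line followed by `Checks for a Git repository found in a website's document root (/.git/)` and continuing at the same width. The rest of this commit already treats line breaks inside these long-bracket strings as free, so wrapping here is consistent with it.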
diff --git a/scripts/http-rfi-spider.nse b/scripts/http-rfi-spider.nse index 68cc245f1..5f4171114 100644 --- a/scripts/http-rfi-spider.nse +++ b/scripts/http-rfi-spider.nse @@ -1,7 +1,5 @@ description = [[ -Crawls webservers in search of RFI vulnerabilities. -It tests every form field it finds and -every parameter of a URL containing a query. +Crawls webservers in search of RFI (remote file inclusion) vulnerabilities. It tests every form field it finds and every parameter of a URL containing a query. ]] --- diff --git a/scripts/http-sitemap-generator.nse b/scripts/http-sitemap-generator.nse index 4b2bdaf4d..e4b94f789 100644 --- a/scripts/http-sitemap-generator.nse +++ b/scripts/http-sitemap-generator.nse @@ -1,7 +1,8 @@ description = [[ -Spiders a web server and displays its directory structure along with number and types -of files in each folder. Note that files listed as having an 'Other' extension are ones -that have no extension or that are a root document. +Spiders a web server and displays its directory structure along with +number and types of files in each folder. Note that files listed as +having an 'Other' extension are ones that have no extension or that +are a root document. ]] --- diff --git a/scripts/http-slowloris-check.nse b/scripts/http-slowloris-check.nse index c0def6788..d8d57005b 100644 --- a/scripts/http-slowloris-check.nse +++ b/scripts/http-slowloris-check.nse @@ -9,7 +9,7 @@ local http = require "http" description = [[ -Tests a web server for vulnerability to the Slowloris DoS attack. +Tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack. Slowloris was described at Defcon 17 by RSnake (see http://ha.ckers.org/slowloris/). diff --git a/scripts/http-slowloris.nse b/scripts/http-slowloris.nse index 19ddfb5fb..08adf85f1 100644 --- a/scripts/http-slowloris.nse +++ b/scripts/http-slowloris.nse 
@@ -8,7 +8,7 @@ local http = require "http" local comm = require "comm" description = [[ -Tests a web server for vulnerability to the Slowloris DoS attack. +Tests a web server for vulnerability to the Slowloris DoS attack by launching a Slowlaris attack. Slowloris was described at Defcon 17 by RSnake (see http://ha.ckers.org/slowloris/). diff --git a/scripts/ipv6-ra-flood.nse b/scripts/ipv6-ra-flood.nse index 5a27c102e..24ac5a666 100644 --- a/scripts/ipv6-ra-flood.nse +++ b/scripts/ipv6-ra-flood.nse @@ -6,7 +6,7 @@ local string = require "string" local os = require "os" description = [[ Generates a flood of Router Adverisments (RA) with random source MAC addresses and IPv6 prefixes. Computers, which have stateless autoconfiguration enabled by default (every major OS), -will start to compute IPv6 suffix and update their routing table to reflect the accepted annoucement. This will cause 100% CPU usage, thus preventing to process other application requests. +will start to compute IPv6 suffix and update their routing table to reflect the accepted annoucement. This will cause 100% CPU usage on Windows and platforms, preventing to process other application requests. Vulnerable platforms: * All Cisco IOS ASA with firmware < November 2010 diff --git a/scripts/jdwp-exec.nse b/scripts/jdwp-exec.nse index 36e3ec0ee..c450ea262 100644 --- a/scripts/jdwp-exec.nse +++ b/scripts/jdwp-exec.nse 
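Review bot: The new description line in http-slowloris.nse misspells the attack name: `by launching a Slowlaris attack.` should read `by launching a Slowloris attack.`, matching the spelling in the very next sentence. Since the sentence already says `Slowloris DoS attack`, the clause could also be shortened to `by actually launching one.`, which mirrors the `without actually launching a DoS attack` wording added to http-slowloris-check on the previous line.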
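Review bot: The rewritten line in ipv6-ra-flood.nse comes out garbled: `This will cause 100% CPU usage on Windows and platforms, preventing to process other application requests.` is missing a word after `and`, and `preventing to process` is ungrammatical. I cannot tell from the hunk which platforms were intended, and the `Vulnerable platforms:` list that follows names Cisco IOS/ASA rather than Windows, so something like `on affected platforms, preventing them from processing other application requests.` is the safe wording until the author confirms the platform set. The same added line still carries the typo `annoucement` (announcement), and the unchanged line above it has `Adverisments` (Advertisements); both are worth fixing while the string is being edited.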
@@ -7,13 +7,11 @@ local shortport = require "shortport" local string = require "string" description = [[ -Script to exploit java's remote debugging port. - -When remote debugging port is left open, it is possible to inject -java bytecode and achieve remote code execution. - -Script abuses this to inject and execute Java class file that -executes the supplied shell command and returns its output. +Attempts to exploit java's remote debugging port. When remote debugging +port is left open, it is possible to inject java bytecode and achieve +remote code execution. This script abuses this to inject and execute +a Java class file that executes the supplied shell command and returns +its output. The script injects the JDWPSystemInfo class from nselib/jdwp-class/ and executes its run() method which diff --git a/scripts/jdwp-info.nse b/scripts/jdwp-info.nse index 7127ee310..627412d59 100644 --- a/scripts/jdwp-info.nse +++ b/scripts/jdwp-info.nse @@ -7,13 +7,10 @@ local shortport = require "shortport" local string = require "string" description = [[ -Script to exploit java's remote debugging port. - -When remote debugging port is left open, it is possible to inject -java bytecode and achieve remote code execution. - -Script abuses this to inject and execute Java class file that -returns remote system information. +Attempts to exploit java's remote debugging port. When remote +debugging port is left open, it is possible to inject java bytecode +and achieve remote code execution. This script injects and execute a +Java class file that returns remote system information. ]] author = "Aleksandar Nikolic" diff --git a/scripts/jdwp-inject.nse b/scripts/jdwp-inject.nse index e67ae91e7..5827130c8 100644 --- a/scripts/jdwp-inject.nse +++ b/scripts/jdwp-inject.nse 
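Review bot: The new wording in jdwp-info.nse has a verb agreement error: `This script injects and execute a` should be `This script injects and executes a`. Separately, `java's` is lowercase in the new first line of this hunk and of the jdwp-exec and jdwp-inject hunks; the proper noun is `Java's`, so the first line would read `Attempts to exploit Java's remote debugging port. When remote` (wrapping adjusted as needed).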
@@ -7,10 +7,7 @@ local shortport = require "shortport" local string = require "string" description = [[ -Script to exploit java's remote debugging port. - -When remote debugging port is left open, it is possible to inject -java bytecode and achieve remote code execution. +Attempts to exploit java's remote debugging port. When remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script allows injection of arbitrary class files. After injection, class' run() method is executed. Method run() has no parameters, and is expected to return a string. diff --git a/scripts/mcafee-epo-agent.nse b/scripts/mcafee-epo-agent.nse index b40cd0d39..6b5dd664b 100644 --- a/scripts/mcafee-epo-agent.nse +++ b/scripts/mcafee-epo-agent.nse @@ -9,7 +9,7 @@ -- 2012/06/20: new portrule by Daniel Miller description = [[ -Check if ePO agent is running on port 8081 or port identified as ePO Agent port +Check if ePO agent is running on port 8081 or port identified as ePO Agent port. ]] --- diff --git a/scripts/metasploit-msgrpc-brute.nse b/scripts/metasploit-msgrpc-brute.nse index fd755ae14..167305126 100644 --- a/scripts/metasploit-msgrpc-brute.nse +++ b/scripts/metasploit-msgrpc-brute.nse @@ -7,7 +7,7 @@ local bin = require "bin" local creds = require "creds" description = [[ -Performs brute force username and password guessing against +Performs brute force username and password auditing against Metasploit msgrpc interface. ]] diff --git a/scripts/ms-sql-dac.nse b/scripts/ms-sql-dac.nse index d92a62ff5..52030e8bd 100644 --- a/scripts/ms-sql-dac.nse +++ b/scripts/ms-sql-dac.nse 
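Review bot: The mcafee-epo-agent.nse hunk only adds a trailing period and leaves `Check if ePO agent is running`, while the rest of this commit normalizes descriptions to a third-person verb (`Checks whether`, `Tests whether`, `Attempts to`), so this one remains inconsistent after the change. Suggest `Checks whether the ePO agent is running on port 8081 or on the port identified as the ePO Agent port.` The jdwp-inject hunk on the same line also collapses its first paragraph onto one long line where the companion jdwp-exec and jdwp-info hunks wrap at about 72 columns.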
@@ -6,17 +6,21 @@ local string = require "string" local table = require "table" description = [[ -Queries the Microsoft SQL Browser service for the DAC (Dedicated Admin Connection) port -of a given, or all SQL Server instances. The DAC port is used to connect to the database -instance when normal connection attempts fail, for example, when server is hanging, out -of memory or in other bad states. In addition, the DAC port provides an admin with -access to system objects otherwise not accessible over normal connections. +Queries the Microsoft SQL Browser service for the DAC (Dedicated Admin +Connection) port of a given (or all) SQL Server instance. The DAC port +is used to connect to the database instance when normal connection +attempts fail, for example, when server is hanging, out of memory or +in other bad states. In addition, the DAC port provides an admin with +access to system objects otherwise not accessible over normal +connections. -The DAC feature is accessible on the loopback adapter per default, but can be activated -for remote access by setting the 'remote admin connection' configuration value to 1. In -some cases, when DAC has been remotely enabled but later disabled, the sql browser -service may incorrectly report it as available. The script therefore attempts to connect -to the reported port in order to verify whether it's accessible or not. +The DAC feature is accessible on the loopback adapter per default, but +can be activated for remote access by setting the 'remote admin +connection' configuration value to 1. In some cases, when DAC has been +remotely enabled but later disabled, the sql browser service may +incorrectly report it as available. The script therefore attempts to +connect to the reported port in order to verify whether it's +accessible or not. ]] --- diff --git a/scripts/msrpc-enum.nse b/scripts/msrpc-enum.nse index 1263ec37f..721deb88f 100644 --- a/scripts/msrpc-enum.nse +++ b/scripts/msrpc-enum.nse 
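Review bot: In the rewrapped first paragraph of ms-sql-dac.nse, `of a given (or all) SQL Server instance.` mixes singular and plural; `of a given SQL Server instance, or of all instances.` reads cleanly. Two further nits in lines this hunk rewrites: `per default` should be `by default`, and `the sql browser service` should match the capitalization of the first sentence, `the SQL Browser service`. The hunk otherwise only rewraps existing text.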
@@ -5,7 +5,7 @@ local stdnse = require "stdnse" local table = require "table" description = [[ -Script queries MSRPC endpoint mapper for a list of mapped +Queries an MSRPC endpoint mapper for a list of mapped services and displays the gathered information. As it is using smb library, you can specify optional diff --git a/scripts/mysql-dump-hashes.nse b/scripts/mysql-dump-hashes.nse index 959ad85a7..25b8b3148 100644 --- a/scripts/mysql-dump-hashes.nse +++ b/scripts/mysql-dump-hashes.nse @@ -5,8 +5,7 @@ local stdnse = require "stdnse" description = [[ Dumps the password hashes from an MySQL server in a format suitable for -cracking by tools such as John-the-ripper. In order to do so the user -needs to have the appropriate DB privileges (root). +cracking by tools such as John the Ripper. Appropriate DB privileges (root) are required. The username and password arguments take precedence over credentials discovered by the mysql-brute and mysql-empty-password diff --git a/scripts/mysql-vuln-cve2012-2122.nse b/scripts/mysql-vuln-cve2012-2122.nse index 5dbc444b8..e0b484cad 100644 --- a/scripts/mysql-vuln-cve2012-2122.nse +++ b/scripts/mysql-vuln-cve2012-2122.nse 
@@ -1,19 +1,25 @@ description = [[ -Attempts to bypass authentication in MySQL and MariaDB servers by exploiting CVE2012-2122. If its vulnerable, it will also attempt to dump the MySQL usernames and password hashes. All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are -vulnerable but depending if memcmp() returns an arbitrary integer outside of -128..127 range. -"When a user connects to MariaDB/MySQL, a token (SHA -over a password and a random scramble string) is calculated and compared -with the expected value. Because of incorrect casting, it might've -happened that the token and the expected value were considered equal, -even if the memcmp() returned a non-zero value. In this case -MySQL/MariaDB would think that the password is correct, even while it is -not. Because the protocol uses random strings, the probability of -hitting this bug is about 1/256. -Which means, if one knows a user name to connect (and "root" almost -always exists), she can connect using *any* password by repeating -connection attempts. ~300 attempts takes only a fraction of second, so -basically account password protection is as good as nonexistent." +Attempts to bypass authentication in MySQL and MariaDB servers by +exploiting CVE2012-2122. If its vulnerable, it will also attempt to +dump the MySQL usernames and password hashes. + +All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are +vulnerable but exploitation depends on whether memcmp() returns an +arbitrary integer outside of -128..127 range. + +"When a user connects to MariaDB/MySQL, a token (SHA over a password +and a random scramble string) is calculated and compared with the +expected value. Because of incorrect casting, it might've happened +that the token and the expected value were considered equal, even if +the memcmp() returned a non-zero value. In this case MySQL/MariaDB +would think that the password is correct, even while it is not. 
+Because the protocol uses random strings, the probability of hitting +this bug is about 1/256. Which means, if one knows a user name to +connect (and "root" almost always exists), she can connect using *any* +password by repeating connection attempts. ~300 attempts takes only a +fraction of second, so basically account password protection is as +good as nonexistent." Original public advisory: * http://seclists.org/oss-sec/2012/q2/493 diff --git a/scripts/oracle-brute-stealth.nse b/scripts/oracle-brute-stealth.nse index 7ce38cc6c..9d186cc5c 100644 --- a/scripts/oracle-brute-stealth.nse +++ b/scripts/oracle-brute-stealth.nse @@ -12,11 +12,14 @@ local unpwdb = require "unpwdb" local openssl = stdnse.silent_require "openssl" description = [[ -Exploits the CVE-2012-3137 vulnerability, a weaknes in Oracle's O5LOGIN authentication scheme. -The vulnerability exists in Oracle 11g R1,R2 and allows linking the session key to a password hash. -When initiating an authentication attempt as a valid user the server will respond with a session key and salt. -Once received the script will disconnect the connection thereby not recording the login attempt. -The session key and salt can then be used to brute force the users password. +Exploits the CVE-2012-3137 vulnerability, a weaknes in Oracle's +O5LOGIN authentication scheme. The vulnerability exists in Oracle 11g +R1/R2 and allows linking the session key to a password hash. When +initiating an authentication attempt as a valid user the server will +respond with a session key and salt. Once received the script will +disconnect the connection thereby not recording the login attempt. +The session key and salt can then be used to brute force the users +password. ]] --- diff --git a/scripts/rdp-enum-encryption.nse b/scripts/rdp-enum-encryption.nse index 405174084..512923210 100644 --- a/scripts/rdp-enum-encryption.nse +++ b/scripts/rdp-enum-encryption.nse 
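Review bot: The rewritten opening of mysql-vuln-cve2012-2122.nse keeps two errors from the old text: `If its vulnerable` should be `If it's vulnerable` (or `If the server is vulnerable`), and `CVE2012-2122` is missing its hyphen; the standard form, and the one the script's own filename encodes, is `CVE-2012-2122`. Suggested first two lines: `Attempts to bypass authentication in MySQL and MariaDB servers by` / `exploiting CVE-2012-2122. If the server is vulnerable, the script also`, with the following line rewrapped to match. The quoted advisory paragraph is third-party text and is best left exactly as quoted.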
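Review bot: The rewrapped first line of oracle-brute-stealth.nse still carries the typo `a weaknes in Oracle's`, which should be `a weakness in Oracle's`, and the rewrapped last lines have `the users password` where `the user's password` is meant. Both lines are rewritten in this hunk, so fixing them here costs nothing: `Exploits the CVE-2012-3137 vulnerability, a weakness in Oracle's` and `The session key and salt can then be used to brute force the user's`.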
@@ -1,5 +1,5 @@ description = [[ -Determines what Security layer and Encryption level that is supported by the +Determines which Security layer and Encryption level is supported by the RDP service. It does so by cycling through all existing protocols and ciphers. When run in debug mode, the script also returns the protocols and ciphers that fail and any errors that were reported. diff --git a/scripts/rmi-vuln-classloader.nse b/scripts/rmi-vuln-classloader.nse index 449a0dd51..60ac91ab4 100644 --- a/scripts/rmi-vuln-classloader.nse +++ b/scripts/rmi-vuln-classloader.nse @@ -6,11 +6,11 @@ local string = require "string" local vulns = require "vulns" description = [[ -Checks if rmiregistry allows class loading. +Tests whether Java rmiregistry allows class loading. The default +configuration of rmiregistry allows loading classes from remote URLs, +which can lead to remote code execution. The vendor (Oracle/Sun) +classifies this as a design feature. -The default configuration of rmiregistry allows loading classes from remote -URLs which can lead to remote code execution. This is considered as "by -design". Based on original Metasploit module by mihi. diff --git a/scripts/sip-call-spoof.nse b/scripts/sip-call-spoof.nse index a2375a9a8..10e32a681 100644 --- a/scripts/sip-call-spoof.nse +++ b/scripts/sip-call-spoof.nse @@ -5,7 +5,7 @@ local stdnse = require "stdnse" local table = require "table" description = [[ -Spoofs a call to a SIP phone and detects the action taken by the target. +Spoofs a call to a SIP phone and detects the action taken by the target (busy, declined, hung up, etc.) This works by sending a fake sip invite request to the target phone and checking the responses. A response with status code 180 means that the phone is ringing. diff --git a/scripts/sip-methods.nse b/scripts/sip-methods.nse index cbb95fa5d..2885f9b7f 100644 --- a/scripts/sip-methods.nse +++ b/scripts/sip-methods.nse 
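Review bot: The new first sentence of sip-call-spoof.nse ends on the parenthetical `(busy, declined, hung up, etc.)` with no terminating period before the next sentence `This works by sending…`; it should be `(busy, declined, hung up, etc.).` The same thing happens in the sip-methods hunk on the next line with `(INVITE, OPTIONS, SUBSCRIBE, etc.)`. Both new sentences also exceed the roughly 72-column wrap the rest of this commit moves to.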
@@ -5,7 +5,7 @@ local stdnse = require "stdnse" local table = require "table" description = [[ -Enumerates a SIP Server's allowed methods. +Enumerates a SIP Server's allowed methods (INVITE, OPTIONS, SUBSCRIBE, etc.) The script works by sending an OPTION request to the server and checking for the value of the Allow header in the response. diff --git a/scripts/smb-ls.nse b/scripts/smb-ls.nse index 4a7d90e39..e7c556711 100644 --- a/scripts/smb-ls.nse +++ b/scripts/smb-ls.nse @@ -7,7 +7,7 @@ local openssl= stdnse.silent_require 'openssl' description = [[ Attempts to retrieve useful information about files shared on SMB volumes. -The output is intended to resemble the output of ls. +The output is intended to resemble the output of the UNIX ls command. ]] --- diff --git a/scripts/smb-print-text.nse b/scripts/smb-print-text.nse index 2be2d345e..c52ee3c92 100644 --- a/scripts/smb-print-text.nse +++ b/scripts/smb-print-text.nse @@ -6,8 +6,7 @@ local string = require "string" local stdnse = require "stdnse" description = [[ -Script calls Print Spooler Service RPC functions to a shared printer -to make it print text. +Attempts to print text on a shared printer by calling Print Spooler Service RPC functions. In order to use the script, at least one printer needs to be shared over SMB. If no printer is specified, script tries to enumerate existing diff --git a/scripts/smb-vuln-ms10-054.nse b/scripts/smb-vuln-ms10-054.nse index 79d06bed6..cfbd03daa 100644 --- a/scripts/smb-vuln-ms10-054.nse +++ b/scripts/smb-vuln-ms10-054.nse @@ -6,7 +6,7 @@ local vulns = require "vulns" local stdnse = require "stdnse" description = [[ -Checks if target machines are vulnerable to the ms10-054 SMB remote memory +Tests whether target machines are vulnerable to the ms10-054 SMB remote memory corruption vulnerability. The vulnerable machine will crash with BSOD. diff --git a/scripts/smb-vuln-ms10-061.nse b/scripts/smb-vuln-ms10-061.nse index ab8e70a0a..5820e9ceb 100644 
--- a/scripts/smb-vuln-ms10-061.nse +++ b/scripts/smb-vuln-ms10-061.nse @@ -6,17 +6,19 @@ local vulns = require "vulns" local stdnse = require "stdnse" description = [[ -Checks if target machines are vulnerable to ms10-061 Printer Spooler impersonation vulnerability. +Tests whether target machines are vulnerable to ms10-061 Printer Spooler impersonation vulnerability. -This vulnerability was used in Stuxnet worm. -The script checks for the vuln in a safe way without a possibility of crashing the remote system -as this is not a memory corruption vulnerability. -In order for the check to work it needs access to at least one shared printer on the remote system. -By default it tries to enumerate printers by using LANMAN API which on some systems is not -available by default. In that case user should specify printer share name as printer script argument. -To find a printer share, smb-enum-shares can be used. -Also, on some systems, accessing shares requires valid credentials which can be specified with -smb library arguments smbuser and smbpassword. +This vulnerability was used in Stuxnet worm. The script checks for +the vuln in a safe way without a possibility of crashing the remote +system as this is not a memory corruption vulnerability. In order for +the check to work it needs access to at least one shared printer on +the remote system. By default it tries to enumerate printers by using +LANMAN API which on some systems is not available by default. In that +case user should specify printer share name as printer script +argument. To find a printer share, smb-enum-shares can be used. +Also, on some systems, accessing shares requires valid credentials +which can be specified with smb library arguments smbuser and +smbpassword. References: - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2729 diff --git a/scripts/ssl-date.nse b/scripts/ssl-date.nse index 58d87a989..37bf90875 100644 --- a/scripts/ssl-date.nse +++ b/scripts/ssl-date.nse 
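Review bot: The rewritten first line of smb-vuln-ms10-061.nse keeps `vulnerable to ms10-061 Printer Spooler impersonation vulnerability` without an article and stays as one long line while the paragraph below it is rewrapped; `Tests whether target machines are vulnerable to the ms10-061 Printer Spooler` / `impersonation vulnerability.` reads better and matches the wrap width. Within the rewrapped paragraph, `was used in Stuxnet worm` wants `the Stuxnet worm`, and `user should specify printer share name as printer script argument` wants `the user should specify the printer share name as the printer script argument`.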
@@ -8,7 +8,7 @@ local string = require "string" local sslcert = require "sslcert" description = [[ -Gets the remote host's time from its TLS ServerHello response. +Retrieves a target host's time and date from its TLS ServerHello response. In many TLS implementations, the first four bytes of server randomness