scripts are:
- ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL
- ms-sql-config retrieves various configuration details from the server
- ms-sql-empty-password checks if the sa account has an empty password
- ms-sql-hasdbaccess lists database access per user
- ms-sql-query add support for running custom queries against the database
- ms-sql-tables lists databases, tables, columns and datatypes with optional
keyword filtering
- ms-sql-xp-cmdshell adds support for OS command execution to privileged
users
[Patrik]
Andrew Orr, reworked by Patrik Karlsson and David Fifield.
Among other things, this function gets the servers hostname, IPv4 and
IPv6 addresses, and potentially hardware type.
authentication support. Updated the afp-showmount script and added two new
scripts:
- afp-brute attempts to guess passwords against the AFP service
- afp-path-vuln detects the AFP directory traversal vulnerability
CVE-2010-0533
[Patrik]
usernames and passwords iterators. This will prevent brute force
scripts from running for a long time when a service is slow. These
new script arguments control the limits:
unpwdb.userlimit Limit on number of usernames.
unpwdb.passlimit Limit on number of passwords.
unpwdb.timelimit Time limit in seconds.
Pass 0 for any of these limits to disable it. [David]
nfs-showmount scripts to use the new library. The new scripts are:
- nfs-acls shows the owner and directory mode of NFS exports
- nfs-dirlist lists the contents of NFS exports
- nfs-statfs shows file system statistics for NFS exports
[Patrik]
faithwriters, hotmail, myspace, phpbb, and rockyou. I kept the output at
200 lines for now until we have more comprehensive limits on the unpwdb
module.
The only password that didn't come straight out of the databases was the
empty password. I added it manually at the top. The previous version of
passwords.lst had it too.
entries:
o [NSE] Raw packet sending at the IP layer is now supported, in addition to
the Ethernet sending functionality. Packets to send start with an IPv4
header and can be sent to arbitrary hosts. [Kris]
o [NSE] Added the ipidseq script to classify a host's IP ID sequence numbers
in the same way Nmap does. This can be used to test hosts' suitability for
Nmap's Idle Scan (-sI), i.e. check if a host is an idle zombie. This is
the first script to use the new raw IP sending functionality in NSE. [Kris]
o [NSE] Added the function nmap.is_privileged() to tell a script if, as far
as Nmap's concerned, it can do privileged operations. For instance, this
can be used to see if a script should be able to open a raw socket or
Ethernet interface. [Kris]
o [NSE] Added the function nmap.get_ports() to allow a script to iterate
over a host's port tables matching a certain protocol and state. [Kris,
Patrick]
buildGet/buildRequest with a one-step build_request. Provide a new
function generic_request that can do a request for any given method
(get, head, and post are now defined in terms of this function).
options table, in http functions. It was unreasonable that this
yet-unused feature was given a more prominent place than even the header
and request body, both of which are in the options table.
This change doesn't affect any other scripts or libraries because none
of them use cookies. In the cases, like http.get, where cookies was an
optional final parameter, I just removed it. Where it was not the final
parameter, as in http.post and http.pGet, I left the parameter in place
but documented that it is ignored for backwards compatibility.
make use of it. Added 5 scripts that use the new libraries:
- snmp-netstat shows listening and connected sockets
- snmp-processes shows process information including name, pid, path and
parameters
- snmp-win32-services shows the names of running Windows services
- snmp-win32-shares shows the names and path of Windows shares
- snmp-win32-software shows a list of installed Windows software
- snmp-win32-users shows a list of local Windows users
the script indicating where to download it if it is not available. Make
the script check whether the file is the normal binary from 5.20 or
before, or the XOR-encoded binary from 5.21.
it was returning an empty string, causing blank output entries for
scripts with no output:
80/tcp open http
|_citrix-enum-apps-xml:
|_citrix-enum-servers-xml:
| http-headers:
| Date: Sun, 31 Jan 2010 19:28:13 GMT
| Server: Apache/2.2.3 (CentOS)
| Accept-Ranges: bytes
| Content-Length: 739
| Connection: close
| Content-Type: text/html; charset=UTF-8
|
|_ (Request type: HEAD)
|_http-date: Sun, 31 Jan 2010 19:28:14 GMT; +1s from local time.
|_html-title: Go ahead and ScanMe!
Holst Swende. mongodb-info gets information like the version number,
memory use, and operating system. mongodb-databases lists the
databases and their size on disk.
