Vuln Category

afp-path-vuln: Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.

broadcast-avahi-dos: Attempts to discover hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is vulnerable to the Avahi NULL UDP packet denial of service (CVE-2011-1002).

clamav-exec: Exploits ClamAV servers vulnerable to unauthenticated clamav command execution.

distcc-cve2004-2687: Detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. The vulnerability was disclosed in 2002, but is still present in modern implementations due to poor configuration of the service.

dns-update: Attempts to perform a dynamic DNS update without authentication.

firewall-bypass: Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as FTP and SIP.

ftp-libopie: Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow).

ftp-proftpd-backdoor: Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.

ftp-vsftpd-backdoor: Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.

ftp-vuln-cve2010-4221: Checks for a stack-based buffer overflow in the ProFTPD server, versions between 1.3.2rc3 and 1.3.3b. By sending a large number of TELNET_IAC escape sequences, the proftpd process miscalculates the buffer length, and a remote attacker is able to corrupt the stack and execute arbitrary code within the context of the proftpd process (CVE-2010-4221). Authentication is not required to exploit this vulnerability.

http-adobe-coldfusion-apsa1301: Attempts to exploit an authentication bypass vulnerability in Adobe ColdFusion servers to retrieve a valid administrator's session cookie.

http-aspnet-debug: Determines if an ASP.NET application has debugging enabled using an HTTP DEBUG request.

http-avaya-ipoffice-users: Attempts to enumerate users in Avaya IP Office systems 7.x.

http-awstatstotals-exec: Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE-2008-3922).

http-axis2-dir-traversal: Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service '/conf/axis2.xml' using the path '/axis2/services/' to return the username and password of the admin account.

http-cookie-flags: Examines cookies set by HTTP services. Reports any session cookies set without the httponly flag, and any session cookies set over SSL without the secure flag. If http-enum.nse is also run, any interesting paths found by it will be checked in addition to the root.

http-cross-domain-policy: Checks the cross-domain policy file (/crossdomain.xml) and the client-access-policy file (/clientaccesspolicy.xml) in web applications and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery attacks and may allow attackers to access sensitive data. This script is useful to detect permissive configurations and possible domain names available for purchase to exploit the application.

http-csrf: This script detects Cross Site Request Forgery (CSRF) vulnerabilities.

http-dlink-backdoor: Detects a firmware backdoor on some D-Link routers by changing the User-Agent to a "secret" value. Using the "secret" User-Agent bypasses authentication and allows admin access to the router.

http-dombased-xss: Looks for places where attacker-controlled information in the DOM may be used to affect JavaScript execution in certain ways. The attack is explained here: http://www.webappsec.org/projects/articles/071105.shtml

http-enum: Enumerates directories used by popular web applications and servers.

http-fileupload-exploiter: Exploits insecure file upload forms in web applications using various techniques like changing the Content-type header or creating valid image files containing the payload in the comment.

http-frontpage-login: Checks whether target machines are vulnerable to anonymous Frontpage login.

http-git: Checks for a Git repository found in a website's document root (/.git/<something>) and retrieves as much repo information as possible, including language/framework, remotes, last commit message, and repository description.

http-huawei-hg5xx-vuln: Detects Huawei modem models HG530x, HG520x, HG510x (and possibly others) vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values.

http-iis-webdav-vuln: Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, https://nmap.org/r/ms09-020.

http-internal-ip-disclosure: Determines if the web server leaks its internal IP address when sending an HTTP/1.0 request without a Host header.

http-jsonp-detection: Attempts to discover JSONP endpoints in web servers. JSONP endpoints can be used to bypass Same-origin Policy restrictions in web browsers.

http-litespeed-sourcecode-download: Exploits a null-byte poisoning vulnerability in LiteSpeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending an HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).

http-majordomo2-dir-traversal: Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files (CVE-2011-0049).

http-method-tamper: Attempts to bypass password-protected resources (HTTP 401 status) by performing HTTP verb tampering. If an array of paths to check is not set, it will crawl the web server and perform the check against any password-protected resource that it finds.

http-passwd: Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.

http-phpmyadmin-dir-traversal: Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to retrieve remote files on the web server.

http-phpself-xss: Crawls a web server and attempts to find PHP files vulnerable to reflected cross-site scripting via the variable $_SERVER["PHP_SELF"].

http-shellshock: Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications.

http-slowloris-check: Tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack.

http-sql-injection: Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. It also extracts forms from found websites and tries to identify fields that are vulnerable.

http-stored-xss: Reports an unfiltered '>' (greater-than sign) in stored content, an indication of a potential XSS vulnerability.

http-tplink-dir-traversal: Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication.

http-trace: Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug is enabled, it returns the header fields that were modified in the response.

http-vmware-path-vuln: Checks for a path-traversal vulnerability in VMware ESX, ESXi, and Server (CVE-2009-3733).

http-vuln-cve2006-3392: Exploits a file disclosure vulnerability in Webmin (CVE-2006-3392).

http-vuln-cve2009-3960: Exploits CVE-2009-3960, also known as Adobe XML External Entity Injection.

http-vuln-cve2010-0738: Tests whether a JBoss target is vulnerable to JMX console authentication bypass (CVE-2010-0738).

http-vuln-cve2010-2861: Executes a directory traversal attack against a ColdFusion server and tries to grab the password hash for the administrator user. It then uses the salt value (hidden in the web page) to create the SHA1 HMAC hash that the web server needs for authentication as admin. This value can be passed to the ColdFusion server as the admin without cracking the password hash.

http-vuln-cve2011-3192: Detects a denial of service vulnerability in the way the Apache web server handles requests for multiple overlapping/simple ranges of a page.

http-vuln-cve2011-3368: Tests for the CVE-2011-3368 (Reverse Proxy Bypass) vulnerability in Apache HTTP server's reverse proxy mode. The script runs 3 tests:

1. the loopback test, with 3 payloads to handle different rewrite rules;
2. the internal hosts test (according to Contextis, a delay is expected before a server error);
3. the external website test. This does not mean that you can reach a LAN IP, but it is a relevant issue anyway.

http-vuln-cve2012-1823: Detects PHP-CGI installations that are vulnerable to CVE-2012-1823. This critical vulnerability allows attackers to retrieve source code and execute code remotely.

http-vuln-cve2013-0156: Detects Ruby on Rails servers vulnerable to object injection, remote command execution and denial of service attacks (CVE-2013-0156).

http-vuln-cve2013-6786: Detects a URL redirection and reflected XSS vulnerability in the Allegro RomPager web server. The vulnerability has been assigned CVE-2013-6786.

http-vuln-cve2013-7091: A 0-day was released on 6 December 2013 by rubina119, and was patched in Zimbra 7.2.6.

http-vuln-cve2014-2126: Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA ASDM Privilege Escalation Vulnerability (CVE-2014-2126).

http-vuln-cve2014-2127: Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Privilege Escalation Vulnerability (CVE-2014-2127).

http-vuln-cve2014-2128: Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability (CVE-2014-2128).

http-vuln-cve2014-2129: Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SIP Denial of Service Vulnerability (CVE-2014-2129).

http-vuln-cve2014-3704: Exploits CVE-2014-3704, also known as 'Drupageddon', in Drupal. Versions < 7.32 of Drupal core are known to be affected.

http-vuln-cve2014-8877: Exploits a remote code injection vulnerability (CVE-2014-8877) in the WordPress CM Download Manager plugin. Versions <= 2.0.0 are known to be affected.

http-vuln-cve2015-1427: This script attempts to detect a vulnerability, CVE-2015-1427, which allows attackers to leverage features of the Elasticsearch scripting API to gain unauthenticated remote code execution (RCE).

http-vuln-cve2015-1635: Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE-2015-1635).

http-vuln-cve2017-1001000: Attempts to detect a privilege escalation vulnerability in WordPress 4.7.0 and 4.7.1 that allows unauthenticated users to inject content in posts.

http-vuln-cve2017-5638: Detects whether the specified URL is vulnerable to the Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638).

http-vuln-cve2017-5689: Detects if a system with Intel Active Management Technology is vulnerable to the INTEL-SA-00075 privilege escalation vulnerability (CVE-2017-5689).

http-vuln-cve2017-8917: An SQL injection vulnerability affecting Joomla! 3.7.x before 3.7.1 allows unauthenticated users to execute arbitrary SQL commands. This vulnerability was caused by a new component, com_fields, which was introduced in version 3.7. This component is publicly accessible, which means it can be exploited by any malicious individual visiting the site.

http-vuln-misfortune-cookie: Detects the RomPager 4.07 Misfortune Cookie vulnerability by safely exploiting it.

http-vuln-wnr1000-creds: A vulnerability has been discovered in the WNR1000 series that allows an attacker to retrieve administrator credentials through the router interface. Tested on firmware versions V1.0.2.60_60.0.86 (latest) and V1.0.2.54_60.0.82NA.

http-wordpress-users: Enumerates usernames in WordPress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.

ipmi-cipher-zero: IPMI 2.0 Cipher Zero Authentication Bypass Scanner. This module identifies IPMI 2.0 compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero.

irc-botnet-channels: Checks an IRC server for channels that are commonly used by malicious botnets.

irc-unrealircd-backdoor: Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.

mysql-vuln-cve2012-2122:

netbus-auth-bypass: Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password.

puppet-naivesigning: Detects if naive signing is enabled on a Puppet server. This enables attackers to create any Certificate Signing Request and have it signed, allowing them to impersonate a Puppet agent. This can leak the configuration of the agents as well as any other sensitive information found in the configuration files.

qconn-exec: Attempts to identify whether a listening QNX QCONN daemon allows unauthenticated users to execute arbitrary operating system commands.

rdp-vuln-ms12-020: Checks if a machine is vulnerable to the MS12-020 RDP vulnerability.

realvnc-auth-bypass: Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).

rmi-vuln-classloader: Tests whether Java rmiregistry allows class loading. The default configuration of rmiregistry allows loading classes from remote URLs, which can lead to remote code execution. The vendor (Oracle/Sun) classifies this as a design feature.

rsa-vuln-roca: Detects RSA keys vulnerable to Return Of Coppersmith Attack (ROCA) factorization.

samba-vuln-cve-2012-1182: Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182.

smb-double-pulsar-backdoor: Checks if the target machine is running the DoublePulsar SMB backdoor.

smb-vuln-conficker: Detects Microsoft Windows systems infected by the Conficker worm. This check is dangerous and it may crash systems.

smb-vuln-cve-2017-7494: Checks if target machines are vulnerable to the arbitrary shared library load vulnerability CVE-2017-7494.

smb-vuln-cve2009-3103: Detects Microsoft Windows systems vulnerable to denial of service (CVE-2009-3103). This script will crash the service if it is vulnerable.

smb-vuln-ms06-025: Detects Microsoft Windows systems with the RAS RPC service vulnerable to MS06-025.

smb-vuln-ms07-029: Detects Microsoft Windows systems with DNS Server RPC vulnerable to MS07-029.

smb-vuln-ms08-067: Detects Microsoft Windows systems vulnerable to the remote code execution vulnerability known as MS08-067. This check is dangerous and it may crash systems.

smb-vuln-ms10-054: Tests whether target machines are vulnerable to the MS10-054 SMB remote memory corruption vulnerability.

smb-vuln-ms10-061: Tests whether target machines are vulnerable to the MS10-061 Print Spooler impersonation vulnerability.

smb-vuln-ms17-010: Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (MS17-010, a.k.a. EternalBlue). The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware.

smb-vuln-regsvc-dos: Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer dereference. This check will crash the service if it is vulnerable and requires a guest account or higher to work.

smb2-vuln-uptime: Attempts to detect missing patches in Windows systems by checking the uptime returned during the SMB2 protocol negotiation.

smtp-vuln-cve2010-4344: Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345).

smtp-vuln-cve2011-1720: Checks for a memory corruption in the Postfix SMTP server when it uses Cyrus SASL library authentication mechanisms (CVE-2011-1720). This vulnerability can allow denial of service and possibly remote code execution.

smtp-vuln-cve2011-1764: Checks for a format string vulnerability in the Exim SMTP server (versions 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support (CVE-2011-1764). The DKIM logging mechanism did not use format string specifiers when logging some parts of the DKIM-Signature header field. A remote attacker who is able to send emails can exploit this vulnerability and execute arbitrary code with the privileges of the Exim daemon.

ssl-ccs-injection: Detects whether a server is vulnerable to the SSL/TLS "CCS Injection" vulnerability (CVE-2014-0224), first discovered by Masashi Kikuchi. The script is based on the ccsinjection.c code authored by Ramon de C Valle (https://gist.github.com/rcvalle/71f4b027d61a78c42607).

ssl-cert-intaddr: Reports any private (RFC1918) IPv4 addresses found in the various fields of an SSL service's certificate. These will only be reported if the target address itself is not private. Nmap v7.30 or later is required.

ssl-dh-params: Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services.

ssl-heartbleed: Detects whether a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160). The code is based on the Python script ssltest.py authored by Jared Stafford (jspenguin@jspenguin.org).

ssl-known-key: Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys.

ssl-poodle: Checks whether SSLv3 CBC ciphers are allowed (POODLE).

sslv2-drown: Determines whether the server supports SSLv2 and which ciphers it supports, and tests for CVE-2015-3197, CVE-2016-0703 and CVE-2016-0800 (DROWN).

supermicro-ipmi-conf: Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro Onboard IPMI controllers.

tls-ticketbleed: Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244).

wdb-version: Detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents.

DoS NSE Scripts

1. broadcast-avahi-dos: Attempts to discover hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is vulnerable to the Avahi NULL UDP packet denial of service.
2. http-slowloris: Tests a web server for vulnerability to the Slowloris DoS attack by launching a Slowloris attack.
3. ipv6-ra-flood: Generates a flood of Router Advertisements (RA) with random source MAC addresses and IPv6 prefixes. This will cause 100% CPU usage on Windows and other platforms, preventing them from processing other application requests.
4. smb-flood: Exhausts a remote SMB server's connection limit by opening as many connections as we can. This script exploits that limit by taking up all the connections and holding them.
5. smb-vuln-conficker: Detects Microsoft Windows systems infected by the Conficker worm. This check is dangerous and it may crash systems.
6. smb-vuln-cve2009-3103: Detects Microsoft Windows systems vulnerable to denial of service. This script will crash the service if it is vulnerable.
7. smb-vuln-ms06-025: Detects Microsoft Windows systems with the RAS RPC service vulnerable to "Vulnerability in Routing and Remote Access Could Allow Remote Code Execution".
8. smb-vuln-ms07-029: Detects Microsoft Windows systems with DNS Server RPC vulnerable to remote code execution.
9. smb-vuln-ms08-067: Detects Microsoft Windows systems vulnerable to the remote code execution vulnerability. This check is dangerous and it may crash systems.
10. smb-vuln-ms10-054: Tests whether target machines are vulnerable to the remote memory corruption vulnerability.
11. smb-vuln-regsvc-dos: Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer dereference. This check will crash the service if it is vulnerable and requires a guest account or higher to work.

Exploit NSE Scripts

1. afp-path-vuln: Detects the Mac OS X AFP directory traversal vulnerability.
2. clamav-exec: Exploits ClamAV servers vulnerable to unauthenticated clamav command execution.
3. distcc-cve2004-2687: Detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc.
4. ftp-proftpd-backdoor: Tests for the presence of the ProFTPD 1.3.3c backdoor. This script attempts to exploit the backdoor using the innocuous id command by default.
5. ftp-vsftpd-backdoor: Tests for the presence of the vsFTPd 2.3.4 backdoor. This script attempts to exploit the backdoor using the innocuous id command by default.
6. http-adobe-coldfusion-apsa1301: Attempts to exploit an authentication bypass vulnerability in Adobe ColdFusion servers to retrieve a valid administrator's session cookie.
7. http-avaya-ipoffice-users: Attempts to enumerate users in Avaya IP Office systems 7.x.
8. http-awstatstotals-exec: Exploits a remote code execution vulnerability in Awstats Totals.
9. http-axis2-dir-traversal: Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd.
10. http-barracuda-dir-traversal: Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability.
11. http-coldfusion-subzero: Attempts to retrieve the version, the absolute path of the administration panel and the file 'password.properties' from vulnerable installations of ColdFusion 9 and 10.
12. http-csrf: This script detects Cross Site Request Forgery (CSRF) vulnerabilities.
13. http-dlink-backdoor: Detects a firmware backdoor on some D-Link routers by changing the User-Agent to a "secret" value. Using the "secret" User-Agent bypasses authentication and allows admin access to the router.
14. http-dombased-xss: Looks for places where attacker-controlled information in the DOM may be used to affect JavaScript execution in certain ways.
15. http-fileupload-exploiter: Exploits insecure file upload forms in web applications using various techniques like changing the Content-type header or creating valid image files containing the payload in the comment.
16. http-huawei-hg5xx-vuln: Detects Huawei modem models vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values.
17. http-litespeed-sourcecode-download: Exploits a null-byte poisoning vulnerability in LiteSpeed Web Servers.
18. http-majordomo2-dir-traversal: Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files.
19. http-phpmyadmin-dir-traversal: Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 to retrieve remote files on the web server.
20. http-shellshock: Attempts to exploit the "shellshock" vulnerability in web applications.
21. http-stored-xss: Reports an unfiltered '>' (greater-than sign), an indication of a potential XSS vulnerability.
22. http-tplink-dir-traversal: Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication.
23. http-vuln-cve2006-3392: Exploits a file disclosure vulnerability in Webmin.
24. http-vuln-cve2009-3960: Exploits Adobe XML External Entity Injection.
25. http-vuln-cve2012-1823: Detects PHP-CGI installations that are vulnerable to the vulnerability that allows attackers to retrieve source code and execute code remotely.
26. http-vuln-cve2013-0156: Detects Ruby on Rails servers vulnerable to object injection, remote command execution and denial of service attacks.
27. http-vuln-cve2013-6786: Detects a URL redirection and reflected XSS vulnerability in the Allegro RomPager web server.
28. http-vuln-cve2013-7091: Allows remote attackers to read arbitrary files.
29. http-vuln-cve2014-3704: Versions < 7.32 of Drupal core are known to be affected.
30. http-vuln-cve2014-8877: Exploits a remote code injection vulnerability in the WordPress CM Download Manager plugin. Versions <= 2.0.0 are known to be affected.
31. http-vuln-cve2017-5689: Detects if a system with Intel Active Management Technology is vulnerable to the privilege escalation vulnerability.
32. http-vuln-wnr1000-creds: This vulnerability allows an attacker to retrieve administrator credentials through the router interface.
33. irc-unrealircd-backdoor: Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.
34. jdwp-exec: Attempts to exploit Java's remote debugging port. When the remote debugging port is left open, it is possible to inject Java bytecode and achieve remote code execution.
35. jdwp-inject: Attempts to exploit Java's remote debugging port. When the remote debugging port is left open, it is possible to inject Java bytecode and achieve remote code execution.
36. qconn-exec: Attempts to identify whether a listening QNX QCONN daemon allows unauthenticated users to execute arbitrary operating system commands.
37. smb-vuln-conficker: Detects Microsoft Windows systems infected by the Conficker worm. This check is dangerous and it may crash systems.
38. smb-vuln-cve2009-3103: Detects Microsoft Windows systems vulnerable to denial of service. This script will crash the service if it is vulnerable.
39. smb-vuln-ms06-025: Detects Microsoft Windows systems with the RAS RPC service vulnerable to "Vulnerability in Routing and Remote Access Could Allow Remote Code Execution".
40. smb-vuln-ms07-029: Detects Microsoft Windows systems with DNS Server RPC vulnerable to remote code execution.
41. smb-vuln-ms08-067: Detects Microsoft Windows systems vulnerable to the remote code execution vulnerability. This check is dangerous and it may crash systems.
42. smb-vuln-regsvc-dos: Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer dereference. This check will crash the service if it is vulnerable and requires a guest account or higher to work.
43. smtp-vuln-cve2010-4344: Checks for and/or exploits a heap overflow within versions of Exim.
44. supermicro-ipmi-conf: Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro Onboard IPMI controllers.

External NSE Scripts

asn-query: Maps IP addresses to autonomous system (AS) numbers.

dns-blacklist: Checks target IP addresses against multiple DNS and open proxy blacklists and returns a list of services for which an IP has been flagged. Checks may be limited by service category (e.g. SPAM, PROXY) or to a specific service name.

dns-check-zone: Checks DNS zone configuration against best practices. The configuration checks are divided into categories which each have a number of different tests.

dns-random-srcport: Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks.

dns-zeustracker: Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch.

hostmap-bfk: Discovers hostnames that resolve to the target's IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html.

hostmap-ip2hosts: Finds hostnames that resolve to the target's IP address by querying the online database at http://www.ip2hosts.com (Bing search results).

hostmap-robtex: Discovers hostnames that resolve to the target's IP address by querying the online Robtex service at http://ip.robtex.com/.

http-cross-domain-policy: Checks the cross-domain policy file (/crossdomain.xml) and the client-access-policy file (/clientaccesspolicy.xml) in web applications and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery attacks and may allow attackers to access sensitive data.

http-google-malware: Checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.

http-icloud-findmyiphone: Retrieves the locations of all "Find my iPhone" enabled iOS devices by querying the MobileMe web service (authentication required).

http-icloud-sendmsg: Sends a message to an iOS device through the Apple MobileMe web service. The device has to be registered with an Apple ID using the Find My iPhone application.

http-open-proxy: Checks if an HTTP proxy is open.

http-proxy-brute: Performs brute force password guessing against HTTP proxy servers.

http-robtex-reverse-ip: Obtains up to 100 forward DNS names for a target IP address by querying the Robtex service (https://www.robtex.com/ip-lookup/).

http-robtex-shared-ns: Finds up to 100 domain names which use the same name server as the target by querying the Robtex service at http://www.robtex.com/dns/.

http-virustotal: Checks whether a file has been determined to be malware by VirusTotal, a service at http://www.virustotal.com.

http-xssed: This script searches the xssed.com database and outputs the result.

ip-geolocation-geoplugin: Tries to identify the physical location of an IP address using the Geoplugin geolocation web service (http://www.geoplugin.com/). There is no limit on lookups using this service.

ip-geolocation-ipinfodb: Tries to identify the physical location of an IP address using the IPInfoDB geolocation web service (http://ipinfodb.com/ip_location_api.php).

ip-geolocation-map-bing: This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and renders a Bing Map of markers representing the targets.

ip-geolocation-map-google: This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and renders a Google Map of markers representing the targets.

ip-geolocation-maxmind: Tries to identify the physical location of an IP address using a MaxMind geolocation database file (available from http://www.maxmind.com/app/ip-location). This script supports queries using all MaxMind databases that are supported by their API, including the commercial ones.

shodan-api: Queries the Shodan API for given targets and produces output similar to a -sV nmap scan. The Shodan API key can be set with the 'apikey' script argument, or hardcoded in the .nse file itself. You can get a free key from https://developer.shodan.io.

smtp-enum-users: Attempts to enumerate the users on an SMTP server. The goal of this script is to discover all the user accounts in the remote system.

smtp-open-relay: Attempts to relay mail by issuing a predefined combination of SMTP commands. The goal of this script is to tell if an SMTP server is vulnerable to mail relaying.

socks-open-proxy: Checks if an open SOCKS (Socket Secure) proxy is running on the target.

targets-asn: Produces a list of IP prefixes for a given routing AS number (ASN).

tor-consensus-checker: Checks if a target is a known Tor node.

traceroute-geolocation: Lists the geographic locations of each hop in a traceroute, plottable on Google Earth and Maps.

whois-domain: Attempts to retrieve information about the domain name of the target.

whois-ip: Queries the WHOIS services.

Scripts-Fuzzer !