Attempts to run system commands using Microsoft SQL Server Machine Learning Services with sp_execute_external_script.

Gathers information (a list of server properties) from an Eclipse Equinoxe OSGi (Open Service Gateway initiative) console.

Looks for webvpn cookies that could denote a Cisco ASA SSL VPN WebVPN Service is enabled on a port. This may also apply to a Cisco IOS based router running the Client SSLVPN Service which is rare but possible.

NagiosXI versions before 5.4.13 are vulnerable to an unauthenticated remote root exploit. This unobtrusive script simply sends a single HTTP GET request for /nagiosxi/login.php and matches strings to identify the product and version.

Weblogic Console Brute Script

Shell command injection vulnerability on D-Link routers:

Unauthenticated arbitrary file upload vulnerability on jQuery-File-Upload <= v9.22.0.

A Remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

Checks for presence of Calibre e-book web server. It will check if Calibre requires authentication and will attempt to enumerate how many books are available.

Collects device information for Unitronics PLCs via PCOM protocol.

Executes remote code by exploiting the CVE-2015-6396 vulnerability in the following Cisco devices:

A remote code execution vulnerability exists in the web-based management interface of Cisco RV320 and RV325 routers, which allows an authenticated user to execute arbitrary commands on the underlying Linux shell as root by sending malicious HTTP POST requests to the web-based management interface.

Detects whether the specified URL is vulnerable to the Apache Strut2 Namespace Redirect OGNL Injection Remote Code Execution Vulnerability (CVE-2018-11776).

Detects whether the specified URL is vulnerable to the Apache Struts REST Plugin XStream Remote Code Execution Vulnerability (CVE-2017-9805).

Discovers MikroTik devices on a LAN by sending a MikroTik Neighbor Discovery Protocol (MNDP) network broadcast probe.

Collects all tag names and types for Allen-Bradley Logix 5000 PLCs via CIP Service Code 0x55 - Get_Instance_Attribute_List

Attempts to detect the Kubernetes API version.

Checks if ANY dns type is allowed.

A file inclusion vulnerability affecting Pulse Secure Pulse Connect Secure (PCS) SSLVPN appliance versions before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 allows an unauthenticated remote attacker to send a specially crafted URI to perform an arbitrary file read.

Performs a scan to check whether the scanned server is vulnerable to CVE-2018-13379

Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests. This exploit reads /etc/passwd as a proof of concept This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4

Script attempts to see whether Cisco device allows us to download config using smart install protocol (4786/tcp). If script confirms that test is successfull and that user has passed get option, script will start tftp server and issue commands to device to copy currently running config to us.

Sends a DCP identify request to the Profinet DCP identification MAC address 01:0e:cf:00:00:00 and reports the resulsts. The script displays information about the responding Profinet devices which can contain the station name, vendor information and IP address configuration.

This NSE script checks whether the target server is vulnerable to CVE-2019-19781

Detects Drayteks devices vulnerable to CVE-2020-8515 This script uses a safe check to confirm the vulnerability Then dumps the device's /etc/passwd file References: * https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/, * https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices/, * https://github.com/imjdl/CVE-2020-8515-PoC

This script will spider a website and look for any sensitive API Keys or secrets

Sample script to detect the presence of a Ruby on Rails rack-mini-profiler gem that is used to provide performance metrics for Rails applications. This simple detection script finds the environment variables page and looks for exposed API keys and other sensitive data such as credentials at '?pp=env' appended to default host URL. It is possible that Rails developers can expose environment variables through the gem without fully understanding their implications.

Script for exploiting CVE-2018-2392 and CVE-2018-2393, two XXE vulnerabilities in outdated versions of SAP IGS servers. You can now exploit these vulnerabilities by using this script to read arbitrary files on vulnerable systems as the user who installed the SAP IGS server.

Detects the unauthenticated RCE in the Console component of Oracle WebLogic Server (CVE-2020-14882).

Queries Apache Zookeeper on port 2181 to get information about the instance.

Retrieve system boot-time via TCP-options. This information would be used for detecting NAT, balancing or other information.

CVE-2019-14322 - A vulnerability was found in Pallets Werkzeug up to 0.15.4. It has been declared as critical. This vulnerability affects the function SharedDataMiddleware of the component Windows. The manipulation with an unknown input leads to a directory traversal vulnerability. The CWE definition for the vulnerability is CWE-22. This script reads c:/windows/win.ini as a proof of concept. This vulnerability is running on (cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:x64:*)

Checks if an X3 AdxSrv service is present and vulnerable to a directory disclosure vulnerability.

The IIS Web Server contains a RCE vulnerability. This script exploits this vulnerability with a DOS attack (causes a Blue Screen).

The Apache Web Server contains a RCE vulnerability. This script detects and exploits this vulnerability with RCE attack (execute commands) and local file disclosure.

2451-RCE_CVE2021_41773

Check Fortinet Critical Authentication Bypass Vulnerability (CVE-2022-40684) [Exploit ] POC for CVE-2022-40684 affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager appliances.

This script is an adaptation of <bittorent-discovery.nse> and can be used to retrieve the number of [seeders] and [leeches] for a variable number of .torrent files. User must specify the root directory then the script will recursively load and test each .torrent file found. DHT discovery will not be performed and no target machine will be investigated for open ports. IPs read from communicated data can be printed on standard output using the -d debug feature (or -v). The idea is to have a statistic of data available/requested. A report is printed on standard output, a list of files and their values. Note: HTTP values are guessed and may be incorrect.

548-tftp-fingerprints

Obtains information (such as vendor and device type where available) from a TFTP service. Software vendor information is deduced based on error messages.

Detects the TNS Poison vulnerability.

Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.

ASUSWRT is a wireless router operating system that powers many routers produced by ASUS.

ASUSWRT is a wireless router operating system that powers many routers produced by ASUS.

dnaLIMS is prone to the Directory Traversal attack.

Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.

Returns authentication methods a winrm server supports.

Module Author: r00t-3xp10it {Disclosure = Eldar Marcussen} NSE script to detect if target [ip]:[port][/url] its affected by CVE-2019-7226 (Improper Authentication) The ABB IDAL HTTP server CGI interface contains a URL that allows an unauthenticated attacker to bypass authentication and gain access to privileged functions. Specifically, /cgi/loginDefaultUser creates a session in an authenticated state and returns the session ID along with what may be the username and cleartext password of the user. An attacker can then supply an IDALToken value in a cookie, which will allow them to perform privileged operations such as restarting the service with /cgi/restart.

Module Author: r00t-3xp10it {Disclosure = Eldar Marcussen} NSE script to detect if target [ip]:[port][/url] its affected by CVE-2019-7226 (Improper Authentication) The ABB IDAL HTTP server CGI interface contains a URL that allows an unauthenticated attacker to bypass authentication and gain access to privileged functions. Specifically, /cgi/loginDefaultUser creates a session in an authenticated state and returns the session ID along with what may be the username and cleartext password of the user. An attacker can then supply an IDALToken value in a cookie, which will allow them to perform privileged operations such as restarting the service with /cgi/restart.

Retrieves information from a listening acarsd daemon. Acarsd decodes ACARS (Aircraft Communication Addressing and Reporting System) data in real time. The information retrieved by this script includes the daemon version, API version, administrator e-mail address and listening frequency.

Shows extra information about IPv6 addresses, such as embedded MAC or IPv4 addresses when available.

Performs password guessing against Apple Filing Protocol (AFP).

Attempts to get useful information about files from AFP volumes. The output is intended to resemble the output of ls .

Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.

Shows AFP server information. This information includes the server's hostname, IPv4 and IPv6 addresses, and hardware type (for example Macmini or MacBookPro ).

Shows AFP shares and ACLs.

Retrieves the authentication scheme and realm of an AJP service (Apache JServ Protocol) that requires authentication.

Performs brute force passwords auditing against the Apache JServ protocol. The Apache JServ Protocol is commonly used by web servers to communicate with back-end Java application server containers.

Performs a HEAD or GET request against either the root directory or any optional directory of an Apache JServ Protocol server and returns the server response headers.

Discovers which options are supported by the AJP (Apache JServ Protocol) server by sending an OPTIONS request and lists potentially risky methods.

Requests a URI over the Apache JServ Protocol and displays the result (or stores it in a file). Different AJP methods such as; GET, HEAD, TRACE, PUT or DELETE may be used.

Detects the All-Seeing Eye service. Provided by some game servers for querying the server's status.

Gathers information (a list of all server properties) from an AMQP (advanced message queuing protocol) server.

Maps IP addresses to autonomous system (AS) numbers.

Attempts to find the owner of an open TCP port by querying an auth daemon which must also be open on the target system. The auth service, also known as identd, normally runs on port 113.

Checks for an identd (auth) server which is spoofing its replies.

Module Author: r00t-3xp10it & Cleiton Pinheiro NSE script to detect if target [ip]:[port][/url] its an AXIS Network Camera transmiting (live). This script also allow is users to send a fake User-Agent in the tcp packet <agent=User-Agent-String> and also allow is users to input a diferent uri= [/url] link to be scan, IF none uri= value its inputed, then this script tests a List of AXIS default [/url's] available in our database to brute force the HTML TITLE tag. 'Remark: This nse script will NOT execute againts webcams found that require authentication logins'

Module Author: r00t-3xp10it & Cleiton Pinheiro NSE script to detect if target [ip]:[port][/url] its an AXIS Network Camera transmiting (live). This script also allow is users to send a fake User-Agent in the tcp packet <agent=User-Agent-String> and also allow is users to input a diferent uri= [/url] link to be scan, IF none uri= value its inputed, then this script tests a List of AXIS default [/url's] available in our database to brute force the HTML TITLE tag. 'Remark: This nse script will NOT execute againts webcams found that require authentication logins'

Performs brute force password auditing against the BackOrifice service. The backorifice-brute.ports script argument is mandatory (it specifies ports to run the script against).

Connects to a BackOrifice service and gathers information about the host and the BackOrifice service itself.

Discovers and enumerates BACNet Devices collects device information based off standard requests. In some cases, devices may not strictly follow the specifications, or may comply with older versions of the specifications, and will result in a BACNET error response. Presence of this error positively identifies the device as a BACNet device, but no enumeration is possible.

A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.

Queries a Bitcoin server for a list of known Bitcoin nodes

Extracts version and node information from a Bitcoin server

Obtains information from a Bitcoin server by calling getinfo on its JSON-RPC interface.

Discovers bittorrent peers sharing a file based on a user-supplied torrent file or magnet link. Peers implement the Bittorrent protocol and share the torrent, whereas the nodes (only shown if the include-nodes NSE argument is given) implement the DHT protocol and are used to track the peers. The sets of peers and nodes are not the same, but they usually intersect.

Retrieves printer or scanner information from a remote device supporting the BJNP protocol. The protocol is known to be supported by network based Canon devices.

Discovers servers supporting the ATA over Ethernet protocol. ATA over Ethernet is an ethernet protocol developed by the Brantley Coile Company and allows for simple, high-performance access to SATA drives over Ethernet.

Attempts to discover hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is vulnerable to the Avahi NULL UDP packet denial of service (CVE-2011-1002).

Attempts to discover Canon devices (Printers/Scanners) supporting the BJNP protocol by sending BJNP Discover requests to the network broadcast address for both ports associated with the protocol.

Attempts to discover DB2 servers on the network by sending a broadcast request to port 523/udp.

Sends a DHCP request to the broadcast address (255.255.255.255) and reports the results. By default, the script uses a static MAC address (DE:AD:CO:DE:CA:FE) in order to prevent IP pool exhaustion.

Sends a DHCPv6 request (Solicit) to the DHCPv6 multicast address, parses the response, then extracts and prints the address along with any options returned by the server.

Attempts to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses.

Listens for the LAN sync information broadcasts that the Dropbox.com client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more.

Performs network discovery and routing information gathering through Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP).

Discovers HID devices on a LAN by sending a discoveryd network broadcast probe.

Discovers targets that have IGMP Multicast memberships and grabs interesting information.

Discovers Jenkins servers on a LAN by sending a discovery broadcast probe.

Sniffs the network for incoming broadcast communication and attempts to decode the received packets. It supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and a few more. See packetdecoders.lua for more information.

Discovers Microsoft SQL servers in the same broadcast domain.

Attempts to discover master browsers and the domains they manage.

Discovers EMC Networker backup software servers on a LAN by sending a network broadcast query.

Attempts to use the Service Location Protocol to discover Novell NetWare Core Protocol (NCP) servers.

Discover IPv4 networks using Open Shortest Path First version 2(OSPFv2) protocol.

Sends a special broadcast probe to discover PC-Anywhere hosts running on a LAN.

Discovers PC-DUO remote control hosts and gateways running on a LAN by sending a special broadcast UDP probe.

Discovers routers that are running PIM (Protocol Independent Multicast).

Sends broadcast pings on a selected interface using raw ethernet packets and outputs the responding hosts' IP and MAC addresses or (if requested) adds them as targets. Root privileges on UNIX are required to run this script since it uses raw sockets. Most operating systems don't respond to broadcast-ping probes, but they can be configured to do so.

Discovers PPPoE (Point-to-Point Protocol over Ethernet) servers using the PPPoE Discovery protocol (PPPoED). PPPoE is an ethernet based protocol so the script has to know what ethernet interface to use for discovery. If no interface is specified, requests are sent out on all available interfaces.

Discovers hosts and routing information from devices running RIPv2 on the LAN. It does so by sending a RIPv2 Request command and collects the responses from all devices responding to the request.

Discovers hosts and routing information from devices running RIPng on the LAN by sending a broadcast RIPng Request command and collecting any responses.

Discovers Sonicwall firewalls which are directly attached (not routed) using the same method as the manufacturers own 'SetupTool'. An interface needs to be configured, as the script broadcasts a UDP packet.

Discovers Sybase Anywhere servers on the LAN by sending broadcast discovery messages.

Discovers Telldus Technologies TellStickNet devices on the LAN. The Telldus TellStick is used to wirelessly control electric devices such as lights, dimmers and electric outlets. For more information: http://www.telldus.com/

Attempts to extract system information from the UPnP service by sending a multicast query, then collecting, parsing, and displaying all responses.

Discovers Versant object databases using the broadcast srvloc protocol.

Wakes a remote system up from sleep by sending a Wake-On-Lan packet.

Retrieves a list of proxy servers on a LAN using the Web Proxy Autodiscovery Protocol (WPAD). It implements both the DHCP and DNS methods of doing so and starts by querying DHCP to get the address. DHCP discovery requires nmap to be running in privileged mode and will be skipped when this is not the case. DNS discovery relies on the script being able to resolve the local domain either through a script argument or by attempting to reverse resolve the local IP.

Uses a multicast query to discover devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later).

Discovers servers running the X Display Manager Control Protocol (XDMCP) by sending a XDMCP broadcast request to the LAN. Display managers allowing access are marked using the keyword Willing in the result.

Performs brute force password auditing against the Cassandra database.

Performs brute force password auditing against the Cassandra database.

Attempts to get basic info and server status from a Cassandra database.

Attempts to get basic info and server status from a Cassandra database.

Detects the CCcam service (software for sharing subscription TV among multiple receivers).

CICS transaction ID enumerator for IBM mainframes. This script is based on mainframe_brute by Dominic White ( https://github.com/sensepost/mainframe_brute ). However, this script doesn't rely on any third party libraries or tools and instead uses the NSE TN3270 library which emulates a TN3270 screen in lua.

Using the CICS transaction CEMT, this script attempts to gather information about the current CICS transaction server region. It gathers OS information, Datasets (files), transactions and user ids. Based on CICSpwn script by Ayoub ELAASSAL.

CICS User ID brute forcing script for the CESL login screen.

CICS User ID enumeration script for the CESL/CESN Login screen.

Module Author: r00t-3xp10it {Disclosure = Pedro Ribeiro} A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to acquire a valid session token with administrator privileges, bypassing user authentication. The vulnerability is due to insufficient request header validation during the authentication process. An attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker to use the acquired session token to gain full administrator access to the affected device.

Module Author: r00t-3xp10it {Disclosure = Pedro Ribeiro} A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to acquire a valid session token with administrator privileges, bypassing user authentication. The vulnerability is due to insufficient request header validation during the authentication process. An attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker to use the acquired session token to gain full administrator access to the affected device.

Attempts to guess valid credentials for the Citrix PN Web Agent XML Service. The XML service authenticates against the local Windows server or the Active Directory.

Extracts a list of published applications from the ICA Browser service.

Extracts a list of applications, ACLs, and settings from the Citrix XML service.

Extracts a list of Citrix servers from the ICA Browser service.

Extracts the name of the server farm and member servers from Citrix XML service.

Exploits ClamAV servers vulnerable to unauthenticated clamav comand execution.

Analyzes the clock skew between the scanner and various services that report timestamps.

Dumps list of available resources from CoAP endpoints.

Gets database tables from a CouchDB database.

Gets database statistics from a CouchDB database.

Scan by country.

Lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan.

Lists printers managed by the CUPS printing service.

Lists currently queued print jobs of the remote CUPS service grouped by printer.

smb-protocols script modified to apply check for CVE-2020-0796 by psc4re. Attempts to list the supported protocols and dialects of a SMB server. Packet check based on https://github.com/ollypwn/SMBGhost/ The script attempts to initiate a connection using the dialects: * NT LM 0.12 (SMBv1) * 2.02 (SMBv2) * 2.10 (SMBv2) * 3.00 (SMBv3) * 3.02 (SMBv3) * 3.11 (SMBv3)

Retrieves information from a DNS nameserver and also checks against CVE-2020-1350 for Microsoft SigRED issue This script performs the same queries as the following dig commands: - dig CH TXT bind.version @target

VMware vCenter Server CVE-2021-21972 Remote Code Execution Vulnerability

Script by @psc4re for checking against CVE-2021-21972, CVE-2021-21973 Vulnerability in vCenter. The script also additionally prints the vSphere Version and Build Number

Performs brute force password auditing against CVS pserver authentication.

Attempts to guess the name of the CVS repositories hosted on the remote server. With knowledge of the correct repository name, usernames and passwords can be guessed.

Retrieves a list of music from a DAAP server. The list includes artist names and album and song titles.

Retrieves the day and time from the Daytime service.

Connects to the IBM DB2 Administration Server (DAS) on TCP or UDP port 523 and exports the server profile. No authentication is required for this request.

Performs brute force password auditing against the DelugeRPC daemon.

Sends a DHCPINFORM request to a host on UDP port 67 to obtain all the local configuration parameters without allocating a new address.

Attempts to brute force the Application Entity Title of a DICOM server (DICOM Service Provider).

Attempts to brute force the Application Entity Title of a DICOM server (DICOM Service Provider).

Attempts to discover DICOM servers (DICOM Service Provider) through a partial C-ECHO request. It also detects if the server allows any called Application Entity Title or not.

Attempts to discover DICOM servers (DICOM Service Provider) through a partial C-ECHO request. It also detects if the server allows any called Application Entity Title or not.

Connects to a dictionary server using the DICT protocol, runs the SHOW SERVER command, and displays the result. The DICT protocol is defined in RFC 2229 and is a protocol which allows a client to query a dictionary server for definitions from a set of natural language dictionary databases.

Detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. The vulnerability was disclosed in 2002, but is still present in modern implementation due to poor configuration of the service.

Module Author: r00t-3xp10it {Disclosure = Devendra Singh} Detects whether the D-Link DIR-600 or DIR-615 router is vulnerable to Incorrect Access Control Vulnerability (CVE-2019-13101). A remote vulnerability was discovered on D-Link DIR-600M/DIR-615 Wireless Home Router in multiple respective firmware versions (3.02 up to 3.06). The vulnerability provides unauthenticated remote access to the routers WAN configuration page i.e. '/wan.htm' which leads to disclosure of sensitive user info about the WAN, including but not limited to PPPoE, DNS configuration etc, also allowing us to change the router configuration settings.

Module Author: r00t-3xp10it {Disclosure = Devendra Singh} Detects whether the D-Link DIR-600 or DIR-615 router is vulnerable to Incorrect Access Control Vulnerability (CVE-2019-13101). A remote vulnerability was discovered on D-Link DIR-600M/DIR-615 Wireless Home Router in multiple respective firmware versions (3.02 up to 3.06). The vulnerability provides unauthenticated remote access to the routers WAN configuration page i.e. '/wan.htm' which leads to disclosure of sensitive user info about the WAN, including but not limited to PPPoE, DNS configuration etc, also allowing us to change the router configuration settings.

Checks target IP addresses against multiple DNS anti-spam and open proxy blacklists and returns a list of services for which an IP has been flagged. Checks may be limited by service category (eg: SPAM, PROXY) or to a specific service name.

Attempts to enumerate DNS hostnames by brute force guessing of common subdomains. With the dns-brute.srv argument, dns-brute will also try to enumerate common DNS SRV records.

Attempts to enumerate DNS hostnames by brute force guessing of common subdomains. With the <code>dns-brute.srv</code> argument, dns-brute will also try to enumerate common DNS SRV records.

Performs DNS cache snooping against a DNS server.

Checks DNS zone configuration against best practices, including RFC 1912. The configuration checks are divided into categories which each have a number of different tests.

Performs a domain lookup using the edns-client-subnet option which allows clients to specify the subnet that queries supposedly originate from. The script uses this option to supply a number of geographically distributed locations in an attempt to enumerate as many different address records as possible. The script also supports requests using a given subnet.

Launches a DNS fuzzing attack against DNS servers.

Performs a quick reverse DNS lookup of an IPv6 network using a technique which analyzes DNS server response codes to dramatically reduce the number of queries needed to enumerate large networks.

Enumerates DNS names using the DNSSEC NSEC-walking technique.

Tries to enumerate domain names from the DNS server that supports DNSSEC NSEC3 records.

Tries to enumerate domain names from the DNS server that supports DNSSEC NSEC3 records.

Retrieves information from a DNS nameserver by requesting its nameserver ID (nsid) and asking for its id.server and version.bind values. This script performs the same queries as the following two dig commands: - dig CH TXT bind.version @target - dig +nsid CH TXT id.server @target

dns-openresolvers-check looks up the database "dnsbl.openresolvers.org" to detect DNS servers known to allow open recursion. If the DNS server is found, it will be marked as vulnerable as it can be abused via DNS amplification attacks.

Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).

Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).

Checks if a DNS server allows queries for third-party names. It is expected that recursion will be enabled on your own internal nameservers.

Attempts to discover target hosts' services using the DNS Service Discovery protocol.

Enumerates various common service (SRV) records for a given domain name. The service records contain the hostname, port and priority of servers for a given service. The following services are enumerated by the script: - Active Directory Global Catalog - Exchange Autodiscovery - Kerberos KDC Service - Kerberos Passwd Change Service - LDAP Servers - SIP Servers - XMPP S2S - XMPP C2S

Attempts to perform a dynamic DNS update without authentication.

Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch. Please review the following information before you start to scan: https://zeustracker.abuse.ch/ztdns.php

Requests a zone transfer (AXFR) from a DNS server.

Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp), an attacker can create a Docker container with the '/' path mounted with read/write permissions on the host server that is running the Docker container. As the Docker container executes command as uid 0 it is honored by the host operating system allowing the attacker to edit/create files owned by root. This exploit abuses this to creates a cron job in the '/etc/cron.d/' path of the host server. The Docker image should exist on the target system or be a valid image from hub.docker.com.

Detects the Docker service version.

Performs brute force password auditing against the Lotus Domino Console.

Runs a console command on the Lotus Domino Console using the given authentication credentials (see also: domcon-brute)

Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability.

Performs brute force password auditing against an iPhoto Library.

Performs password guessing against databases supporting the IBM DB2 protocol such as Informix, DB2 and Derby

Attempts to extract information from database servers supporting the DRDA protocol. The script sends a DRDA EXCSAT (exchange server attributes) command packet and parses the response.

Attempts to discover multihomed systems by analysing and comparing information collected by other scripts. The information analyzed currently includes, SSL certificates, SSH host keys, MAC addresses, and Netbios server names.

Enumerates the authentication methods offered by an EAP (Extensible Authentication Protocol) authenticator for a given identity or for the anonymous identity if no argument is passed.

This NSE script is used to send a EtherNet/IP packet to a remote device that has TCP 44818 open. The script will send a Request Identity Packet and once a response is received, it validates that it was a proper response to the command that was sent, and then will parse out the data. Information that is parsed includes Device Type, Vendor ID, Product name, Serial Number, Product code, Revision Number, status, state, as well as the Device IP.

Connects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers.

Attempts to enumerate process info over the Apple Remote Event protocol. When accessing an application over the Apple Remote Event protocol the service responds with the uid and pid of the application, if it is running, prior to requesting authentication.

Performs a Forward-confirmed Reverse DNS lookup and reports anomalous results.

Author: r00t-3xp10it NSE script to check/read contents of the selected file/path in target webserver. This module will search if 'index' exists, and if used --script-args read=true then file-checker.nse script will read/display the contents of the 'index' file.

Author: r00t-3xp10it NSE script to check/read contents of the selected file/path in target webserver. This module will search if 'index' exists, and if used --script-args read=true then file-checker.nse script will read/display the contents of the 'index' file.

Attempts to retrieve a list of usernames using the finger service.

Prints the readable strings from service fingerprints of unknown services.

Tries to discover firewall rules using an IP TTL expiration technique known as firewalking.

Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip.

Retrieves information from Flume master HTTP pages.

Tridium Niagara Fox is a protocol used within Building Automation Systems. Based off Billy Rios and Terry McCorkle's work this Nmap NSE will collect information from A Tridium Niagara system.

Detects the Freelancer game server (FLServer.exe) service by sending a status query UDP probe.

This script [Version 1.1.8] allows you to automatically search for CVEs using the API of https://www.circl.lu/services/cve-search/ in connection with the found CPEs using the parameter -sV in NMAP.

Checks if an FTP server allows anonymous logins.

Checks to see if an FTP server allows port scanning using the FTP bounce method.

Performs brute force password auditing against FTP servers.

Performs brute force password auditing against FTP servers.

Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow), a vulnerability discovered by Maksymilian Arciemowicz and Adam "pi3" Zabrocki. See the advisory at https://nmap.org/r/fbsd-sa-opie . Be advised that, if launched against a vulnerable host, this script will crash the FTPd.

Tests for the presence of the ProFTPD 1.3.3c backdoor reported as BID 45150. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.

Sends FTP SYST and STAT commands and returns the result.

Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.

Checks for a stack-based buffer overflow in the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. By sending a large number of TELNET_IAC escape sequence, the proftpd process miscalculates the buffer length, and a remote attacker will be able to corrupt the stack and execute arbitrary code within the context of the proftpd process (CVE-2010-4221). Authentication is not required to exploit this vulnerability.

Retrieves system information (OS version, available memory, etc.) from a listening Ganglia Monitoring Daemon or Ganglia Meta Daemon.

Queries a CORBA naming server for a list of objects.

Queries a GKRellM service for monitoring information. A single round of collection is made, showing a snapshot of information at the time of the request.

Attempts to enumerate valid email addresses using Google's Internal People API. If a valid email address is found, it also grabs the display name and photo from the profile.

Lists files and directories at the root of a gopher service.

Retrieves GPS time, coordinates and speed from the GPSD network daemon.

Discovers information such as log directories from an Apache Hadoop DataNode HTTP status page.

Retrieves information from an Apache Hadoop JobTracker HTTP status page.

Retrieves information from an Apache Hadoop NameNode HTTP status page.

Retrieves information from an Apache Hadoop secondary NameNode HTTP status page.

Retrieves information from an Apache Hadoop TaskTracker HTTP status page.

This NSE script is used to send a HART-IP packet to a HART device that has TCP 5094 open. The script will establish Session with HART device, then Read Unique Identifier and Read Long Tag packets are sent to parse the required HART device information. Read Sub-Device Identity Summary packet with Sub-Device index 00 01 is sent to request information on Sub-Device, if any available. If the response code differs from 0 (success), the error code is passed as Sub-Device Information. Otherwise, the required Sub-Device information is parsed from response packet.

Retrieves information from an Apache HBase (Hadoop database) master HTTP status page.

Retrieves information from an Apache HBase (Hadoop database) region server HTTP status page.

Reads hard disk information (such as brand, model, and sometimes temperature) from a listening hddtemp service.

Retrieve hardwares details and configuration information utilizing HNAP, the "Home Network Administration Protocol". It is an HTTP-Simple Object Access Protocol (SOAP)-based protocol which allows for remote topology discovery, configuration, and management of devices (routers, cameras, PCs, NAS, etc.)

Finds hostnames that resolve to the target's IP address by querying the online databases: * http://www.bfk.de/bfk_dnslogger.html * http://www.whataremyhosts.com ( Bing Search Results )

Finds hostnames that resolve to the target's IP address by querying the online databases: * http://www.bfk.de/bfk_dnslogger.html * http://www.ip2hosts.com ( Bing Search Results )

Discovers hostnames that resolve to the target's IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html .

Finds subdomains of a web server by querying Google's Certificate Transparency logs database ( https://crt.sh ).

Finds subdomains of a web server by querying Google's Certificate Transparency logs database (https://crt.sh).

Discovers hostnames (DNS A records) that resolve to the target's IP address by querying the online reverse IP lookup at http://hackertarget.com/reverse-ip-lookup/.

Finds hostnames that resolve to the target's IP address by querying the online database: * http://www.ip2hosts.com ( Bing Search Results )

Discovers hostnames that resolve to the target's IP address by querying the online Robtex service at http://ip.robtex.com/ .

Attempts to exploit an authentication bypass vulnerability in Adobe Coldfusion servers to retrieve a valid administrator's session cookie.

Attempts to exploit an authentication bypass vulnerability (apsa13-01) to retrieve the administrator's session cookie of Adobe Coldfusion servers.

Grabs affiliate network IDs (e.g. Google AdSense or Analytics, Amazon Associates, etc.) from a web page. These can be used to identify pages with the same owner.

Checks if the target http server has mod_negotiation enabled. This feature can be leveraged to find hidden resources and spider a web site using fewer requests.

Attempts to retrieve the server-status page for Apache webservers that have mod_status enabled. If the server-status page exists and appears to be from mod_status the script will parse useful information such as the system uptime, Apache version and recent HTTP requests.

Determines if a ASP.NET application has debugging enabled using a HTTP DEBUG request.

Retrieves the authentication scheme and realm of a web service that requires authentication.

Spiders a web site to find web pages requiring form-based or HTTP-based authentication. The results are returned in a table with each url and the detected method.

Attempts to enumerate users in Avaya IP Office systems 7.x.

Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE: 2008-3922).

http-awstatstotals-exec exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it. [CVE: 2008-3922]

Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE: 2008-3922).

Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd (BID 40343). By default it will try to retrieve the configuration file of the Axis2 service '/conf/axis2.xml' using the path '/axis2/services/' to return the username and password of the admin account.

http-axis2-dir-traversal exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter <code>xsd</code> (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service <code>'/conf/axis2.xml'</code> using the path <code>'/axis2/services/'</code> to return the username and password of the admin account.

Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter <code>xsd</code> (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service <code>'/conf/axis2.xml'</code> using the path <code>'/axis2/services/'</code> to return the username and password of the admin account.

Spiders a website and attempts to identify backup copies of discovered files. It does so by requesting a number of different combinations of the filename (eg. index.bak, index.html~, copy of index.html).

Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at http://seclists.org/fulldisclosure/2010/Oct/119 .

Decodes any unencrypted F5 BIG-IP cookies in the HTTP response. BIG-IP cookies contain information on backend systems such as internal IP addresses and port numbers. See here for more info: https://support.f5.com/csp/article/K6917

Attempts to partially detect the BREACH HTTP compression vulnerability (CVE-2013-3587).

Performs brute force password auditing against http basic, digest and ntlm authentication.

Performs brute force password auditing against http basic authentication.

Performs brute force password auditing against http basic authentication.

Obtains the CakePHP version of a web application built with the CakePHP framework by fingerprinting default files shipped with the CakePHP framework.

Obtains the CakePHP version of a web application built with the CakePHP framework. This script depends on default files shipped with the CakePHP framework.

Obtains the CakePHP version of a web application built with the CakePHP framework by fingerprinting default files shipped with the CakePHP framework.

Measures the time a website takes to deliver a web page and returns the maximum, minimum and average time it took to fetch a page.

Connect as Cisco AnyConnect client to a Cisco SSL VPN and retrieves version and tunnel information.

Attempts to retrieve version, absolute path of administration panel and the file 'password.properties' from vulnerable installations of ColdFusion 9 and 10.

Attempts to retrieve the version, installation path and password.properties files in vulnerable ColdFusion 9/10 installations.

Extracts and outputs HTML and JavaScript comments from HTTP responses.

Checks for backups and swap files of common content management system and web server configuration files.

Examines cookies set by HTTP services. Reports any session cookies set without the httponly flag. Reports any session cookies set over SSL without the secure flag. If http-enum.nse is also run, any interesting paths found by it will be checked in addition to the root.

Tests an http server for Cross-Origin Resource Sharing (CORS), a way for domains to explicitly opt in to having certain methods invoked by another domain.

Checks the cross-domain policy file (/crossdomain.xml) and the client-acces-policy file (/clientaccesspolicy.xml) in web applications and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery attacks and may allow attackers to access sensitive data. This script is useful to detect permissive configurations and possible domain names available for purchase to exploit the application.

This script detects Cross Site Request Forgeries (CSRF) vulnerabilities.

Shows the title of the default page of a web server. If customtitle argument is give the script searches and only titles matching the provided argument. The script also writes matched output if outputfile argument is provided.

Gets the date from HTTP-like services. Also prints how much the date differs from local time. Local time is the time the HTTP request was sent, so the difference includes at least the duration of one RTT.

Tests for access with default credentials used by a variety of web applications and devices.

http-default-accounts tests for access with default credentials in a variety of web applications and devices.

Tests for access with default credentials used by a variety of web applications and devices.

Tries to find out the technology behind the target website.

Detects a firmware backdoor on some D-Link routers by changing the User-Agent to a "secret" value. Using the "secret" User-Agent bypasses authentication and allows admin access to the router.

It looks for places where attacker-controlled information in the DOM may be used to affect JavaScript execution in certain ways. The attack is explained here: http://www.webappsec.org/projects/articles/071105.shtml

Attempts to enumerate the hashed Domino Internet Passwords that are (by default) accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document. Passwords are presented in a form suitable for running in John the Ripper.

Enumerates the installed Drupal modules/themes by using a list of known modules and themes.

Enumerates Drupal users by exploiting an information disclosure vulnerability in Views, Drupal's most popular module.

Checks if a website is running Drupal and possibly detect it's version.

http-email-harvest returns a list of email accounts found in the body text of all URIs found in the web server.

Spiders a web site and collects e-mail addresses.

Enumerates directories used by popular web applications and servers.

Script to detect disclosure information vulnerability from Comtrend VG 8050 Telefonica Spain.

Script to detect disclosure information vulnerability from ADB P.DGA4001N aka (HomeStation) Telefonica Spain.

Script to detect the pre-schooler vulnerability from HG253s v2 Vodafone Spain.

This script crawls through the website and returns any error pages.

Spiders a site's images looking for interesting exif data embedded in .jpg files. Displays the make and model of the camera, the date the photo was taken, and the embedded geotag information.

Gets the favicon ("favorites icon") from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed.

This script crawls through the website to find any rss or atom feeds.

The script is used to fetch files from servers.

Exploits insecure file upload forms in web applications using various techniques like changing the Content-type header or creating valid image files containing the payload in the comment.

Performs brute force password auditing against http form-based authentication.

Performs brute force password auditing against http form-based authentication.

Performs brute force password auditing against http form-based authentication.

Performs a simple form fuzzing against forms found on websites. Tries strings and numbers of increasing length and attempts to determine if the fuzzing was successful.

Checks whether target machines are vulnerable to anonymous Frontpage login.

Check if target machines are vulnerable to anonymous Frontpage login.

Displays the contents of the "generator" meta tag of a web page (default: /) if there is one.

Checks for a Git repository found in a website's document root /.git/<something>) and retrieves as much repo information as possible, including language/framework, remotes, last commit message, and repository description.

Retrieves a list of Git projects, owners and descriptions from a gitweb (web interface to the Git revision control system).

Checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.

http-google-malware checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.

Checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.

Spiders a website and attempts to match all pages and urls against a given string. Matches are counted and grouped per url under which they were discovered.

Performs a HEAD request for the root folder ("/") of a web server and displays the HTTP headers returned.

Attempts to extract information from HP iLO boards including versions and addresses.

Attempts to detect web applications vulnerable to "httpoxy" (CVE-2016-5385, CVE-2016-5386, CVE-2016-5387, CVE-2016-5388, CVE-2016-1000109, CVE-2016-1000110).

Detects Huawei modems models HG530x, HG520x, HG510x (and possibly others...) vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values.

Detects Huawei modems models HG530x, HG520x, HG510x (and possibly others...) vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values.

Detects Huawei modems models HG530x, HG520x, HG510x (and possibly others...) vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values.

Retrieves the locations of all "Find my iPhone" enabled iOS devices by querying the MobileMe web service (authentication required).

Sends a message to a iOS device through the Apple MobileMe web service. The device has to be registered with an Apple ID using the Find My Iphone application.

Attempts to brute force the 8.3 filenames (commonly known as short names) of files and directories in the root folder of vulnerable IIS servers. This script is an implementation of the PoC "iis shortname scanner".

Attempts to brute force the 8.3 filenames (commonly known as short names) of files and directories in the root folder of vulnerable IIS servers. This script is an implementation of the PoC "iis shortname scanner".

http-iis-shortname-dos launches a Denial of Service attack that exploits a vulnerability in IIS/.NET installations with shortname support enabled.

Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, https://nmap.org/r/ms09-020 .

Determines if the web server leaks its internal IP address when sending an HTTP/1.0 request without a Host header.

Performs brute force password auditing against Joomla web CMS installations.

Performs a brute force password attack against Joomla installations.

Performs brute force password auditing against Joomla web CMS installations.

Attempts to discover JSONP endpoints in web servers. JSONP endpoints can be used to bypass Same-origin Policy restrictions in web browsers.

"http-lfi.nse can discover LFI exploit in a web server using the resource value provided. this supports LFI discovery in both windows and linux servers, at the same time, it also supports LFI in private pages using a given cookie value. It hopes 20 times backword in the directory and looks for either boot.ini or /etc/passwd file in the webserver and extract the vulnerable path."

Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).

http-litespeed-sourcecode-download.nse exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).

Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).

performs brute force password auditing against livestreet CMS installations.

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Shows the content of an "index" Web page.

Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049).

Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049).

Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049).

Looks for signature of known server compromises.

Checks if the webserver allows mod_cluster management protocol (MCMP) methods.

Attempts to bypass password protected resources (HTTP 401 status) by performing HTTP verb tampering. If an array of paths to check is not set, it will crawl the web server and perform the check against any password protected resource that it finds.

Attempts to bypass password protected resources (HTTP 401 status) by performing HTTP verb tampering. If an array of paths to check is not set, it will crawl the web server and perform the check against any password protected resource that it finds.

Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. It tests those methods not mentioned in the OPTIONS headers individually and sees if they are implemented. Any output other than 501/405 suggests that the method is if not in the range 400 to 600. If the response falls under that range then it is compared to the response from a randomly generated method.

Checks if the website holds a mobile version.

"This script will run nikto on web servers found"

This script enumerates information from remote HTTP services with NTLM authentication enabled.

Checks if an HTTP proxy is open.

Spiders a website and attempts to identify open redirects. Open redirects are handlers which commonly take a URL as a parameter and responds with a HTTP redirect (3XX) to the target. Risks of open redirects are described at http://cwe.mitre.org/data/definitions/601.html .

Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini .

Attempts to retrieve the PHP version from a web server. PHP has a number of magic queries that return images or text that can vary with the PHP version. This script uses the following queries: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 : gets a GIF logo, which changes on April Fool's Day. /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : gets an HTML credits page. A list of magic queries is at http://www.0php.com/php_easter_egg.php . The script also checks if any header field value starts with "PHP" and reports that value if found.

Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to retrieve remote files on the web server.

Crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable $_SERVER["PHP_SELF"] .

Crawls a web server looking for PHP files that use the variable $_SERVER["PHP_SELF"] unsafely.

Crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable $_SERVER["PHP_SELF"].

Crawls a web server looking for PHP files vulnerable to PHP_SELF cross site scripting vulnerabilities.

Performs brute force password guessing against HTTP proxy servers.

Uploads a local file to a remote web server using the HTTP PUT method. You must specify the filename and URL path with NSE arguments.

Attempts to retrieve the model, firmware version, and enabled services from a QNAP Network Attached Storage (NAS) device.

Informs about cross-domain include of scripts. Websites that include external javascript scripts are delegating part of their security to third-party entities.

Crawls webservers in search of RFI (remote file inclusion) vulnerabilities. It tests every form field it finds and every parameter of a URL containing a query.

Checks for disallowed entries in /robots.txt on a web server.

Obtains up to 100 forward DNS names for a target IP address by querying the Robtex service ( https://www.robtex.com/ip-lookup/ ).

Finds up to 100 domain names which use the same name server as the target by querying the Robtex service at http://www.robtex.com/dns/ .

This exploits /rom-0 information disclosure present in RomPager Embedded Web Server Affected devices include ZTE, TP-Link, ZynOS, Huawei and many others.

URL redirection and reflected XSS vulnerability in Allegro RomPager Web server

Detects SAP Netweaver Portal instances that allow anonymous access to the KM unit navigation page. This page leaks file names, ldap users, etc.

This script uses PhantomJS to connect to all dicovered HTTP services and save a rendered image of the website to a file and print a snippet of the visible text on the rendered page. An HTML file is produced to display all captured images and provide links to their targets

Makes a request to the root folder ("/") of a web server and reports on the security headers that are missing from the data. This script mimics the functionality of https://securityheaders.io and is modeled after http-headers.nse.

Checks for the HTTP response headers related to security given in OWASP Secure Headers Project and gives a brief description of the header and its configuration value.

Uses the HTTP Server header for missing version info. This is currently infeasible with version probes because of the need to match non-HTTP services correctly.

Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications.

"This script will spider the given URL (or you can give specific URL to test), and test for shell shock vulnerbility by accessible /etc/passwd file on the remote machine.

http-shellshock-spider

http-shellshock-spider

Returns a list of all web pages and files found in the web server.

This script will crawl a web server and display a list of all the files found. This script is useful to determine all the possible file-targets/attack-surface when auditing web applications.

Spiders a web server and displays its directory structure along with number and types of files in each folder. Note that files listed as having an 'Other' extension are ones that have no extension or that are a root document.

Tests a web server for vulnerability to the Slowloris DoS attack by launching a Slowloris attack.

Tests a web server for vulnerability to the Slowloris DoS attack.

Tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack.

Tests a web server for vulnerability to the Slowloris DoS attack.

Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. It also extracts forms from found websites and tries to identify fields that are vulnerable.

Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability.

Enumerates users of a Subversion repository by examining logs of most recent commits.

Requests information from a Subversion repository.

Tenda W309R allows an attacker to access the configuration detailed with no authentication. Firmware Tested : V5.07.46

Shows the title of the default page of a web server.

Performs a brute force password attack against Apache Tomcat installations.

Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication.

Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication.

Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug is enabled, it returns the header fields that were modified in the response.

Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug is enabled, it returns the header fields that were modified in the response.

Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug is enabled, it returns the header fields that were modified in the response.

Exploits the Max-Forwards HTTP header to detect the presence of reverse proxies.

Attempts to obtain information from Trane Tracer SC devices. Trane Tracer SC is an intelligent field panel for communicating with HVAC equipment controllers deployed across several sectors including commercial facilities and others.

Attempts to find Trendnet TVIP110W webcams vulnerable to unauthenticated access to the video stream by querying the URI "/anony/mjpg.cgi".

Spiders a website and attempts to identify output escaping problems where content is reflected back to the user. This script locates all parameters, ?x=foo&y=bar and checks if the values are reflected on the page. If they are indeed reflected, the script will try to insert ghz>hzx"zxc'xcv and check which (if any) characters were reflected back onto the page without proper html escaping. This is an indication of potential XSS vulnerability.

Checks if various crawling utilities are allowed by the host.

Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled.

Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames.

Checks whether a file has been determined as malware by Virustotal. Virustotal is a service that provides the capability to scan a file or check a checksum against a number of the major antivirus vendors. The script uses the public API which requires a valid API key and has a limit on 4 queries per minute. A key can be acquired by registering as a user on the virustotal web page: http://www.virustotal.com The scripts supports both sending a file to the server for analysis or checking whether a checksum (supplied as an argument or calculated from a local file) was previously discovered as malware.

Connects to a VLC Streamer helper service and lists directory contents. The VLC Streamer helper service is used by the iOS VLC Streamer application to enable streaming of multimedia content from the remote server to the device.

Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733).

Check for OWA and checks banner of Exchange server for CVE-2020-0688. Original source code here : https://github.com/onSec-fr/CVE-2020-0688-Scanner/

Exploits a file disclosure vulnerability in Webmin (CVE-2006-3392)

Exploits cve-2009-3960 also known as Adobe XML External Entity Injection.

Tests whether a JBoss target is vulnerable to jmx console authentication bypass (CVE-2010-0738).

Executes a directory traversal attack against a ColdFusion server and tries to grab the password hash for the administrator user. It then uses the salt value (hidden in the web page) to create the SHA1 HMAC hash that the web server needs for authentication as admin. You can pass this value to the ColdFusion server as the admin without cracking the password hash.

Detects a denial of service vulnerability in the way the Apache web server handles requests for multiple overlapping/simple ranges of a page.

Tests for the CVE-2011-3368 (Reverse Proxy Bypass) vulnerability in Apache HTTP server's reverse proxy mode. The script will run 3 tests: the loopback test, with 3 payloads to handle different rewrite rules the internal hosts test. According to Contextis, we expect a delay before a server error. The external website test. This does not mean that you can reach a LAN ip, but this is a relevant issue anyway.

Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This critical vulnerability allows attackers to retrieve source code and execute code remotely.

Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This vulnerability is critical and it allows attackers to retrieve source code and execute code remotely.

Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This critical vulnerability allows attackers to retrieve source code and execute code remotely.

Detects Ruby on Rails servers vulnerable to object injection, remote command executions and denial of service attacks. (CVE-2013-0156)

Detects Ruby on Rails servers vulnerable to object injection, remote command executions and denial of service attacks. (CVE-2013-0156)

Detects a URL redirection and reflected XSS vulnerability in Allegro RomPager Web server. The vulnerability has been assigned CVE-2013-6786.

An 0 day was released on the 6th December 2013 by rubina119, and was patched in Zimbra 7.2.6.

Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA ASDM Privilege Escalation Vulnerability (CVE-2014-2126).

Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Privilege Escalation Vulnerability (CVE-2014-2127).