For a description of this category, see default NSE category in the Nmap documentation.
Scripts
- address-info
Shows extra information about IPv6 addresses, such as embedded MAC or IPv4 addresses when available.
- afp-serverinfo
Shows AFP server information. This information includes the server's hostname, IPv4 and IPv6 addresses, and hardware type (for example Macmini or MacBookPro).
- ajp-auth
Retrieves the authentication scheme and realm of an AJP service (Apache JServ Protocol) that requires authentication.
- ajp-methods
Discovers which options are supported by the AJP (Apache JServ Protocol) server by sending an OPTIONS request and lists potentially risky methods.
- amqp-info
Gathers information (a list of all server properties) from an AMQP (advanced message queuing protocol) server.
- auth-owners
Attempts to find the owner of an open TCP port by querying an auth daemon which must also be open on the target system. The auth service, also known as identd, normally runs on port 113.
- backorifice-info
Connects to a BackOrifice service and gathers information about the host and the BackOrifice service itself.
- bitcoinrpc-info
Obtains information from a Bitcoin server by calling getinfo on its JSON-RPC interface.
- cassandra-info
Attempts to get basic info and server status from a Cassandra database.
- clock-skew
Analyzes the clock skew between the scanner and various services that report timestamps.
- creds-summary
Lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan.
- dicom-ping
Attempts to discover DICOM servers (DICOM Service Provider) through a partial C-ECHO request. It also detects if the server allows any called Application Entity Title or not.
- dns-nsid
Retrieves information from a DNS nameserver by requesting its nameserver ID (nsid) and asking for its id.server and version.bind values. This script performs the same queries as the following two dig commands:
  - dig CH TXT bind.version @target
  - dig +nsid CH TXT id.server @target
- dns-recursion
Checks if a DNS server allows queries for third-party names. It is expected that recursion will be enabled on your own internal nameservers.
- dns-service-discovery
Attempts to discover target hosts' services using the DNS Service Discovery protocol.
- epmd-info
Connects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers.
- finger
Attempts to retrieve a list of usernames using the finger service.
- flume-master-info
Retrieves information from Flume master HTTP pages.
- freelancer-info
Detects the Freelancer game server (FLServer.exe) service by sending a status query UDP probe.
- ftp-anon
Checks if an FTP server allows anonymous logins.
- ftp-bounce
Checks to see if an FTP server allows port scanning using the FTP bounce method.
- ftp-syst
Sends FTP SYST and STAT commands and returns the result.
- ganglia-info
Retrieves system information (OS version, available memory, etc.) from a listening Ganglia Monitoring Daemon or Ganglia Meta Daemon.
- giop-info
Queries a CORBA naming server for a list of objects.
- gopher-ls
Lists files and directories at the root of a gopher service.
- hadoop-datanode-info
Discovers information such as log directories from an Apache Hadoop DataNode HTTP status page.
- hadoop-jobtracker-info
Retrieves information from an Apache Hadoop JobTracker HTTP status page.
- hadoop-namenode-info
Retrieves information from an Apache Hadoop NameNode HTTP status page.
- hadoop-secondary-namenode-info
Retrieves information from an Apache Hadoop secondary NameNode HTTP status page.
- hadoop-tasktracker-info
Retrieves information from an Apache Hadoop TaskTracker HTTP status page.
- hbase-master-info
Retrieves information from an Apache HBase (Hadoop database) master HTTP status page.
- hbase-region-info
Retrieves information from an Apache HBase (Hadoop database) region server HTTP status page.
- hddtemp-info
Reads hard disk information (such as brand, model, and sometimes temperature) from a listening hddtemp service.
- hnap-info
Retrieves hardware details and configuration information utilizing HNAP, the "Home Network Administration Protocol". It is an HTTP-Simple Object Access Protocol (SOAP)-based protocol which allows for remote topology discovery, configuration, and management of devices (routers, cameras, PCs, NAS, etc.).
- http-auth
Retrieves the authentication scheme and realm of a web service that requires authentication.
- http-cisco-anyconnect
Connects as a Cisco AnyConnect client to a Cisco SSL VPN and retrieves version and tunnel information.
- http-cookie-flags
Examines cookies set by HTTP services. Reports any session cookies set without the httponly flag. Reports any session cookies set over SSL without the secure flag. If http-enum.nse is also run, any interesting paths found by it will be checked in addition to the root.
- http-cors
Tests an http server for Cross-Origin Resource Sharing (CORS), a way for domains to explicitly opt in to having certain methods invoked by another domain.
- http-favicon
Gets the favicon ("favorites icon") from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed.
- http-generator
Displays the contents of the "generator" meta tag of a web page (default: /) if there is one.
- http-git
Checks for a Git repository found in a website's document root (/.git/<something>) and retrieves as much repo information as possible, including language/framework, remotes, last commit message, and repository description.
- http-ls
Shows the content of an "index" Web page.
- http-methods
Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. It tests those methods not mentioned in the OPTIONS headers individually and sees if they are implemented. Any output other than 501/405 suggests that the method is implemented, if the status code is not in the range 400 to 600. If the response falls within that range, it is compared to the response from a randomly generated method.
- http-ntlm-info
This script enumerates information from remote HTTP services with NTLM authentication enabled.
- http-open-proxy
Checks if an HTTP proxy is open.
- http-robots.txt
Checks for disallowed entries in /robots.txt on a web server.
- http-svn-enum
Enumerates users of a Subversion repository by examining logs of most recent commits.
- http-svn-info
Requests information from a Subversion repository.
- http-title
Shows the title of the default page of a web server.
- http-webdav-scan
A script to detect WebDAV installations. Uses the OPTIONS and PROPFIND methods.
- ike-version
Obtains information (such as vendor and device type where available) from an IKE service by sending four packets to the host. This script tests with both Main and Aggressive Mode and sends multiple transforms per request.
- imap-capabilities
Retrieves IMAP email server capabilities.
- imap-ntlm-info
This script enumerates information from remote IMAP services with NTLM authentication enabled.
- ip-https-discover
Checks if the IP over HTTPS (IP-HTTPS) Tunneling Protocol [1] is supported.
- ipv6-node-info
Obtains hostnames, IPv4 and IPv6 addresses through IPv6 Node Information Queries.
- irc-info
Gathers information from an IRC server.
- iscsi-info
Collects and displays information from remote iSCSI targets.
- jdwp-info
Attempts to exploit Java's remote debugging port. When the remote debugging port is left open, it is possible to inject Java bytecode and achieve remote code execution. This script injects and executes a Java class file that returns remote system information.
- knx-gateway-info
Identifies a KNX gateway on UDP port 3671 by sending a KNX Description Request.
- maxdb-info
Retrieves version and database information from a SAP Max DB database.
- mongodb-databases
Attempts to get a list of tables from a MongoDB database.
- mongodb-info
Attempts to get build info and server status from a MongoDB database.
- ms-sql-info
Attempts to determine configuration and version information for Microsoft SQL Server instances.
- ms-sql-ntlm-info
This script enumerates information from remote Microsoft SQL services with NTLM authentication enabled.
- mysql-info
Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.
- nat-pmp-info
Gets the router's WAN IP using the NAT Port Mapping Protocol (NAT-PMP). The NAT-PMP protocol is supported by a broad range of routers including:
  - Apple AirPort Express
  - Apple AirPort Extreme
  - Apple Time Capsule
  - DD-WRT
  - OpenWrt v8.09 or higher, with MiniUPnP daemon
  - pfSense v2.0
  - Tarifa (firmware) (Linksys WRT54G/GL/GS)
  - Tomato Firmware v1.24 or higher (Linksys WRT54G/GL/GS and many more)
  - Peplink Balance
- nbns-interfaces
Retrieves IP addresses of the target's network interfaces via NetBIOS NS. Additional network interfaces may reveal more information about the target, including finding paths to hidden non-routed networks via multihomed systems.
- nbstat
Attempts to retrieve the target's NetBIOS names and MAC address.
- ncp-serverinfo
Retrieves eDirectory server information (OS version, server name, mounts, etc.) from the Novell NetWare Core Protocol (NCP) service.
- netbus-info
Opens a connection to a NetBus server and extracts information about the host and the NetBus service itself.
- nntp-ntlm-info
This script enumerates information from remote NNTP services with NTLM authentication enabled.
- ntp-info
Gets the time and configuration variables from an NTP server. We send two requests: a time request and a "read variables" (opcode 2) control message. Without verbosity, the script shows the time and the value of the version, processor, system, refid, and stratum variables. With verbosity, all variables are shown.
- openflow-info
Queries OpenFlow controllers for information. Newer versions of the OpenFlow protocol (1.3 and greater) will return a list of all protocol versions supported by the controller. Versions prior to 1.3 only return their own version number.
- openlookup-info
Parses and displays the banner information of an OpenLookup (network key-value store) server.
- p2p-conficker
Checks if a host is infected with Conficker.C or higher, based on Conficker's peer to peer communication.
- pop3-capabilities
Retrieves POP3 email server capabilities.
- pop3-ntlm-info
This script enumerates information from remote POP3 services with NTLM authentication enabled.
- quake1-info
Extracts information from Quake game servers and other game servers which use the same protocol.
- quake3-info
Extracts information from a Quake3 game server and other games which use the same protocol.
- quake3-master-getservers
Queries Quake3-style master servers for game servers (many games other than Quake 3 use this same protocol).
- rdp-ntlm-info
This script enumerates information from remote RDP services with CredSSP (NLA) authentication enabled.
- rmi-dumpregistry
Connects to a remote RMI registry and attempts to dump all of its objects.
- rpcinfo
Connects to portmapper and fetches a list of all registered programs. It then prints out a table including (for each program) the RPC program number, supported version numbers, port number and protocol, and program name.
- rtsp-methods
Determines which methods are supported by the RTSP (real time streaming protocol) server.
- servicetags
Attempts to extract system information (OS, hardware, etc.) from the Sun Service Tags service agent (UDP port 6481).
- sip-methods
Enumerates a SIP Server's allowed methods (INVITE, OPTIONS, SUBSCRIBE, etc.)
- smb-os-discovery
Attempts to determine the operating system, computer name, domain, workgroup, and current time over the SMB protocol (ports 445 or 139). This is done by starting a session with the anonymous account (or with a proper user account, if one is given; it likely doesn't make a difference); in response to a session starting, the server will send back all this information.
- smb-security-mode
Returns information about the SMB security level determined by SMB.
- smb2-security-mode
Determines the message signing configuration in SMBv2 servers for all supported dialects.
- smb2-time
Attempts to obtain the current system date and the start date of a SMB2 server.
- smtp-commands
Attempts to use EHLO and HELP to gather the Extended commands supported by an SMTP server.
- smtp-ntlm-info
This script enumerates information from remote SMTP services with NTLM authentication enabled.
- snmp-hh3c-logins
Attempts to enumerate Huawei / HP/H3C Locally Defined Users through the hh3c-user.mib OID.
- snmp-info
Extracts basic information from an SNMPv3 GET request. The same probe is used here as in the service version detection scan.
- snmp-interfaces
Attempts to enumerate network interfaces through SNMP.
- snmp-netstat
Attempts to query SNMP for netstat-like output. The script can be used to identify and automatically add new targets to the scan by supplying the newtargets script argument.
- snmp-processes
Attempts to enumerate running processes through SNMP.
- snmp-sysdescr
Attempts to extract system information from an SNMP service.
- snmp-win32-services
Attempts to enumerate Windows services through SNMP.
- snmp-win32-shares
Attempts to enumerate Windows Shares through SNMP.
- snmp-win32-software
Attempts to enumerate installed software through SNMP.
- snmp-win32-users
Attempts to enumerate Windows user accounts through SNMP.
- socks-auth-info
Determines the supported authentication mechanisms of a remote SOCKS proxy server. Starting with SOCKS version 5, SOCKS servers may support authentication. The script checks for the following authentication types:
  - 0 - No authentication
  - 1 - GSSAPI
  - 2 - Username and password
- socks-open-proxy
Checks if an open socks proxy is running on the target.
- ssh-hostkey
Shows SSH hostkeys.
- sshv1
Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1.
- ssl-cert
Retrieves a server's SSL certificate. The amount of information printed about the certificate depends on the verbosity level. With no extra verbosity, the script prints the validity period and the commonName, organizationName, stateOrProvinceName, and countryName of the subject.
- ssl-date
Retrieves a target host's time and date from its TLS ServerHello response.
- ssl-known-key
Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys.
- sslv2
Determines whether the server supports obsolete and less secure SSLv2, and discovers which ciphers it supports.
- sstp-discover
Checks if the Secure Socket Tunneling Protocol is supported. This is accomplished by trying to establish the HTTPS layer which is used to carry SSTP traffic as described in: http://msdn.microsoft.com/en-us/library/cc247364.aspx
- telnet-ntlm-info
This script enumerates information from remote Microsoft Telnet services with NTLM authentication enabled.
- tls-alpn
Enumerates a TLS server's supported application-layer protocols using the ALPN protocol.
- tls-nextprotoneg
Enumerates a TLS server's supported protocols by using the next protocol negotiation extension.
- ubiquiti-discovery
Extracts information from Ubiquiti networking devices.
- upnp-info
Attempts to extract system information from the UPnP service.
- uptime-agent-info
Gets system information from an Idera Uptime Infrastructure Monitor agent.
- ventrilo-info
Detects the Ventrilo voice communication server service versions 2.1.2 and above and tries to determine version and configuration information. Some of the older versions (pre 3.0.0) may not have the UDP service that this probe relies on enabled by default.
- vnc-info
Queries a VNC server for its protocol version and supported security types.
- wdb-version
Detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents.
- weblogic-t3-info
Detects the T3 RMI protocol and WebLogic version.
- wsdd-discover
Retrieves and displays information from devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later).
- x11-access
Checks if you're allowed to connect to the X server.
- xmlrpc-methods
Performs XMLRPC Introspection via the system.listMethods method.
- xmpp-info
Connects to XMPP server (port 5222) and collects server information such as: supported auth mechanisms, compression methods, whether TLS is supported and mandatory, stream management, language, support of In-Band registration, server capabilities. If possible, studies server vendor.