Home page logo

nmap-dev logo Nmap Development mailing list archives

New NSE Scripts
From: Fyodor <fyodor () insecure org>
Date: Fri, 14 Jan 2011 15:10:38 -0800

Hi folks.  I've been reviewing our NSE scripts and the improvements
since just the 5.35DC1 release last summer are dramatic.  Users are
going to be very excited about the upcoming release!  We've added 46
scripts, bringing the total to 177 that you can find at

But before we look at the scripts, let's take a moment to celebrate
the authors!  Particular credit goes to Patrik, who single-handedly
wrote more than half of the new scripts.  And Toni has certainly been
on a roll for the last month!  Here is a list of script authors and
their new script counts:

25 Patrik Karlsson
 6 Toni Ruottu
 4 Mak Kolybabi
 3 Kris Katterjohn
 2 Henri Doreau
 2 Ron Bowes
 1 Martin Holst Swende
 1 Daniel Miller
 1 Carlos Pantelides
 1 Ange Gutek
 1 Alexander Rudakov
 1 Andrew Orr
 1 Russ Tait Milne

The total is more than 46 because broadcast-dropbox-listener has four
authors--the wrote it during some sort of NSE party :).

Of course we would have never gotten 46 new scripts integrated without
all of David's work reviewing and in many cases improving them.

And with that out of the way, here is the list of new scripts for the
upcoming release:

o broadcast-dns-service-discovery: Attempts to discover hosts'
  services using the DNS Service Discovery protocol.  It sends a
  multicast DNS-SD query and collects all the responses. [Patrik

o broadcast-dropbox-listener: Listens for the LAN sync information
  broadcasts that the Dropbox.com client broadcasts every 20 seconds,
  then prints all the discovered client IP addresses, port numbers,
  version numbers, display names, and more.  [Ron Bowes, Mak Kolybabi,
  Andrew Orr, Russ Tait Milne]

o broadcast-ms-sql-discover: Discovers Microsoft SQL servers in the
  same broadcast domain. [Patrik Karlsson]

o broadcast-upnp-info: Attempts to extract system information from the
  UPnP service by sending a multicast query, then collecting, parsing,
  and displaying all responses. [Patrik Karlsson]

o broadcast-wsdd-discover: Uses a multicast query to discover devices
  supporting the Web Services Dynamic Discovery (WS-Discovery)
  protocol. It also attempts to locate any published Windows
  Communication Framework (WCF) web services (.NET 4.0 or
  later). [Patrik Karlsson]

o db2-discover: Attempts to discover DB2 servers on the network by
  querying open ibm-db2 UDP ports (normally port 523). [Patrik

o dns-update.nse: Attempts to perform a dynamic DNS update without
  authentication. [Patrik Karlsson]

o domcon-brute: Performs brute force password auditing against the
  Lotus Domino Console. [Patrik Karlsson]

o domcon-cmd: Runs a console command on the Lotus Domino Console using
  the given authentication credentials (see also: domcon-brute)
  [Patrik Karlsson]

o domino-enum-users: Attempts to discover valid IBM Lotus Domino users
  and download their ID files by exploiting the CVE-2006-5835
  vulnerability. [Patrik Karlsson]

o firewalk: Tries to discover firewall rules using an IP TTL
  expiration technique known as firewalking. [Henri Doreau]

o ftp-proftpd-backdoor: Tests for the presence of the ProFTPD 1.3.3c
  backdoor reported as OSVDB-ID 69562. This script attempts to exploit
  the backdoor using the innocuous id command by default, but that can
  be changed with the ftp-proftpd-backdoor.cmd script argument. [Mak

o giop-info: Queries a CORBA naming server for a list of
  objects. [Patrik Karlsson]

o gopher-ls: Lists files and directories at the root of a gopher
  service. [Toni Ruottu]

o hddtemp-info: Reads hard disk information (such as brand, model, and
  sometimes temperature) from a listening hddtemp service. [Toni

o hostmap: Tries to find hostnames that resolve to the target's IP
  address by querying the online database at
  http://www.bfk.de/bfk_dnslogger.html. [Ange Gutek]

o http-brute: Performs brute force password auditing against http
  basic authentication. [Patrik Karlsson]

o http-domino-enum-passwords: Attempts to enumerate the hashed Domino
  Internet Passwords that are accessible by all authenticated users by
  default. This script can also download any Domino ID Files attached
  to the Person document. [Patrik Karlsson]

o http-form-brute: Performs brute force password auditing against http
  form-based authentication. [Patrik Karlsson]

o http-vhosts: Searches for web virtual hostnames by making a large
  number of HEAD requests against http servers using common
  hostnames. [Carlos Pantelides]

o informix-brute: Performs brute force password auditing against IBM
  Informix Dynamic Server. [Patrik Karlsson]

o informix-query: Runs a query against IBM Informix Dynamic Server
  using the given authentication credentials (see also:
  informix-brute). [Patrik Karlsson]

o informix-tables: Retrieves a list of tables and column definitions
  for each database on an Informix server. [Patrik Karlsson]

o iscsi-brute: Performs brute force password auditing against iSCSI
  targets. [Patrik Karlsson]

o iscsi-info: Collects and displays information from remote iSCSI
  targets. [Patrik Karlsson]

o modbus-discover: Enumerates SCADA Modbus slave ids (sids) and gets
  their device information. [Alexander Rudakov]

o nat-pmp-info: Queries a NAT-PMP service for its external
  address. [Patrik Karlsson]

o netbus-auth-bypass: Checks if a NetBus server is vulnerable to an
  authentication bypass vulnerability which allows them to be fully
  accessed without knowing the password. [Toni Ruottu]

o netbus-brute: Performs brute force password auditing about the
  Netbus backdoor ("remote administration") service. [Toni Ruottu]

o netbus-info: Opens a connection to a NetBus server and extracts
  information about the host and the NetBus service itself. [Toni

o netbus-version: Extends version detection to detect NetBuster, a
  honeypot service that mimes NetBus. [Toni Ruottu]

o nrpe-enum: Queries Nagios Remote Plugin Executor (NRPE) daemons to
  obtain information such as load averages, process counts, logged in
  user information, etc. [Mak Kolybabi]

o oracle-brute: Performs brute force password auditing against Oracle
  servers. [Patrik Karlsson]

o oracle-enum-users: Attempts to enumerate valid Oracle user names
  against Oracle 11g servers (this bug was fixed in Oracle's October
  2009 Critical Patch Update). [Patrik Karlsson]

o path-mtu: Performs simple Path MTU Discovery to target hosts. [Kris

o resolveall: Resolves hostnames and adds every address (IPv4 or IPv6,
  depending on Nmap mode) to Nmap's target list.  This differs from
  Nmap's normal host resolution process, which only scans the first
  address (A or AAAA record) returned for each host name. [Kris

o rmi-dumpregistry: Connects to a remote RMI registry and attempts to
  dump all its objects. [Martin Holst Swende]

o smb-flood: Exhausts the limit of SMB connections on a remote server
  by opening as many as we can.  Most implementations of SMB have a
  hard global limit of 11 connections for user accounts and 10
  connections for anonymous.  Once that limit is reached, further
  connections are denied. This exploits that limit by taking up all
  the connections and holding them. [Ron Bowes]

o ssh2-enum-algos: Reports the number of algorithms (such as
  encryption, compression, etc.) that the target SSH2 server offers.
  If verbosity is set, then the offered algorithms are each listed by
  type. [Kris Katterjohn]

o stuxnet-detect: Detects whether a host is infected with the Stuxnet
  worm (http://en.wikipedia.org/wiki/Stuxnet). [Mak Kolybabi]

o svn-brute: Performs brute force password auditing against Subversion
  source code control servers. [Patrik Karlsson]

o targets-traceroute: Inserts traceroute hops into the Nmap scanning
  queue. It only functions if Nmap's <code>--traceroute</code> option
  is used and the <code>newtargets</code> script argument is
  given. [Henri Doreau]

o vnc-brute: Performs brute force password auditing against VNC
  servers. [Patrik Karlsson]

o vnc-info: Queries a VNC server for the protocol version and
  supported security types. [Patrik Karlsson]

o wdb-version: Detects vulnerabilities and gathers information (such
  as version numbers and hardware support) from a VxWorks Wind DeBug
  Agent. [Daniel Miller]

o wsdd-discover: Retrieves and displays information from devices
  supporting the Web Services Dynamic Discovery (WS-Discovery)
  protocol. It also attempts to locate any published Windows
  Communication Framework (WCF) web services (.NET 4.0 or
  later). [Patrik Karlsson]

Now I'm going to get back to working on the release CHANGELOG.  But I
thought this list of new scripts was impressive enough to be worth
sending out on its own.

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
  • New NSE Scripts Fyodor (Jan 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]