
Wednesday, June 26, 2019

Net Sec

1. Name at least five applications and tools pre-loaded on the TargetWindows01 server desktop, and identify whether each application starts as a service on the system or must be started manually.

Windows application loaded | Starts as a service (Y/N)
1. tftpd32 - Starts as a service (Y)
2. FileZilla Server Interface - The interface does not start as a service and must be run manually (N)
3. Wireshark - Does not start as a service and must be run manually (N)
4. Nessus Server Manager - Does not start as a service and must be run manually (N)
5. NetWitness Investigator - Does not start as a service and must be run manually (N)

2. What was the allocated source IP host address for the TargetWindows01 server, the TargetUbuntu01 server, and the IP default gateway router?
TargetWindows01 server source IP = 172.30.0.8
TargetUbuntu01 server source IP = 172.30.0.4
TargetUbuntu02 server source IP = 172.30.0.9
Default gateway IP = 172.30.0.1

3. Did the targeted IP hosts respond to the ICMP echo-request packet with an ICMP echo-reply packet when you initiated the ping command at your DOS prompt? If yes, how many ICMP echo-request packets were sent back to the IP source?
Yes, the targeted IP hosts responded with 4 echo-replies (the Windows ping command sends four echo-requests by default).

4. If you ping the TargetWindows01 server and the TargetUbuntu01 server, which fields in the ICMP echo-request/echo-replies vary?
The field that varies is the Time To Live (TTL): TargetUbuntu01 replies with a TTL of 64 and TargetWindows01 with a TTL of 128. These are the default initial TTLs of the Linux and Windows IP stacks; each router hop decrements the value by one, so on a routed path the observed TTL sits just below one of these defaults.

5. What is the command line syntax for running an "Intense Scan" with Zenmap on a target subnet of 172.30.0.0/24?
The syntax for an Intense Scan in Zenmap is as follows:
nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 172.30.0.0/24
Here -T4 selects aggressive timing, -A enables OS detection, version detection, default NSE script scanning and traceroute, -v turns on verbose output, and -PE, -PS and -PA are the host-discovery probes (ICMP echo, TCP SYN to ports 22/25/80, and TCP ACK to ports 21/23/80/3389). Because it runs scripts against every discovered service, this profile is also the noisiest of the Zenmap presets.

6. Name at least five different scans that may be performed from the Zenmap GUI. Document under what circumstances you would choose to run those particular scans.
Intense Scan - Provides very detailed information about ports and protocols, operating systems, and MAC addresses.
Intense Scan, all TCP ports - Provides the intense scan on all TCP ports, 1-65535.
Ping Scan - Provides basic information about availability and MAC addresses, without port scanning.
Quick Scan - Provides a fast scan limited to the top 100 most common TCP ports.
Regular Scan - This is the default scan: it issues TCP SYN probes for the most common 1000 TCP ports and uses ICMP echo-request pings for host detection.

7. How many different tests (i.e., scripts) did your "Intense Scan" definition perform? List them all after reviewing the scan report.
The Intense Scan initiated 36 scripts. The scripts are documented at http://nmap.org/nsedoc/
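As an added example (not part of the original write-up), the TTL reasoning from question 4 expressed as code: it pulls the TTL from Linux-style and Windows-style ping output and rounds it up to the nearest common default initial TTL, which also yields a hop estimate. The ping output in the two SAMPLE_PING_* strings is constructed for the example, and the 64/128/255 table holds the usual stack defaults, which an administrator can change, so the result is a hint rather than proof.

```python
import re

# Constructed sample ping output for the two lab hosts (not captured from the
# lab): a Linux-style reply with TTL 64 and a Windows-style reply with
# TTL 128, matching the values reported in the answer to question 4.
SAMPLE_PING_UBUNTU = """\
PING 172.30.0.4 (172.30.0.4) 56(84) bytes of data.
64 bytes from 172.30.0.4: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 172.30.0.4: icmp_seq=2 ttl=64 time=0.388 ms
"""
SAMPLE_PING_WINDOWS = """\
Pinging 172.30.0.8 with 32 bytes of data:
Reply from 172.30.0.8: bytes=32 time<1ms TTL=128
Reply from 172.30.0.8: bytes=32 time<1ms TTL=128
"""

# Default initial TTLs of common IP stacks. These are the textbook defaults;
# an administrator can change them, so the result is a hint, not proof.
INITIAL_TTLS = {
    64: "Linux/Unix-like (incl. macOS)",
    128: "Windows",
    255: "Solaris/network device",
}

# Linux prints "ttl=64", Windows prints "TTL=128"; match both.
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def extract_ttls(ping_output: str) -> list:
    """Return the TTL of every echo-reply line in Linux or Windows ping output."""
    return [int(value) for value in TTL_RE.findall(ping_output)]


def guess_os_family(observed_ttl: int) -> tuple:
    """Map an observed TTL to (OS family guess, estimated router hops).

    Every router on the path decrements the TTL by one, so the observed value
    is rounded UP to the nearest default initial TTL; the difference is the
    hop count. A TTL of 126 is therefore read as Windows (128) two hops away.
    """
    if not 0 <= observed_ttl <= 255:
        raise ValueError(f"TTL {observed_ttl} is not a valid 8-bit value")
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return INITIAL_TTLS[initial], initial - observed_ttl
    raise AssertionError("unreachable: 255 is the largest initial TTL")


def classify(ping_output: str) -> dict:
    """Summarise one ping run: reply count, OS family guess and hop estimate."""
    ttls = extract_ttls(ping_output)
    if not ttls:
        return {"replies": 0, "guess": None, "hops": None}
    # All replies come from the same host, so the first TTL is representative;
    # a TTL that changes between replies would indicate a changing path.
    family, hops = guess_os_family(ttls[0])
    return {"replies": len(ttls), "guess": family, "hops": hops}


if __name__ == "__main__":
    for label, output in (("TargetUbuntu01", SAMPLE_PING_UBUNTU),
                          ("TargetWindows01", SAMPLE_PING_WINDOWS)):
        print(label, classify(output))
```

On the lab network both targets are on the scanner's own subnet, so the hop estimate is 0 and the TTLs are the raw defaults; across a router the same code still classifies 126 as Windows and 62 as Linux.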
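An added example, not from the lab or from Nmap itself: questions 5 to 7 are answered by reading the Zenmap report by eye, but the same information can be pulled from the XML report Nmap writes with -oX. The parser below lists each live host's open ports, OS matches and the NSE scripts that produced output, and counts the distinct script ids. The XML in SAMPLE_NMAP_XML is constructed for the example (fictitious products, MAC address and script output for two of the lab's addresses), not captured from the lab.

```python
import xml.etree.ElementTree as ET

# Constructed, minimal nmap -oX output for two of the lab's target addresses.
# It is NOT a real capture from the lab: the products, versions, MAC address and
# script outputs are made up to exercise the parser. Real nmap XML carries many
# more attributes, but the elements used below (host, status, address, ports,
# port, state, service, script, hostscript, os/osmatch) are the standard ones.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 172.30.0.0/24">
  <host>
    <status state="up"/>
    <address addr="172.30.0.4" addrtype="ipv4"/>
    <address addr="00:50:56:AA:BB:CC" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3p1"/>
        <script id="ssh-hostkey" output="1024 aa:bb:cc (DSA)"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.14"/>
        <script id="http-title" output="Site doesn't have a title"/>
        <script id="http-methods" output="GET HEAD POST OPTIONS"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed"/>
        <service name="telnet"/>
      </port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="96"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="172.30.0.8" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2008" accuracy="100"/></os>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows Server 2008"/>
      <script id="nbstat" output="NetBIOS name: TARGETWINDOWS01"/>
    </hostscript>
  </host>
  <host>
    <status state="down"/>
    <address addr="172.30.0.200" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def _service_label(port):
    """Join name/product/version of a <service> element into one string."""
    svc = port.find("service")
    if svc is None:
        return ""
    parts = (svc.get("name"), svc.get("product"), svc.get("version"))
    return " ".join(p for p in parts if p)


def parse_hosts(xml_text):
    """Return one dict per live host: addresses, open ports, OS guesses and
    the ids of every NSE script that produced output for that host."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts that did not answer host discovery
        ipv4 = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ipv4 = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        open_ports, scripts = [], set()
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            open_ports.append((int(port.get("portid")), port.get("protocol"),
                               _service_label(port)))
            scripts.update(s.get("id") for s in port.findall("script"))
        # Host-level scripts (smb-os-discovery, nbstat, ...) live under <hostscript>.
        scripts.update(s.get("id") for s in host.findall("hostscript/script"))
        os_guesses = [(m.get("name"), int(m.get("accuracy")))
                      for m in host.findall("os/osmatch")]
        hosts.append({"ip": ipv4, "mac": mac, "open_ports": sorted(open_ports),
                      "os": os_guesses, "scripts": scripts})
    return hosts


def all_script_ids(hosts):
    """Union of script ids across hosts: the number the scan report reflects."""
    ids = set()
    for h in hosts:
        ids |= h["scripts"]
    return ids


if __name__ == "__main__":
    found = parse_hosts(SAMPLE_NMAP_XML)
    for h in found:
        print(h["ip"], h["mac"], h["open_ports"], h["os"], sorted(h["scripts"]))
    print(len(all_script_ids(found)), "distinct scripts produced output")
```

Nmap only emits a <script> element when a script produced output, so the count is a lower bound on the scripts that actually ran, and the set depends on the Nmap version and on which services the scan found; that is why the "36 scripts" figure above is specific to this lab's targets.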
8. Describe what each of these tests or scripts performs within the Zenmap GUI (Nmap) scan report.
Below are the scripts with a description of each, derived from http://nmap.org/nsedoc/.

acarsd-info - Retrieves information from a listening acarsd daemon. Acarsd decodes ACARS (Aircraft Communication Addressing and Reporting System) data in real time. The information retrieved by this script includes the daemon version, API version, administrator e-mail address and listening frequency.
address-info - Shows extra information about IPv6 addresses, such as embedded MAC or IPv4 addresses when available.
afp-brute - Performs password guessing against Apple Filing Protocol (AFP).
afp-ls - Attempts to get useful information about files from AFP volumes. The output is intended to resemble the output of ls.
afp-path-vuln - Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.
afp-serverinfo - Shows AFP server information. This information includes the server's hostname, IPv4 and IPv6 addresses, and hardware type (for example Macmini or MacBookPro).
afp-showmount - Shows AFP shares and ACLs.
ajp-auth - Retrieves the authentication scheme and realm of an AJP service (Apache JServ Protocol) that requires authentication.
ajp-brute - Performs brute force password auditing against the Apache JServ Protocol. The Apache JServ Protocol is commonly used by web servers to communicate with back-end Java application server containers.
ajp-headers - Performs a HEAD or GET request against either the root directory or any optional directory of an Apache JServ Protocol server and returns the server response headers.
ajp-methods - Discovers which options are supported by the AJP (Apache JServ Protocol) server by sending an OPTIONS request and lists potentially risky methods.
ajp-request - Requests a URI over the Apache JServ Protocol and displays the result (or stores it in a file). Different AJP methods such as GET, HEAD, TRACE, PUT or DELETE may be used.
amqp-info - Gathers information (a list of all server properties) from an AMQP (Advanced Message Queuing Protocol) server.
asn-query - Maps IP addresses to autonomous system (AS) numbers.
auth-owners - Attempts to find the owner of an open TCP port by querying an auth daemon which must also be open on the target system. The auth service, also known as identd, normally runs on port 113.
auth-spoof - Checks for an identd (auth) server which is spoofing its replies.
backorifice-brute - Performs brute force password auditing against the BackOrifice service. The backorifice-brute.ports script argument is mandatory (it specifies ports to run the script against).
backorifice-info - Connects to a BackOrifice service and gathers information about the host and the BackOrifice service itself.
banner - A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.
bitcoin-getaddr - Queries a Bitcoin server for a list of known Bitcoin nodes.
bitcoin-info - Extracts version and node information from a Bitcoin server.
bitcoinrpc-info - Obtains information from a Bitcoin server by calling getinfo on its JSON-RPC interface.
bittorrent-discovery - Discovers BitTorrent peers sharing a file based on a user-supplied torrent file or magnet link. Peers implement the BitTorrent protocol and share the torrent, whereas the nodes (only shown if the include-nodes NSE argument is given) implement the DHT protocol and are used to track the peers. The sets of peers and nodes are not the same, but they usually intersect.
bjnp-discover - Retrieves printer or scanner information from a remote device supporting the BJNP protocol. The protocol is known to be supported by network-based Canon devices.
broadcast-ataoe-discover - Discovers servers supporting the ATA over Ethernet protocol. ATA over Ethernet is an Ethernet protocol developed by the Brantley Coile Company and allows for simple, high-performance access to SATA drives over Ethernet.
broadcast-avahi-dos - Attempts to discover hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is vulnerable to the Avahi NULL UDP packet denial of service (CVE-2011-1002).
broadcast-bjnp-discover - Attempts to discover Canon devices (printers/scanners) supporting the BJNP protocol by sending BJNP Discover requests to the network broadcast address for both ports associated with the protocol.
broadcast-db2-discover - Attempts to discover DB2 servers on the network by sending a broadcast request to port 523/udp.
broadcast-dhcp-discover - Sends a DHCP request to the broadcast address (255.255.255.255) and reports the results. The script uses a static MAC address (DE:AD:C0:DE:CA:FE) while doing so in order to prevent scope exhaustion.
broadcast-dhcp6-discover - Sends a DHCPv6 request (Solicit) to the DHCPv6 multicast address, parses the response, then extracts and prints the address along with any options returned by the server.
broadcast-dns-service-discovery - Attempts to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses.
broadcast-dropbox-listener - Listens for the LAN sync information broadcasts that the Dropbox.com client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more.
broadcast-eigrp-discovery - Performs network discovery and routing information gathering through Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP).
broadcast-igmp-discovery - Discovers targets that have IGMP multicast memberships and grabs interesting information.
broadcast-listener - Sniffs the network for incoming broadcast communication and attempts to decode the received packets. It supports protocols like CDP, HSRP, Spotify, Dropbox, DHCP, ARP and a few more. See packetdecoders.lua for more information.
broadcast-ms-sql-discover - Discovers Microsoft SQL servers in the same broadcast domain.
broadcast-netbios-master-browser - Attempts to discover master browsers and the domains they manage.
broadcast-networker-discover - Discovers EMC Networker backup software servers on a LAN by sending a network broadcast query.
broadcast-novell-locate - Attempts to use the Service Location Protocol to discover Novell NetWare Core Protocol (NCP) servers.
broadcast-pc-anywhere - Sends a special broadcast probe to discover PC-Anywhere hosts running on a LAN.
broadcast-pc-duo - Discovers PC-DUO remote control hosts and gateways running on a LAN by sending a special broadcast UDP probe.
broadcast-pim-discovery - Discovers routers that are running PIM (Protocol Independent Multicast).
broadcast-ping - Sends broadcast pings on a selected interface using raw Ethernet packets and outputs the responding hosts' IP and MAC addresses or (if requested) adds them as targets. Root privileges on UNIX are required to run this script since it uses raw sockets. Most operating systems don't respond to broadcast-ping probes, but they can be configured to do so.
broadcast-pppoe-discover - Discovers PPPoE (Point-to-Point Protocol over Ethernet) servers using the PPPoE Discovery protocol (PPPoED). PPPoE is an Ethernet-based protocol, so the script has to know which Ethernet interface to use for discovery. If no interface is specified, requests are sent out on all available interfaces.
broadcast-rip-discover - Discovers hosts and routing information from devices running RIPv2 on the LAN. It does so by sending a RIPv2 Request command and collecting the responses from all devices responding to the request.
broadcast-ripng-discover - Discovers hosts and routing information from devices running RIPng on the LAN by sending a broadcast RIPng Request command and collecting any responses.
broadcast-sybase-asa-discover - Discovers Sybase Anywhere servers on the LAN by sending broadcast discovery messages.
broadcast-tellstick-discover - Discovers Telldus Technologies TellStickNet devices on the LAN.
The Telldus TellStick is used to wirelessly control electrical devices such as lights, dimmers and electric outlets. For more information: http://www.telldus.com/
broadcast-upnp-info - Attempts to extract system information from the UPnP service by sending a multicast query, then collecting, parsing, and displaying all responses.
broadcast-versant-locate - Discovers Versant object databases using the broadcast srvloc protocol.
broadcast-wake-on-lan - Wakes a remote system up from sleep by sending a Wake-On-LAN packet.
broadcast-wpad-discover - Retrieves a list of proxy servers on a LAN using the Web Proxy Autodiscovery Protocol (WPAD). It implements both the DHCP and DNS methods of doing so and starts by querying DHCP to get the address. DHCP discovery requires nmap to be running in privileged mode and will be skipped when this is not the case. DNS discovery relies on the script being able to resolve the local domain, either through a script argument or by attempting to reverse-resolve the local IP.
broadcast-wsdd-discover - Uses a multicast query to discover devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later).
broadcast-xdmcp-discover - Discovers servers running the X Display Manager Control Protocol (XDMCP) by sending an XDMCP broadcast request to the LAN. Display managers allowing access are marked using the keyword Willing in the result.
cassandra-brute - Performs brute force password auditing against the Cassandra database.
cassandra-info - Attempts to get basic info and server status from a Cassandra database.
cccam-version - Detects the CCcam service (software for sharing subscription TV among multiple receivers).
citrix-brute-xml - Attempts to guess valid credentials for the Citrix PN Web Agent XML Service. The XML service authenticates against the local Windows server or the Active Directory.
citrix-enum-apps - Extracts a list of published applications from the ICA Browser service.
citrix-enum-apps-xml - Extracts a list of applications, ACLs, and settings from the Citrix XML service.
citrix-enum-servers - Extracts a list of Citrix servers from the ICA Browser service.
citrix-enum-servers-xml - Extracts the name of the server farm and member servers from the Citrix XML service.
couchdb-databases - Gets database tables from a CouchDB database.
couchdb-stats - Gets database statistics from a CouchDB database.
creds-summary - Lists all discovered credentials (e.g. from brute force and default password checking scripts) at the end of the scan.
cups-info - Lists printers managed by the CUPS printing service.
cups-queue-info - Lists currently queued print jobs of the remote CUPS service grouped by printer.
cvs-brute - Performs brute force password auditing against CVS pserver authentication.
cvs-brute-repository - Attempts to guess the name of the CVS repositories hosted on the remote server. With knowledge of the correct repository name, usernames and passwords can be guessed.
daap-get-library - Retrieves a list of music from a DAAP server. The list includes artist names and album and song titles.
daytime - Retrieves the day and time from the Daytime service.
db2-das-info - Connects to the IBM DB2 Administration Server (DAS) on TCP or UDP port 523 and exports the server profile. No authentication is required for this request.
db2-discover - Attempts to discover DB2 servers on the network by querying open ibm-db2 UDP ports (normally port 523).
dhcp-discover - Sends a DHCPINFORM request to a host on UDP port 67 to obtain all the local configuration parameters without allocating a new address.
dict-info - Connects to a dictionary server using the DICT protocol, runs the SHOW SERVER command, and displays the result. The DICT protocol is defined in RFC 2229 and allows a client to query a dictionary server for definitions from a set of natural language dictionary databases.
distcc-cve2004-2687 - Detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. The vulnerability was disclosed in 2002, but is still present in modern implementations due to poor configuration of the service.
dns-blacklist - Checks target IP addresses against multiple DNS anti-spam and open proxy blacklists and returns a list of services for which an IP has been flagged. Checks may be limited by service category (e.g. SPAM, PROXY) or to a specific service name.
dns-brute - Attempts to enumerate DNS hostnames by brute force guessing of common subdomains.
dns-cache-snoop - Performs DNS cache snooping against a DNS server.
dns-check-zone - Checks DNS zone configuration against best practices, including RFC 1912. The configuration checks are divided into categories which each run a number of different tests.
dns-client-subnet-scan - Performs a domain lookup using the edns-client-subnet option, which allows clients to specify the subnet that queries supposedly originate from. The script uses this option to supply a number of geographically distributed locations in an attempt to enumerate as many different address records as possible. The script also supports requests using a given subnet.
dns-fuzz - Launches a DNS fuzzing attack against DNS servers.
dns-ip6-arpa-scan - Performs a quick reverse DNS lookup of an IPv6 network using a technique which analyzes DNS server response codes to dramatically reduce the number of queries needed to enumerate large networks.
dns-nsec-enum - Enumerates DNS names using the DNSSEC NSEC-walking technique.
dns-nsec3-enum - Tries to enumerate domain names from a DNS server that supports DNSSEC NSEC3 records.
dns-nsid - Retrieves information from a DNS nameserver by requesting its nameserver ID (nsid) and asking for its id.server and version.bind values. This script performs the same queries as the following two dig commands: dig CH TXT bind.version @target and dig +nsid CH TXT id.server @target
dns-random-srcport - Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
dns-random-txid - Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
dns-recursion - Checks if a DNS server allows queries for third-party names. It is expected that recursion will be enabled on your own internal nameservers.
dns-service-discovery - Attempts to discover target hosts' services using the DNS Service Discovery protocol.
dns-srv-enum - Enumerates various common service (SRV) records for a given domain name. The service records contain the hostname, port and priority of servers for a given service. The following services are enumerated by the script: Active Directory Global Catalog, Exchange Autodiscovery, Kerberos KDC Service, Kerberos Passwd Change Service, LDAP Servers, SIP Servers, XMPP S2S, XMPP C2S.
dns-update - Attempts to perform a dynamic DNS update without authentication.
dns-zeustracker - Checks if the target IP range is part of a Zeus botnet by querying ZTDNS at abuse.ch. Please review the following information before you start to scan: https://zeustracker.abuse.ch/ztdns.php
dns-zone-transfer - Requests a zone transfer (AXFR) from a DNS server.
domcon-brute - Performs brute force password auditing against the Lotus Domino Console.
domcon-cmd - Runs a console command on the Lotus Domino Console using the given authentication credentials (see also domcon-brute).
domino-enum-users - Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability.
dpap-brute - Performs brute force password auditing against an iPhoto Library.
drda-brute - Performs password guessing against databases supporting the IBM DB2 protocol such as Informix, DB2 and Derby.
drda-info - Attempts to extract information from database servers supporting the DRDA protocol. The script sends a DRDA EXCSAT (exchange server attributes) command packet and parses the response.
duplicates - Attempts to discover multihomed systems by analysing and comparing information collected by other scripts. The information analyzed currently includes SSL certificates, SSH host keys, MAC addresses, and NetBIOS server names.
eap-info - Enumerates the authentication methods offered by an EAP (Extensible Authentication Protocol) authenticator for a given identity, or for the anonymous identity if no argument is passed.
epmd-info - Connects to the Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers.
eppc-enum-processes - Attempts to enumerate process info over the Apple Remote Event protocol. When accessing an application over the Apple Remote Event protocol the service responds with the uid and pid of the application, if it is running, prior to requesting authentication.
finger - Attempts to retrieve a list of usernames using the finger service.
firewalk - Tries to discover firewall rules using an IP TTL expiration technique known as firewalking.
firewall-bypass - Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as FTP and SIP.
flume-master-info - Retrieves information from Flume master HTTP pages.
ftp-anon - Checks if an FTP server allows anonymous logins.
ftp-bounce - Checks to see if an FTP server allows port scanning using the FTP bounce method.
ftp-brute - Performs brute force password auditing against FTP servers.
ftp-libopie - Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow), a vulnerability discovered by Maksymilian Arciemowicz and Adam "pi3" Zabrocki. See the advisory at http://nmap.org/r/fbsd-sa-opie. Be advised that, if launched against a vulnerable host, this script will crash the FTPd.
ftp-proftpd-backdoor - Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.
ftp-vsftpd-backdoor - Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.
ftp-vuln-cve2010-4221 - Checks for a stack-based buffer overflow in the ProFTPD server, versions between 1.3.2rc3 and 1.3.3b. By sending a large number of TELNET_IAC escape sequences, the proftpd process miscalculates the buffer length, and a remote attacker will be able to corrupt the stack and execute arbitrary code within the context of the proftpd process (CVE-2010-4221). Authentication is not required to exploit this vulnerability.
ganglia-info - Retrieves system information (OS version, available memory, etc.) from a listening Ganglia Monitoring Daemon or Ganglia Meta Daemon.
giop-info - Queries a CORBA naming server for a list of objects.
gkrellm-info - Queries a GKRellM service for monitoring information. A single round of collection is made, showing a snapshot of information at the time of the request.
gopher-ls - Lists files and directories at the root of a gopher service.
gpsd-info - Retrieves GPS time, coordinates and speed from the GPSD network daemon.
hadoop-datanode-info - Discovers information such as log directories from an Apache Hadoop DataNode HTTP status page.
hadoop-jobtracker-info - Retrieves information from an Apache Hadoop JobTracker HTTP status page.
hadoop-namenode-info - Retrieves information from an Apache Hadoop NameNode HTTP status page.
hadoop-secondary-namenode-info - Retrieves information from an Apache Hadoop secondary NameNode HTTP status page.
hadoop-tasktracker-info - Retrieves information from an Apache Hadoop TaskTracker HTTP status page.
hbase-master-info - Retrieves information from an Apache HBase (Hadoop database) master HTTP status page.
hbase-region-info - Retrieves information from an Apache HBase (Hadoop database) region server HTTP status page.
hddtemp-info - Reads hard disk information (such as brand, model, and sometimes temperature) from a listening hddtemp service.
hostmap-bfk - Discovers hostnames that resolve to the target's IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html.
hostmap-robtex - Discovers hostnames that resolve to the target's IP address by querying the online Robtex service at http://ip.robtex.com/.
http-affiliate-id - Grabs affiliate network IDs (e.g. Google AdSense or Analytics, Amazon Associates, etc.) from a web page. These can be used to identify pages with the same owner.
http-apache-negotiation - Checks if the target HTTP server has mod_negotiation enabled. This feature can be leveraged to find hidden resources and spider a web site using fewer requests.
http-auth - Retrieves the authentication scheme and realm of a web service that requires authentication.
http-auth-finder - Spiders a web site to find web pages requiring form-based or HTTP-based authentication. The results are returned in a table with each URL and the detected method.
http-awstatstotals-exec - Exploits a remote code execution vulnerability in AWStats Totals 1.0 up to 1.14 and possibly other products based on it (CVE-2008-3922).
http-axis2-dir-traversal - Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service, /conf/axis2.xml, using the path /axis2/services/ to return the username and password of the admin account.
http-backup-finder - Spiders a website and attempts to identify backup copies of discovered files. It does so by requesting a number of different combinations of the filename (e.g. index.bak, index.html~, copy of index.html).
http-barracuda-dir-traversal - Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at http://seclists.org/fulldisclosure/2010/Oct/119.
http-brute - Performs brute force password auditing against HTTP basic authentication.
http-cakephp-version - Obtains the CakePHP version of a web application built with the CakePHP framework by fingerprinting default files shipped with the CakePHP framework.
http-chrono - Measures the time a website takes to deliver a web page and returns the maximum, minimum and average time it took to fetch a page.
http-config-backup - Checks for backups and swap files of common content management system and web server configuration files.
http-cors - Tests an HTTP server for Cross-Origin Resource Sharing (CORS), a way for domains to explicitly opt in to having certain methods invoked by another domain.
http-date - Gets the date from HTTP-like services. Also prints how much the date differs from local time. Local time is the time the HTTP request was sent, so the difference includes at least the duration of one RTT.
http-default-accounts - Tests for access with default credentials used by a variety of web applications and devices.
http-domino-enum-passwords - Attempts to enumerate the hashed Domino Internet Passwords that are (by default) accessible by all authenticated users. This script can also download any Domino ID files attached to the Person document.
http-drupal-enum-users - Enumerates Drupal users by exploiting an information disclosure vulnerability in Views, Drupal's most popular module.
http-drupal-modules - Enumerates the installed Drupal modules by using a list of known modules.
http-email-harvest - Spiders a web site and collects e-mail addresses.
http-enum - Enumerates directories used by popular web applications and servers.
http-exif-spider - Spiders a site's images looking for interesting EXIF data embedded in .jpg files. Displays the make and model of the camera, the date the photo was taken, and the embedded geotag information.
http-favicon - Gets the favicon ("favorites icon") from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed.
http-form-brute - Performs brute force password auditing against HTTP form-based authentication.
http-form-fuzzer - Performs simple form fuzzing against forms found on websites. Tries strings and numbers of increasing length and attempts to determine if the fuzzing was successful.
http-frontpage-login - Checks whether target machines are vulnerable to anonymous FrontPage login.
http-generator - Displays the contents of the "generator" meta tag of a web page (default: /) if there is one.
http-git - Checks for a Git repository found in a website's document root (/.git/) and retrieves as much repo information as possible, including language/framework, remotes, last commit message, and repository description.
http-gitweb-projects-enum - Retrieves a list of Git projects, owners and descriptions from a gitweb (web interface to the Git revision control system).
http-google-malware - Checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.
http-grep: Spiders a website and attempts to match all pages and URLs against a given string. Matches are counted and sorted per URL under which they were discovered.
http-headers: Performs a HEAD request for the root folder ("/") of a web server and displays the HTTP headers returned.
http-huawei-hg5xx-vuln: Detects Huawei modem models HG530x, HG520x, HG510x (and possibly others) vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values.
http-icloud-findmyiphone: Retrieves the locations of all "Find my iPhone" enabled iOS devices by querying the MobileMe web service (authentication required).
http-icloud-sendmsg: Sends a message to an iOS device through the Apple MobileMe web service. The device has to be registered with an Apple ID using the Find My iPhone application.
http-iis-webdav-vuln: Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, http://nmap.org/r/ms09-020.
http-joomla-brute: Performs brute force password auditing against Joomla web CMS installations.
http-litespeed-sourcecode-download: Exploits a null-byte poisoning vulnerability in LiteSpeed Web Server 4.0.x before 4.0.15 to retrieve the target script's source code by sending an HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).
http-majordomo2-dir-traversal: Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files (CVE-2011-0049).
http-malware-host: Looks for signatures of known server compromises.
http-method-tamper: Attempts to bypass password protected resources (HTTP 401 status) by performing HTTP verb tampering.
If an array of paths to check is not set, it will crawl the web server and perform the check against any password protected resource that it finds.
http-methods: Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. Optionally tests each method individually to see if they are subject to e.g. IP address restrictions.
http-open-proxy: Checks if an HTTP proxy is open.
http-open-redirect: Spiders a website and attempts to identify open redirects. Open redirects are handlers which commonly take a URL as a parameter and respond with an HTTP redirect (3XX) to the target. Risks of open redirects are described at http://cwe.mitre.org/data/definitions/601.html.
http-passwd: Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.
http-php-version: Attempts to retrieve the PHP version from a web server. PHP has a number of magic queries that return images or text that can vary with the PHP version. This script uses the following queries: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 gets a GIF logo, which changes on April Fools' Day; /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 gets an HTML credits page.
http-phpself-xss: Crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable $_SERVER["PHP_SELF"].
http-proxy-brute: Performs brute force password guessing against HTTP proxy servers.
http-put: Uploads a local file to a remote web server using the HTTP PUT method. You must specify the filename and URL path with NSE arguments.
http-qnap-nas-info: Attempts to retrieve the model, firmware version, and enabled services from a QNAP Network Attached Storage (NAS) device.
http-rfi-spider: Crawls web servers in search of RFI (remote file inclusion) vulnerabilities. It tests every form field it finds and every parameter of a URL containing a query.
http-robots.txt: Checks for disallowed entries in /robots.txt on a web server.
http-robtex-reverse-ip: Obtains up to 100 forward DNS names for a target IP address by querying the Robtex service (http://www.robtex.com/ip/).
http-robtex-shared-ns: Finds up to 100 domain names which use the same name server as the target by querying the Robtex service at http://www.robtex.com/dns/.
http-sitemap-generator: Spiders a web server and displays its directory structure along with the number and types of files in each folder. Note that files listed as having an "Other" extension are ones that have no extension or that are a root document.
http-slowloris: Tests a web server for vulnerability to the Slowloris DoS attack by launching a Slowloris attack.
http-slowloris-check: Tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack.
http-sql-injection: Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. It also extracts forms from found websites and tries to identify fields that are vulnerable.
http-title: Shows the title of the default page of a web server.
http-tplink-dir-traversal: Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication.
http-trace: Sends an HTTP TRACE request and shows if the TRACE method is enabled. If debug is enabled, it returns the header fields that were modified in the response.
http-traceroute: Exploits the Max-Forwards HTTP header to detect the presence of reverse proxies.
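The two checks above, http-methods (OPTIONS, then flag risky verbs) and http-trace (is TRACE really enabled, not just advertised), reduce to a few HTTP exchanges. The following is an added example written for this page, not Nmap's own code: it runs the same logic against a mock server that is constructed here so the example runs offline. The risky-method list, the mock's Allow header and the X-Audit-Marker header name are this example's assumptions.

```python
"""Added example: an http-methods / http-trace style check (not Nmap code).
OPTIONS is sent and the Allow header parsed; if TRACE is advertised, a
marker header is sent in a TRACE request and the body is checked for it,
because advertised and enabled are not the same thing."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Verbs worth a second look when a server advertises them (example's own list).
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PATCH"}


class _MockHandler(BaseHTTPRequestHandler):
    """Constructed target: permissive Allow list and a reflecting TRACE."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, OPTIONS, TRACE, PUT")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_TRACE(self):
        # A server with TRACE enabled echoes the request back as message/http.
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_mock_server():
    """Bind the mock on an ephemeral loopback port; the caller shuts it down."""
    server = HTTPServer(("127.0.0.1", 0), _MockHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def parse_allow(header_value):
    """'get, Post ,TRACE' -> {'GET', 'POST', 'TRACE'}"""
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def _request(host, port, method, path, headers=None):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()


def audit_methods(host, port, path="/"):
    """Return advertised methods, the risky subset, and whether TRACE
    actually reflects request headers."""
    status, hdrs, _ = _request(host, port, "OPTIONS", path)
    allow = {k.lower(): v for k, v in hdrs.items()}.get("allow", "")
    allowed = parse_allow(allow)
    result = {
        "options_status": status,
        "allowed": sorted(allowed),
        "risky": sorted(allowed & RISKY_METHODS),
        "trace_reflected": False,
    }
    if "TRACE" in allowed:
        marker = "X-Audit-Marker"  # hypothetical header name chosen for the check
        st, _, body = _request(host, port, "TRACE", path, {marker: "nse-style-check"})
        result["trace_reflected"] = st == 200 and marker.encode() in body
    return result


if __name__ == "__main__":
    srv = start_mock_server()
    try:
        print(audit_methods("127.0.0.1", srv.server_port))
    finally:
        srv.shutdown()
```

Point the host and port at a real target to reproduce what the two scripts report; the marker-based TRACE confirmation is the part to keep, since some servers list TRACE in Allow but answer it with 405.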
http-unsafe-output-escaping: Spiders a website and attempts to identify output escaping problems where content is reflected back to the user. This script locates all parameters, ?x=foo&y=bar, and checks if the values are reflected on the page. If they are indeed reflected, the script will try to insert ghz>hzx"zxc'xcv and check which (if any) characters were reflected back onto the page without proper HTML escaping. This is an indication of potential XSS vulnerability.
http-userdir-enum: Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled.
http-vhosts: Searches for web virtual hostnames by making a large number of HEAD requests against HTTP servers using common hostnames.
http-virustotal: Checks whether a file has been determined as malware by VirusTotal. VirusTotal is a service that provides the capability to scan a file or check a checksum against a number of the major antivirus vendors. The script uses the public API, which requires a valid API key and has a limit of 4 queries per minute. A key can be acquired by registering as a user on the VirusTotal web page: http://www.virustotal.com
http-vlcstreamer-ls: Connects to a VLC Streamer helper service and lists directory contents. The VLC Streamer helper service is used by the iOS VLC Streamer application to enable streaming of multimedia content from the remote server to the device.
http-vmware-path-vuln: Checks for a path-traversal vulnerability in VMware ESX, ESXi, and Server (CVE-2009-3733).
http-vuln-cve2009-3960: Exploits CVE-2009-3960, also known as Adobe XML External Entity Injection.
http-vuln-cve2010-0738: Tests whether a JBoss target is vulnerable to JMX console authentication bypass (CVE-2010-0738).
http-vuln-cve2010-2861: Executes a directory traversal attack against a ColdFusion server and tries to grab the password hash for the administrator user.
It then uses the salt value (hidden in the web page) to create the SHA1 HMAC hash that the web server needs for authentication as admin. You can pass this value to the ColdFusion server as the admin without cracking the password hash.
http-vuln-cve2011-3192: Detects a denial of service vulnerability in the way the Apache web server handles requests for multiple overlapping/simple ranges of a page.
http-vuln-cve2011-3368: Tests for the CVE-2011-3368 (Reverse Proxy Bypass) vulnerability in Apache HTTP server's reverse proxy mode. The script will run 3 tests: the loopback test, with 3 payloads to handle different rewrite rules; the internal hosts test (according to Contextis, we expect a delay before a server error); and the external website test. This does not mean that you can reach a LAN IP, but this is a relevant issue anyway.
http-vuln-cve2012-1823: Detects PHP-CGI installations that are vulnerable to CVE-2012-1823. This critical vulnerability allows attackers to retrieve source code and execute code remotely.
http-waf-detect: Attempts to determine whether a web server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or WAF (Web Application Firewall) by probing the web server with malicious payloads and detecting changes in the response code and body.
http-waf-fingerprint: Tries to detect the presence of a web application firewall and its type and version.
http-wordpress-brute: Performs brute force password auditing against WordPress CMS/blog installations.
http-wordpress-enum: Enumerates usernames in WordPress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.
http-wordpress-plugins: Tries to obtain a list of installed WordPress plugins by brute force testing for known plugins.
iax2-brute: Performs brute force password auditing against the Asterisk IAX2 protocol. Guessing fails when a large number of attempts is made due to the maxcallnumber limit (default 2048). If you get "ERROR: Too many retries, aborted" after a while, this is most likely what is happening. In order to avoid this problem, try reducing the size of your dictionary, use the brute delay option to introduce a delay between guesses, or split the guessing up in chunks and wait for a while between them.
iax2-version: Detects the UDP IAX2 service.
icap-info: Tests a list of known ICAP service names and prints information about any it detects. The Internet Content Adaptation Protocol (ICAP) is used to extend transparent proxy servers and is generally used for content filtering and antivirus scanning.
ike-version: Gets information from an IKE service. Tests the service with both Main and Aggressive Mode. Sends multiple transforms per request, so currently only four packets are sent to the host.
imap-brute: Performs brute force password auditing against IMAP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication.
imap-capabilities: Retrieves IMAP email server capabilities.
informix-brute: Performs brute force password auditing against IBM Informix Dynamic Server.
informix-query: Runs a query against IBM Informix Dynamic Server using the given authentication credentials (see also informix-brute).
informix-tables: Retrieves a list of tables and column definitions for each database on an Informix server.
ip-forwarding: Detects whether the remote device has IP forwarding or "Internet connection sharing" enabled, by sending an ICMP echo request to a given target using the scanned host as default gateway.
ip-geolocation-geobytes: Tries to identify the physical location of an IP address using the Geobytes geolocation web service (http://www.geobytes.com/iplocator.htm). The limit of lookups using this service is 20 requests per hour. Once the limit is reached, an nmap.registry["ip-geolocation-geobytes"].blocked boolean is set so no further requests are made during a scan.
ip-geolocation-geoplugin: Tries to identify the physical location of an IP address using the Geoplugin geolocation web service (http://www.geoplugin.com/). There is no limit on lookups using this service.
ip-geolocation-ipinfodb: Tries to identify the physical location of an IP address using the IPInfoDB geolocation web service (http://ipinfodb.com/ip_location_api.php).
ip-geolocation-maxmind: Tries to identify the physical location of an IP address using a MaxMind geolocation database file (available from http://www.maxmind.com/app/ip-location). This script supports queries using all MaxMind databases that are supported by their API, including the commercial ones.
ipidseq: Classifies a host's IP ID sequence (test for susceptibility to idle scan).
ipv6-node-info: Obtains hostnames, IPv4 and IPv6 addresses through IPv6 Node Information Queries.
ipv6-ra-flood: Generates a flood of Router Advertisements (RA) with random source MAC addresses and IPv6 prefixes. Computers which have stateless autoconfiguration enabled by default (every major OS) will start to compute an IPv6 suffix and update their routing table to reflect the accepted announcement. This will cause 100% CPU usage on Windows and other affected platforms, preventing them from processing other application requests.
irc-botnet-channels: Checks an IRC server for channels that are commonly used by malicious botnets.
irc-brute: Performs brute force password auditing against IRC (Internet Relay Chat) servers.
irc-info: Gathers information from an IRC server.
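What ipidseq actually decides is whether the IP ID field in the host's outgoing packets is a simple shared counter, which is what an idle (zombie) scan needs. The following is an added example written for this page, not Nmap's ipidseq code: it classifies a sampled sequence of IP IDs with simplified thresholds of its own (increments of 1..5 count as incremental, a wrap-adjusted jump of 20000 or more counts as random), including the byte-swapped counter case some stacks exhibit. The sample sequences are constructed, not captured.

```python
"""Added example: classify an IP ID sequence in the spirit of ipidseq.
Thresholds, labels and samples are this example's own assumptions."""

MOD = 1 << 16  # IP ID is a 16-bit field, so differences wrap


def ipid_diffs(ipids):
    """Successive differences modulo 2^16."""
    return [(b - a) % MOD for a, b in zip(ipids, ipids[1:])]


def byteswap16(value):
    return ((value & 0xFF) << 8) | (value >> 8)


def classify_ipid_sequence(ipids, step_limit=5, random_limit=20000):
    """Label a sequence of IP IDs sampled by probing a host in quick succession."""
    if len(ipids) < 2:
        return "Unknown"
    if all(i == 0 for i in ipids):
        return "All zeros"
    diffs = ipid_diffs(ipids)
    if all(d == 0 for d in diffs):
        return "Constant"
    if all(1 <= d <= step_limit for d in diffs):
        return "Incremental"
    # Some stacks increment a host-order counter but emit it byte-swapped,
    # so the raw diffs look like multiples of 256.
    swapped = ipid_diffs([byteswap16(i) for i in ipids])
    if all(1 <= d <= step_limit for d in swapped):
        return "Broken little-endian incremental"
    if all(d < random_limit for d in diffs):
        return "Random positive increments"
    return "Randomized"


def usable_as_zombie(ipids):
    """Idle scan needs a predictable global counter; a busy or randomizing
    host gives no usable signal."""
    return classify_ipid_sequence(ipids) in {
        "Incremental", "Broken little-endian incremental"}


if __name__ == "__main__":
    samples = {  # constructed probe results
        "idle printer": [0x1A2B, 0x1A2C, 0x1A2D, 0x1A2E, 0x1A2F],
        "byte-swapped counter": [0x2B1A, 0x2C1A, 0x2D1A, 0x2E1A],
        "busy server": [1000, 4000, 9000, 12000, 12500],
        "randomized": [1000, 41000, 3000, 60000],
        "zeros": [0, 0, 0, 0],
    }
    for name, seq in samples.items():
        label = classify_ipid_sequence(seq)
        print(f"{name:22} {label:34} zombie={usable_as_zombie(seq)}")
```

A host classified as incremental is only a good zombie while it is otherwise quiet; any traffic it generates between your probes shifts the counter and corrupts the scan result.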
irc-sasl-brute: Performs brute force password auditing against IRC (Internet Relay Chat) servers supporting SASL authentication.
irc-unrealircd-backdoor: Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.
iscsi-brute: Performs brute force password auditing against iSCSI targets.
iscsi-info: Collects and displays information from remote iSCSI targets.
isns-info: Lists portals and iSCSI nodes registered with the Internet Storage Name Service (iSNS).
jdwp-exec: Attempts to exploit Java's remote debugging port. When the remote debugging port is left open, it is possible to inject Java bytecode and achieve remote code execution. This script abuses this to inject and execute a Java class file that executes the supplied shell command and returns its output.
jdwp-info: Attempts to exploit Java's remote debugging port. When the remote debugging port is left open, it is possible to inject Java bytecode and achieve remote code execution. This script injects and executes a Java class file that returns remote system information.
jdwp-inject: Attempts to exploit Java's remote debugging port. When the remote debugging port is left open, it is possible to inject Java bytecode and achieve remote code execution. This script allows injection of arbitrary class files.
jdwp-version: Detects the Java Debug Wire Protocol. This protocol is used by Java programs to be debugged via the network. It should not be open to the public Internet, as it does not provide any security against malicious attackers who can inject their own bytecode into the debugged process.
krb5-enum-users: Discovers valid usernames by brute force querying likely usernames against a Kerberos service.
When an invalid username is requested the server will respond using the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, allowing us to determine that the user name was invalid. Valid user names will elicit either the TGT in an AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, signaling that the user is required to perform pre-authentication.
ldap-brute: Attempts to brute-force LDAP authentication. By default it uses the built-in username and password lists. In order to use your own lists use the userdb and passdb script arguments.
ldap-novell-getpass: Universal Password enables advanced password policies, including extended characters in passwords, synchronization of passwords from eDirectory to other systems, and a single password for all access to eDirectory.
ldap-rootdse: Retrieves the LDAP root DSA-specific Entry (DSE).
ldap-search: Attempts to perform an LDAP search and returns all matches.
lexmark-config: Retrieves configuration information from a Lexmark S300-S400 printer.
llmnr-resolve: Resolves a hostname by using the LLMNR (Link-Local Multicast Name Resolution) protocol.
lltd-discovery: Uses the Microsoft LLTD protocol to discover hosts on a local network.
maxdb-info: Retrieves version and database information from a SAP MaxDB database.
mcafee-epo-agent: Checks if the ePO agent is running on port 8081 or the port identified as the ePO Agent port.
membase-brute: Performs brute force password auditing against Couchbase Membase servers.
membase-http-info: Retrieves information (hostname, OS, uptime, etc.) from the CouchBase Web Administration port. The information retrieved by this script does not require any credentials.
memcached-info: Retrieves information (including system architecture, process ID, and server time) from the distributed memory object caching system memcached.
metasploit-info: Gathers info from the Metasploit RPC service. It requires a valid login pair.
After authentication it tries to determine the Metasploit version and deduce the OS type. Then it creates a new console and executes a few commands to get additional info. References: http://wiki.msgpack.org/display/MSGPACK/Format+specification; https://community.rapid7.com/docs/DOC-1516 (Metasploit RPC API Guide).
metasploit-msgrpc-brute: Performs brute force username and password auditing against the Metasploit msgrpc interface.
metasploit-xmlrpc-brute: Performs brute force password auditing against a Metasploit RPC server using the XMLRPC protocol.
mmouse-brute: Performs brute force password auditing against RPA Tech Mobile Mouse servers.
mmouse-exec: Connects to an RPA Tech Mobile Mouse server, starts an application and sends a sequence of keys to it. Any application that the user has access to can be started, and the key sequence is sent to the application after it has been started.
modbus-discover: Enumerates SCADA Modbus slave ids (sids) and collects their device information.
mongodb-brute: Performs brute force password auditing against the MongoDB database.
mongodb-databases: Attempts to get a list of tables from a MongoDB database.
mongodb-info: Attempts to get build info and server status from a MongoDB database.
mrinfo: Queries targets for multicast routing information.
ms-sql-brute: Performs password guessing against Microsoft SQL Server (ms-sql). Works best in conjunction with the broadcast-ms-sql-discover script.
ms-sql-config: Queries Microsoft SQL Server (ms-sql) instances for a list of databases, linked servers, and configuration settings.
ms-sql-dac: Queries the Microsoft SQL Browser service for the DAC (Dedicated Admin Connection) port of a given (or all) SQL Server instance. The DAC port is used to connect to the database instance when normal connection attempts fail, for example when the server is hanging, out of memory or in other bad states.
In addition, the DAC port provides an admin with access to system objects otherwise not accessible over normal connections.
ms-sql-dump-hashes: Dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John the Ripper. In order to do so the user needs to have the appropriate DB privileges.
ms-sql-empty-password: Attempts to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.
ms-sql-hasdbaccess: Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has access to.
ms-sql-info: Attempts to determine configuration and version information for Microsoft SQL Server instances.
ms-sql-query: Runs a query against Microsoft SQL Server (ms-sql).
ms-sql-tables: Queries Microsoft SQL Server (ms-sql) for a list of tables per database.
ms-sql-xp-cmdshell: Attempts to run a command using the command shell of Microsoft SQL Server (ms-sql).
msrpc-enum: Queries an MSRPC endpoint mapper for a list of mapped services and displays the gathered information.
mtrace: Queries for the multicast path from a source to a destination host.
murmur-version: Detects the Murmur service (server for the Mumble voice communication client) version 1.2.0 and above.
mysql-audit: Audits MySQL database server security configuration against parts of the CIS MySQL v1.0.2 benchmark (the engine can be used for other MySQL audits by creating appropriate audit files).
mysql-brute: Performs password guessing against MySQL.
mysql-databases: Attempts to list all databases on a MySQL server.
mysql-dump-hashes: Dumps the password hashes from a MySQL server in a format suitable for cracking by tools such as John the Ripper. Appropriate DB privileges (root) are required.
mysql-empty-password: Checks for MySQL servers with an empty password for root or anonymous.
mysql-enum: Performs valid-user enumeration against a MySQL server.
mysql-info: Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.
mysql-query: Runs a query against a MySQL database and returns the results as a table.
mysql-users: Attempts to list all users on a MySQL server.
mysql-variables: Attempts to show all variables on a MySQL server.
mysql-vuln-cve2012-2122
nat-pmp-info: Gets the router's WAN IP using the NAT Port Mapping Protocol (NAT-PMP). The NAT-PMP protocol is supported by a broad range of routers including: Apple AirPort Express, Apple AirPort Extreme, Apple Time Capsule, DD-WRT, OpenWrt v8.09 or higher with the MiniUPnP daemon, pfSense v2.0, Tarifa firmware (Linksys WRT54G/GL/GS), Tomato firmware v1.24 or higher (Linksys WRT54G/GL/GS and many more), Peplink Balance.
nat-pmp-mapport: Maps a WAN port on the router to a local port on the client using the NAT Port Mapping Protocol (NAT-PMP). It supports the following operations: map (maps a new external port on the router to an internal port of the requesting IP), unmap (unmaps a previously mapped port for the requesting IP), and unmapall (unmaps all previously mapped ports for the requesting IP).
nbstat: Attempts to retrieve the target's NetBIOS names and MAC address.
ncp-enum-users: Retrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service.
ncp-serverinfo: Retrieves eDirectory server information (OS version, server name, mounts, etc.) from the Novell NetWare Core Protocol (NCP) service.
ndmp-fs-info: Lists remote file systems by querying the remote device using the Network Data Management Protocol (NDMP). NDMP is a protocol intended to transport data between a NAS device and the backup device, removing the need for the data to pass through the backup server.
The following products are known to support the protocol: Amanda, Bacula, CA ARCserve, CommVault Simpana, EMC NetWorker, Hitachi Data Systems, IBM Tivoli, Quest Software NetVault Backup, Symantec NetBackup, Symantec Backup Exec.
ndmp-version: Retrieves version information from the remote Network Data Management Protocol (NDMP) service. NDMP is a protocol intended to transport data between a NAS device and the backup device, removing the need for the data to pass through the backup server. The following products are known to support the protocol: Amanda, Bacula, CA ARCserve, CommVault Simpana, EMC NetWorker, Hitachi Data Systems, IBM Tivoli, Quest Software NetVault Backup, Symantec NetBackup, Symantec Backup Exec.
nessus-brute: Performs brute force password auditing against a Nessus vulnerability scanning daemon using the NTP 1.2 protocol.
nessus-xmlrpc-brute: Performs brute force password auditing against a Nessus vulnerability scanning daemon using the XMLRPC protocol.
netbus-auth-bypass: Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password.
netbus-brute: Performs brute force password auditing against the NetBus backdoor ("remote administration") service.
netbus-info: Opens a connection to a NetBus server and extracts information about the host and the NetBus service itself.
netbus-version: Extends version detection to detect NetBuster, a honeypot service that mimics NetBus.
nexpose-brute: Performs brute force password auditing against a Nexpose vulnerability scanner using the API 1.1. By default it only tries three guesses per username to avoid target account lockout.
nfs-ls: Attempts to get useful information about files from NFS exports. The output is intended to resemble the output of ls.
nfs-showmount: Shows NFS exports, like the showmount -e command.
nfs-statfs: Retrieves disk space statistics and information from a remote NFS share. The output is intended to resemble the output of df.
nping-brute: Performs brute force password auditing against an Nping Echo service.
nrpe-enum: Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such as load averages, process counts, logged in user information, etc.
ntp-info: Gets the time and configuration variables from an NTP server. We send two requests: a time request and a "read variables" (opcode 2) control message. Without verbosity, the script shows the time and the value of the version, processor, system, refid, and stratum variables. With verbosity, all variables are shown.
ntp-monlist: Obtains and prints an NTP server's monitor data.
omp2-brute: Performs brute force password auditing against the OpenVAS manager using OMPv2.
omp2-enum-targets: Attempts to retrieve the list of target systems and networks from an OpenVAS Manager server.
openlookup-info: Parses and displays the banner information of an OpenLookup (network key-value store) server.
openvas-otp-brute: Performs brute force password auditing against an OpenVAS vulnerability scanner daemon using the OTP 1.0 protocol.
oracle-brute: Performs brute force password auditing against Oracle servers.
oracle-brute-stealth: Exploits the CVE-2012-3137 vulnerability, a weakness in Oracle's O5LOGON authentication scheme. The vulnerability exists in Oracle 11g R1/R2 and allows linking the session key to a password hash. When initiating an authentication attempt as a valid user the server will respond with a session key and salt. Once received, the script will disconnect the connection, thereby not recording the login attempt. The session key and salt can then be used to brute force the user's password.
oracle-enum-users: Attempts to enumerate valid Oracle user names against unpatched Oracle 11g servers (this bug was fixed in Oracle's October 2009 Critical Patch Update).
oracle-sid-brute: Guesses Oracle instance/SID names against the TNS listener.
ovs-agent-version: Detects the version of an Oracle Virtual Server Agent by fingerprinting responses to an HTTP GET request and an XML-RPC method call.
p2p-conficker: Checks if a host is infected with Conficker.C or higher, based on Conficker's peer to peer communication.
path-mtu: Performs simple Path MTU Discovery to target hosts.
pcanywhere-brute: Performs brute force password auditing against the pcAnywhere remote access protocol.
pgsql-brute: Performs password guessing against PostgreSQL.
pjl-ready-message: Retrieves or sets the ready message on printers that support the Printer Job Language. This includes most PostScript printers that listen on port 9100. Without an argument, displays the current ready message. With the pjl_ready_message script argument, displays the old ready message and changes it to the message given.
pop3-brute: Tries to log into a POP3 account by guessing usernames and passwords.
pop3-capabilities: Retrieves POP3 email server capabilities.
pptp-version: Attempts to extract system information from the Point-to-Point Tunneling Protocol (PPTP) service.
qscan: Repeatedly probes open and/or closed ports on a host to obtain a series of round-trip time values for each port. These values are used to group collections of ports which are statistically different from other groups. Ports being in different groups (or "families") may be due to network mechanisms such as port forwarding to machines behind a NAT.
quake3-info: Extracts information from a Quake3 game server and other games which use the same protocol.
quake3-master-getservers: Queries Quake3-style master servers for game servers (many games other than Quake 3 use this same protocol).
rdp-enum-encryption: Determines which Security layer and Encryption level is supported by the RDP service. It does so by cycling through all existing protocols and ciphers. When run in debug mode, the script also returns the protocols and ciphers that fail and any errors that were reported.
rdp-vuln-ms12-020: Checks if a machine is vulnerable to the MS12-020 RDP vulnerability.
realvnc-auth-bypass: Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).
redis-brute: Performs brute force password auditing against a Redis key-value store.
redis-info: Retrieves information (such as version number and architecture) from a Redis key-value store.
resolveall: Resolves hostnames and adds every address (IPv4 or IPv6, depending on Nmap mode) to Nmap's target list. This differs from Nmap's normal host resolution process, which only scans the first address (A or AAAA record) returned for each host name.
reverse-index: Creates a reverse index at the end of scan output showing which hosts run a particular service. This is in addition to Nmap's normal output listing the services on each host.
rexec-brute: Performs brute force password auditing against the classic UNIX rexec (remote exec) service.
riak-http-info: Retrieves information (such as node name and architecture) from a Basho Riak distributed database using the HTTP protocol.
rlogin-brute: Performs brute force password auditing against the classic UNIX rlogin (remote login) service. This script must be run in privileged mode on UNIX because it must bind to a low source port number.
rmi-dumpregistry: Connects to a remote RMI registry and attempts to dump all of its objects.
rmi-vuln-classloader: Tests whether Java rmiregistry allows class loading. The default configuration of rmiregistry allows loading classes from remote URLs, which can lead to remote code execution. The vendor (Oracle/Sun) classifies this as a design feature.
rpc-grind: Fingerprints the target RPC port to extract the target service, RPC number and version.
rpcap-brute: Performs brute force password auditing against the WinPcap Remote Capture Daemon (rpcap).
rpcap-info: Connects to the rpcap service (provides remote sniffing capabilities through WinPcap) and retrieves interface information. The service can either be set up to require authentication or not, and also supports IP restrictions.
rpcinfo: Connects to portmapper and fetches a list of all registered programs. It then prints out a table including (for each program) the RPC program number, supported version numbers, port number and protocol, and program name.
rsync-brute: Performs brute force password auditing against the rsync remote file syncing protocol.
rsync-list-modules: Lists modules available for rsync (remote file sync) synchronization.
rtsp-methods: Determines which methods are supported by the RTSP (Real Time Streaming Protocol) server.
rtsp-url-brute: Attempts to enumerate RTSP media URLs by testing for common paths on devices such as surveillance IP cameras.
samba-vuln-cve-2012-1182: Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182.
servicetags: Attempts to extract system information (OS, hardware, etc.) from the Sun Service Tags service agent (UDP port 6481).
sip-brute: Performs brute force password auditing against Session Initiation Protocol (SIP, http://en.wikipedia.org/wiki/Session_Initiation_Protocol) accounts. This protocol is most commonly associated with VoIP sessions.
sip-call-spoof: Spoofs a call to a SIP phone and detects the action taken by the target (busy, declined, hung up, etc.).
sip-enum-users: Enumerates a SIP server's valid extensions (users).
sip-methods: Enumerates a SIP server's allowed methods (INVITE, OPTIONS, SUBSCRIBE, etc.).
skypev2-version: Detects the Skype version 2 service.
smb-brute Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. every(prenominal) attempt entrust be made to get a valid list of users and to insist each username in front real using them.When a username is discovered, besides being printed, it is also saved in the Nmap registry so other Nmap scripts can use it. That inwardness that if youre pass to run smb-brute. nse, you should run other smb scripts you want. This checks passwords in a case-insensitive way, determine case after a password is found, for Windows versions before perspective. smb-check-vulns Checks for vul nerabilities MS08-067, a Windows RPC vulnerability Conficker, an transmission by the Conficker pervert un set regsvc DoS, a denial-of-service vulnerability I out of the blue found in Windows 2000 SMBv2 exploit (CVE-2009-3103, Microsoft security system informative 75497) MS06-025, a Windows reticular activating system RPC service vulnerability MS07-029, a Windows Dns Server RPC service vulnerability smb-enum-domains Attempts to enumerate domains on a system, along with their policies. This primarily requires credentials, that against Windows 2000. In addition to the demonstrable domain, the Builtin domain is slackly displayed. Windows returns this in the list of domains, but its policies dont appear to be used anywhere. smb-enum-groups Obtains a list of groups from the remote Windows system, as well as a list of the groups users. This works similarly to enum. exe with the /G switch. smb-enum-processesPulls a list of processes from the remote server over SMB. This will determ ine all running processes, their process IDs, and their elevate processes. It is do by querying the remote registry service, which is handicapped by default on Vista on all other Windows versions, it requires decision maker privileges. smb-enum-sessions Enumerates the users logged into a system either locally or through an SMB share. 
The local users can be logged on either physically on the machine, or through a magnetic pole services session. Connections to a SMB share are, for example, citizenry committed to fileshares or making RPC calls.Nmaps connection will also show up, and is primarily identified by the one that connected 0 seconds ago. smb-enum-shares Attempts to list shares using the srvsvc. NetShareEnumAll MSRPC function and retrieve more information or so them using srvsvc. NetShareGetInfo. If access to those functions is denied, a list of common share names are checked. smb-enum-users Attempts to enumerate the users on a remote Windows system, with as much infor mation as possible, through two different techniques (both over MSRPC, which uses port 445 or 139 see smb. lua). The coating of this script is to iscover all user accounts that exist on a remote system. This can be cooperative for administration, by sightedness who has an account on a server, or for perspicacity interrogation or network footprinting, by find which accounts exist on a system. smb-flood Exhausts a remote SMB servers connection place by by gap as many connections as we can. more or less implementations of SMB have a hard spheric snare of 11 connections for user accounts and 10 connections for anonymous. Once that shape is reached, and connections are denied. This script exploits that limit by taking up all the connections and retentivity them. smb-lsAttempts to retrieve profitable information about files dual-lane on SMB volumes. The output is mean to resemble the output of the UNIX ls command. smb-mbenum Queries information managed by the Windows sup press Browser. smb-os-discovery Attempts to determine the direct system, computer name, domain, workgroup, and current time over the SMB protocol (ports 445 or 139). 
This is done by startle a session with the anonymous account (or with a proper user account, if one is given it possible doesnt make a difference) in response to a session starting, the server will send back all this information. smb-print-text