Nmap Development mailing list archives
New NSE Scripts
From: Fyodor <fyodor () insecure org>
Date: Fri, 14 Jan 2011 15:10:38 -0800
Hi folks. I've been reviewing our NSE scripts and the improvements since just the 5.35DC1 release last summer are dramatic. Users are going to be very excited about the upcoming release! We've added 46 scripts, bringing the total to 177 that you can find at http://nmap.org/nsedoc/!

But before we look at the scripts, let's take a moment to celebrate the authors! Particular credit goes to Patrik, who single-handedly wrote more than half of the new scripts. And Toni has certainly been on a roll for the last month! Here is a list of script authors and their new script counts:

25 Patrik Karlsson
 6 Toni Ruottu
 4 Mak Kolybabi
 3 Kris Katterjohn
 2 Henri Doreau
 2 Ron Bowes
 1 Martin Holst Swende
 1 Daniel Miller
 1 Carlos Pantelides
 1 Ange Gutek
 1 Alexander Rudakov
 1 Andrew Orr
 1 Russ Tait Milne

The total is more than 46 because broadcast-dropbox-listener has four authors--they wrote it during some sort of NSE party :). Of course we would have never gotten 46 new scripts integrated without all of David's work reviewing and in many cases improving them.

And with that out of the way, here is the list of new scripts for the upcoming release:

o broadcast-dns-service-discovery: Attempts to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses. [Patrik Karlsson]

o broadcast-dropbox-listener: Listens for the LAN sync information broadcasts that the Dropbox.com client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more. [Ron Bowes, Mak Kolybabi, Andrew Orr, Russ Tait Milne]

o broadcast-ms-sql-discover: Discovers Microsoft SQL servers in the same broadcast domain. [Patrik Karlsson]

o broadcast-upnp-info: Attempts to extract system information from the UPnP service by sending a multicast query, then collecting, parsing, and displaying all responses. [Patrik Karlsson]

o broadcast-wsdd-discover: Uses a multicast query to discover devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later). [Patrik Karlsson]

o db2-discover: Attempts to discover DB2 servers on the network by querying open ibm-db2 UDP ports (normally port 523). [Patrik Karlsson]

o dns-update.nse: Attempts to perform a dynamic DNS update without authentication. [Patrik Karlsson]

o domcon-brute: Performs brute force password auditing against the Lotus Domino Console. [Patrik Karlsson]

o domcon-cmd: Runs a console command on the Lotus Domino Console using the given authentication credentials (see also: domcon-brute). [Patrik Karlsson]

o domino-enum-users: Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability. [Patrik Karlsson]

o firewalk: Tries to discover firewall rules using an IP TTL expiration technique known as firewalking. [Henri Doreau]

o ftp-proftpd-backdoor: Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument. [Mak Kolybabi]

o giop-info: Queries a CORBA naming server for a list of objects. [Patrik Karlsson]

o gopher-ls: Lists files and directories at the root of a gopher service. [Toni Ruottu]

o hddtemp-info: Reads hard disk information (such as brand, model, and sometimes temperature) from a listening hddtemp service. [Toni Ruottu]

o hostmap: Tries to find hostnames that resolve to the target's IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html. [Ange Gutek]

o http-brute: Performs brute force password auditing against http basic authentication. [Patrik Karlsson]

o http-domino-enum-passwords: Attempts to enumerate the hashed Domino Internet Passwords that are accessible by all authenticated users by default. This script can also download any Domino ID Files attached to the Person document. [Patrik Karlsson]

o http-form-brute: Performs brute force password auditing against http form-based authentication. [Patrik Karlsson]

o http-vhosts: Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames. [Carlos Pantelides]

o informix-brute: Performs brute force password auditing against IBM Informix Dynamic Server. [Patrik Karlsson]

o informix-query: Runs a query against IBM Informix Dynamic Server using the given authentication credentials (see also: informix-brute). [Patrik Karlsson]

o informix-tables: Retrieves a list of tables and column definitions for each database on an Informix server. [Patrik Karlsson]

o iscsi-brute: Performs brute force password auditing against iSCSI targets. [Patrik Karlsson]

o iscsi-info: Collects and displays information from remote iSCSI targets. [Patrik Karlsson]

o modbus-discover: Enumerates SCADA Modbus slave ids (sids) and gets their device information. [Alexander Rudakov]

o nat-pmp-info: Queries a NAT-PMP service for its external address. [Patrik Karlsson]

o netbus-auth-bypass: Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows them to be fully accessed without knowing the password. [Toni Ruottu]

o netbus-brute: Performs brute force password auditing against the Netbus backdoor ("remote administration") service. [Toni Ruottu]

o netbus-info: Opens a connection to a NetBus server and extracts information about the host and the NetBus service itself. [Toni Ruottu]

o netbus-version: Extends version detection to detect NetBuster, a honeypot service that mimics NetBus. [Toni Ruottu]

o nrpe-enum: Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such as load averages, process counts, logged in user information, etc. [Mak Kolybabi]

o oracle-brute: Performs brute force password auditing against Oracle servers. [Patrik Karlsson]

o oracle-enum-users: Attempts to enumerate valid Oracle user names against Oracle 11g servers (this bug was fixed in Oracle's October 2009 Critical Patch Update). [Patrik Karlsson]

o path-mtu: Performs simple Path MTU Discovery to target hosts. [Kris Katterjohn]

o resolveall: Resolves hostnames and adds every address (IPv4 or IPv6, depending on Nmap mode) to Nmap's target list. This differs from Nmap's normal host resolution process, which only scans the first address (A or AAAA record) returned for each host name. [Kris Katterjohn]

o rmi-dumpregistry: Connects to a remote RMI registry and attempts to dump all its objects. [Martin Holst Swende]

o smb-flood: Exhausts the limit of SMB connections on a remote server by opening as many as we can. Most implementations of SMB have a hard global limit of 11 connections for user accounts and 10 connections for anonymous. Once that limit is reached, further connections are denied. This exploits that limit by taking up all the connections and holding them. [Ron Bowes]

o ssh2-enum-algos: Reports the number of algorithms (such as encryption, compression, etc.) that the target SSH2 server offers. If verbosity is set, then the offered algorithms are each listed by type. [Kris Katterjohn]

o stuxnet-detect: Detects whether a host is infected with the Stuxnet worm (http://en.wikipedia.org/wiki/Stuxnet). [Mak Kolybabi]

o svn-brute: Performs brute force password auditing against Subversion source code control servers. [Patrik Karlsson]

o targets-traceroute: Inserts traceroute hops into the Nmap scanning queue. It only functions if Nmap's --traceroute option is used and the newtargets script argument is given. [Henri Doreau]

o vnc-brute: Performs brute force password auditing against VNC servers. [Patrik Karlsson]

o vnc-info: Queries a VNC server for the protocol version and supported security types. [Patrik Karlsson]

o wdb-version: Detects vulnerabilities and gathers information (such as version numbers and hardware support) from a VxWorks Wind DeBug Agent. [Daniel Miller]

o wsdd-discover: Retrieves and displays information from devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later). [Patrik Karlsson]

Now I'm going to get back to working on the release CHANGELOG. But I thought this list of new scripts was impressive enough to be worth sending out on its own.

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
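The ssh2-enum-algos entry above describes listing, by type, the algorithms an SSH2 server offers. The server advertises them in its SSH_MSG_KEXINIT message (RFC 4253, section 7.1), which is exactly what a script like that has to parse. The following Python is an added example written for this archive page, not code from Nmap or from the script's author: it builds a constructed, unencrypted SSH binary packet carrying a KEXINIT payload, parses it back into the ten name-lists, counts the offers per type, and flags entries from an assumed, illustrative list of weak algorithms so a defender can audit a server's configuration. The cookie, the sample algorithm lists and the weak-algorithm set are all constructed for the example.

```python
import struct

SSH_MSG_KEXINIT = 20

# Order of the name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Illustrative audit list (an assumption for this example, not an Nmap list).
WEAK_ALGORITHMS = {
    "diffie-hellman-group1-sha1", "arcfour", "arcfour128", "arcfour256",
    "3des-cbc", "hmac-md5", "hmac-sha1-96",
}


def _name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit_packet(lists, cookie=b"\x00" * 16, block_size=8):
    """Wrap a KEXINIT payload in an unencrypted SSH binary packet (RFC 4253, section 6)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        payload += _name_list(lists.get(field, []))
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows=FALSE, reserved=0
    # Padding: at least 4 bytes, and the whole packet a multiple of the block size.
    padding_len = block_size - ((len(payload) + 5) % block_size)
    if padding_len < 4:
        padding_len += block_size
    packet_len = 1 + len(payload) + padding_len
    return struct.pack(">IB", packet_len, padding_len) + payload + b"\x00" * padding_len


def parse_kexinit(packet):
    """Return {field: [algorithm names]} from a raw KEXINIT packet; raise ValueError if malformed."""
    if len(packet) < 5:
        raise ValueError("truncated packet header")
    packet_len, padding_len = struct.unpack(">IB", packet[:5])
    if len(packet) < 4 + packet_len or padding_len + 1 > packet_len:
        raise ValueError("truncated or inconsistent packet body")
    payload = packet[5:4 + packet_len - padding_len]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off = 1 + 16  # skip message id and the 16-byte cookie
    result = {}
    for field in KEXINIT_FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length for %s" % field)
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list for %s" % field)
        raw = payload[off:off + n].decode("ascii")
        off += n
        result[field] = raw.split(",") if raw else []
    return result


def summarize(lists):
    """Count offers per list type and collect any names found in WEAK_ALGORITHMS."""
    counts = {field: len(names) for field, names in lists.items()}
    weak = sorted({n for names in lists.values() for n in names if n in WEAK_ALGORITHMS})
    return counts, weak


# Constructed sample of what a server might advertise (not a real capture).
SAMPLE_LISTS = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256",
                       "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-512"],
    "encryption_algorithms_client_to_server": ["aes256-gcm@openssh.com", "aes128-ctr", "arcfour"],
    "encryption_algorithms_server_to_client": ["aes256-gcm@openssh.com", "aes128-ctr", "arcfour"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256", "hmac-md5"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256", "hmac-md5"],
    "compression_algorithms_client_to_server": ["none", "zlib@openssh.com"],
    "compression_algorithms_server_to_client": ["none", "zlib@openssh.com"],
}
SAMPLE_PACKET = build_kexinit_packet(SAMPLE_LISTS)

if __name__ == "__main__":
    parsed = parse_kexinit(SAMPLE_PACKET)
    counts, weak = summarize(parsed)
    for field in KEXINIT_FIELDS:
        print("%-42s %d  %s" % (field, counts[field], ",".join(parsed[field])))
    print("weak algorithms offered:", ", ".join(weak) or "none")
```

The parser checks every length field against the remaining buffer before slicing, so a truncated or inconsistent packet raises ValueError instead of silently yielding partial lists; in an audit tool that distinction matters, because an empty list and an unparseable one mean different things.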