
nmap mapping

Script | Without NSE | Implemented where / Where to Go?
http-adobe-coldfusion-apsa1301.nse | http-adobe-coldfusion-apsa1301 | httpVulns
http-affiliate-id.nse | http-affiliate-id | webRecon (turned off)
http-apache-negotiation.nse | http-apache-negotiation | webRecon
http-apache-server-status.nse | http-apache-server-status | webRecon
http-aspnet-debug.nse | http-aspnet-debug | webRecon
http-auth-finder.nse | http-auth-finder | webRecon
http-auth.nse | http-auth | webRecon
http-avaya-ipoffice-users.nse | http-avaya-ipoffice-users | webRecon (turned off)
http-awstatstotals-exec.nse | http-awstatstotals-exec | httpVulns
http-axis2-dir-traversal.nse | http-axis2-dir-traversal | httpVulns
http-backup-finder.nse | http-backup-finder | webRecon
http-barracuda-dir-traversal.nse | http-barracuda-dir-traversal | httpVulns
http-bigip-cookie.nse | http-bigip-cookie | webRecon
http-brute.nse | http-brute | webRecon (turned off)
http-cakephp-version.nse | http-cakephp-version | webRecon
http-chrono.nse | http-chrono | webRecon (turned off)
http-cisco-anyconnect.nse | http-cisco-anyconnect | webRecon
http-coldfusion-subzero.nse | http-coldfusion-subzero | httpVulns
http-comments-displayer.nse | http-comments-displayer | webRecon
http-config-backup.nse | http-config-backup | webRecon
http-cookie-flags.nse | http-cookie-flags | webRecon
http-cors.nse | http-cors | webRecon
http-cross-domain-policy.nse | http-cross-domain-policy | webRecon
http-csrf.nse | http-csrf | httpVulns
http-date.nse | http-date | webRecon (turned off)
http-default-accounts.nse | http-default-accounts | webRecon
http-devframework.nse | http-devframework | webRecon (turned off)
http-dlink-backdoor.nse | http-dlink-backdoor | httpVulns (turned off)
http-dombased-xss.nse | http-dombased-xss | httpVulns
http-domino-enum-passwords.nse | http-domino-enum-passwords | httpVulns (turned off)
http-drupal-enum-users.nse | http-drupal-enum-users | httpVulns
http-drupal-enum.nse | http-drupal-enum | webRecon
http-enum.nse | http-enum | webRecon (turned off)
http-errors.nse | http-errors | webRecon (turned off)
http-exif-spider.nse | http-exif-spider | webRecon (turned off)
http-favicon.nse | http-favicon | webRecon
http-feed.nse | http-feed | webRecon (turned off)
http-fetch.nse | http-fetch | webRecon (turned off)
http-fileupload-exploiter.nse | http-fileupload-exploiter | webRecon (turned off)
http-form-brute.nse | http-form-brute | webRecon (turned off)
http-form-fuzzer.nse | http-form-fuzzer | webRecon (turned off)
http-frontpage-login.nse | http-frontpage-login | httpVulns
http-generator.nse | http-generator | webRecon
http-git.nse | http-git | webRecon
http-gitweb-projects-enum.nse | http-gitweb-projects-enum | webRecon (turned off)
http-google-malware.nse | http-google-malware | webRecon (turned off)
http-grep.nse | http-grep | webRecon
http-headers.nse | http-headers | webRecon
http-huawei-hg5xx-vuln.nse | http-huawei-hg5xx-vuln | httpVulns (turned off)
http-icloud-findmyiphone.nse | http-icloud-findmyiphone | webRecon (turned off)
http-icloud-sendmsg.nse | http-icloud-sendmsg | webRecon (turned off)
http-iis-short-name-brute.nse | http-iis-short-name-brute | httpVulns (turned off)
http-iis-webdav-vuln.nse | http-iis-webdav-vuln | httpVulns
http-internal-ip-disclosure.nse | http-internal-ip-disclosure | webRecon (turned off)
http-joomla-brute.nse | http-joomla-brute | webRecon (turned off)
http-jsonp-detection.nse | http-jsonp-detection | webRecon
http-litespeed-sourcecode-download.nse | http-litespeed-sourcecode-download | httpVulns
http-ls.nse | http-ls | webRecon
http-majordomo2-dir-traversal.nse | http-majordomo2-dir-traversal | httpVulns
http-malware-host.nse | http-malware-host | webRecon (turned off)
http-mcmp.nse | http-mcmp | webRecon
http-method-tamper.nse | http-method-tamper | webRecon
http-methods.nse | http-methods | webRecon
http-mobileversion-checker.nse | http-mobileversion-checker | webRecon
http-ntlm-info.nse | http-ntlm-info | webRecon
http-open-proxy.nse | http-open-proxy | webRecon (turned off)
http-open-redirect.nse | http-open-redirect | httpVulns
http-passwd.nse | http-passwd | webRecon
http-php-version.nse | http-php-version | webRecon
http-phpmyadmin-dir-traversal.nse | http-phpmyadmin-dir-traversal | httpVulns
http-phpself-xss.nse | http-phpself-xss | httpVulns (turned off)
http-proxy-brute.nse | http-proxy-brute | webRecon (turned off)
http-put.nse | http-put | webRecon (turned off)
http-qnap-nas-info.nse | http-qnap-nas-info | webRecon (turned off)
http-referer-checker.nse | http-referer-checker | webRecon (turned off)
http-rfi-spider.nse | http-rfi-spider | webRecon (turned off)
http-robots.txt.nse | http-robots.txt | webRecon
http-robtex-reverse-ip.nse | http-robtex-reverse-ip | webRecon (turned off)
http-robtex-shared-ns.nse | http-robtex-shared-ns | webRecon (turned off)
http-security-headers.nse | http-security-headers | webRecon (turned off)
http-server-header.nse | http-server-header | webRecon (turned off)
http-shellshock.nse | http-shellshock | httpVulns
http-sitemap-generator.nse | http-sitemap-generator | webRecon (turned off)
http-slowloris-check.nse | http-slowloris-check | httpVulns (turned off)
http-slowloris.nse | http-slowloris | httpVulns (turned off)
http-sql-injection.nse | http-sql-injection | httpVulns
http-stored-xss.nse | http-stored-xss | httpVulns (turned off)
http-svn-enum.nse | http-svn-enum | webRecon (turned off)
http-svn-info.nse | http-svn-info | webRecon (turned off)
http-title.nse | http-title | webRecon
http-tplink-dir-traversal.nse | http-tplink-dir-traversal | httpVulns (turned off)
http-trace.nse | http-trace | webRecon (turned off)
http-traceroute.nse | http-traceroute | webRecon
http-trane-info.nse | http-trane-info | webRecon (turned off)
http-unsafe-output-escaping.nse | http-unsafe-output-escaping | webRecon
http-useragent-tester.nse | http-useragent-tester | webRecon
http-userdir-enum.nse | http-userdir-enum | webRecon
http-vhosts.nse | http-vhosts | webRecon
http-virustotal.nse | http-virustotal | webRecon (turned off)
http-vlcstreamer-ls.nse | http-vlcstreamer-ls | webRecon
http-vmware-path-vuln.nse | http-vmware-path-vuln | httpVulns
http-vuln-cve2006-3392.nse | http-vuln-cve2006-3392 | httpVulns
http-vuln-cve2009-3960.nse | http-vuln-cve2009-3960 | httpVulns
http-vuln-cve2010-0738.nse | http-vuln-cve2010-0738 | httpVulns
http-vuln-cve2010-2861.nse | http-vuln-cve2010-2861 | httpVulns
http-vuln-cve2011-3192.nse | http-vuln-cve2011-3192 | httpVulns (turned off)
http-vuln-cve2011-3368.nse | http-vuln-cve2011-3368 | httpVulns
http-vuln-cve2012-1823.nse | http-vuln-cve2012-1823 | httpVulns
http-vuln-cve2013-0156.nse | http-vuln-cve2013-0156 | httpVulns
http-vuln-cve2013-6786.nse | http-vuln-cve2013-6786 | httpVulns (turned off)
http-vuln-cve2013-7091.nse | http-vuln-cve2013-7091 | httpVulns
http-vuln-cve2014-2126.nse | http-vuln-cve2014-2126 | httpVulns
http-vuln-cve2014-2127.nse | http-vuln-cve2014-2127 | httpVulns
http-vuln-cve2014-2128.nse | http-vuln-cve2014-2128 | httpVulns
http-vuln-cve2014-2129.nse | http-vuln-cve2014-2129 | httpVulns (turned off)
http-vuln-cve2014-3704.nse | http-vuln-cve2014-3704 | httpVulns
http-vuln-cve2014-8877.nse | http-vuln-cve2014-8877 | httpVulns
http-vuln-cve2015-1427.nse | http-vuln-cve2015-1427 | httpVulns
http-vuln-cve2015-1635.nse | http-vuln-cve2015-1635 | httpVulns
http-vuln-cve2017-1001000.nse | http-vuln-cve2017-1001000 | httpVulns
http-vuln-cve2017-5638.nse | http-vuln-cve2017-5638 | httpVulns
http-vuln-cve2017-5689.nse | http-vuln-cve2017-5689 | httpVulns
http-vuln-cve2017-8917.nse | http-vuln-cve2017-8917 | httpVulns
http-vuln-misfortune-cookie.nse | http-vuln-misfortune-cookie | httpVulns
http-vuln-wnr1000-creds.nse | http-vuln-wnr1000-creds | httpVulns
http-waf-detect.nse | http-waf-detect | webRecon
http-waf-fingerprint.nse | http-waf-fingerprint | webRecon
http-webdav-scan.nse | http-webdav-scan | webRecon
http-wordpress-brute.nse | http-wordpress-brute | webRecon (turned off)
http-wordpress-enum.nse | http-wordpress-enum | webRecon (turned off)
http-wordpress-users.nse | http-wordpress-users | webRecon (turned off)
http-xssed.nse | http-xssed | webRecon (turned off)
https-redirect.nse | https-redirect | webRecon (turned off)
nfs-ls.nse | nfs-ls | nfsRecon
nfs-showmount.nse | nfs-showmount | nfsRecon
nfs-statfs.nse | nfs-statfs | nfsRecon
ftp-anon.nse | ftp-anon | ftpRecon
ftp-bounce.nse | ftp-bounce | ftpRecon
ftp-brute.nse | ftp-brute | ftpRecon (turned off)
ftp-libopie.nse | ftp-libopie | ftpRecon (turned off)
ftp-proftpd-backdoor.nse | ftp-proftpd-backdoor | ftpRecon
ftp-syst.nse | ftp-syst | ftpRecon
ftp-vsftpd-backdoor.nse | ftp-vsftpd-backdoor | ftpRecon
ftp-vuln-cve2010-4221.nse | ftp-vuln-cve2010-4221 | ftpRecon
ms-sql-brute.nse | ms-sql-brute | mssqlrecon (turned off)
ms-sql-config.nse | ms-sql-config | mssqlrecon (turned off)
ms-sql-dac.nse | ms-sql-dac | mssqlrecon
ms-sql-dump-hashes.nse | ms-sql-dump-hashes | mssqlrecon
ms-sql-empty-password.nse | ms-sql-empty-password | mssqlrecon
ms-sql-hasdbaccess.nse | ms-sql-hasdbaccess | mssqlrecon (turned off)
ms-sql-info.nse | ms-sql-info | mssqlrecon
ms-sql-ntlm-info.nse | ms-sql-ntlm-info | mssqlrecon
ms-sql-query.nse | ms-sql-query | mssqlrecon (turned off)
ms-sql-tables.nse | ms-sql-tables | mssqlrecon (turned off)
ms-sql-xp-cmdshell.nse | ms-sql-xp-cmdshell | mssqlrecon (turned off)
mysql-audit.nse | mysql-audit | mysql (turned off)
mysql-brute.nse | mysql-brute | mysql (turned off)
mysql-databases.nse | mysql-databases | mysql
mysql-dump-hashes.nse | mysql-dump-hashes | mysql
mysql-empty-password.nse | mysql-empty-password | mysql
mysql-enum.nse | mysql-enum | mysql
mysql-info.nse | mysql-info | mysql
mysql-query.nse | mysql-query | mysql (turned off)
mysql-users.nse | mysql-users | mysql (turned off)
mysql-variables.nse | mysql-variables | mysql
mysql-vuln-cve2012-2122.nse | mysql-vuln-cve2012-2122 | mysql
rdp-enum-encryption.nse | rdp-enum-encryption | rdpRecon
rdp-vuln-ms12-020.nse | rdp-vuln-ms12-020 | rdpRecon
telnet-brute.nse | telnet-brute | telnetRecon (turned off)
telnet-encryption.nse | telnet-encryption | telnetRecon
telnet-ntlm-info.nse | telnet-ntlm-info | telnetRecon
ssh-auth-methods.nse | ssh-auth-methods | sshrecon
ssh-brute.nse | ssh-brute | sshrecon (turned off)
ssh-hostkey.nse | ssh-hostkey | sshrecon (turned off)
ssh-publickey-acceptance.nse | ssh-publickey-acceptance | sshrecon (turned off)
ssh-run.nse | ssh-run | sshrecon (turned off)
ssh2-enum-algos.nse | ssh2-enum-algos | sshrecon
sshv1.nse | sshv1 | sshrecon
snmp-brute.nse | snmp-brute | snmprecon (turned off)
snmp-hh3c-logins.nse | snmp-hh3c-logins | snmprecon
snmp-info.nse | snmp-info | snmprecon
snmp-interfaces.nse | snmp-interfaces | snmprecon (turned off)
snmp-ios-config.nse | snmp-ios-config | snmprecon
snmp-netstat.nse | snmp-netstat | snmprecon
snmp-processes.nse | snmp-processes | snmprecon
snmp-sysdescr.nse | snmp-sysdescr | snmprecon
snmp-win32-services.nse | snmp-win32-services | snmprecon
snmp-win32-shares.nse | snmp-win32-shares | snmprecon
snmp-win32-software.nse | snmp-win32-software | snmprecon
snmp-win32-users.nse | snmp-win32-users | snmprecon
smtp-brute.nse | smtp-brute | smtprecon (turned off)
smtp-commands.nse | smtp-commands | snmprecon
smtp-enum-users.nse | smtp-enum-users | snmprecon
smtp-ntlm-info.nse | smtp-ntlm-info | snmprecon
smtp-open-relay.nse | smtp-open-relay | smtprecon (turned off)
smtp-strangeport.nse | smtp-strangeport | smtprecon (turned off)
smtp-vuln-cve2010-4344.nse | smtp-vuln-cve2010-4344 | smtprecon (turned off)
smtp-vuln-cve2011-1720.nse | smtp-vuln-cve2011-1720 | smtprecon (turned off)
smtp-vuln-cve2011-1764.nse | smtp-vuln-cve2011-1764 | snmprecon
smb-brute.nse | smb-brute | smbrecon
smb-double-pulsar-backdoor.nse | smb-double-pulsar-backdoor | smbrecon
smb-enum-domains.nse | smb-enum-domains | smbrecon
smb-enum-groups.nse | smb-enum-groups | smbrecon
smb-enum-processes.nse | smb-enum-processes | smbrecon
smb-enum-services.nse | smb-enum-services | smbrecon (turned off)
smb-enum-sessions.nse | smb-enum-sessions | smbrecon
smb-enum-shares.nse | smb-enum-shares | smbrecon
smb-enum-users.nse | smb-enum-users | smbrecon
smb-flood.nse | smb-flood | smbrecon (turned off)
smb-ls.nse | smb-ls | smbrecon
smb-mbenum.nse | smb-mbenum | smbrecon (turned off)
smb-os-discovery.nse | smb-os-discovery | smbrecon
smb-print-text.nse | smb-print-text | smbrecon (turned off)
smb-protocols.nse | smb-protocols | smbrecon
smb-psexec.nse | smb-psexec | smbrecon (turned off)
smb-security-mode.nse | smb-security-mode | smbrecon
smb-server-stats.nse | smb-server-stats | smbrecon (turned off)
smb-system-info.nse | smb-system-info | smbrecon
smb-vuln-conficker.nse | smb-vuln-conficker | smbrecon (turned off)
smb-vuln-cve-2017-7494.nse | smb-vuln-cve-2017-7494 | smbrecon
smb-vuln-cve2009-3103.nse | smb-vuln-cve2009-3103 | smbrecon (turned off)
smb-vuln-ms06-025.nse | smb-vuln-ms06-025 | smbrecon (turned off)
smb-vuln-ms07-029.nse | smb-vuln-ms07-029 | smbrecon (turned off)
smb-vuln-ms08-067.nse | smb-vuln-ms08-067 | smbrecon (turned off)
smb-vuln-ms10-054.nse | smb-vuln-ms10-054 | smbrecon (turned off)
smb-vuln-ms10-061.nse | smb-vuln-ms10-061 | smbrecon
smb-vuln-ms17-010.nse | smb-vuln-ms17-010 | smbrecon
smb-vuln-regsvc-dos.nse | smb-vuln-regsvc-dos | smbrecon (turned off)
smb2-capabilities.nse | smb2-capabilities | smbrecon (turned off)
smb2-security-mode.nse | smb2-security-mode | smbrecon
smb2-time.nse | smb2-time | smbrecon (turned off)
smb2-vuln-uptime.nse | smb2-vuln-uptime | smbrecon
samba-vuln-cve-2012-1182.nse | samba-vuln-cve-2012-1182 | smbrecon
ldap-brute.nse | ldap-brute | ldaprecon (turned off)
ldap-novell-getpass.nse | ldap-novell-getpass | ldaprecon
ldap-rootdse.nse | ldap-rootdse | ldaprecon
ldap-search.nse | ldap-search | ldaprecon (turned off)
rpc-grind.nse | rpc-grind | rpcbindRecon (reconscan)
rpcap-brute.nse | rpcap-brute | rpcbindRecon (turned off) (reconscan)
rpcap-info.nse | rpcap-info | rpcbindRecon (turned off) (reconscan)
rpcinfo.nse | rpcinfo | rpcbindRecon (reconscan)
ajp-auth.nse | ajp-auth | jserverecon
ajp-brute.nse | ajp-brute | jserverecon (turned off)
ajp-headers.nse | ajp-headers | jserverecon
ajp-methods.nse | ajp-methods | jserverecon
ajp-request.nse | ajp-request | jserverecon
broadcast-ataoe-discover.nse | broadcast-ataoe-discover | Broadcast
broadcast-avahi-dos.nse | broadcast-avahi-dos | Broadcast (turned off)
broadcast-bjnp-discover.nse | broadcast-bjnp-discover | Broadcast
broadcast-db2-discover.nse | broadcast-db2-discover | Broadcast
broadcast-dhcp-discover.nse | broadcast-dhcp-discover | Broadcast
broadcast-dhcp6-discover.nse | broadcast-dhcp6-discover | Broadcast
broadcast-dns-service-discovery.nse | broadcast-dns-service-discovery | Broadcast
broadcast-dropbox-listener.nse | broadcast-dropbox-listener | Broadcast
broadcast-eigrp-discovery.nse | broadcast-eigrp-discovery | Broadcast
broadcast-hid-discoveryd.nse | broadcast-hid-discoveryd | Broadcast
broadcast-igmp-discovery.nse | broadcast-igmp-discovery | Broadcast
broadcast-jenkins-discover.nse | broadcast-jenkins-discover | Broadcast
broadcast-listener.nse | broadcast-listener | Broadcast
broadcast-ms-sql-discover.nse | broadcast-ms-sql-discover | Broadcast
broadcast-netbios-master-browser.nse | broadcast-netbios-master-browser | Broadcast
broadcast-networker-discover.nse | broadcast-networker-discover | Broadcast
broadcast-novell-locate.nse | broadcast-novell-locate | Broadcast
broadcast-ospf2-discover.nse | broadcast-ospf2-discover | Broadcast
broadcast-pc-anywhere.nse | broadcast-pc-anywhere | Broadcast
broadcast-pc-duo.nse | broadcast-pc-duo | Broadcast
broadcast-pim-discovery.nse | broadcast-pim-discovery | Broadcast
broadcast-ping.nse | broadcast-ping | Broadcast
broadcast-pppoe-discover.nse | broadcast-pppoe-discover | Broadcast
broadcast-rip-discover.nse | broadcast-rip-discover | Broadcast
broadcast-ripng-discover.nse | broadcast-ripng-discover | Broadcast
broadcast-sonicwall-discover.nse | broadcast-sonicwall-discover | Broadcast
broadcast-sybase-asa-discover.nse | broadcast-sybase-asa-discover | Broadcast
broadcast-tellstick-discover.nse | broadcast-tellstick-discover | Broadcast
broadcast-upnp-info.nse | broadcast-upnp-info | Broadcast
broadcast-versant-locate.nse | broadcast-versant-locate | Broadcast
broadcast-wake-on-lan.nse | broadcast-wake-on-lan | Broadcast
broadcast-wpad-discover.nse | broadcast-wpad-discover | Broadcast
broadcast-wsdd-discover.nse | broadcast-wsdd-discover | Broadcast
broadcast-xdmcp-discover.nse | broadcast-xdmcp-discover | Broadcast
url-snarf.nse | url-snarf | Broadcast
targets-sniffer.nse | targets-sniffer | Broadcast
lltd-discovery.nse | lltd-discovery | Broadcast
llmnr-resolve.nse | llmnr-resolve | Broadcast (turned off)
targets-asn.nse | targets-asn | aliverecon (turned off)
targets-ipv6-map4to6.nse | targets-ipv6-map4to6 | aliverecon (turned off)
targets-ipv6-multicast-echo.nse | targets-ipv6-multicast-echo | aliverecon
targets-ipv6-multicast-invalid-dst.nse | targets-ipv6-multicast-invalid-dst | aliverecon
targets-ipv6-multicast-mld.nse | targets-ipv6-multicast-mld | aliverecon
targets-ipv6-multicast-slaac.nse | targets-ipv6-multicast-slaac | aliverecon (turned off)
targets-ipv6-wordlist.nse | targets-ipv6-wordlist | aliverecon (turned off)
citrix-brute-xml.nse | citrix-brute-xml | Citrix (turned off)
citrix-enum-apps-xml.nse | citrix-enum-apps-xml | Citrix
citrix-enum-apps.nse | citrix-enum-apps | Citrix
citrix-enum-servers-xml.nse | citrix-enum-servers-xml | Citrix
citrix-enum-servers.nse | citrix-enum-servers | Citrix
dns-blacklist.nse | dns-blacklist | DNS (turned off)
dns-brute.nse | dns-brute | DNS (turned off)
dns-cache-snoop.nse | dns-cache-snoop | DNS
dns-check-zone.nse | dns-check-zone | DNS
dns-client-subnet-scan.nse | dns-client-subnet-scan | DNS (turned off)
dns-fuzz.nse | dns-fuzz | DNS (turned off)
dns-ip6-arpa-scan.nse | dns-ip6-arpa-scan | DNS
dns-nsec-enum.nse | dns-nsec-enum | DNS
dns-nsec3-enum.nse | dns-nsec3-enum | DNS
dns-nsid.nse | dns-nsid | DNS
dns-random-srcport.nse | dns-random-srcport | DNS
dns-random-txid.nse | dns-random-txid | DNS
dns-recursion.nse | dns-recursion | DNS
dns-service-discovery.nse | dns-service-discovery | DNS
dns-srv-enum.nse | dns-srv-enum | DNS
dns-update.nse | dns-update | DNS
dns-zeustracker.nse | dns-zeustracker | DNS (turned off)
dns-zone-transfer.nse | dns-zone-transfer | DNS
whois-domain.nse | whois-domain | DNS
jdwp-exec.nse | jdwp-exec | Java (turned off)
jdwp-info.nse | jdwp-info | Java
jdwp-inject.nse | jdwp-inject | Java (turned off)
jdwp-version.nse | jdwp-version | Java
mongodb-brute.nse | mongodb-brute | MongoDB (turned off)
mongodb-databases.nse | mongodb-databases | MongoDB
mongodb-info.nse | mongodb-info | MongoDB
oracle-brute-stealth.nse | oracle-brute-stealth | Oracle
oracle-brute.nse | oracle-brute | Oracle (turned off)
oracle-enum-users.nse | oracle-enum-users | Oracle
oracle-sid-brute.nse | oracle-sid-brute | Oracle
oracle-tns-version.nse | oracle-tns-version | Oracle
pop3-brute.nse | pop3-brute | pop3 (turned off)
pop3-capabilities.nse | pop3-capabilities | pop3
pop3-ntlm-info.nse | pop3-ntlm-info | pop3
vnc-brute.nse | vnc-brute | VNC (turned off)
vnc-info.nse | vnc-info | VNC
vnc-title.nse | vnc-title | VNC
ssl-ccs-injection.nse | ssl-ccs-injection | sslrecon (turned off)
ssl-cert-intaddr.nse | ssl-cert-intaddr | sslrecon
ssl-cert.nse | ssl-cert | sslrecon
ssl-date.nse | ssl-date | sslrecon (turned off)
ssl-dh-params.nse | ssl-dh-params | sslrecon (turned off)
ssl-enum-ciphers.nse | ssl-enum-ciphers | sslrecon (turned off)
ssl-heartbleed.nse | ssl-heartbleed | sslrecon
ssl-known-key.nse | ssl-known-key | sslrecon (turned off)
ssl-poodle.nse | ssl-poodle | sslrecon (turned off)
sslv2-drown.nse | sslv2-drown | sslrecon (turned off)
sslv2.nse | sslv2 | sslrecon (turned off)
sstp-discover.nse | sstp-discover | sslrecon (turned off)
afp-ls.nse | afp-ls | nfsRecon
afp-path-vuln.nse | afp-path-vuln | nfsRecon
afp-serverinfo.nse | afp-serverinfo | nfsRecon
afp-showmount.nse | afp-showmount | nfsRecon
tls-ticketbleed.nse | tls-ticketbleed | httpVulns
tls-nextprotoneg.nse | tls-nextprotoneg | webrecon
tls-alpn.nse | tls-alpn | webrecon
sip-brute.nse | sip-brute | siprecon
sip-call-spoof.nse | sip-call-spoof | siprecon
sip-enum-users.nse | sip-enum-users | siprecon (turned off)
sip-methods.nse | sip-methods | siprecon (turned off)
pop3-brute.nse | pop3-brute | smtprecon (turned off)
pop3-capabilities.nse | pop3-capabilities | smtprecon
pop3-ntlm-info.nse | pop3-ntlm-info | smtprecon
nbstat.nse | nbstat | smbrecon
krb5-enum-users.nse | krb5-enum-users | ??
tftp-enum.nse | tftp-enum | reconscan
hadoop-datanode-info.nse | hadoop-datanode-info | ??
hadoop-jobtracker-info.nse | hadoop-jobtracker-info | ??
hadoop-namenode-info.nse | hadoop-namenode-info | ??
hadoop-secondary-namenode-info.nse | hadoop-secondary-namenode-info | ??
hadoop-tasktracker-info.nse | hadoop-tasktracker-info | ??
firewalk.nse | firewalk | ??
Comment Block (script: Description / Notes)
#http-adobe-coldfusion-apsa1301: Exploit an auth bypass in Coldfusion
#http-affiliate-id: Grab affiliate network IDs (AdSense, analytics, amazon, etc)
#http-apache-negotiation: check for mod_negotiation. If GET index, does site return
#http-apache-server-status: attempt to retrieve server-status if mod_status is enabled
#http-aspnet-debug: Determines if an ASP.NET has debugging enabled using HTTP
#http-auth-finder: Spiders a site to find web pages requiring form-based or HTTP-bas
#http-auth: Retrieves the authentication scheme and realm of a web services that req
#http-avaya-ipoffice-users: Enumerate users in Avaya IP office systems
#http-awstatstotals-exec: Exploits RCE in Awstats Totals 1-1.14
#http-axis2-dir-traversal: Exploits a dirTrav vuln in Apache Axis2 version 1.4.1
#http-backup-finder: attempt to identify backup copies of discovered files (.bak, ~ file
#http-barracuda-dir-traversal: Attempts to retrieve conf from Barracuda Networks Spa
#http-bigip-cookie: Decodes unencrypted F5 BIG-IP cookies in HTTP responses
#http-brute: Brute against http basic, digest, and ntlm auth
#http-cakephp-version: Version CakePHP by detecting certain files
#http-chrono: Measure time it takes for website to deliver a page and returns statistic
#http-cisco-anyconnect: Connect as Cisco AnyConnect client to Cisco SSL VPN and
#http-coldfusion-subzero: Retrieve version, abs path of admin panel from vulnerable
#http-comments-displayer: Extract and output HTML and JavaScript comments from
#http-config-backup: checks for backups and swap files of common CMS and web co
#http-cookie-flags: Examines cookies and reports on flags and paths
#http-cors: tests for CORS by sending Access-Control-Request-Method headers
#http-cross-domain-policy: checks for /crossdomain.xml and /clientaccesspolicy.xml
#http-csrf: Detects CSRF (possibly unreliable)
#http-date: Gets date from services and prints diff
#http-default-accounts: test for access with default creds used by a variety of web ap
#http-devframework: attempt to spider and identify devframeworks (better tools to mo
#http-dlink-backdoor: Detects firmware backdoor on some D-Link routers via User-Ag
#http-dombased-xss: Looks where attacker-controlled info in DOM may be used to a
#http-domino-enum-passwords: Enum hashed Domino Internet Passwords (authenti
#http-drupal-enum-users: Enumerates Drupal users by exploiting information disclosu
#http-drupal-enum: Enum installed Drupal modules/themes by using a list of known m
#http-enum: Enumerates directories used by popular web applications and servers (a
#http-errors: Crawls and reports on error pages
#http-exif-spider: Spider images looking for ‘interesting’ exif data
#http-favicon: Gets the favicon, hashes it, and checks against known applications for
#http-feed: Crawls for RSS or atom feeds
#http-fetch: used to fetch files from servers
#http-fileupload-exploiter: tries 3 methods to exploit upload forms
#http-form-brute: Brute force pass against http form-based auth
#http-form-fuzzer: Fuzz fields in forms it detects (requires specific args/setup)
#http-frontpage-login: Checks whether target machines are vuln to anonymous Front
#http-generator: Displays contents of the “generator” meta tag of a web page if it exis
#http-git: check for .git and retrieve as much repo information as possible
#http-gitweb-projects-enum: Retrieves a list of Git projects, owners, and descriptions
#http-google-malware: Checks if hosts are on Google’s blacklist
#http-grep: spider and attempt to match pages/urls against a given string. Search for
#http-headers: Performs a HEAD request and displays headers
#http-huawei-hg5xx-vuln: Detects Huawei modem models vulnerable to information d
#http-icloud-findmyiphone: Retrieves locations of all “find my iphone” enabled iOS de
#http-icloud-sendmsg: Sends message to iOS through MobileMe
#http-iis-short-name-brute: (DoS) brute force short names of files and dirs in the root
#http-iis-webdav-vuln: IIS vuln 5.1/6.0 access to secured WebDAV folders
#http-internal-ip-disclosure: send HTTP/1.0 request without host header to see if web
#http-joomla-brute: Joomla auth brute
#http-jsonp-detection: Attempt to discover JSONP endpoints (possible use for bypas
#http-litespeed-sourcecode-download: Exploits null-byte poisoning in Litespeed 4-4.0
#http-ls: shows content of an "index" page
#http-majordomo2-dir-traversal: Exploits dirTrav in Majordomo2
#http-malware-host: Looks for signature of known server compromises (attempts to d
#http-mcmp: Checks if server allows mod_cluster management protocol (MCMP) me
#http-method-tamper: Attempt to verb tamper to access protected resources
#http-methods: find what options are supported by a server by sending OPTIONS re
#http-mobileversion-checker: check to see if a mobile UA will redirect to a mobile spe
#http-ntlm-info: sends HTTP NTLM auth request with null domain and user, obtain N
#http-open-proxy: Attempt to connect to google through the proxy
#http-open-redirect: Spiders and attempts to identify open redirects
#http-passwd: check if vuln to dir traversal
#http-php-version: Attempts to retrieve PHP version through use of Magic Queries
#http-phpmyadmin-dir-traversal: Exploits dirTrav in phpMyAdmin 2.6.4
#http-phpself-xss: Crawls for php and tests XSS via $_SERVER[“PHP_SELF”]
#http-proxy-brute: Brute against HTTP proxy servers
#http-put: Upload local file using HTTP PUT
#http-qnap-nas-info: Retrieve model, firmware, and enabled services from a QNAP N
#http-referer-checker: Spiders and informs about cross-domain include of scripts
#http-rfi-spider: crawls for RFI vulns. tests every form field and every param in URL (
#http-robots.txt: checks for disallowed entries in robots.txt
#http-robtex-reverse-ip: Obtains up to 100 forward DNS for target IP by querying Rob
#http-robtex-shared-ns: Obtains up to 100 domain names which use same name ser
#http-security-headers: checks headers for security related headers (headers could b
#http-server-header: HTTP server header for missing version info (infeasible with ver
#http-shellshock: Attempt to exploit CVE-2014-6271 and CVE-2014-7169 Shellshock
#http-sitemap-generator: spider site and display dir structure with number and types
#http-slowloris-check: (DoS) Checks if vulnerable to Slowloris
#http-slowloris: (DoS) Execute a slowloris attack
#http-sql-injection: Very basic attempt to show SQL errors in forms.
#http-stored-xss: Spiders forms, posts, and searches for stored XSS
#http-svn-enum: Enum users of Subversion repo by examining logs of recent commit
#http-svn-info: Requests information from subversion repo
#http-title: Shows the title of the default page of a web server
#http-tplink-dir-traversal: Exploit dirTrav in TP-Link wireless routers
#http-trace: Identifies if TRACE is enabled
#http-traceroute: Detect the presence of reverse proxies
#http-trane-info: Obtain info from HVAC equipment controllers
#http-unsafe-output-escaping: fuzz parameters and checks to see if they are reflecte
#http-useragent-tester: test for various tool UA headers to see if they are allowed or
#http-userdir-enum: attempt to enum valid usernames on servers running mod_userd
#http-vhosts: search for web virtual hostnames by sending HEAD requests
#http-virustotal: Checks whether file has been determined as malware by Virustotal
#http-vlcstreamer-ls: Connects to a VLC Streamer helper service and lists dir conten
#http-vmware-path-vuln: Checks for dirTrav in VMWare ESX, ESXi, and Server (200
#http-vuln-cve2006-3392: Webmin before 1.290 and Usermin before 1.220 file disclo
#http-vuln-cve2009-3960: Adobe XML External Entity Injection. Read local files in Bla
#http-vuln-cve2010-0738: JBoss target is vulnerable to JMX console auth bypass via
#http-vuln-cve2010-2861: Dir trav against ColdFusion to grab password hash for adm
#http-vuln-cve2011-3192: Denial of service against Apache handling multiple overlap
#http-vuln-cve2011-3368: Reverse Proxy Bypass vuln in Apache. Loopback test, inte
#http-vuln-cve2012-1823: PHP-CGI installations that are vuln to this cve. Retrieve so
#http-vuln-cve2013-0156: Ruby on Rails object injection, remote command exec, and
#http-vuln-cve2013-6786: URL redirection and reflected XSS vuln in Allegro RomPager
#http-vuln-cve2013-7091: Zimbra 7.2.6 local file inclusion
#http-vuln-cve2014-2126: Cisco ASA ASDM Priv Esc
#http-vuln-cve2014-2127: Cisco ASA ASDM Priv Esc
#http-vuln-cve2014-2128: Cisco ASA SSL VPN Auth bypass
#http-vuln-cve2014-2129: Cisco ASA DoS
#http-vuln-cve2014-3704: Drupalgeddon < 7.32, injects new admin and attempt to lo
#http-vuln-cve2014-8877: Wordpress CM Download Manager plugin <= 2.0.0 remote
#http-vuln-cve2015-1427: Elasticsearch 1.3.0-1.3.7 1.4.0-1.4.2 RCE in groovy
#http-vuln-cve2015-1635: RCE in Windows Systems. HTTP request with no impact o
#http-vuln-cve2017-1001000: Wordpress 4.7.0 4.7.1 priv esc
#http-vuln-cve2017-5638: Apache Struts RCE
#http-vuln-cve2017-5689: Intel AMT priv esc
#http-vuln-cve2017-8917: Joomla 3.7 - 3.7.1 SQLi
#http-vuln-misfortune-cookie: RomPager 4.07 Misfortune Cookie RCE
#http-vuln-wnr1000-creds: WNR admin creds 1.0.260_60-0.86 and 1.0.2.54_60.0.82
#http-waf-detect: attempt to detect IPS/IDS/WAF. args: aggro,uri,detectBodyChange
#http-waf-fingerprint: attempt to fingerprint WAF if exists. args: intensive=1
#http-webdav-scan: detect WebDAV installations using OPTIONS and PROPFIND methods
#http-wordpress-brute: Brute wordpress auth
#http-wordpress-enum: Brute wordpress themes/plugins
#http-wordpress-users: Enum wordpress users
#http-xssed: Searches xssed.com database and outputs results
#https-redirect: Checks for HTTP redirects to HTTPS on same port
#nfs-ls: Attempts to get useful info about files from NFS Exports
#nfs-showmount: Show NFS exports like 'showmount -e'
#nfs-statfs: Retrieves disk space from NFS like 'df'
#ftp-anon: checks if FTP server allows anonymous logins, if so, get a dir listing
#ftp-bounce: checks if FTP server allows port scanning using the FTP bounce method
#ftp-brute: perform brute force against FTP
#ftp-libopie: check for CVE-2010-1938, WARNING will crash if vulnerable, better to m
#ftp-proftpd-backdoor: check for ProFTPD 1.3.3c backdoor, OSVDB-ID 69562. If vuln
#ftp-syst: sends SYST and STAT commands and returns result. SYST asks for OS in
#ftp-vsftpd-backdoor: check for vsFTPd 2.3.4 backdoor CVE-2011-2523, send a :) an
#ftp-vuln-cve2010-4221: Check for stack-based buffer overflow in ProFTPD server bet
#ms-sql-brute: brute
#ms-sql-config: queries for databases, linked servers, settings. auth required.
#ms-sql-dac: queries for the DAC (admin) port of an instance
#ms-sql-dump-hashes: dump hashes in format for john. requires admin.
#ms-sql-empty-password: attempts to auth using empty password for the 'sa' account
#ms-sql-hasdbaccess: queries for list of databases a user has access to. auth required
#ms-sql-info: query browser server (UDP 1434) for info. no auth required.
#ms-sql-ntlm-info: enum info from services with NTLM auth enabled
#ms-sql-query: runs a query against server. auth required.
#ms-sql-tables: queries for a list of tables per database. auth required.
#ms-sql-xp-cmdshell: runs a command. requires admin. args 'username''password''c
#mysql-audit: audit security config against parts of CIS MySQL 1.0.2 benchmark --sc
#mysql-brute: brute guess against mySQL, seems beneficial to let nmap brute instea
#mysql-databases: attempts to list databases. args mysqluser,mysqlpass. will use em
#mysql-dump-hashes: dumps hashes for John. requires root. args username,passwo
#mysql-empty-password: checks for Mysql servers with an empty password for 'root'
#mysql-enum: performs user enum using a bug. 5.x are susceptible when using old a
#mysql-info: connects and prints proto, version, thread, status, capabilities, password
#mysql-query: runs a query and returns the table args 'query''username''password'
#mysql-users: List all users (requires auth)
#mysql-variables: attempt to show variables on a server. requires auth. will use empt
#mysql-vuln-cve2012-2122: auth bypass in versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.2
#rdp-enum-encryption: determines which Security layer and Encryption level is suppo
#rdp-vuln-ms12-020: checks for CVE-2012-0002 by checking for CVE-2012-0152 (D
#telnet-brute: brute-force password auditing
#telnet-encryption: determines whether encryption is supported. Some implement inc
#telnet-ntlm-info: enum information from Microsoft Telnet with NTLM auth enabled.
#ssh-auth-methods: Returns authentication methods that the SSH server supports
#ssh-brute: Brute-force login against ssh servers
#ssh-hostkey: Shows target's key fingerprint and (with high verbosity) the public key
#ssh-publickey-acceptance: Brute-force with private keys, passphrases, and usernam
#ssh-run: runs a remote command on the ssh server and returns the command outpu
#ssh2-enum-algos: reports number of algorithms that the server offers.
#sshv1: Check if server supports obsolete less secure SSH Protocol Version 1
#snmp-brute: Attempt to find community string by brute force guessing. default w
#snmp-hh3c-logins: Attempts to enum Huawei / HP/H3c Locally defined users throug
#snmp-info: extract basic information from SNMPv3 GET request
#snmp-interfaces: attempts to enum network interfaces through SNMP. snmp-interfaces.h
#snmp-ios-config: attempt to download CISCO router IOS config files using SNMP R
#snmp-netstat: attempt to query for netstat like output. Can be used to identify and a
#snmp-processes: attempt to enumerate running processes through SNMP
#snmp-sysdescr: attempt to extract system information from SNMP v1 service
#snmp-win32-services: attempt to enumerate windows services through SNMP
#snmp-win32-shares: attempt to enumerate windows shares through SNMP
#snmp-win32-software: attempt to enumerate installed software through SNMP
#snmp-win32-users: attempt to enumerate windows users accounts through SNMP
#smtp-brute: Brute force login/plain/cram-md5/digest-md5/NTLM
#smtp-commands: attempts to use EHLO and HELP to gather Extended commands supported by a server [--script-args smtp-commands.domain=<domain>]
#smtp-enum-users: attempt to enumerate users by using VRFY, EXPN, or RCPT TO
#smtp-ntlm-info: enumerate servers that allow NTLM auth. Sending NULL NTLM will
#smtp-open-relay: attempt to relay mail by issuing combination of SMTP commands.
#smtp-strangeport: check if SMTP is running on non-standard port.
#smtp-vuln-cve2010-4344: check for Heap overflow within versions of EXIM prior to 4
#smtp-vuln-cve2011-1720: check for memory corruption in Postfix server when using
#smtp-vuln-cve2011-1764: check for format string vuln in Exim 4.70-4.75 with DKIM
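The ms-sql-*, mysql-* and smtp-commands entries above take credentials and other values through --script-args, and several of them need values (a password with a comma, a command with a space) that nmap will not accept unquoted. The following is an added example, not part of the cheat sheet and not NSE code: a Python helper that serializes name=value pairs using nmap's documented rules (comma-separated pairs; a value containing whitespace, ',', '=', '{', '}' or a quote must be quoted; inside quotes a backslash escapes the quote), parses the string back to verify the quoting, and writes the same string to a mode-0600 file for --script-args-file so the password does not appear in `ps` output or shell history. The argument names mssql.username, mssql.password, ms-sql-xp-cmdshell.cmd and smtp-commands.domain are the real NSE names; the host and the credentials are made up.

```python
"""Build, verify and file nmap --script-args for the authenticated NSE scripts.

Added example; not part of the original cheat sheet and not the scripts' code.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Characters that force quoting under nmap's --script-args grammar.
SPECIAL = set(' \t{}=,"\'')
ARG_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def quote_value(value: str) -> str:
    """Quote a value only when nmap's parser needs it; escape embedded double quotes."""
    if value and not (SPECIAL & set(value)):
        return value
    return '"' + value.replace('"', '\\"') + '"'


def build_script_args(args: Dict[str, str]) -> str:
    """Serialize {name: value} into one --script-args string (insertion order kept)."""
    parts = []
    for name, value in args.items():
        if not ARG_NAME_RE.match(name):
            raise ValueError(f"bad script-arg name: {name!r}")
        parts.append(f"{name}={quote_value(value)}")
    return ",".join(parts)


def parse_script_args(text: str) -> Dict[str, str]:
    """Inverse of build_script_args for flat (non-table) args; used to check the quoting."""
    out: Dict[str, str] = {}
    i, n = 0, len(text)
    while i < n:
        eq = text.index("=", i)
        name, i = text[i:eq], eq + 1
        if i < n and text[i] in "\"'":
            q, i, buf = text[i], i + 1, []
            while i < n and text[i] != q:
                if text[i] == "\\" and i + 1 < n and text[i + 1] == q:
                    i += 1  # backslash escapes the active quote character only
                buf.append(text[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted value")
            value, i = "".join(buf), i + 1
        else:
            end = text.find(",", i)
            end = n if end == -1 else end
            value, i = text[i:end], end
        out[name] = value
        if i < n and text[i] == ",":
            i += 1
    return out


def write_args_file(args: Dict[str, str], directory: str) -> str:
    """Write the args string to a 0600 file for --script-args-file; returns the path."""
    path = os.path.join(directory, "nse-args")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(build_script_args(args))
    return path


def round_trip_via_file(args: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Write, read back and parse the file; return (parsed args, file permission bits)."""
    with tempfile.TemporaryDirectory() as d:
        path = write_args_file(args, d)
        with open(path) as fh:
            parsed = parse_script_args(fh.read())
        mode = os.stat(path).st_mode & 0o777
    return parsed, mode


def nmap_argv(target: str, ports: str, scripts: str, args_file: str) -> List[str]:
    """argv that keeps credentials off the command line."""
    return ["nmap", "-Pn", "-p", ports, "--script", scripts, "--script-args-file", args_file, target]


if __name__ == "__main__":
    creds = {  # made-up values; only the argument names are real
        "mssql.username": "sa",
        "mssql.password": 'p@ss,word="1"',      # comma, '=' and quotes: must be quoted
        "ms-sql-xp-cmdshell.cmd": "net user",   # whitespace: must be quoted
        "smtp-commands.domain": "corp.example", # plain value, left bare
    }
    print(build_script_args(creds))
    print(nmap_argv("192.0.2.10", "1433", "ms-sql-xp-cmdshell", "/tmp/nse-args"))
```

Command-line arguments on the other hand stay visible to every local user for the lifetime of the scan, so prefer the file form whenever a password is among the arguments; the file is written without a trailing newline so its content is byte-for-byte what you would have typed after --script-args.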
#smb-brute: Attempt to guess login over SMB
#smb-double-pulsar-backdoor: check if target is running Double Pulsar SMB backdoor
#smb-enum-domains: attempt to enum domains on a system with policies. generally
#smb-enum-groups: obtain a list of groups from remote system as well as a list of grou
#smb-enum-processes: pull list of processes from remote server over SMB. Done by
#smb-enum-services: retrieves list of services running. Requires Admin. No longer defa
#smb-enum-sessions: enumerate users logged in locally or through share. reading re
#smb-enum-shares: attempt to list shares using srvsvc.NetShareEnumAll MSRPC an
#smb-enum-users: attempt to enum users on remote system through MSRPC over 4
#smb-flood: exhausts a remote SMB server's connection limit by opening as many as
#smb-ls: attempts to retrieve useful information about files shared on SMB volumes.
#smb-mbenum: queries information managed by the Windows Master Browser
#smb-os-discovery: attempt to determine OS, computer name, domain, workgroup, a
#smb-print-text: attempt to print text on a shared printer by calling Printer Spooler Se
#smb-protocols: attempts to initiate a connection using each version of SMB. if SMBv
#smb-psexec: arguably most powerful module. requires configuration. config places
#smb-security-mode: returns information about the SMB security level determined by
#smb-server-stats: requires Admin. grab server stats.
#smb-system-info: pulls info from registry. Requires Admin, though auth user should
#smb-vuln-conficker: Detects systems infected by conficker worm. dangerous check
#smb-vuln-cve-2017-7494: check if vuln to Arbitrary Shared Library Load vuln CVE-2
#smb-vuln-cve2009-3103: detects if vuln to DoS CVE-2009-3103. Will crash the serv
#smb-vuln-ms06-025: check if vuln to MS06-025 RasRPCSubmitRequest RPC meth
#smb-vuln-ms07-029: check if vuln to MS07-029 DNS RPC vulnerability. Will crash t
#smb-vuln-ms08-067: check if vuln to MS08-067. Dangerous and may crash systems
#smb-vuln-ms10-054: check if vuln to MS10-054. Dangerous and will BSOD system
#smb-vuln-ms10-061: check if vuln to ms10-061 Printer Spooler impersonation. used
#smb-vuln-ms17-010: check if vuln to MS17-010 aka EternalBlue. Connects to $IPC
#smb-vuln-regsvc-dos: check if vuln to null pointer dereference in regsvc. Will crash
#smb2-capabilities: attempt to list supported capabilities in a SMBv2 server for each en
#smb2-security-mode: determines message signing config in SMBv2 servers for all su
#smb2-time: attempt to obtain the current system date and start date of a SMB2 serv
#smb2-vuln-uptime: attempt to detect missing patches in windows systems by checkin
#samba-vuln-cve-2012-1182: RCE as root from anonymous connection
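The FTP entry ftp-libopie and the SMB entries smb-flood, smb-vuln-conficker, smb-vuln-cve2009-3103, smb-vuln-ms07-029, smb-vuln-ms08-067, smb-vuln-ms10-054 and smb-vuln-regsvc-dos all carry a warning that the check can crash, BSOD, flood or DoS the target, while the rest of each family (smb-vuln-ms17-010 among them) does not. The following is an added example, not part of the cheat sheet and not NSE code: a Python helper that parses this page's own `#script-name: description` lines, flags entries whose description carries such a warning, and emits the boolean `--script` expression nmap accepts (`family-* and not (a or b)`), so a scan runs the remainder of the family. The sample lines are copied from the table above; the keyword list is this example's assumption about the author's wording, not an nmap property, so review the excluded set before relying on it.

```python
"""Turn the cheat sheet's crash/DoS warnings into an nmap --script exclusion list.

Added example; not part of the original cheat sheet and not NSE code.
"""
import re
import shlex
from typing import Dict, List, Set

# Sample input: entries copied from the table above (SMB and FTP sections).
SAMPLE_MAPPING = """
#ftp-anon: checks if FTP server allows anonymous logins, if so, get a dir listing
#ftp-libopie: check for CVE-2010-1938, WARNING will crash if vulnerable, better to m
#smb-flood: exhausts a remote SMB server's connection limit by opening as many as
#smb-vuln-conficker: Detects systems infected by conficker worm. dangerous check
#smb-vuln-cve-2017-7494: check if vuln to Arbitrary Shared Library Load vuln CVE-2
#smb-vuln-cve2009-3103: detects if vuln to DoS CVE-2009-3103. Will crash the serv
#smb-vuln-ms08-067: check if vuln to MS08-067. Dangerous and may crash systems
#smb-vuln-ms10-054: check if vuln to MS10-054. Dangerous and will BSOD system
#smb-vuln-ms17-010: check if vuln to MS17-010 aka EternalBlue. Connects to $IPC
#smb-vuln-regsvc-dos: check if vuln to null pointer dereference in regsvc. Will crash
"""

# One entry per line: "#name: description" (the page's own format).
ENTRY_RE = re.compile(r"^#(?P<name>[a-z0-9][a-z0-9-]*):\s*(?P<desc>.*)$")
# Assumption of this example: the words the author uses when a check is unsafe.
UNSAFE_RE = re.compile(r"\b(crash|crashes|dos|bsod|dangerous|exhausts?|flood)\b", re.I)


def parse_mapping(text: str) -> Dict[str, str]:
    """Return {script-name: description} for every well-formed entry line."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("name")] = m.group("desc")
    return entries


def unsafe_scripts(entries: Dict[str, str]) -> Set[str]:
    """Names whose description warns of a crash, BSOD, flood or DoS side effect."""
    return {name for name, desc in entries.items() if UNSAFE_RE.search(desc)}


def script_expression(entries: Dict[str, str], family: str) -> str:
    """--script expression running a whole family minus its unsafe members.

    nmap evaluates `and`, `or`, `not` and parentheses in --script, so
    "smb-vuln-* and not (a or b)" selects every smb-vuln-* script except a and b.
    """
    excluded = sorted(n for n in unsafe_scripts(entries) if n.startswith(family + "-"))
    if not excluded:
        return f"{family}-*"
    return f"{family}-* and not ({' or '.join(excluded)})"


def nmap_argv(entries: Dict[str, str], family: str, ports: str, target: str) -> List[str]:
    """argv for a scan that runs only the non-crashing members of a script family."""
    return ["nmap", "-Pn", "-p", ports, "--script", script_expression(entries, family), target]


if __name__ == "__main__":
    mapping = parse_mapping(SAMPLE_MAPPING)
    print(sorted(unsafe_scripts(mapping)))
    print(shlex.join(nmap_argv(mapping, "smb-vuln", "445", "192.0.2.10")))
```

Feed it the full table rather than the sample and the same expression works for any family on the page (`ftp`, `smb`, `smtp-vuln`); a description that was truncated before its warning in the extraction will not be flagged, which is one more reason to read the excluded set rather than trust it blindly.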
#ldap-brute: Brute LDAP auth
#ldap-novell-getpass: Retrieve Novell Universal Password for a user (requires admin
#ldap-rootdse: Retrieves LDAP root DSA-specific Entry
#ldap-search: Attempts to perform an LDAP search and returns all matches (requires
#rpc-grind: Fingerprints target RPC port to extract service, rpc number, and version
#rpcap-brute: Brute against WinPcap Remote Capture
#rpcap-info: Retrieve interface information through rpcap service
#rpcinfo: Connects to portmapper and fetches a list of all registered programs
#ajp-auth: Retrieve auth scheme and realm of AJP service
#ajp-brute: Brute auth against AJP
#ajp-headers: HEAD or GET against root and returns response headers
#ajp-methods: Discovers which options are supported by AJP
#ajp-request: Requests a URI and displays results
#broadcast-ataoe-discover: discover servers supporting ATA over ethernet. requires
#broadcast-avahi-dos: Exploits DoS
#broadcast-bjnp-discover: Discover Canon (printer/scanner) supporting BJNP
#broadcast-db2-discover: attempt to discover DB2 servers on network by sending br
#broadcast-dhcp-discover: send DHCP request to broadcast address and reports res
#broadcast-dhcp6-discover: send DHCPv6 request to multicast and prints address w
#broadcast-dns-service-discovery: discover hosts' services using DNS Service Disco
#broadcast-dropbox-listener: Listen for LAN sync Dropbox client broadcasts (already
#broadcast-eigrp-discovery: discover through CISCO's EIGRP, needs an A.S. value o
#broadcast-hid-discoveryd: Discovers HID devices by sending a disc
#broadcast-igmp-discovery: Discovers targets that have IGMP Multicast membership
#broadcast-jenkins-discover: Discovers Jenkins on a LAN by sending a
#broadcast-listener: sniffs for broadcast communication and attempts to decode rece
#broadcast-ms-sql-discover: broadcast version uses broadcast and only SQL Server B
#broadcast-netbios-master-browser: attempt to discover master browser and the do
#broadcast-networker-discover: Discovers EMC Networker backup software servers
#broadcast-novell-locate: Attempts to use Service Location Protocol to discover Nove
#broadcast-ospf2-discover: discover IPv4 network using OSPFv2, sniff for OSPF He
#broadcast-pc-anywhere: sends a special broadcast to check for PC Anywhere hosts
#broadcast-pc-duo: Discovers PC-DUO remote control hosts and gateways by sendi
#broadcast-pim-discovery: Discovers routers that are running PIM (protocol Independ
#broadcast-ping: Sends broadcast pings and outputs responding hosts IP and MAC
#broadcast-pppoe-discover: Discovers PPPoE servers using PPPoE Discovery proto
#broadcast-rip-discover: discover hosts and routing using RIPv2. Send RIPv2 Reque
#broadcast-ripng-discover: Discovers hosts and routing information from devices run
#broadcast-sonicwall-discover: Discovers Sonicwall firewalls using same method as
#broadcast-sybase-asa-discover: Discovers Sybase Anywhere Servers on LAN
#broadcast-tellstick-discover: Discovers Telldus Technologies TellStickNet
#broadcast-upnp-info: attempt to extract system information from UPnP service by se
#broadcast-versant-locate: Discovers Versant object databases using broadcast srvl
#broadcast-wake-on-lan: Wakes a remote system from sleep using WoL packet
#broadcast-wpad-discover: Retrieve a list of proxy servers on lan using WPAD. Both
#broadcast-wsdd-discover: multicast discover supporting Web Services Dynamic Dis
#broadcast-xdmcp-discover: discovers servers running XDMCP
#url-snarf: Sniff interface for HTTP traffic and dumps URLs
#targets-sniffer: Sniff interface for IP addresses
#lltd-discovery: Use Microsoft LLTD protocol to discover hosts on a local network
#llmnr-resolve: Resolve a hostname using LLMNR. Requires --script-args 'llmnr-resolv
#targets-asn: List of IP prefixes for a given routing AS number --script-args targets-as
#targets-ipv6-map4to6: Runs in pre-scanning to map IPv4 to IPv6 and add them to s
#targets-ipv6-multicast-echo: Sends ICMPv6 echo to all nodes link-local
#targets-ipv6-multicast-invalid-dst: Sends ICMPv6 with invalid extension to all
#targets-ipv6-multicast-mld: Sends multicast listener discovery to link
#targets-ipv6-multicast-slaac: Sends ICMPv6 router advertisement with
#targets-ipv6-wordlist: Adds IPv6 addresses to scan queue using w
#citrix-brute-xml: Brute auth for Citrix PN Web Agent XML
#citrix-enum-apps-xml: Extracts list of applications, ACLs, and settings from Citrix XM
#citrix-enum-apps: Extracts a list of published applications from the ICA Browser serv
#citrix-enum-servers-xml: Extracts name of server farm and member servers from Ci
#citrix-enum-servers: Extracts a list of Citrix servers from the ICA Browser service
#dns-blacklist: Checks target IP addresses against multiple DNS anti-spam and othe
#dns-brute: Enum DNS by brute force
#dns-cache-snoop: Performs DNS cache snooping against DNS
#dns-check-zone: Checks DNS zone config against best practices
#dns-client-subnet-scan: Perform domain lookup using the edns-client-subnet option
#dns-fuzz: Launch DNS fuzzing attack against DNS
#dns-ip6-arpa-scan: Performs reverse lookup of IPv6 using special technique
#dns-nsec-enum: Enumerate DNS using the DNSSEC NSEC-walking technique
#dns-nsec3-enum: Tries to enum domain names from DNS server that supports DNS
#dns-nsid: Retrieves information from DNS by requesting nameserver ID and asking
#dns-random-srcport: Check DNS for predictable-port recursion Vuln
#dns-random-txid: Check DNS for predictable TXID DNS recursion Vuln
#dns-recursion: Checks if DNS allows queries for third-party names
#dns-service-discovery: Attempts to discover target hosts' services using DNS
#dns-srv-enum: Enumerates various common SRV records for a given domain name
#dns-update: Perform dynamic DNS update without authentication
#dns-zeustracker: Check if IP range is part of Zeus
#dns-zone-transfer: Requests a zone transfer from DNS server
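The dns-recursion, dns-random-srcport and dns-random-txid entries above describe checks on two things a resolver reveals in its replies: whether it sets RA (recursion available) for a name it is not authoritative for, and whether its transaction IDs are predictable, which is what makes cache poisoning practical. The following is an added example, not part of the cheat sheet and not the NSE scripts' code: a Python model of those two checks that builds a query the way the scripts do (RD set), parses the 12-byte DNS header of a reply, and judges a list of observed IDs. The two replies are constructed byte strings, not captured traffic, and example.com / 192.0.2.1 are documentation values.

```python
"""Offline model of the dns-recursion and dns-random-txid checks.

Added example; not part of the original cheat sheet and not NSE code.
"""
import struct
from typing import List

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (all big-endian u16).
HEADER = struct.Struct(">HHHHHH")


def encode_name(name: str) -> bytes:
    """Wire format: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard query with RD=1 (flags 0x0100), one question, class IN."""
    return HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the fields the checks need: QR bit 15, RD bit 8, RA bit 7, RCODE bits 3..0."""
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    return {
        "id": txid,
        "qr": flags >> 15 & 1,
        "rd": flags >> 8 & 1,
        "ra": flags >> 7 & 1,
        "rcode": flags & 0xF,
        "qdcount": qd,
        "ancount": an,
    }


def allows_recursion(query: bytes, response: bytes) -> bool:
    """dns-recursion logic: matching ID, QR set, RA set, and not REFUSED/other error."""
    q, r = parse_header(query), parse_header(response)
    return r["qr"] == 1 and r["id"] == q["id"] and r["ra"] == 1 and r["rcode"] == 0


def txids_predictable(ids: List[int]) -> bool:
    """Simplified dns-random-txid logic: IDs that advance by one constant step (mod 2**16)."""
    if len(ids) < 3:
        return False
    steps = {(b - a) % 65536 for a, b in zip(ids, ids[1:])}
    return len(steps) == 1


# Constructed replies to build_query(0x1234, "example.com.").
QUERY = build_query(0x1234, "example.com.")
QUESTION = QUERY[12:]
# Open resolver: flags 0x8180 = QR|RD|RA, NOERROR; echoes the question, one A record.
ANSWER_RR = encode_name("example.com.") + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
OPEN_RESOLVER = HEADER.pack(0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER_RR
# Authoritative-only server: flags 0x8105 = QR|RD, RA clear, RCODE 5 (REFUSED).
REFUSING_SERVER = HEADER.pack(0x1234, 0x8105, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    print("open resolver answers third-party names:", allows_recursion(QUERY, OPEN_RESOLVER))
    print("refusing server:", allows_recursion(QUERY, REFUSING_SERVER))
    print("sequential TXIDs predictable:", txids_predictable([0x0101, 0x0102, 0x0103, 0x0104]))
```

The ID check in allows_recursion matters as much as the RA bit: a reply whose ID does not match the question is exactly what a poisoning attempt looks like, and a check that ignored it would count spoofed answers as evidence of an open resolver.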
#whois-domain: Queries whois.iana.org,
#jdwp-exec: Exploit java remote debugging port (requires cmd as argument)
#jdwp-info: Detect java remote debugging port
#jdwp-inject: Exploit java remote debugging port (requires user passed java class)
#jdwp-version: Detects Java Debug Wire Protocol
#mongodb-brute: Auth Brute
#mongodb-databases: Get a list of tables from a mongo db
#mongodb-info: Get build info and server status from mongo db
#oracle-brute-stealth: Exploit vuln to steal session key and salt for offline brute
#oracle-brute: Auth brute
#oracle-enum-users: Enumerate valid oracle users against unpatched Oracle 11g
#oracle-sid-brute: Guesses oracle instance/SID names against TNS listener
#oracle-tns-version: Decodes the VSNNUM version from TNS listener
#pop3-brute: auth brute
#pop3-capabilities: CAPA command to ask what commands it supports
#pop3-ntlm-info: Enumerate information from POP3 with NTLM auth enabled
#vnc-brute: Auth brute
#vnc-info: Queries for protocol version and supported security types
#vnc-title: Tries to log in and get desktop name (auth or no auth)
#ssl-ccs-injection: Requires tls.lua. Check if vuln to CCS vulnerability CVE-2014-0224
#ssl-cert-intaddr: Reports private IPv4 address found in cert
#ssl-cert: Retrieves server's SSL cert. Output depends on verbosity, -v or -vv
#ssl-date: Retrieves target host's time and date from TLS ServerHello Response
#ssl-dh-params: Weak Diffie-Hellman param detection.
#ssl-enum-ciphers: Repeatedly initiates SSLv3/TLS connection, trying new ciphers
#ssl-heartbleed: Detection for OpenSSL Heartbleed (CVE-2014-0160) based on sslte
#ssl-known-key: Checks if SSL cert has fingerprint in db of problematic keys
#ssl-poodle: Checks for SSLv3 CBC ciphers (POODLE CVE-2014-3566)
#sslv2-drown: Checks for SSLv2, CVE-2015-3197, CVE-2016-0703, CVE-2016-0800
#sslv2: Checks for SSLv2 and which ciphers
#sstp-discover: Check if Secure Socket Tunneling Protocol is supported
#afp-ls: Attempts to get useful information about files from AFP volumes
#afp-path-vuln: Exploits dirTrav against AFP share
#afp-serverinfo: Shows AFP server information
#afp-showmount: Shows AFP shares and ACLs
#tls-ticketbleed: Detects if vulnerable to F5 Ticketbleed (CVE-2016-9244)
#tls-nextprotoneg: Enumerates a TLS server's supported protocols
#tls-alpn: Enumerates a TLS server's supported application-layer protocols using ALPN
#sip-brute: Brute pass SIP accounts
#sip-call-spoof: Spoof call and detects action taken by target (busy, declined, hung
#sip-enum-users: Enum SIP server's valid extensions. Sends REGISTER SIP request
#sip-methods: Enum SIP Server allowed methods (INVITE, OPTIONS, SUBSCRIBE, e
#nbstat: Retrieve nbstat information and mac
#krb5-enum-users: Discover usernames by checking error code. Needs kerberos RE
#tftp-enum: Enumerates TFTP filenames by testing for a list of common ones
#hadoop-datanode-info: Discovers info such as log directories from Apache Hadoop
#hadoop-jobtracker-info: Retrieves information from Apache Hadoop JobTracker stat
#hadoop-namenode-info: Retrieve information from Apache Hadoop NameNode stat
#hadoop-secondary-namenode-info: Retrieve information from Apache Hadoop seco
#hadoop-tasktracker-info: Retrieve information from Apache Hadoop TaskTracker sta
#firewalk: Tries to discover firewall rules using an IP TTL expiration technique known
a1301: Exploit an auth bypass in Coldfusion


te network IDs (AdSense, analytics, amazon, etc)
heck for mod_negotiation. If GET index, does site return index or index.html,etc
attempt to retrieve server-status if mod_status is enabled /server-status
mines if an ASP.NET has debugging enabled using HTTP DEBUG
site to find web pages requiring form-based or HTTP-based authentication
uthentication scheme and realm of a web services that requires auth
Enumerate users in Avaya IP office systems
xploits RCE in Awstats Totals 1-1.14
ploits a dirTrav vuln in Apache Axis2 version 1.4.1
t to identify backup copies of discovered files (.bak, ~ files, 'copy of index.html', etc)
al: Attempts to retrieve conf from Barracuda Networks Spam & Virus Firewall using DirTrav
s unencrypted F5 BIG-IP cookies in HTTP responses
ttp basic, digest, and ntlm auth
sion CakePHP by detecting certain files
it takes for website to deliver a page and returns statistics
nnect as Cisco AnyConnect client to Cisco SSL VPN and retrieves version and tunnel information
etrieve version, abs path of admin panel from vulnerable ColdFusion 9 and 10
Extract and output HTML and JavaScript comments from responses
s for backups and swap files of common CMS and web config files
s cookies and reports on flags and paths
by sending Access-Control-Request-Method headers
checks for /crossdomain.xml and /clientaccesspolicy.xml for information
ossibly unreliable)
services and prints diff
for access with default creds used by a variety of web applications and devices
pt to spider and identify devframeworks (better tools to more accurately detect)
ts firmware backdoor on some D-Link routers via User-Agent
where attacker-controlled info in DOM may be used to affect JavaScript
ords: Enum hashed Domino Internet Passwords (authenticated only)
numerates Drual users by exploiting information disclosure vuln
nstalled Drupal modules/themes by using a list of known modules and themes
rectories used by popular web applications and servers (args to make it better, complex, but could be worth it)
ports on error pages
ages looking for ‘interesting’ exif data
con, hashes it, and checks against known applications for fingerprinting
or atom feeds
es from servers
es 3 methods to exploit upload forms
e pass against http form-based auth
ds in forms it detects (requires specific args/setup)
ks whether target machiens are vuln to anonymous Frontpage login
ontents of the “generator” meta tag of a web page if it exists
retrieve as much repo information as possible
: Retrieves a list of Git projects, owners, and descriptions from a gitweb
cks if hosts are on Google’s blacklist
mpt to match pages/urls against a given string. Search for email/ip by default. Configure more!
HEAD request and displays headers
etects Huawei modem models vulnerable to information disclosure vulnerabilities
Retrieves locations of all “find my iphone” enabled iOS devices by querying MobleMe (auth required)
nds message to iOS through MobleMe
(DoS) brute force short names of files and dirs in the root folder of vulnerable IIS servers

Page 15
nmap mapping
uln 5.1/6.0 access to secured WebDAV folders
send HTTP/1.0 request without host header to see if website will disclose IP

mpt to discover JSONP endpoints (possible use for bypass Same Origin Policy)
-download: Exploits null-byte poisoning in Litespeed 4-4.0.15
n "index" page
rsal: Exploits dirTrav in Majordomo2
or signature of known server compromises (attempts to detect servers that always return 302)
er allows mod_cluster management protocol (MCMP) methods
mpt to verb tamper to access protected resources
ptions are supported by a server by sending OPTIONS request
r: check to see if a mobile UA will redirect to a mobile specific website
P NTLM auth request with null domain and user, obtain NetBIOS, DNS, and OS build if available
o connect to google through the proxy
s and attempts to identify open redirects
to dir traversal
to retrieve PHP version through use of Magic Queries
rsal: Exploits dirTrav in phpMyAdmin 2.6.4
r php and tests XSS via $_SERVER["PHP_SELF"]
ainst HTTP proxy servers
using HTTP PUT
ve model, firmware, and enabled services from a QNAP NAS
ers and informs about cross-domain include of scripts
FI vulns. tests every form field and every param in URL (specific tools to test this and configure this better)
disallowed entries in robots.txt
ains up to 100 forward DNS for target IP by querying Robtex
ains up to 100 domain names which use same name server as target by querying Robtex
cks headers for security-related headers (headers could be different by page, really best to analyze these per request through a proxy or other)
server header for missing version info (infeasible with version probes)
o exploit CVE-2014-6271 and CVE-2014-7169 Shellshock vulnerability in web applications http-shellshock.uri=/
ider site and display dir structure with number and types of files in each folder (dir brute force better)
) Checks if vulnerable to Slowloris
ute a slowloris attack
ic attempt to show SQL errors in forms.
rms, posts, and searches for stored XSS
rs of Subversion repo by examining logs of recent commits
ormation from subversion repo
the default page of a web server
ploit dirTrav in TP-Link wireless routers
ACE is enabled
presence of reverse proxies
from HVAC equipment controllers
ng: fuzz parameters and checks to see if they are reflected
for various tool UA headers to see if they are allowed or not (also see robots.txt)
to enum valid usernames on servers running mod_userdir module or similar enabled
b virtual hostnames by sending HEAD requests
ether file has been determined as malware by Virustotal
cts to a VLC Streamer helper service and lists dir contents
ecks for dirTrav in VMWare ESX, ESXi, and Server (2009)
Webmin before 1.290 and Usermin before 1.220 file disclosure using %01
dobe XML External Entity Injection. Read local files in BlazeDS <3.2, LiveCycle 8.0.1 8.2.1 and 9, LiveCycleData Services 2.5.1 2.6.1 and 3, Flex Data Service 2.0.1 and ColdFusion 7.0.2 8.0 8.0.1 and 9.0
Boss target is vulnerable to JMX console auth bypass via HEAD request
Dir trav against ColdFusion to grab password hash for admin, use hidden salt to create SHA1 hash and authenticate as admin (ColdFusion pass the hash)

Denial of service against Apache handling multiple overlapping/simple ranges of a page
Reverse Proxy Bypass vuln in Apache. Loopback test, internal hosts test, external website test
HP-CGI installations that are vuln to this cve. Retrieve source code and execute code. append multiple ?
Ruby on Rails object injection, remote command exec, and DoS. All Ruby < 2.3.15, 3.0.x - 3.0.19, 3.1.x - 3.1.10, and 3.2.x - 3.2.11 are vuln. If 500 response, likely vulnerable
URL redirection and reflected XSS vuln in Allegro RomPager
imbra 7.2.6 local file inclusion
Cisco ASA ASDM Priv Esc
Cisco ASA ASDM Priv Esc
Cisco ASA SSL VPN Auth bypass
Cisco ASA DoS
Drupalgeddon < 7.32, injects new admin and attempt to log in
Wordpress CM Download Manager plugin <= 2.0.0 remote code injection
lasticsearch 1.3.0-1.3.7 1.4.0-1.4.2 RCE in groovy
RCE in Windows Systems. HTTP request with no impact on the system to detect. Win 7,8,8.1 and server 2012,2012R2
0: Wordpress 4.7.0 4.7.1 priv esc
pache Struts RCE
ntel AMT priv esc
oomla 3.7 - 3.7.1 SQLi
e: RomPager 4.07 Misfortune Cookie RCE
WNR admin creds 1.0.260_60-0.86 and 1.0.2.54_60.0.82
detect IPS/IDS/WAF. args: aggro,uri,detectBodyChanges
pt to fingerprint WAF if exists. args: intensive=1
WebDAV installations using OPTIONS and PROPFIND methods
e wordpress auth
te wordpress themes/plugins
m wordpress users
d.com database and outputs results
HTTP redirects to HTTPS on same port
ful info about files from NFS Exports
S exports like ‘showmount -e’
pace from NFS like ‘df’
rver allows anonymous logins, if so, get a dir listing
server allows port scanning using the FTP bounce method, see https://en.wikipedia.org/wiki/FTP_bounce_attack
ce against FTP
2010-1938, WARNING will crash if vulnerable, better to manually check...
k for ProFTPD 1.3.3c backdoor, OSVDB-ID 69562. If vuln, telnet or ftp and send: "HELP ACIDBITCHEZ"
STAT commands and returns result. SYST asks for OS info. STAT asks for server status. see https://cr.yp.to/ftp/syst.html
for vsFTPd 2.3.4 backdoor CVE-2011-2523, send a :) and potential to execute a command
ck for stack-based buffer overflow in ProFTPD server between 1.3.2rc3 and 1.3.3b. May crash the ftp service. Default tries to run nmap. Check exploit-db.

databases, linked servers, settings. auth required.


e DAC (admin) port of an instance
mp hashes in format for john. requires admin.
ttempts to auth using empty password for the 'sa' account.
ies for list of databases a user has access to. auth required.
server (UDP 1434) for info. no auth required.
o from services with NTLM auth enabled
y against server. auth required.
a list of tables per database. auth required.
a command. requires admin. args 'username', 'password', 'cmd'
config against parts of CIS MySQL 1.0.2 benchmark --script-args mysql-audit.username,password,filename
against mySQL, seems beneficial to let nmap brute instead of hydra for additional nmap scripts. args 'userdb', 'passdb'
s to list databases. args mysqluser,mysqlpass. will use empty password if none provided/brute/etc

ps hashes for John. requires root. args username,password
hecks for Mysql servers with an empty password for 'root' or 'anonymous'
er enum using a bug. 5.x are susceptible when using old auth mechanism. seclists.org/fulldisclosure/2012/Dec/9
prints proto, version, thread, status, capabilities, password salt, etc
and returns the table. args 'query', 'username', 'password'
(requires auth)
o show variables on a server. requires auth. will use empty password if none provided.
auth bypass in versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22.
rmines which Security layer and Encryption level is supported by RDP service
s for CVE-2012-0002 by checking for CVE-2012-0152 (DoS). Checks without crashing, but could still potentially crash.
assword auditing
nes whether encryption is supported. Some implement incorrectly and lead to remote root vuln.
rmation from Microsoft Telnet with NTLM auth enabled.
s authentication methods that the SSH server supports
n against ssh servers
's key fingerprint and (with high verbosity) the public key itself.
: Brute-force with private keys, passphrases, and usernames and checks to see if the target accepts them
mmand on the ssh server and returns the command output
number of algorithms that the server offers.
ports obsolete less secure SSH Protocol Version 1
num network interfaces through SNMP. snmp-interfaces.host arg is required
ts to enum Huawei / HP/H3c Locally defined users through the hh3c-user.mib OID. --script-args creds.snmp=:<community>
formation from SNMPv3 GET request
o find community string by brute force guessing. default wordlist: nselib/data/snmpcommunities.lst. provide own with snmp-brute.communitiesdb arg
o download CISCO router IOS config files using SNMP RW (v1) and display or save them --script-args creds.snmp=:<community>
uery for netstat like output. Can be used to identify and add new targets to scan by using newtargets script arg.
o enumerate running processes through SNMP
extract system information from SNMP v1 service
mpt to enumerate windows services through SNMP
pt to enumerate windows shares through SNMP
mpt to enumerate installed software through SNMP
t to enumerate windows user accounts through SNMP
gin/plain/cram-md5/digest-md5/NTLM
to use EHLO and HELP to gather Extended commands supported by a server [--script-args smtp-commands.domain=<domain>]
to enumerate users by using VRFY, EXPN, or RCPT TO commands. Will stop if auth is enforced.
servers that allow NTLM auth. Sending NULL NTLM will cause a response of NetBIOS, DNS, and OS build version
o relay mail by issuing combination of SMTP commands.
SMTP is running on non-standard port.
check for Heap overflow within versions of EXIM prior to 4.69 (CVE-2010-4344) and priv exc in EXIM prior to 4.72 (CVE-2010-4345) (Crash
check for memory corruption in Postfix server when using Cyrus SASL library auth (CVE-2011-1720). (Crash)
check for format string vuln in Exim 4.70-4.75 with DKIM support (CVE-2011-1764). RCE with EXIM priv levels
ss login over SMB
oor: check if target is running Double Pulsar SMB backdoor
mpt to enum domains on a system with policies. generally requires creds.
a list of groups from remote system as well as a list of group users. Works similar to 'enum.exe /g'
list of processes from remote server over SMB. Done by querying remote registry service. disabled by default on Vista. Requires Admin on others.
s list of services running. Requires Admin. No longer default available.
merate users logged in locally or through share. reading remote registry (Vista disabled by default). Requires higher than 'anonymous'
t to list shares using srvsvc.NetShareEnumAll MSRPC and NetShareGetInfo. NetShareGetInfo requires Admin
to enum users on remote system through MSRPC over 445 or 139. SAMR enum and LSA brute.
mote SMB server's connection limit by opening as many as possible.
e useful information about files shared on SMB volumes. Resemble output of 'ls' command
ormation managed by the Windows Master Browser

to determine OS, computer name, domain, workgroup, and current time over SMB. anonymous.
print test on a shared printer by calling Printer Spooler Service RPC functions
initiate a connection using each version of SMB. if SMBv1 is found, it will mark it as insecure.
st powerful module. requires configuration. config placed in /nselib/data/psexec. Read documentation. https://github.com/nmap/nmap/blob/master/scripts/smb-psexec.nse
s information about the SMB security level determined by SMB, ie signing, challenge-response, etc
Admin. grab server stats.
o from registry. Requires Admin, though auth user should get some info.
ts systems infected by conficker worm. dangerous check and may crash systems.
check if vuln to Arbitrary Shared Library Load vuln CVE-2017-7494. Unpatched Samba from 3.5.0-4.4.13 and prior to 4.5.10 and 4.6.4 are affected by RCE.
detects if vuln to DoS CVE-2009-3103. Will crash the service if it is vulnerable
k if vuln to MS06-025 RasRPCSubmitRequest RPC method
k if vuln to MS07-029 DNS RPC vulnerability. Will crash the service if vulnerable
k if vuln to MS08-067. Dangerous and may crash systems
k if vuln to MS10-054. Dangerous and will BSOD system
k if vuln to ms10-061 Printer Spooler impersonation. used in Stuxnet. Checks for vuln in safe way without crashing. Needs access to at least one shared printer.
k if vuln to MS17-010 aka EternalBlue. Connects to $IPC tree, executes transaction and checks if error. SMBv1 vuln.
ck if vuln to null pointer dereference in regsvc. Will crash service if vuln.
to list supported capabilities in a SMBv2 server for each enabled dialect.
rmines message signing config in SMBv2 servers for all supported dialects.
ain the current system date and start date of a SMB2 server
t to detect missing patches in windows systems by checking the uptime returned during the SMB2 protocol negotiation
2: RCE as root from anonymous connection

eve Novell Universal Password for a user (requires admin account)


DAP root DSA-specific Entry
erform an LDAP search and returns all matches (requires account)
et RPC port to extract service, rpc number, and version
WinPcap Remote Capture
ce information through rpcap service
apper and fetches a list of all registered programs
heme and realm of AJP service

T against root and returns response headers


hich options are supported by AJP
RI and displays results
discover servers supporting ATA over ethernet. requires "-e <interface>"

Discover Canon (printer/scanner) supporting BJNP


ttempt to discover DB2 servers on network by sending broadcast to UDP 523
send DHCP request to broadcast address and reports results
: send DHCPv6 request to multicast and prints address with any other options
covery: discover hosts' services using DNS Service Discovery Protocol
r: Listen for LAN sync Dropbox client broadcasts (already doing broadcast-listener)
discover through CISCO's EIGRP, needs an A.S. value or will listen
NOT IN KALI
Discovers targets that have IGMP Multicast memberships and grabs interesting information
NOT IN KALI
or broadcast communication and attempts to decode received packets, CDP, HSRP, Spotify, DropBox, DHCP, ARP and more
: broadcast version uses broadcast and only the SQL Server Browser service discovery method.
browser: attempts to discover the master browser and the domains it manages
ver: Discovers EMC Networker backup software servers by sending broadcast query
ttempts to use Service Location Protocol to discover Novell NetWare Core Protocol (NCP) servers
discover IPv4 network using OSPFv2, sniff for OSPF Hello packets and reply

ends a special broadcast to check for PC Anywhere hosts
ers PC-DUO remote control hosts and gateways by sending broadcast probe
Discovers routers that are running PIM (protocol Independent Multicast)
adcast pings and outputs responding hosts IP and MAC
: Discovers PPPoE servers using PPPoE Discovery protocol
cover hosts and routing using RIPv2. Send RIPv2 Request and collects responses
Discovers hosts and routing information from devices running RIPng
ver: Discovers Sonicwall firewalls using same method as manufacturers own “SetupTool”
cover: Discovers Sybase Anywhere Servers on LAN
r: Discovers Telldus Technologies TellStickNet
mpt to extract system information from UPnP service by sending multicast and collecting
Discovers Versant object databases using broadcast srvloc
akes a remote system from sleep using WoL packet
Retrieve a list of proxy servers on lan using WPAD. Both DHCP and DNS methods.
multicast discover supporting Web Services Dynamic Discovery protocol.
: discovers servers running XDMCP
HTTP traffic and dumps URLs
ce for IP addresses
oft LLTD protocol to discover hosts on a local network
ostname using LLMNR. Requires --script-args 'llmnr-resolve.hostname=examplename'
xes for a given routing AS number --script-args targets-asn.asn=
ns in pre-scanning to map IPv4 to IPv6 and add them to scan. Lower 4 bytes of IPv6 are replaced with IPv4 address. --script-args targets-ipv6-map4to6.IPv4Hosts={},targets-ipv6-subnet={}
Nmap -6
Nmap -6
Nmap -6
Nmap -6
Nmap -6
for Citrix PN Web Agent XML
acts list of applications, ACLs, and settings from Citrix XML
a list of published applications from the ICA Browser service
xtracts name of server farm and member servers from Citrix XML
cts a list of Citrix servers from the ICA Browser service
et IP addresses against multiple DNS anti-spam and other lists

ms DNS cache snooping against DNS


DNS zone config against best practices
erform domain lookup using the edns-client-subnet option
zing attack against DNS
ms reverse lookup of IPv6 using special technique
e DNS using the DNSSEC NSEC-walking technique
enum domain names from DNS server that supports DNSSEC NSEC3
ation from DNS by requesting nameserver ID and asking for its id.server and version.bind values
k DNS for predictable-port recursion Vuln
NS for predictable TXID DNS recursion Vuln
NS allows queries for third-party names
empts to discover target hosts’ services using DNS
s various common SRV records for a given domain name
mic DNS update without authentication
IP range is part of Zeus
sts a zone transfer from DNS server

mote debugging port (requires cmd as argument)


ote debugging port

mote debugging port (requires user passed java class)
a Debug Wire Protocol

a list of tables from a mongo db


fo and server status from mongo db
it vuln to steal session key and salt for offline brute

erate valid oracle users against unpatched Oracle 11g


oracle instance/SID names against TNS listener
es the VSNNUM version from TNS listener

ommand to ask what commands it supports


e information from POP3 with NTLM auth enabled

col version and supported security types


d get desktop name (auth or no auth)
tls.lua. Check if vuln to CCS vulnerability CVE-2014-0224, MitM
rivate IPv4 address found in cert
SSL cert. Output depends on verbosity, -v or -vv
host’s time and date from TLS ServerHello Response
e-Hellman param detection.
edly initiates SSLv3/TLS connection, trying new ciphers
or OpenSSL Heartbleed (CVE-2014-0160) based on ssltest.py
SSL cert has fingerprint in db of problematic keys
Lv3 CBC ciphers (POODLE CVE-2014-3566)
SLv2, CVE-2015-3197, CVE-2016-0703, CVE-2016-0800 (DROWN)
nd which ciphers
cure Socket Tunneling Protocol is supported
ful information about files from AFP volumes
Trav against AFP share
P server information
FP shares and ACLs
nerable to F5 Ticketbleed (CVE-2016-9244)
ates a TLS server’s supported protocols
S server’s supported application-layer protocols using ALPN
er allowed methods (INVITE, OPTIONS, SUBSCRIBE, etc). Sends OPTION
erver’s valid extensions. Sends REGISTER SIP request looking for response code.
l and detects action taken by target (busy, declined, hung up, etc)

s POP3 email server capabilities


from POP3 with NTLM auth enabled
ormation and mac
r usernames by checking error code. Needs kerberos REALM to operate --script-args krb5-enum-users.realm='test'

scovers info such as log directories from Apache Hadoop DataNode


etrieves information from Apache Hadoop JobTracker status page
etrieve information from Apache Hadoop NameNode status page
ode-info: Retrieve information from Apache Hadoop secondary NameNode status page
Retrieve information from Apache Hadoop TaskTracker status page
firewall rules using an IP TTL expiration technique known as firewalking

Script Blocks
Module Comment
http-apache-negotiation webRecon
http-apache-server-status webRecon
http-aspnet-debug webRecon
http-auth-finder webRecon
http-auth webRecon
http-backup-finder webRecon
http-bigip-cookie webRecon
http-cakephp-version webRecon
http-cisco-anyconnect webRecon
http-comments-displayer webRecon
http-config-backup webRecon
http-cookie-flags webRecon
http-cors webRecon
http-cross-domain-policy webRecon
http-default-accounts webRecon
http-drupal-enum webRecon
http-favicon webRecon
http-generator webRecon
http-git webRecon
http-grep webRecon
http-headers webRecon
http-jsonp-detection webRecon
http-ls webRecon
http-mcmp webRecon
http-method-tamper webRecon
http-methods webRecon
http-mobileversion-checker webRecon
http-ntlm-info webRecon
http-passwd webRecon
http-php-version webRecon
http-robots.txt webRecon
http-title webRecon
http-traceroute webRecon
http-unsafe-output-escaping webRecon
http-useragent-tester webRecon
http-userdir-enum webRecon
http-vhosts webRecon
http-vlcstreamer-ls webRecon
http-waf-detect webRecon
http-waf-fingerprint webRecon
http-webdav-scan webRecon
http-apache-negotiation,http-apache-server-status,http-aspnet-debug,http-auth-finder,http-auth,http-backup-finder,http-bigip-cookie,http-cakephp-version,http-cisco-anyconnect,http-comments-displayer,http-config-backup,http-cookie-flags,http-cors,http-cross-domain-policy,http-default-accounts,http-drupal-enum,http-favicon,http-generator,http-git,http-grep,http-headers,http-jsonp-detection,http-ls,http-mcmp,http-method-tamper,http-methods,http-mobileversion-checker,http-ntlm-info,http-passwd,http-php-version,http-robots.txt,http-title,http-traceroute,http-unsafe-output-escaping,http-useragent-tester,http-userdir-enum,http-vhosts,http-vlcstreamer-ls,http-waf-detect,http-waf-fingerprint,http-webdav-scan

http-adobe-coldfusion-apsa1301 httpVulns
http-awstatstotals-exec httpVulns
http-axis2-dir-traversal httpVulns
http-barracuda-dir-traversal httpVulns
http-coldfusion-subzero httpVulns
http-csrf httpVulns

http-dombased-xss httpVulns
http-drupal-enum-users httpVulns
http-frontpage-login httpVulns
http-iis-webdav-vuln httpVulns
http-litespeed-sourcecode-download httpVulns
http-majordomo2-dir-traversal httpVulns
http-open-redirect httpVulns
http-phpmyadmin-dir-traversal httpVulns
http-vmware-path-vuln httpVulns
http-vuln-cve2006-3392 httpVulns
http-vuln-cve2009-3960 httpVulns
http-vuln-cve2010-0738 httpVulns
http-vuln-cve2010-2861 httpVulns
http-vuln-cve2011-3368 httpVulns
http-vuln-cve2012-1823 httpVulns
http-vuln-cve2013-0156 httpVulns
http-vuln-cve2013-7091 httpVulns
http-vuln-cve2014-2126 httpVulns
http-vuln-cve2014-2127 httpVulns
http-vuln-cve2014-2128 httpVulns
http-vuln-cve2014-3704 httpVulns
http-vuln-cve2014-8877 httpVulns
http-vuln-cve2015-1427 httpVulns
http-vuln-cve2015-1635 httpVulns
http-vuln-cve2017-1001000 httpVulns
http-vuln-cve2017-5638 httpVulns
http-vuln-cve2017-5689 httpVulns
http-vuln-cve2017-8917 httpVulns
http-vuln-misfortune-cookie httpVulns
http-vuln-wnr1000-creds httpVulns
http-adobe-coldfusion-apsa1301,http-awstatstotals-exec,http-axis2-dir-traversal,http-barracuda-dir-traversal,http-coldfusion-subzero,http-csrf,http-dombased-xss,http-drupal-enum-users,http-frontpage-login,http-iis-webdav-vuln,http-litespeed-sourcecode-download,http-majordomo2-dir-traversal,http-open-redirect,http-phpmyadmin-dir-traversal,http-vmware-path-vuln,http-vuln-cve2006-3392,http-vuln-cve2009-3960,http-vuln-cve2010-0738,http-vuln-cve2010-2861,http-vuln-cve2011-3368,http-vuln-cve2012-1823,http-vuln-cve2013-0156,http-vuln-cve2013-7091,http-vuln-cve2014-2126,http-vuln-cve2014-2127,http-vuln-cve2014-2128,http-vuln-cve2014-3704,http-vuln-cve2014-8877,http-vuln-cve2015-1427,http-vuln-cve2015-1635,http-vuln-cve2017-1001000,http-vuln-cve2017-5638,http-vuln-cve2017-5689,http-vuln-cve2017-8917,http-vuln-misfortune-cookie,http-vuln-wnr1000-creds

nfs-ls nfsRecon
nfs-showmount nfsRecon
nfs-statfs nfsRecon
nfs-ls,nfs-showmount,nfs-statfs

broadcast-ataoe-discover broadcastrecon
broadcast-avahi-dos broadcastrecon
broadcast-bjnp-discover broadcastrecon
broadcast-db2-discover broadcastrecon
broadcast-dhcp-discover broadcastrecon
broadcast-dhcp6-discover broadcastrecon
broadcast-dns-service-discovery broadcastrecon
broadcast-dropbox-listener broadcastrecon
broadcast-eigrp-discovery broadcastrecon
broadcast-hid-discoveryd broadcastrecon
broadcast-igmp-discovery broadcastrecon
broadcast-jenkins-discover broadcastrecon
broadcast-listener broadcastrecon
broadcast-ms-sql-discover broadcastrecon
broadcast-netbios-master-browser broadcastrecon
broadcast-networker-discover broadcastrecon
broadcast-novell-locate broadcastrecon

broadcast-ospf2-discover broadcastrecon
broadcast-pc-anywhere broadcastrecon
broadcast-pc-duo broadcastrecon
broadcast-pim-discovery broadcastrecon
broadcast-ping broadcastrecon
broadcast-pppoe-discover broadcastrecon
broadcast-rip-discover broadcastrecon
broadcast-ripng-discover broadcastrecon
broadcast-sonicwall-discover broadcastrecon
broadcast-sybase-asa-discover broadcastrecon
broadcast-tellstick-discover broadcastrecon
broadcast-upnp-info broadcastrecon
broadcast-versant-locate broadcastrecon
broadcast-wake-on-lan broadcastrecon
broadcast-wpad-discover broadcastrecon
broadcast-wsdd-discover broadcastrecon
broadcast-xdmcp-discover broadcastrecon
url-snarf broadcastrecon
targets-sniffer broadcastrecon
lltd-discovery broadcastrecon

broadcast-ataoe-discover,broadcast-avahi-dos,broadcast-bjnp-discover,broadcast-db2-discover,broadcast-dhcp-discover,broadcast-dhcp6-discover,broadcast-dns-service-discovery,broadcast-dropbox-listener,broadcast-eigrp-discovery,broadcast-hid-discoveryd,broadcast-igmp-discovery,broadcast-jenkins-discover,broadcast-listener,broadcast-ms-sql-discover,broadcast-netbios-master-browser,broadcast-networker-discover,broadcast-novell-locate,broadcast-ospf2-discover,broadcast-pc-anywhere,broadcast-pc-duo,broadcast-pim-discovery,broadcast-ping,broadcast-pppoe-discover,broadcast-rip-discover,broadcast-ripng-discover,broadcast-sonicwall-discover,broadcast-sybase-asa-discover,broadcast-tellstick-discover,broadcast-upnp-info,broadcast-versant-locate,broadcast-wake-on-lan,broadcast-wpad-discover,broadcast-wsdd-discover,broadcast-xdmcp-discover,url-snarf,targets-sniffer,lltd-discovery

ajp-auth Jserve
ajp-headers Jserve
ajp-methods Jserve
ajp-request Jserve

ajp-auth,ajp-headers,ajp-methods,ajp-request
