ꦫꦣꦺꦤ꧀ꦄꦤ꧀ꦠꦱꦺꦤ

PATH: usr / share / nmap / scripts

local coroutine = require "coroutine"
local dns = require "dns"
local io = require "io"
local math = require "math"
local nmap = require "nmap"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local target = require "target"

description = [[
Attempts to enumerate DNS hostnames by brute force guessing of common subdomains.
]]
-- 2011-01-26

---
-- @usage
-- nmap --script dns-brute --script-args dns-brute.domain=foo.com,dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets -sS -p 80
-- nmap --script dns-brute www.foo.com
-- @args dns-brute.hostlist The filename of a list of host strings to try.
-- @args dns-brute.threads Thread to use (default 5).
-- @args dns-brute.srv Perform lookup for SRV records
-- @args dns-brute.domain Domain name to brute force if no host is specified
-- @args newtargets Add discovered targets to nmap scan queue
-- @output
-- Pre-scan script results:
-- | dns-brute:
-- |   DNS Brute-force hostnames
-- |     www.foo.com - 127.0.0.1
-- |     mail.foo.com - 127.0.0.2
-- |     blog.foo.com - 127.0.1.3
-- |     ns1.foo.com - 127.0.0.4
-- |_    admin.foo.com - 127.0.0.5

author = "Cirrus"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"intrusive", "discovery"}

prerule = function()
    if not stdnse.get_script_args("dns-brute.domain") then
      stdnse.print_debug(3,
        "Skipping '%s' %s, 'dns-brute.domain' argument is missing.",
        SCRIPT_NAME, SCRIPT_TYPE)
      return false
    end
    return true
end

hostrule = function(host)
	return true
end

local HOST_LIST = {
	'www', 'mail', 'blog', 'ns0', 'ns1', 'mail2', 'mail3', 'admin', 'ads', 'ssh',
	'voip', 'sip', 'dns', 'ns2', 'ns3', 'dns0', 'dns1', 'dns2', 'eshop', 'shop',
	'forum', 'ftp', 'ftp0', 'host', 'log', 'mx0', 'mx1', 'mysql', 'sql', 'news',
	'noc', 'ns', 'auth', 'administration', 'adserver', 'alerts', 'alpha', 'ap',
	'app', 'apache', 'apps' , 'appserver', 'gw', 'backup', 'beta', 'cdn', 'chat',
	'citrix', 'cms', 'erp', 'corp', 'intranet', 'crs', 'svn', 'cvs', 'git', 'db',
	'database', 'demo', 'dev', 'devsql', 'dhcp', 'dmz', 'download', 'en', 'f5',
	'fileserver', 'firewall', 'help', 'http', 'id', 'info', 'images', 'internal',
	'internet', 'lab', 'ldap', 'linux', 'local', 'log', 'ipv6', 'syslog',
	'mailgate', 'main', 'manage', 'mgmt', 'monitor', 'mirror', 'mobile', 'mssql',
	'oracle', 'exchange', 'owa', 'mta', 'mx', 'mx0', 'mx1', 'ntp', 'ops', 'pbx',
	'whois', 'ssl', 'secure', 'server', 'smtp', 'squid', 'stage', 'stats', 'test',
	'upload', 'vm', 'vnc', 'vpn', 'wiki', 'xml', 'direct',
}

local SRV_LIST = {
	'_afpovertcp._tcp', '_ssh._tcp', '_autodiscover._tcp', '_caldav._tcp',
	'_client._smtp', '_gc._tcp', '_h323cs._tcp', '_h323cs._udp', '_h323ls._tcp',
	'_h323ls._udp', '_h323rs._tcp', '_h323rs._tcp', '_http._tcp', '_iax.udp',
	'_imap._tcp', '_imaps._tcp', '_jabber-client._tcp', '_jabber._tcp',
	'_kerberos-adm._tcp', '_kerberos._tcp', '_kerberos._tcp.dc._msdcs',
	'_kerberos._udp', '_kpasswd._tcp', '_kpasswd._udp', '_ldap._tcp',
	'_ldap._tcp.dc._msdcs', '_ldap._tcp.gc._msdcs', '_ldap._tcp.pdc._msdcs',
	'_msdcs', '_mysqlsrv._tcp', '_ntp._udp', '_pop3._tcp', '_pop3s._tcp',
	'_sip._tcp', '_sip._tls', '_sip._udp', '_sipfederationtls._tcp',
	'_sipinternaltls._tcp', '_sips._tcp', '_smtp._tcp', '_stun._tcp',
	'_stun._udp', '_tcp', '_tls', '_udp', '_vlmcs._tcp', '_vlmcs._udp',
	'_wpad._tcp', '_xmpp-client._tcp', '_xmpp-server._tcp',
}

local function guess_domain(host)
	local name

name = stdnse.get_hostname(host)
	if name and name ~= host.ip then
		return string.match(name, "%.([^.]+%..+)%.?$") or string.match(name, "^([^.]+%.[^.]+)%.?$")
	else
		return nil
	end
end

--- Check if an element is inside a table
--@param table Table to check
--@param element Element to find in table
--@return boolean Element was found or not
function table.contains(table, element)
	if(type(table) == "table") then
		for _, value in pairs(table) do
			if value == element then
				return true
			end
		end
	end
	return false
end

-- Single DNS lookup, returning all results. dtype should be e.g. "A", "AAAA".
local function resolve(host, dtype)
	local status, result = dns.query(host, {dtype=dtype,retAll=true})
	return status and result or false
end

local function array_iter(array, i, j)
	return coroutine.wrap(function ()
		while i <= j do
			coroutine.yield(array[i])
			i = i + 1
		end
	end)
end

local function thread_main(domainname, results, name_iter)
	local condvar = nmap.condvar( results )
	for name in name_iter do
		for _, dtype in ipairs({"A", "AAAA"}) do
			local res = resolve(name..'.'..domainname, dtype)
			if(res) then
				for _,addr in ipairs(res) do
					local hostn = name..'.'..domainname
					if target.ALLOW_NEW_TARGETS then
						stdnse.print_debug("Added target: "..hostn)
						local status,err = target.add(hostn)
					end
					stdnse.print_debug("Hostname: "..hostn.." IP: "..addr)
					results[#results+1] = { hostname=hostn, address=addr }
				end
			end
		end
	end
	condvar("signal")
end

local function srv_main(domainname, srvresults, srv_iter)
	local condvar = nmap.condvar( srvresults )
	for name in srv_iter do
		local res = resolve(name..'.'..domainname, "SRV")
		if(res) then
			for _,addr in ipairs(res) do
				local hostn = name..'.'..domainname
				addr = stdnse.strsplit(":",addr)
				for _, dtype in ipairs({"A", "AAAA"}) do
					local srvres = resolve(addr[4], dtype)
					if(srvres) then
						for srvhost,srvip in ipairs(srvres) do
							stdnse.print_debug("Hostname: "..hostn.." IP: "..srvip)
							srvresults[#srvresults+1] = { hostname=hostn, address=srvip }
							if target.ALLOW_NEW_TARGETS then
								stdnse.print_debug("Added target: "..srvip)
								local status,err = target.add(srvip)
							end
						end
					end
				end
			end
		end
	end
	condvar("signal")
end

action = function(host)
	local domainname = stdnse.get_script_args('dns-brute.domain')
	if not domainname then
		domainname = guess_domain(host)
	end
	if not domainname then
		return string.format("Can't guess domain of \"%s\"; use %s.domain script argument.", stdnse.get_hostname(host), SCRIPT_NAME)
	end

if not nmap.registry.bruteddomains then
		nmap.registry.bruteddomains = {}
	end

local dosrv
	if(not table.contains(nmap.registry.bruteddomains,domainname)) then
		table.insert(nmap.registry.bruteddomains, domainname)
		stdnse.print_debug("Starting dns-brute at: "..domainname)
		local max_threads = stdnse.get_script_args('dns-brute.threads') and tonumber( stdnse.get_script_args('dns-brute.threads') ) or 5
		dosrv = stdnse.get_script_args("dns-brute.srv") or false
		stdnse.print_debug("THREADS: "..max_threads)
		local fileName = stdnse.get_script_args('dns-brute.hostlist')
		local commFile = (fileName and nmap.fetchfile(fileName)) or fileName
		local hostlist
		if commFile then
			local file = io.open(commFile)
			if file then
				hostlist = {}
				while true do
					local l = file:read()
					if not l then
						break
					end
					if not l:match("#!comment:") then
						table.insert(hostlist, l)
					end
				end
				file:close()
      else
				print("dns-brute: Hostlist file not found. Will use default list.")
			end
    end
		if (not hostlist) then hostlist = HOST_LIST end
		local srvlist = SRV_LIST

local threads, results, revresults, srvresults = {}, {}, {}, {}
		results['name'] = "Result:"
		local condvar = nmap.condvar( results )
		local i = 1
		local howmany = math.floor(#hostlist/max_threads)+1
		stdnse.print_debug("Hosts per thread: "..howmany)
		repeat
			local j = math.min(i+howmany, #hostlist)
			local name_iter = array_iter(hostlist, i, j)
			threads[stdnse.new_thread(thread_main, domainname, results, name_iter)] = true
			i = j+1
		until i > #hostlist
		local done
		-- wait for all threads to finish
		while( not(done) ) do
			done = true
			for thread in pairs(threads) do
				if (coroutine.status(thread) ~= "dead") then done = false end
			end
			if ( not(done) ) then
				condvar("wait")
			end
		end

if(dosrv) then
			local i = 1
			local threads = {}
			local howmany_ip = math.floor(#srvlist/max_threads)+1
			local condvar = nmap.condvar( srvresults )
			stdnse.print_debug("SRV's per thread: "..howmany_ip)
			repeat
				local j = math.min(i+howmany_ip, #srvlist)
				local name_iter = array_iter(srvlist, i, j)
				threads[stdnse.new_thread(srv_main, domainname, srvresults, name_iter)] = true
				i = j+1
			until i > #srvlist
			local done
			-- wait for all threads to finish
			while( not(done) ) do
				done = true
				for thread in pairs(threads) do
					if (coroutine.status(thread) ~= "dead") then done = false end
				end
				if ( not(done) ) then
					condvar("wait")
				end
			end
		end

local response = {}
		local t_dns = {}
		t_dns['name'] = "DNS Brute-force hostnames"
		if(#results==0) then
			table.insert(t_dns,"No results.")
		end
		for _, res in ipairs(results) do
			table.insert(t_dns, res['hostname'].." - "..res['address'])
		end
		response[#response + 1] = t_dns
		if(dosrv) then
			local t_srv = {}
			t_srv['name'] = "SRV results"
			if(#srvresults==0) then
				table.insert(t_srv,"No results.")
			end
			for _, res in ipairs(srvresults) do
				table.insert(t_srv, res['hostname'].." - "..res['address'])
			end
			response[#response + 1] = t_srv
		end
		return stdnse.format_output(true, response)
	end
end

[+] ..
[-] qscan.nse [edit]
[-] oracle-brute.nse [edit]
[-] smtp-vuln-cve2011-1764.nse [edit]
[-] broadcast-pc-duo.nse [edit]
[-] targets-ipv6-multicast-mld.nse [edit]
[-] http-backup-finder.nse [edit]
[-] http-sitemap-generator.nse [edit]
[-] cassandra-brute.nse [edit]
[-] snmp-win32-services.nse [edit]
[-] ftp-brute.nse [edit]
[-] irc-botnet-channels.nse [edit]
[-] rsync-brute.nse [edit]
[-] icap-info.nse [edit]
[-] citrix-brute-xml.nse [edit]
[-] iax2-version.nse [edit]
[-] nfs-ls.nse [edit]
[-] ndmp-fs-info.nse [edit]
[-] cvs-brute-repository.nse [edit]
[-] http-drupal-modules.nse [edit]
[-] mysql-databases.nse [edit]
[-] xmpp-info.nse [edit]
[-] pgsql-brute.nse [edit]
[-] ssl-google-cert-catalog.nse [edit]
[-] smtp-commands.nse [edit]
[-] rpcinfo.nse [edit]
[-] snmp-hh3c-logins.nse [edit]
[-] dns-zone-transfer.nse [edit]
[-] murmur-version.nse [edit]
[-] metasploit-xmlrpc-brute.nse [edit]
[-] http-brute.nse [edit]
[-] nessus-xmlrpc-brute.nse [edit]
[-] krb5-enum-users.nse [edit]
[-] vuze-dht-info.nse [edit]
[-] smb-ls.nse [edit]
[-] openlookup-info.nse [edit]
[-] hadoop-namenode-info.nse [edit]
[-] informix-tables.nse [edit]
[-] http-vuln-cve2010-0738.nse [edit]
[-] omp2-brute.nse [edit]
[-] http-headers.nse [edit]
[-] bitcoin-info.nse [edit]
[-] smb-psexec.nse [edit]
[-] eppc-enum-processes.nse [edit]
[-] afp-brute.nse [edit]
[-] iscsi-brute.nse [edit]
[-] http-enum.nse [edit]
[-] smb-enum-sessions.nse [edit]
[-] daytime.nse [edit]
[-] mongodb-info.nse [edit]
[-] omp2-enum-targets.nse [edit]
[-] p2p-conficker.nse [edit]
[-] teamspeak2-version.nse [edit]
[-] http-wordpress-brute.nse [edit]
[-] riak-http-info.nse [edit]
[-] http-joomla-brute.nse [edit]
[-] path-mtu.nse [edit]
[-] targets-traceroute.nse [edit]
[-] snmp-win32-users.nse [edit]
[-] http-unsafe-output-escaping.nse [edit]
[-] http-traceroute.nse [edit]
[-] ftp-anon.nse [edit]
[-] mysql-info.nse [edit]
[-] mtrace.nse [edit]
[-] openvas-otp-brute.nse [edit]
[-] lltd-discovery.nse [edit]
[-] ssl-enum-ciphers.nse [edit]
[-] dict-info.nse [edit]
[-] netbus-version.nse [edit]
[-] nfs-statfs.nse [edit]
[-] hostmap-bfk.nse [edit]
[-] dns-random-txid.nse [edit]
[-] http-affiliate-id.nse [edit]
[-] socks-brute.nse [edit]
[-] bitcoin-getaddr.nse [edit]
[-] acarsd-info.nse [edit]
[-] http-cakephp-version.nse [edit]
[-] oracle-enum-users.nse [edit]
[-] dns-brute.nse [edit]
[-] http-google-malware.nse [edit]
[-] hostmap-robtex.nse [edit]
[-] http-barracuda-dir-traversal.nse [edit]
[-] http-auth-finder.nse [edit]
[-] resolveall.nse [edit]
[-] informix-query.nse [edit]
[-] mysql-users.nse [edit]
[-] nrpe-enum.nse [edit]
[-] mysql-empty-password.nse [edit]
[-] broadcast-xdmcp-discover.nse [edit]
[-] ip-geolocation-geobytes.nse [edit]
[-] cups-info.nse [edit]
[-] tftp-enum.nse [edit]
[-] http-icloud-sendmsg.nse [edit]
[-] nbstat.nse [edit]
[-] ajp-headers.nse [edit]
[-] nexpose-brute.nse [edit]
[-] giop-info.nse [edit]
[-] sip-call-spoof.nse [edit]
[-] broadcast-tellstick-discover.nse [edit]
[-] dns-nsec3-enum.nse [edit]
[-] http-grep.nse [edit]
[-] http-drupal-enum-users.nse [edit]
[-] smb-enum-processes.nse [edit]
[-] maxdb-info.nse [edit]
[-] rtsp-url-brute.nse [edit]
[-] ganglia-info.nse [edit]
[-] ip-geolocation-maxmind.nse [edit]
[-] traceroute-geolocation.nse [edit]
[-] rpcap-info.nse [edit]
[-] http-waf-detect.nse [edit]
[-] ms-sql-dac.nse [edit]
[-] citrix-enum-servers.nse [edit]
[-] http-vmware-path-vuln.nse [edit]
[-] mongodb-brute.nse [edit]
[-] http-passwd.nse [edit]
[-] x11-access.nse [edit]
[-] http-generator.nse [edit]
[-] ms-sql-info.nse [edit]
[-] http-method-tamper.nse [edit]
[-] http-robtex-shared-ns.nse [edit]
[-] http-majordomo2-dir-traversal.nse [edit]
[-] ms-sql-empty-password.nse [edit]
[-] broadcast-netbios-master-browser.nse [edit]
[-] citrix-enum-servers-xml.nse [edit]
[-] broadcast-networker-discover.nse [edit]
[-] mrinfo.nse [edit]
[-] lexmark-config.nse [edit]
[-] http-frontpage-login.nse [edit]
[-] smtp-open-relay.nse [edit]
[-] http-git.nse [edit]
[-] targets-asn.nse [edit]
[-] http-favicon.nse [edit]
[-] backorifice-info.nse [edit]
[-] http-vuln-cve2011-3192.nse [edit]
[-] realvnc-auth-bypass.nse [edit]
[-] broadcast-wpad-discover.nse [edit]
[-] http-methods.nse [edit]
[-] smb-check-vulns.nse [edit]
[-] sshv1.nse [edit]
[-] broadcast-bjnp-discover.nse [edit]
[-] http-title.nse [edit]
[-] broadcast-novell-locate.nse [edit]
[-] smb-vuln-ms10-054.nse [edit]
[-] afp-showmount.nse [edit]
[-] broadcast-rip-discover.nse [edit]
[-] http-slowloris.nse [edit]
[-] nat-pmp-mapport.nse [edit]
[-] ftp-libopie.nse [edit]
[-] targets-ipv6-multicast-echo.nse [edit]
[-] nessus-brute.nse [edit]
[-] membase-brute.nse [edit]
[-] ip-geolocation-ipinfodb.nse [edit]
[-] smb-print-text.nse [edit]
[-] smtp-enum-users.nse [edit]
[-] ajp-brute.nse [edit]
[-] bitcoinrpc-info.nse [edit]
[-] auth-owners.nse [edit]
[-] targets-ipv6-multicast-invalid-dst.nse [edit]
[-] afp-path-vuln.nse [edit]
[-] oracle-brute-stealth.nse [edit]
[-] http-vlcstreamer-ls.nse [edit]
[-] auth-spoof.nse [edit]
[-] nping-brute.nse [edit]
[-] broadcast-dropbox-listener.nse [edit]
[-] afp-ls.nse [edit]
[-] broadcast-db2-discover.nse [edit]
[-] quake3-info.nse [edit]
[-] snmp-sysdescr.nse [edit]
[-] dhcp-discover.nse [edit]
[-] ms-sql-config.nse [edit]
[-] http-comments-displayer.nse [edit]
[-] smb-vuln-ms10-061.nse [edit]
[-] ipv6-node-info.nse [edit]
[-] http-awstatstotals-exec.nse [edit]
[-] ldap-rootdse.nse [edit]
[-] rtsp-methods.nse [edit]
[-] smb-enum-domains.nse [edit]
[-] sniffer-detect.nse [edit]
[-] hbase-master-info.nse [edit]
[-] modbus-discover.nse [edit]
[-] http-rfi-spider.nse [edit]
[-] msrpc-enum.nse [edit]
[-] mysql-query.nse [edit]
[-] ftp-vsftpd-backdoor.nse [edit]
[-] domcon-brute.nse [edit]
[-] citrix-enum-apps-xml.nse [edit]
[-] pjl-ready-message.nse [edit]
[-] sip-brute.nse [edit]
[-] http-vuln-cve2011-3368.nse [edit]
[-] firewalk.nse [edit]
[-] http-gitweb-projects-enum.nse [edit]
[-] http-open-redirect.nse [edit]
[-] ajp-methods.nse [edit]
[-] ip-forwarding.nse [edit]
[-] ncp-serverinfo.nse [edit]
[-] smb-enum-shares.nse [edit]
[-] ssh2-enum-algos.nse [edit]
[-] cvs-brute.nse [edit]
[-] nat-pmp-info.nse [edit]
[-] epmd-info.nse [edit]
[-] bjnp-discover.nse [edit]
[-] stuxnet-detect.nse [edit]
[-] ftp-vuln-cve2010-4221.nse [edit]
[-] http-litespeed-sourcecode-download.nse [edit]
[-] gpsd-info.nse [edit]
[-] snmp-ios-config.nse [edit]
[-] broadcast-igmp-discovery.nse [edit]
[-] http-robtex-reverse-ip.nse [edit]
[-] snmp-processes.nse [edit]
[-] broadcast-sybase-asa-discover.nse [edit]
[-] wsdd-discover.nse [edit]
[-] netbus-info.nse [edit]
[-] broadcast-ripng-discover.nse [edit]
[-] pop3-brute.nse [edit]
[-] backorifice-brute.nse [edit]
[-] domcon-cmd.nse [edit]
[-] citrix-enum-apps.nse [edit]
[-] dns-nsec-enum.nse [edit]
[-] rpcap-brute.nse [edit]
[-] ftp-bounce.nse [edit]
[-] stun-info.nse [edit]
[-] dns-update.nse [edit]
[-] broadcast-wake-on-lan.nse [edit]
[-] dns-cache-snoop.nse [edit]
[-] rsync-list-modules.nse [edit]
[-] snmp-netstat.nse [edit]
[-] url-snarf.nse [edit]
[-] snmp-interfaces.nse [edit]
[-] cassandra-info.nse [edit]
[-] http-huawei-hg5xx-vuln.nse [edit]
[-] memcached-info.nse [edit]
[-] http-proxy-brute.nse [edit]
[-] pptp-version.nse [edit]
[-] broadcast-pppoe-discover.nse [edit]
[-] dns-random-srcport.nse [edit]
[-] ip-geolocation-geoplugin.nse [edit]
[-] smb-security-mode.nse [edit]
[-] ms-sql-dump-hashes.nse [edit]
[-] ntp-monlist.nse [edit]
[-] http-wordpress-enum.nse [edit]
[-] ike-version.nse [edit]
[-] broadcast-eigrp-discovery.nse [edit]
[-] amqp-info.nse [edit]
[-] iax2-brute.nse [edit]
[-] mysql-variables.nse [edit]
[-] ajp-request.nse [edit]
[-] cccam-version.nse [edit]
[-] mysql-brute.nse [edit]
[-] http-malware-host.nse [edit]
[-] http-domino-enum-passwords.nse [edit]
[-] vnc-brute.nse [edit]
[-] duplicates.nse [edit]
[-] db2-das-info.nse [edit]
[-] broadcast-dhcp6-discover.nse [edit]
[-] pop3-capabilities.nse [edit]
[-] http-form-fuzzer.nse [edit]
[-] flume-master-info.nse [edit]
[-] ms-sql-tables.nse [edit]
[-] broadcast-wsdd-discover.nse [edit]
[-] jdwp-info.nse [edit]
[-] mcafee-epo-agent.nse [edit]
[-] smb-brute.nse [edit]
[-] irc-sasl-brute.nse [edit]
[-] http-php-version.nse [edit]
[-] ms-sql-brute.nse [edit]
[-] http-form-brute.nse [edit]
[-] http-cors.nse [edit]
[-] jdwp-version.nse [edit]
[-] smbv2-enabled.nse [edit]
[-] ssl-cert.nse [edit]
[-] dns-fuzz.nse [edit]
[-] mysql-enum.nse [edit]
[-] script.db [edit]
[-] rlogin-brute.nse [edit]
[-] ovs-agent-version.nse [edit]
[-] ntp-info.nse [edit]
[-] ajp-auth.nse [edit]
[-] targets-sniffer.nse [edit]
[-] quake3-master-getservers.nse [edit]
[-] http-date.nse [edit]
[-] cups-queue-info.nse [edit]
[-] rdp-vuln-ms12-020.nse [edit]
[-] http-tplink-dir-traversal.nse [edit]
[-] http-robots.txt.nse [edit]
[-] hadoop-tasktracker-info.nse [edit]
[-] eap-info.nse [edit]
[-] ms-sql-xp-cmdshell.nse [edit]
[-] broadcast-dns-service-discovery.nse [edit]
[-] sip-methods.nse [edit]
[-] broadcast-avahi-dos.nse [edit]
[-] hadoop-secondary-namenode-info.nse [edit]
[-] db2-discover.nse [edit]
[-] jdwp-inject.nse [edit]
[-] servicetags.nse [edit]
[-] netbus-brute.nse [edit]
[-] ms-sql-hasdbaccess.nse [edit]
[-] gopher-ls.nse [edit]
[-] asn-query.nse [edit]
[-] firewall-bypass.nse [edit]
[-] redis-brute.nse [edit]
[-] dpap-brute.nse [edit]
[-] imap-capabilities.nse [edit]
[-] smtp-vuln-cve2010-4344.nse [edit]
[-] tls-nextprotoneg.nse [edit]
[-] upnp-info.nse [edit]
[-] http-icloud-findmyiphone.nse [edit]
[-] ventrilo-info.nse [edit]
[-] hostmap-ip2hosts.nse [edit]
[-] wdb-version.nse [edit]
[-] http-qnap-nas-info.nse [edit]
[-] smb-enum-groups.nse [edit]
[-] address-info.nse [edit]
[-] smb-mbenum.nse [edit]
[-] dns-srv-enum.nse [edit]
[-] http-iis-webdav-vuln.nse [edit]
[-] broadcast-listener.nse [edit]
[-] http-default-accounts.nse [edit]
[-] mysql-audit.nse [edit]
[-] bittorrent-discovery.nse [edit]
[-] reverse-index.nse [edit]
[-] smb-os-discovery.nse [edit]
[-] smtp-strangeport.nse [edit]
[-] socks-open-proxy.nse [edit]
[-] http-vhosts.nse [edit]
[-] broadcast-upnp-info.nse [edit]
[-] afp-serverinfo.nse [edit]
[-] targets-ipv6-multicast-slaac.nse [edit]
[-] ldap-novell-getpass.nse [edit]
[-] nfs-showmount.nse [edit]
[-] http-vuln-cve2012-1823.nse [edit]
[-] stun-version.nse [edit]
[-] http-fileupload-exploiter.nse [edit]
[-] vnc-info.nse [edit]
[-] http-axis2-dir-traversal.nse [edit]
[-] ssh-hostkey.nse [edit]
[-] http-phpmyadmin-dir-traversal.nse [edit]
[-] hadoop-jobtracker-info.nse [edit]
[-] http-stored-xss.nse [edit]
[-] hbase-region-info.nse [edit]
[-] broadcast-ataoe-discover.nse [edit]
[-] dns-check-zone.nse [edit]
[-] rdp-enum-encryption.nse [edit]
[-] ms-sql-query.nse [edit]
[-] http-wordpress-plugins.nse [edit]
[-] irc-info.nse [edit]
[-] rmi-vuln-classloader.nse [edit]
[-] ssl-known-key.nse [edit]
[-] mysql-dump-hashes.nse [edit]
[-] rexec-brute.nse [edit]
[-] mmouse-exec.nse [edit]
[-] vmauthd-brute.nse [edit]
[-] dns-ip6-arpa-scan.nse [edit]
[-] smb-system-info.nse [edit]
[-] irc-brute.nse [edit]
[-] broadcast-versant-locate.nse [edit]
[-] xmpp-brute.nse [edit]
[-] ldap-search.nse [edit]
[-] http-put.nse [edit]
[-] banner.nse [edit]
[-] http-adobe-coldfusion-apsa1301.nse [edit]
[-] llmnr-resolve.nse [edit]
[-] domino-enum-users.nse [edit]
[-] broadcast-ms-sql-discover.nse [edit]
[-] telnet-brute.nse [edit]
[-] isns-info.nse [edit]
[-] http-userdir-enum.nse [edit]
[-] smb-enum-users.nse [edit]
[-] dns-nsid.nse [edit]
[-] ndmp-version.nse [edit]
[-] voldemort-info.nse [edit]
[-] sslv2.nse [edit]
[-] redis-info.nse [edit]
[-] drda-brute.nse [edit]
[-] smtp-vuln-cve2011-1720.nse [edit]
[-] skypev2-version.nse [edit]
[-] http-open-proxy.nse [edit]
[-] irc-unrealircd-backdoor.nse [edit]
[-] ssl-date.nse [edit]
[-] couchdb-databases.nse [edit]
[-] snmp-win32-software.nse [edit]
[-] whois.nse [edit]
[-] http-email-harvest.nse [edit]
[-] http-virustotal.nse [edit]
[-] broadcast-pim-discovery.nse [edit]
[-] distcc-cve2004-2687.nse [edit]
[-] http-exif-spider.nse [edit]
[-] couchdb-stats.nse [edit]
[-] rpc-grind.nse [edit]
[-] finger.nse [edit]
[-] metasploit-msgrpc-brute.nse [edit]
[-] http-waf-fingerprint.nse [edit]
[-] http-config-backup.nse [edit]
[-] http-vuln-cve2010-2861.nse [edit]
[-] ipv6-ra-flood.nse [edit]
[-] http-phpself-xss.nse [edit]
[-] http-sql-injection.nse [edit]
[-] telnet-encryption.nse [edit]
[-] jdwp-exec.nse [edit]
[-] hddtemp-info.nse [edit]
[-] metasploit-info.nse [edit]
[-] ipidseq.nse [edit]
[-] http-auth.nse [edit]
[-] ncp-enum-users.nse [edit]
[-] sip-enum-users.nse [edit]
[-] daap-get-library.nse [edit]
[-] socks-auth-info.nse [edit]
[-] broadcast-dhcp-discover.nse [edit]
[-] http-vuln-cve2009-3960.nse [edit]
[-] http-coldfusion-subzero.nse [edit]
[-] mongodb-databases.nse [edit]
[-] xdmcp-discover.nse [edit]
[-] http-chrono.nse [edit]
[-] netbus-auth-bypass.nse [edit]
[-] drda-info.nse [edit]
[-] membase-http-info.nse [edit]
[-] smb-flood.nse [edit]
[-] dns-zeustracker.nse [edit]
[-] http-apache-negotiation.nse [edit]
[-] iscsi-info.nse [edit]
[-] smb-server-stats.nse [edit]
[-] mysql-vuln-cve2012-2122.nse [edit]
[-] dns-service-discovery.nse [edit]
[-] creds-summary.nse [edit]
[-] oracle-sid-brute.nse [edit]
[-] dns-recursion.nse [edit]
[-] broadcast-pc-anywhere.nse [edit]
[-] http-slowloris-check.nse [edit]
[-] snmp-brute.nse [edit]
[-] ftp-proftpd-backdoor.nse [edit]
[-] imap-brute.nse [edit]
[-] gkrellm-info.nse [edit]
[-] versant-info.nse [edit]
[-] svn-brute.nse [edit]
[-] hadoop-datanode-info.nse [edit]
[-] informix-brute.nse [edit]
[-] mmouse-brute.nse [edit]
[-] samba-vuln-cve-2012-1182.nse [edit]
[-] broadcast-ping.nse [edit]
[-] unusual-port.nse [edit]
[-] smtp-brute.nse [edit]
[-] http-vuln-cve2013-0156.nse [edit]
[-] http-trace.nse [edit]
[-] rmi-dumpregistry.nse [edit]
[-] dns-blacklist.nse [edit]
[-] ldap-brute.nse [edit]
[-] pcanywhere-brute.nse [edit]
[-] dns-client-subnet-scan.nse [edit]
[-] snmp-win32-shares.nse [edit]