Nmap scripts
This page is very outdated; please consult http://nmap.org/nsedoc/, which lists the most recent scripts and libraries for Nmap.
This page contains the scripts that I’ve developed for the Nmap scanner available at insecure.org. Nmap scripts extend the capabilities of the scanner to do discovery, password guessing or anything else the developer decides to implement.
Several powerful scripts are already included with the scanner today. More information regarding which scripts are included and what they do can be found here.
The following table contains the scripts I have written and a short description of what they do.
| Script name | Ver | Description |
| rpc.lua | 0.1 | RPC library needed by the NFS scripts |
| nfs-showmount | 0.5 | Lists NFS exports on the target system. |
| nfs-get-stats | 0.1 | Retrieves disk usage statistics for each export |
| nfs-get-dirlist | 0.1 | Lists contents of an NFS share |
| citrix-brute-xml | 0.2 | Performs password guessing against the Citrix XML service. |
| citrix-enum-apps | 0.2 | Queries the Citrix ICA Browser (1604/udp) for a list of applications |
| citrix-enum-apps-xml | 0.2 | Queries the Citrix XML service for a list of published applications. The output is more detailed than from the ICA browser and contains ACLs. |
| citrix-enum-servers | 0.2 | Queries the Citrix ICA browser (1604/udp) for a list of servers |
| citrix-enum-servers-xml | 0.2 | Queries the Citrix XML service for a list of servers |
| oracle-sid-brute | 0.2 | Tries to determine valid instance names (SIDs) by using a dictionary |
| lexmark-config | 0.3 | Extracts the configuration from Lexmark S300-400 series printers |
| afp-showmount | 0.3 | Queries the Apple File Sharing (AFP) for shared folders and their ACLs |
| dns-service-discovery | 0.2 | Uses the DNS Service Discovery protocol to enumerate information |
| asn.lua | - | Library needed for the LDAP scripts |
| ldap.lua | 0.2 | Library needed for the LDAP scripts |
| ldap-rootdse.nse | 0.2 | Queries an LDAP server for the root object |
| ldap-search.nse | 0.2 | Provides basic LDAP search functionality |
| ldap-brute.nse | 0.1 | Password guessing against LDAP service |
| snmp.lua | - | An updated SNMP lib needed for the SNMP scripts to work |
| snmp-netstat | 0.1 | Creates a netstat based on info from SNMP |
| snmp-processes | 0.3 | Lists running processes on the remote system |
| snmp-win32-services | 0.2 | Lists the services running on the Windows host |
| snmp-win32-shares | 0.2 | Gets a list of remote shares and their paths |
| snmp-win32-software | 0.2 | Lists installed software with date of installation |
| snmp-win32-users | 0.2 | Lists the users on the remote Windows host |
| mysql.lua | 0.2 | MySQL library needed by the MySQL scripts |
| mysql-brute | 0.3 | Password guessing for MySQL |
| mysql-empty-password | 0.3 | Checks if root or anonymous has empty password |
| mysql-list-users | 0.1 | Attempts to list MySQL users |
| mysql-list-databases | 0.1 | Attempts to list MySQL databases |
| mysql-show-variables | 0.1 | Attempts to show all MySQL variables |
| daap-get-library | 0.2 | Lists the contents of a DAAP library |
All scripts that have been marked with strikethrough are either already in Nmap or have been committed to the Nmap development release. Once committed, the script will no longer be maintained and updated on this web page. To install the development release, follow the steps outlined over here.
The Citrix scripts that rely on the XML service to enumerate their information depend on the citrixxml.lua library, which is included in the zip file. While the scripts should be copied to the Nmap scripts directory, the citrixxml.lua file should be placed in nselib.
The oracle-sid-brute script can be supplied a custom dictionary using the oraclesids argument. If no dictionary is supplied, the default nselib/data/oracle-sids (included in the zip file) is used. The default list was created by Red Database Security and is available from here.
The afp-showmount zip file contains two files: afp.lua and afp-showmount. The afp.lua file contains the protocol-specific code and goes into the nselib directory. The afp-showmount script goes into the scripts folder as usual.
For more information regarding the SNMP scripts, have a look over here.