目录导航
如果您想探索NSE(Nmap Scripting Language—-Nmap脚本语言)脚本的世界,此页面有望帮助您快速有效地找到所需内容。
在此页面上,您将找到所有可用的NSE脚本的完整列表,这些列表以交互式表格(电子表格)的形式组织,所有相关信息都集中在一个位置。
介绍
无论您是想在场景中使用特定的NSE脚本,还是只想查看针对特定协议或端口的脚本,下面的电子表格都有望为您提供一个快速的答案,并为您提供一个可用的概述。在Nmap脚本的世界中。
电子表格下方包含所有604个Nmap NSE脚本的列表,这些脚本当前在最新的Nmap版本中可用。电子表格是交互式的,它使您可以:
- 使用搜索过滤功能快速查找相关脚本(请参见下面的示例)
- 按任何列排序(按升序或降序),例如按端口号排序
- 单击脚本名称以查看带有所有相关详细信息的官方文档
nmap NSE脚本使用示例
waf指纹识别
nmap --script=http-waf-fingerprint --script-args http-waf-fingerprint.intensive=1 www.ddosi.org
允许的http请求方法测试
nmap --script http-methods --script-args http-methods.url-path='/code' www.ddosi.org 
筛选范例
如上所述,您可以使用搜索功能根据您感兴趣的模式交互式过滤出脚本。以下是几个示例:
- 搜索:
smb discovery
仅显示“发现”类别中与“ smb”协议相关的脚本。 - 搜索
1521
定位到端口1521(Oracle数据库)的“仅显示”脚本。 - 搜索:
http brute
仅显示与Web服务和Web应用程序的暴力破解有关的脚本。 - 搜索:
ftp
仅显示与FTP相关的脚本。
我们来看一下。
Nmap脚本列表(交互式电子表格)
| NSE Script 名 | 网络端口 | 服务/协议 | 类别 |
|---|---|---|---|
| acarsd-info | 2202 | acarsd, tcp | safe, discovery |
| address-info | – | – | default, safe |
| afp-brute | 548 | afp | intrusive, brute |
| afp-ls | 548 | afp | discovery, safe |
| afp-path-vuln | 548 | tcp | exploit, intrusive, vuln |
| afp-serverinfo | 548 | afp | default, discovery, safe |
| afp-showmount | 548 | tcp | discovery, safe |
| ajp-auth | 8009 | ajp13, tcp | default, auth, safe |
| ajp-brute | 8009 | ajp13, tcp | intrusive, brute |
| ajp-headers | 8009 | ajp13, tcp | discovery, safe |
| ajp-methods | 8009 | ajp13, tcp | default, safe |
| ajp-request | 8009 | ajp13, tcp | discovery, safe |
| allseeingeye-info | 1258, 2126, 3123, 12444, 13200, 23196, 26000, 27138, 27244, 27777, 28138 | allseeingeye, udp | discovery, safe, version |
| amqp-info | 5672 | amqp, tcp | default, discovery, safe, version |
| asn-query | – | – | discovery, external, safe |
| auth-owners | 113 | auth | default, safe |
| auth-spoof | 113 | auth | malware, safe |
| backorifice-brute | 151-222, 1024-1512, 25252, 31337 | udp | intrusive, brute |
| backorifice-info | 151-222, 1024-1512, 25252, 31337 | udp | default, discovery, safe |
| bacnet-info | 47808 | bacnet, tcp, udp | discovery, version |
| banner | any | any | discovery, safe |
| bitcoin-getaddr | 8333 | bitcoin, tcp | discovery, safe |
| bitcoin-info | 8333 | bitcoin, tcp | discovery, safe |
| bitcoinrpc-info | 8332 | – | default, discovery, safe |
| bittorrent-discovery | – | – | discovery, safe |
| bjnp-discover | 8611, 8612 | udp | safe, discovery |
| broadcast-ataoe-discover | – | – | broadcast, safe |
| broadcast-avahi-dos | – | – | broadcast, dos, intrusive, vuln |
| broadcast-bjnp-discover | – | – | safe, broadcast |
| broadcast-db2-discover | – | – | broadcast, safe |
| broadcast-dhcp6-discover | – | – | broadcast, safe |
| broadcast-dhcp-discover | – | – | broadcast, safe |
| broadcast-dns-service-discovery | – | – | broadcast, safe |
| broadcast-dropbox-listener | – | – | broadcast, safe |
| broadcast-eigrp-discovery | – | – | discovery, broadcast, safe |
| broadcast-hid-discoveryd | – | – | discovery, broadcast, safe |
| broadcast-igmp-discovery | – | – | discovery, safe, broadcast |
| broadcast-jenkins-discover | – | – | discovery, broadcast, safe |
| broadcast-listener | – | – | broadcast, safe |
| broadcast-ms-sql-discover | – | – | broadcast, safe |
| broadcast-netbios-master-browser | – | – | broadcast, safe |
| broadcast-networker-discover | – | – | broadcast, safe |
| broadcast-novell-locate | – | – | broadcast, safe |
| broadcast-ospf2-discover | – | – | broadcast, discovery, safe |
| broadcast-pc-anywhere | – | – | broadcast, safe |
| broadcast-pc-duo | – | – | broadcast, safe |
| broadcast-pim-discovery | – | – | discovery, safe, broadcast |
| broadcast-ping | – | – | discovery, safe, broadcast |
| broadcast-pppoe-discover | – | – | broadcast, safe |
| broadcast-rip-discover | – | – | broadcast, safe |
| broadcast-ripng-discover | – | – | broadcast, safe |
| broadcast-sonicwall-discover | – | – | broadcast, safe |
| broadcast-sybase-asa-discover | – | – | broadcast, safe |
| broadcast-tellstick-discover | – | – | broadcast, safe |
| broadcast-upnp-info | – | – | broadcast, safe |
| broadcast-versant-locate | – | – | broadcast, safe |
| broadcast-wake-on-lan | – | – | broadcast, safe |
| broadcast-wpad-discover | – | – | broadcast, safe |
| broadcast-wsdd-discover | – | – | broadcast, safe |
| broadcast-xdmcp-discover | – | – | broadcast, safe |
| cassandra-brute | 9160 | cassandra | intrusive, brute |
| cassandra-info | 9160 | cassandra | default, discovery, safe |
| cccam-version | 10000, 10001, 12000, 12001, 16000, 16001 | cccam | version |
| cics-enum | 23, 992 | tn3270 | intrusive, brute |
| cics-info | 23, 992 | tn3270 | discovery, safe |
| cics-user-brute | 23, 992 | tn3270 | intrusive, brute |
| cics-user-enum | 23, 992 | tn3270 | intrusive, brute |
| citrix-brute-xml | 8080, 80, 443 | http, https, tcp | intrusive, brute |
| citrix-enum-apps | 1604 | udp | discovery, safe |
| citrix-enum-apps-xml | 8080, 80, 443 | http, https, tcp | discovery, safe |
| citrix-enum-servers | 1604 | udp | discovery, safe |
| citrix-enum-servers-xml | 8080, 80, 443 | http, https, tcp | discovery, safe |
| clamav-exec | 3310 | clam | exploit, vuln |
| clock-skew | various | – | default, safe |
| coap-resources | 5683 | coap, udp | safe, discovery |
| couchdb-databases | 5984 | – | discovery, safe |
| couchdb-stats | 5984 | – | discovery, safe |
| creds-summary | – | – | auth, default, safe |
| cups-info | 631 | ipp, tcp | safe, discovery |
| cups-queue-info | 631 | ipp, tcp | safe, discovery |
| cvs-brute | 2401 | cvspserver | intrusive, brute |
| cvs-brute-repository | 2401 | cvspserver | intrusive, brute |
| daap-get-library | 3689 | daap | discovery, safe |
| daytime | 13 | daytime, tcp, udp | discovery, safe |
| db2-das-info | 523 | tcp, udp | safe, discovery, version |
| deluge-rpc-brute | 58846 | deluge-rpc | intrusive, brute |
| dhcp-discover | 67 | udp | discovery, safe |
| dicom-brute | 104, 2345, 2761, 2762, 4242, 11112 | dicom, tcp | auth, brute |
| dicom-ping | 104, 2345, 2761, 2762, 4242, 11112 | dicom, tcp | discovery, default, safe, auth |
| dict-info | 2628 | dict, tcp | discovery, safe |
| distcc-cve2004-2687 | 3632 | distcc | exploit, intrusive, vuln |
| dns-blacklist | – | – | external, safe |
| dns-brute | – | – | intrusive, discovery |
| dns-cache-snoop | 53 | dns, udp | intrusive, discovery |
| dns-check-zone | – | – | discovery, safe, external |
| dns-client-subnet-scan | 53 | dns, udp, tcp | discovery, safe |
| dns-fuzz | 53 | dns, udp, tcp | fuzzer, intrusive |
| dns-ip6-arpa-scan | – | – | intrusive, discovery |
| dns-nsec3-enum | 53 | dns, udp, tcp | discovery, intrusive |
| dns-nsec-enum | 53 | dns, udp, tcp | discovery, intrusive |
| dns-nsid | 53 | dns, udp, tcp | discovery, default, safe |
| dns-random-srcport | 53 | dns, udp | external, intrusive |
| dns-random-txid | 53 | dns, udp | external, intrusive |
| dns-recursion | 53 | dns, udp | default, safe |
| dns-service-discovery | 5353 | dns, udp | default, discovery, safe |
| dns-srv-enum | – | – | discovery, safe |
| dns-update | 53 | dns, udp, tcp | vuln, intrusive |
| dns-zeustracker | – | – | safe, discovery, external, malware |
| dns-zone-transfer | 53 | dns, tcp | intrusive, discovery |
| docker-version | 2375, 2376 | docker, docker-s, tcp | version |
| domcon-brute | 2050 | tcp | intrusive, brute |
| domcon-cmd | 2050 | dominoconsole, tcp | intrusive, auth |
| domino-enum-users | 1352 | lotusnotes, tcp | intrusive, auth |
| dpap-brute | 8770 | apple-iphoto | intrusive, brute |
| drda-brute | 50000, 60000 | drda, ibm-db2, tcp | intrusive, brute |
| drda-info | 50000, 60000, 9090, 1526, 1527 | – | safe, discovery, version |
| duplicates | – | – | safe |
| eap-info | – | – | broadcast, safe |
| enip-info | 44818 | tcp, udp | discovery, version |
| epmd-info | 4369 | epmd | default, discovery, safe |
| eppc-enum-processes | 3031 | eppc, tcp | discovery, safe |
| fcrdns | – | – | discovery, safe |
| finger | 79 | finger | default, discovery, safe |
| fingerprint-strings | 79, any | finger | version |
| firewalk | – | – | safe, discovery |
| firewall-bypass | – | – | vuln, intrusive |
| flume-master-info | 35871 | flume-master | default, discovery, safe |
| fox-info | 1911, 4911 | niagara-fox, tcp | discovery, version |
| freelancer-info | 2302 | freelancer, udp | default, discovery, safe, version |
| ftp-anon | 21, 990 | ftp, ftps | default, auth, safe |
| ftp-bounce | 21, 990 | ftp, ftps | default, safe |
| ftp-brute | 21 | ftp | intrusive, brute |
| ftp-libopie | 21 | ftp | vuln, intrusive |
| ftp-proftpd-backdoor | 21 | ftp | exploit, intrusive, malware, vuln |
| ftp-syst | 21, 990 | ftp, ftps | default, discovery, safe |
| ftp-vsftpd-backdoor | 21 | ftp | exploit, intrusive, malware, vuln |
| ftp-vuln-cve2010-4221 | 21 | ftp | intrusive, vuln |
| ganglia-info | 8649, 8651 | ganglia, tcp | default, discovery, safe |
| giop-info | 2809, 1050, 1049 | giop, tcp | default, discovery, safe |
| gkrellm-info | 19150 | gkrellm, tcp | discovery, safe |
| gopher-ls | 70 | gopher, tcp | default, discovery, safe |
| gpsd-info | 2947 | gpsd-ng, tcp | discovery, safe |
| hadoop-datanode-info | 50075 | hadoop-datanode | default, discovery, safe |
| hadoop-jobtracker-info | 50030 | hadoop-jobtracker | default, discovery, safe |
| hadoop-namenode-info | 50070 | hadoop-namenode | default, discovery, safe |
| hadoop-secondary-namenode-info | 50090 | hadoop-secondary-namenode | default, discovery, safe |
| hadoop-tasktracker-info | 50060 | hadoop-tasktracker | default, discovery, safe |
| hbase-master-info | 60010 | hbase-master | default, discovery, safe |
| hbase-region-info | 60030 | hbase-region | default, discovery, safe |
| hddtemp-info | 7634 | hddtemp, tcp | default, discovery, safe |
| hnap-info | 80, 8080 | http | safe, discovery, default, version |
| hostmap-bfk | – | – | external, discovery |
| hostmap-crtsh | – | – | external, discovery |
| hostmap-robtex | – | – | discovery, safe, external |
| http-adobe-coldfusion-apsa1301 | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | exploit, vuln |
| http-affiliate-id | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | safe, discovery |
| http-apache-negotiation | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | safe, discovery |
| http-apache-server-status | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, safe |
| http-aspnet-debug | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln, discovery |
| http-auth-finder | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, safe |
| http-auth | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | default, auth, safe |
| http-avaya-ipoffice-users | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | exploit, vuln |
| http-awstatstotals-exec | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln, intrusive, exploit |
| http-axis2-dir-traversal | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln, intrusive, exploit |
| http-backup-finder | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, safe |
| http-barracuda-dir-traversal | 8000 | barracuda, tcp | intrusive, exploit, auth |
| http-bigip-cookie | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, safe |
| http-brute | 80, 443 | http, https | intrusive, brute |
| http-cakephp-version | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, safe |
| http-chrono | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, intrusive |
| http-cisco-anyconnect | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | default, discovery, safe |
| http-coldfusion-subzero | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | exploit |
| http-comments-displayer | 80, 443 | http, https | discovery, safe |
| http-config-backup | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | auth, intrusive |
| http-cookie-flags | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | default, safe, vuln |
| http-cors | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | default, discovery, safe |
| http-cross-domain-policy | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | safe, external, vuln |
| http-csrf | 80, 443 | http, https | intrusive, exploit, vuln |
| http-date | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, safe |
| http-default-accounts | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, auth, intrusive |
| http-devframework | 80, 443 | http, https | discovery, intrusive |
| http-dlink-backdoor | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | exploit, vuln |
| http-dombased-xss | 80, 443 | http, https | intrusive, exploit, vuln |
| http-domino-enum-passwords | 80, 443 | http, https | intrusive, auth |
| http-drupal-enum | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, intrusive |
| http-drupal-enum-users | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, intrusive |
| http-enum | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, intrusive, vuln |
| http-errors | 80, 443 | http, https | discovery, intrusive |
| http-exif-spider | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | intrusive |
| http-favicon | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | default, discovery, safe |
| http-feed | 80, 443 | http, https | discovery, intrusive |
| http-fetch | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | safe |
| http-fileupload-exploiter | 80, 443 | http, https | intrusive, exploit, vuln |
| http-form-brute | 80, 443 | http, https | intrusive, brute |
| http-form-fuzzer | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | fuzzer, intrusive |
| http-frontpage-login | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln, safe |
| http-generator | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | default, discovery, safe |
| http-git | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | default, safe, vuln |
| http-gitweb-projects-enum | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, safe |
| http-google-malware | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | malware, discovery, safe, external |
| http-grep | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, safe |
| http-headers | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, safe |
| http-hp-ilo-info | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | safe, discovery |
| http-huawei-hg5xx-vuln | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | exploit, vuln |
| http-icloud-findmyiphone | – | – | discovery, safe, external |
| http-icloud-sendmsg | – | – | discovery, safe, external |
| http-iis-short-name-brute | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | intrusive, brute |
| http-iis-webdav-vuln | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln, intrusive |
| http-internal-ip-disclosure | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln, discovery, safe |
| http-joomla-brute | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | intrusive, brute |
| http-jsonp-detection | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | safe, vuln, discovery |
| http-litespeed-sourcecode-download | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln, intrusive, exploit |
| http-ls | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | default, discovery, safe |
| http-majordomo2-dir-traversal | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | intrusive, vuln, exploit |
| http-malware-host | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | malware, safe |
| http-mcmp | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | safe, discovery |
| http-methods | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | default, safe |
| http-method-tamper | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | auth, vuln |
| http-mobileversion-checker | 80, 443 | http, https | discovery, safe |
| http-ntlm-info | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | default, discovery, safe |
| http-open-proxy | 8123, 3128, 8000, 8080 | polipo, squid-http, http-proxy | default, discovery, external, safe |
| http-open-redirect | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, intrusive |
| http-passwd | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | intrusive, vuln |
| http-phpmyadmin-dir-traversal | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln, exploit |
| http-phpself-xss | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | fuzzer, intrusive, vuln |
| http-php-version | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, safe |
| http-proxy-brute | 8123, 3128, 8000, 8080 | polipo, squid-http, http-proxy | brute, intrusive, external |
| http-put | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, intrusive |
| http-qnap-nas-info | 443, 8080 | https, tcp | safe, discovery |
| http-referer-checker | 80, 443 | http, https | discovery, safe |
| http-rfi-spider | 80, 443 | http, https | intrusive |
| http-robots.txt | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | default, discovery, safe |
| http-robtex-reverse-ip | – | – | discovery, safe, external |
| http-robtex-shared-ns | – | – | discovery, safe, external |
| http-sap-netweaver-leak | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | safe, discovery |
| http-security-headers | 80, 443 | http, tcp | discovery, safe |
| http-server-header | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | version |
| http-shellshock | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | exploit, vuln, intrusive |
| http-sitemap-generator | 80, 443 | http, https | discovery, intrusive |
| http-slowloris-check | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln, safe |
| http-slowloris | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | dos, intrusive |
| http-sql-injection | 80, 443 | http, https | intrusive, vuln |
| https-redirect | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | version |
| http-stored-xss | 80, 443 | http, https | intrusive, exploit, vuln |
| http-svn-enum | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | default, discovery, safe |
| http-svn-info | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | default, discovery, safe |
| http-title | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | default, discovery, safe |
| http-tplink-dir-traversal | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln, exploit |
| http-trace | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln, discovery, safe |
| http-traceroute | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, safe |
| http-trane-info | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, version, safe |
| http-unsafe-output-escaping | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, intrusive |
| http-useragent-tester | 80, 443 | http, https | discovery, safe |
| http-userdir-enum | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | auth, intrusive |
| http-vhosts | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, intrusive |
| http-virustotal | – | – | safe, malware, external |
| http-vlcstreamer-ls | 54340 | vlcstreamer, tcp | discovery, safe |
| http-vmware-path-vuln | 80, 443, 8222, 8333 | http, https | vuln, safe |
| http-vuln-cve2006-3392 | 10000 | – | exploit, vuln, intrusive |
| http-vuln-cve2009-3960 | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | exploit, intrusive, vuln |
| http-vuln-cve2010-0738 | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | safe, auth, vuln |
| http-vuln-cve2010-2861 | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | intrusive, vuln |
| http-vuln-cve2011-3192 | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln, safe |
| http-vuln-cve2011-3368 | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | intrusive, vuln |
| http-vuln-cve2012-1823 | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | exploit, vuln, intrusive |
| http-vuln-cve2013-0156 | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | exploit, vuln |
| http-vuln-cve2013-6786 | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | exploit, vuln |
| http-vuln-cve2013-7091 | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | exploit, vuln, intrusive |
| http-vuln-cve2014-2126 | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | vuln, safe |
| http-vuln-cve2014-2127 | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | vuln, safe |
| http-vuln-cve2014-2128 | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | vuln, safe |
| http-vuln-cve2014-2129 | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | vuln, safe |
| http-vuln-cve2014-3704 | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln, intrusive, exploit |
| http-vuln-cve2014-8877 | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln, intrusive, exploit |
| http-vuln-cve2015-1427 | 9200 | http, tcp | vuln, intrusive |
| http-vuln-cve2015-1635 | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln, safe |
| http-vuln-cve2017-1001000 | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln, safe |
| http-vuln-cve2017-5638 | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln |
| http-vuln-cve2017-5689 | 623, 664, 16992, 16993 | amt-soap-http | vuln, auth, exploit |
| http-vuln-cve2017-8917 | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | vuln, intrusive |
| http-vuln-misfortune-cookie | 7547 | http | vuln, intrusive |
| http-vuln-wnr1000-creds | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | exploit, vuln, intrusive |
| http-waf-detect | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, intrusive |
| http-waf-fingerprint | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, intrusive |
| http-webdav-scan | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | safe, discovery, default |
| http-wordpress-brute | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | intrusive, brute |
| http-wordpress-enum | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, intrusive |
| http-wordpress-users | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | auth, intrusive, vuln |
| http-xssed | 80, 443 | http, https | safe, external, discovery |
| iax2-brute | 4569 | iax2, udp, tcp | intrusive, brute |
| iax2-version | 4569 | iax2, udp, tcp | version |
| icap-info | 1344 | icap | safe, discovery |
| iec-identify | 2404 | iec-104, tcp | discovery, intrusive |
| ike-version | 500 | isakmp, udp | default, discovery, safe, version |
| imap-brute | 143, 993 | imap, imaps | brute, intrusive |
| imap-capabilities | 143, 993 | imap, imaps | default, safe |
| imap-ntlm-info | 143, 993 | imap, imaps | default, discovery, safe |
| impress-remote-discover | 1599 | impress-remote, tcp | intrusive, brute |
| informix-brute | 1526, 9088, 9090, 9092 | informix, tcp | intrusive, brute |
| informix-query | 1526, 9088, 9090, 9092 | informix, tcp | intrusive, auth |
| informix-tables | 1526, 9088, 9090, 9092 | informix, tcp | intrusive, auth |
| ip-forwarding | – | – | safe, discovery |
| ip-geolocation-geoplugin | – | – | discovery, external, safe |
| ip-geolocation-ipinfodb | – | – | discovery, external, safe |
| ip-geolocation-map-bing | – | – | external, safe |
| ip-geolocation-map-google | – | – | external, safe |
| ip-geolocation-map-kml | – | – | safe |
| ip-geolocation-maxmind | – | – | discovery, external, safe |
| ip-https-discover | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | discovery, safe, default |
| ipidseq | – | – | safe, discovery |
| ipmi-brute | 623 | asf-rmcp, udp | intrusive, brute |
| ipmi-cipher-zero | 623 | asf-rmcp, udp | vuln, safe |
| ipmi-version | 623 | asf-rmcp, udp | discovery, safe |
| ipv6-multicast-mld-list | – | – | broadcast, discovery |
| ipv6-node-info | – | – | default, discovery, safe |
| ipv6-ra-flood | – | – | dos, intrusive |
| irc-botnet-channels | 6664, 6665, 6666, 6667, 6668, 6669, 6679, 6697, 7000, 8067 | irc | discovery, vuln, safe |
| irc-brute | 6664, 6665, 6666, 6667, 6668, 6669, 6679, 6697, 7000, 8067 | irc | brute, intrusive |
| irc-info | 6664, 6665, 6666, 6667, 6668, 6669, 6679, 6697, 7000, 8067 | irc | default, discovery, safe |
| irc-sasl-brute | 6664, 6665, 6666, 6667, 6668, 6669, 6679, 6697, 7000, 8067 | irc | brute, intrusive |
| irc-unrealircd-backdoor | 6664, 6665, 6666, 6667, 6668, 6669, 6679, 6697, 7000, 8067 | irc | exploit, intrusive, malware, vuln |
| iscsi-brute | 3260 | tcp | intrusive, brute |
| iscsi-info | 3260 | tcp | default, safe, discovery |
| isns-info | 3205 | isns | safe, discovery |
| jdwp-exec | any | tcp | exploit, intrusive |
| jdwp-info | any | tcp | default, safe, discovery |
| jdwp-inject | any | tcp | exploit, intrusive |
| jdwp-version | any | tcp | version |
| knx-gateway-discover | – | – | discovery, safe, broadcast |
| knx-gateway-info | 3671 | efcp, udp | default, discovery, safe |
| krb5-enum-users | 88 | kerberos-sec, udp, tcp | auth, intrusive |
| ldap-brute | 389, 636 | ldap, ldapssl | intrusive, brute |
| ldap-novell-getpass | 389, 636 | ldap, ldapssl | discovery, safe |
| ldap-rootdse | 389, 636 | ldap, ldapssl, tcp, udp | discovery, safe |
| ldap-search | 389, 636 | ldap, ldapssl | discovery, safe |
| lexmark-config | 5353, 9100 | udp | discovery, safe |
| llmnr-resolve | – | – | discovery, safe, broadcast |
| lltd-discovery | – | – | broadcast, discovery, safe |
| lu-enum | 23, 992 | tn3270 | intrusive, brute |
| maxdb-info | 7210 | maxdb, tcp | default, version, safe |
| mcafee-epo-agent | 8081 | tcp | version, safe |
| membase-brute | 11210, 11211 | couchbase-tap, tcp | intrusive, brute |
| membase-http-info | 8091 | http, tcp | discovery, safe |
| memcached-info | 11211 | memcached, tcp, udp | discovery, safe |
| metasploit-info | 55553 | metasploit-msgrpc | intrusive, safe |
| metasploit-msgrpc-brute | 55553 | metasploit-msgrpc | intrusive, brute |
| metasploit-xmlrpc-brute | 55553 | metasploit-xmlrpc, tcp | intrusive, brute |
| mikrotik-routeros-brute | 8728 | tcp | intrusive, brute |
| mmouse-brute | 51010 | mmouse, tcp | intrusive, brute |
| mmouse-exec | 51010 | mmouse, tcp | intrusive |
| modbus-discover | 502 | modbus | discovery, intrusive |
| mongodb-brute | 27017 | mongodb, mongod | intrusive, brute |
| mongodb-databases | 27017 | mongodb, mongod | default, discovery, safe |
| mongodb-info | 27017 | mongodb, mongod | default, discovery, safe |
| mqtt-subscribe | 1883, 8883 | mqtt, secure-mqtt, tcp | safe, discovery, version |
| mrinfo | – | – | discovery, safe, broadcast |
| msrpc-enum | – | – | safe, discovery |
| ms-sql-brute | 1433 | ms-sql-s | brute, intrusive |
| ms-sql-config | 1433 | ms-sql-s | discovery, safe |
| ms-sql-dac | 1434 | udp | discovery, safe |
| ms-sql-dump-hashes | 1433 | ms-sql-s | auth, discovery, safe |
| ms-sql-empty-password | 1433 | ms-sql-s | auth, intrusive |
| ms-sql-hasdbaccess | 1433 | ms-sql-s | auth, discovery, safe |
| ms-sql-info | 445, 1433, 1434 | ms-sql-s, smb, tcp, udp | default, discovery, safe |
| ms-sql-ntlm-info | 1433 | ms-sql-s | default, discovery, safe |
| ms-sql-query | 1433 | ms-sql-s | discovery, safe |
| ms-sql-tables | 1433 | ms-sql-s | discovery, safe |
| ms-sql-xp-cmdshell | 1433 | ms-sql-s | intrusive |
| mtrace | – | – | discovery, safe, broadcast |
| murmur-version | 64738 | murmur, tcp, udp | version |
| mysql-audit | 3306 | mysql | discovery, safe |
| mysql-brute | 3306 | mysql | intrusive, brute |
| mysql-databases | 3306 | mysql | discovery, intrusive |
| mysql-dump-hashes | 3306 | mysql | auth, discovery, safe |
| mysql-empty-password | 3306 | mysql | intrusive, auth |
| mysql-enum | 3306 | mysql | intrusive, brute |
| mysql-info | 3306 | mysql | default, discovery, safe |
| mysql-query | 3306 | mysql | auth, discovery, safe |
| mysql-users | 3306 | mysql | auth, intrusive |
| mysql-variables | 3306 | mysql | discovery, intrusive |
| mysql-vuln-cve2012-2122 | 3306 | mysql | discovery, intrusive, vuln |
| nat-pmp-info | 5351 | nat-pmp, udp | default, discovery, safe |
| nat-pmp-mapport | 5351 | nat-pmp, udp | discovery, safe |
| nbd-info | 10809 | netbios-ns, tcp | discovery, intrusive |
| nbns-interfaces | 137 | netbios-ns, udp | default, discovery, safe |
| nbstat | 135, 137, 139, 445 | netbios, smb, tcp, udp | default, discovery, safe |
| ncp-enum-users | 524 | ncp, tcp | auth, safe |
| ncp-serverinfo | 524 | ncp, tcp | default, discovery, safe |
| ndmp-fs-info | 10000 | ndmp, tcp | discovery, safe |
| ndmp-version | 10000 | ndmp, tcp | version |
| nessus-brute | 1241 | nessus, tcp | intrusive, brute |
| nessus-xmlrpc-brute | 8834 | ssl/http, tcp | intrusive, brute |
| netbus-auth-bypass | 12345 | netbus, tcp | auth, safe, vuln |
| netbus-brute | 12345 | netbus, tcp | brute, intrusive |
| netbus-info | 12345 | netbus, tcp | default, discovery, safe |
| netbus-version | 12345 | netbus, tcp | version |
| nexpose-brute | 3780 | nexpose, tcp | intrusive, brute |
| nfs-ls | 111 | rpcbind, tcp, udp | discovery, safe |
| nfs-showmount | 111 | rpcbind, mountd, tcp, udp | discovery, safe |
| nfs-statfs | 111 | rpcbind, tcp, udp | discovery, safe |
| nje-node-brute | 175, 2252 | nje | intrusive, brute |
| nje-pass-brute | 175, 2252 | nje | intrusive, brute |
| nntp-ntlm-info | 119, 433, 563 | nntp, snews | default, discovery, safe |
| nping-brute | 9929 | nping-echo | brute, intrusive |
| nrpe-enum | 5666 | nrpe | discovery, intrusive |
| ntp-info | 123 | ntp, udp, tcp | default, discovery, safe |
| ntp-monlist | 123 | ntp, udp | discovery, intrusive |
| omp2-brute | 9390 | openvas | brute, intrusive |
| omp2-enum-targets | 9390 | openvas | discovery, safe |
| openflow-info | 6633, 6653 | openflow, tcp | default, safe |
| omron-info | 9600 | fins, tcp, udp | discovery, version |
| openlookup-info | 5850 | openlookup | default, discovery, safe, version |
| openvas-otp-brute | 9390, 9391 | openvas, tcp | intrusive, brute |
| openwebnet-discovery | 20000 | openwebnet | discovery, safe |
| oracle-brute | 1521 | oracle-tns | intrusive, brute |
| oracle-brute-stealth | 1521 | oracle-tns | intrusive, brute |
| oracle-enum-users | 1521 | oracle-tns | intrusive, auth |
| oracle-sid-brute | 1521 | oracle-tns | intrusive, brute |
| oracle-tns-version | 1521, 1522, 1523 | oracle-tns | version, safe |
| ovs-agent-version | 8899 | – | version |
| p2p-conficker | 137, 139, 445 | smb, netbios, tcp, udp | default, safe |
| path-mtu | – | – | safe, discovery |
| pcanywhere-brute | 5631 | pcanywheredata | intrusive, brute |
| pcworx-info | 1962 | pcworx, tcp | discovery |
| pgsql-brute | 5432 | postgresql | intrusive, brute |
| pjl-ready-message | 9100 | jetdirect | intrusive |
| pop3-brute | 110, 995 | pop3, pop3s | intrusive, brute |
| pop3-capabilities | 110, 995 | pop3, pop3s | default, discovery, safe |
| pop3-ntlm-info | 110, 995 | pop3, pop3s | default, discovery, safe |
| port-states | – | – | safe |
| pptp-version | 1723 | – | version |
| puppet-naivesigning | 8140 | puppet, tcp | intrusive, vuln |
| qconn-exec | 8000 | qconn, tcp | intrusive, exploit, vuln |
| qscan | – | – | safe, discovery |
| quake1-info | – | – | default, discovery, safe, version |
| quake3-info | 27960-27970 | quake3, udp | default, discovery, safe, version |
| quake3-master-getservers | 20110, 20510, 27950, 30710 | quake3-master, udp | default, discovery, safe |
| rdp-enum-encryption | 3389 | ms-wbt-server | safe, discovery |
| rdp-ntlm-info | 3389 | ms-wbt-server | default, discovery, safe |
| rdp-vuln-ms12-020 | 3389 | ms-wbt-server | intrusive, vuln |
| realvnc-auth-bypass | 5900, 5901, 5902 | vnc | auth, safe, vuln |
| redis-brute | 6379 | redis | intrusive, brute |
| redis-info | 6379 | redis | discovery, safe |
| resolveall | – | – | safe, discovery |
| reverse-index | – | – | safe |
| rexec-brute | 512 | exec, tcp | brute, intrusive |
| rfc868-time | 37 | time, tcp, udp | discovery, safe, version |
| riak-http-info | 8098 | http | discovery, safe |
| rlogin-brute | 513 | login, tcp | brute, intrusive |
| rmi-dumpregistry | 1098, 1099, 1090, 8901, 8902, 8903 | java-rmi, rmiregistry | default, discovery, safe |
| rmi-vuln-classloader | 1098, 1099, 1090, 8901, 8902, 8903 | java-rmi, rmiregistry | intrusive, vuln |
| rpcap-brute | 2002 | rpcap, tcp | intrusive, brute |
| rpcap-info | 2002 | rpcap, tcp | discovery, safe |
| rpc-grind | any | rpcbind | version |
| rpcinfo | 111 | rpcbind, tcp, udp | discovery, default, safe, version |
| rsa-vuln-roca | 22, 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssh, ssl | vuln, safe |
| rsync-brute | 873 | rsync, tcp | brute, intrusive |
| rsync-list-modules | 873 | rsync, tcp | discovery, safe |
| rtsp-methods | 554 | rtsp, tcp | default, safe |
| rtsp-url-brute | 554 | rtsp, tcp | brute, intrusive |
| rusers | any | rusersd, tcp, udp | discovery, safe |
| s7-info | 102 | iso-tsap, tcp | discovery, version |
| samba-vuln-cve-2012-1182 | 139 | netbios-ssn | vuln, intrusive |
| servicetags | 6481 | udp | default, discovery, safe |
| shodan-api | – | – | discovery, safe, external |
| sip-brute | 5060 | sip, tcp, udp | intrusive, brute |
| sip-call-spoof | 5060 | sip, tcp, udp | discovery, intrusive |
| sip-enum-users | 5060 | sip, tcp, udp | auth, intrusive |
| sip-methods | 5060 | sip, tcp, udp | default, safe, discovery |
| skypev2-version | any | tcp | version |
| smb2-capabilities | 137, 139, 445 | smb, netbios, tcp, udp | safe, discovery |
| smb2-security-mode | 137, 139, 445 | smb, netbios, tcp, udp | safe, discovery, default |
| smb2-time | 137, 139, 445 | smb, netbios, tcp, udp | discovery, safe, default |
| smb2-vuln-uptime | 137, 139, 445 | smb, netbios, tcp, udp | vuln, safe |
| smb-brute | 137, 139, 445 | smb, netbios, tcp, udp | intrusive, brute |
| smb-double-pulsar-backdoor | 137, 139, 445 | smb, netbios, tcp, udp | vuln, safe, malware |
| smb-enum-domains | 137, 139, 445 | smb, netbios, tcp, udp | discovery, intrusive |
| smb-enum-groups | 137, 139, 445 | smb, netbios, tcp, udp | discovery, intrusive |
| smb-enum-processes | 137, 139, 445 | smb, netbios, tcp, udp | discovery, intrusive |
| smb-enum-services | 139, 445 | smb, netbios, tcp | discovery, intrusive, safe |
| smb-enum-sessions | 137, 139, 445 | smb, netbios, tcp, udp | discovery, intrusive |
| smb-enum-shares | 137, 139, 445 | smb, netbios, tcp, udp | discovery, intrusive |
| smb-enum-users | 137, 139, 445 | smb, netbios, tcp, udp | auth, intrusive |
| smb-flood | 137, 139, 445 | smb, netbios, tcp, udp | intrusive, dos |
| smb-ls | 137, 139, 445 | smb, netbios, tcp, udp | discovery, safe |
| smb-mbenum | 137, 139, 445 | smb, netbios, tcp, udp | discovery, safe |
| smb-os-discovery | 137, 139, 445 | smb, netbios, tcp, udp | default, discovery, safe |
| smb-print-text | 137, 139, 445 | smb, netbios, tcp, udp | intrusive |
| smb-protocols | 137, 139, 445 | smb, netbios, tcp, udp | safe, discovery |
| smb-psexec | 137, 139, 445 | smb, netbios, tcp, udp | intrusive |
| smb-security-mode | 137, 139, 445 | smb, netbios, tcp, udp | default, discovery, safe |
| smb-server-stats | 137, 139, 445 | smb, netbios, tcp, udp | discovery, intrusive |
| smb-system-info | 137, 139, 445 | smb, netbios, tcp, udp | discovery, intrusive |
| smb-vuln-conficker | 137, 139, 445 | smb, netbios, tcp, udp | intrusive, exploit, dos, vuln |
| smb-vuln-cve2009-3103 | 137, 139, 445 | smb, netbios, tcp, udp | intrusive, exploit, dos, vuln |
| smb-vuln-cve-2017-7494 | 137, 139, 445 | smb, netbios, tcp, udp | vuln, intrusive |
| smb-vuln-ms06-025 | 137, 139, 445 | smb, netbios, tcp, udp | intrusive, exploit, dos, vuln |
| smb-vuln-ms07-029 | 137, 139, 445 | smb, netbios, tcp, udp | intrusive, exploit, dos, vuln |
| smb-vuln-ms08-067 | 137, 139, 445 | smb, netbios, tcp, udp | intrusive, exploit, dos, vuln |
| smb-vuln-ms10-054 | 137, 139, 445 | smb, netbios, tcp, udp | vuln, intrusive, dos |
| smb-vuln-ms10-061 | 137, 139, 445 | smb, netbios, tcp, udp | vuln, intrusive |
| smb-vuln-ms17-010 | 137, 139, 445 | smb, netbios, tcp, udp | vuln, safe |
| smb-vuln-regsvc-dos | 137, 139, 445 | smb, netbios, tcp, udp | intrusive, exploit, dos, vuln |
| smb-vuln-webexec | 445, 139 | smb, netbios, tcp | intrusive, vuln |
| smb-webexec-exploit | 445, 139 | smb, netbios, tcp | intrusive, exploit |
| smtp-brute | 25, 465, 587 | smtp, smtps, submission | brute, intrusive |
| smtp-commands | 25, 465, 587 | smtp, smtps, submission | default, discovery, safe |
| smtp-enum-users | 25, 465, 587 | smtp, smtps, submission | auth, external, intrusive |
| smtp-ntlm-info | 25, 465, 587 | smtp, smtps, submission | default, discovery, safe |
| smtp-open-relay | 25, 465, 587 | smtp, smtps, submission | discovery, intrusive, external |
| smtp-strangeport | 25, 465, 587 | smtp, smtps, submission | malware, safe |
| smtp-vuln-cve2010-4344 | 25, 465, 587 | smtp, smtps, submission | exploit, intrusive, vuln |
| smtp-vuln-cve2011-1720 | 25, 465, 587 | smtp, smtps, submission | intrusive, vuln |
| smtp-vuln-cve2011-1764 | 25, 465, 587 | smtp, smtps, submission | intrusive, vuln |
| sniffer-detect | – | – | discovery, intrusive |
| snmp-brute | 161 | snmp, udp | intrusive, brute |
| snmp-hh3c-logins | 161 | snmp, udp | default, discovery, safe |
| snmp-info | 161 | snmp, udp | default, version, safe |
| snmp-interfaces | 161 | snmp, udp | default, discovery, safe |
| snmp-ios-config | 161 | snmp, udp | intrusive |
| snmp-netstat | 161 | snmp, udp | default, discovery, safe |
| snmp-processes | 161 | snmp, udp | default, discovery, safe |
| snmp-sysdescr | 161 | snmp, udp | default, discovery, safe |
| snmp-win32-services | 161 | snmp, udp | default, discovery, safe |
| snmp-win32-shares | 161 | snmp, udp | default, discovery, safe |
| snmp-win32-software | 161 | snmp, udp | default, discovery, safe |
| snmp-win32-users | 161 | snmp, udp | default, auth, safe |
| socks-auth-info | 1080, 9050 | socks, socks5, tor-socks | discovery, safe, default |
| socks-brute | 1080, 9050 | socks, socks5, tor-socks | brute, intrusive |
| socks-open-proxy | 1080, 9050 | socks, socks5, tor-socks | default, discovery, external, safe |
| ssh2-enum-algos | 22 | ssh | safe, discovery |
| ssh-auth-methods | 22 | ssh | auth, intrusive |
| ssh-brute | 22 | ssh | brute, intrusive |
| ssh-hostkey | 22 | ssh | safe, default, discovery |
| ssh-publickey-acceptance | 22 | ssh | auth, intrusive |
| ssh-run | 22 | ssh | intrusive |
| sshv1 | 22 | ssh | default, safe |
| ssl-ccs-injection | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | vuln, safe |
| ssl-cert-intaddr | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | vuln, discovery, safe |
| ssl-cert | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | default, safe, discovery |
| ssl-date | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | discovery, safe, default |
| ssl-dh-params | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | vuln, safe |
| ssl-enum-ciphers | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | discovery, intrusive |
| ssl-heartbleed | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | vuln, safe |
| ssl-known-key | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | safe, discovery, vuln, default |
| ssl-poodle | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | vuln, safe |
| sslv2-drown | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | intrusive, vuln |
| sslv2 | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | default, safe |
| sstp-discover | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | discovery, default, safe |
| stun-info | 3478 | stun, udp | discovery, safe |
| stun-version | 3478 | stun, udp | version |
| stuxnet-detect | 137, 139, 445 | smb, netbios, tcp, udp | discovery, intrusive |
| supermicro-ipmi-conf | 49152 | tcp | exploit, vuln |
| svn-brute | 3690 | svnserve, tcp | intrusive, brute |
| targets-asn | – | – | discovery, external, safe |
| targets-ipv6-map4to6 | – | – | discovery |
| targets-ipv6-multicast-echo | – | – | discovery, broadcast |
| targets-ipv6-multicast-invalid-dst | – | – | discovery, broadcast |
| targets-ipv6-multicast-mld | – | – | discovery, broadcast |
| targets-ipv6-multicast-slaac | – | – | discovery, broadcast |
| targets-ipv6-wordlist | – | – | discovery |
| targets-sniffer | – | – | broadcast, discovery, safe |
| targets-traceroute | – | – | safe, discovery |
| targets-xml | – | – | safe |
| teamspeak2-version | 8767 | teamspeak2, udp | version |
| telnet-brute | 23 | telnet | brute, intrusive |
| telnet-encryption | 23 | telnet | safe, discovery |
| telnet-ntlm-info | 23 | telnet | default, discovery, safe |
| tftp-enum | 69 | udp | discovery, intrusive |
| tls-alpn | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | discovery, safe, default |
| tls-nextprotoneg | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | discovery, safe, default |
| tls-ticketbleed | 261, 271, 324, 443, 465, 563, 585, 636, 853, 989, 990, 992, 993, 994, 995, 2221, 2252, 2376, 3269, 3389, 4911, 5061, 5986, 6679, 6697, 8443, 9001, 8883 | ssl | vuln, safe |
| tn3270-screen | 23, 992 | tn3270 | safe, discovery |
| tor-consensus-checker | – | – | external, safe |
| traceroute-geolocation | – | – | safe, external, discovery |
| tso-brute | 23, 992, 623 | tn3270 | intrusive |
| tso-enum | 23, 992, 623 | tn3270 | intrusive, brute |
| ubiquiti-discovery | 10001 | ubiquiti-discovery, udp | default, discovery, version, safe |
| unittest | – | – | safe |
| unusual-port | any | – | safe |
| upnp-info | 1900 | udp | default, discovery, safe |
| uptime-agent-info | 9998 | uptime-agent, tcp | safe, default |
| url-snarf | – | – | safe |
| ventrilo-info | 3784 | ventrilo, tcp, udp | default, discovery, safe, version |
| versant-info | 5019 | versant, tcp | discovery, safe |
| vmauthd-brute | 902 | ssl/vmware-auth, vmware-auth, tcp | brute, intrusive |
| vmware-version | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | discovery, safe, version |
| vnc-brute | 5901 | vnc, tcp | intrusive, brute |
| vnc-info | 5900, 5901, 5902 | vnc, tcp | default, discovery, safe |
| vnc-title | 5900, 5901, 5902 | vnc, tcp | intrusive, discovery |
| voldemort-info | 6666 | vp3, tcp | discovery, safe |
| vtam-enum | 23, 992 | tn3270 | intrusive, brute |
| vulners | – | – | vuln, safe, external |
| vuze-dht-info | 17555, 49160, 49161, 49162 | vuze-dht, udp | discovery, safe |
| wdb-version | 17185 | wdbrpc, udp | default, safe, version, discovery, vuln |
| weblogic-t3-info | 7001, 7002, 7003 | http | default, safe, discovery, version |
| whois-domain | – | – | discovery, external, safe |
| whois-ip | – | – | discovery, external, safe |
| wsdd-discover | 3702 | udp | safe, discovery, default |
| x11-access | 6000-6009 | – | default, safe, auth |
| xdmcp-discover | 177 | xdmcp, udp | safe, discovery |
| xmlrpc-methods | 80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000 | http, https | default, safe, discovery |
| xmpp-brute | 5222 | jabber, xmpp-client | brute, intrusive |
| xmpp-info | 5222, 5269 | jabber, xmpp-client, xmpp-server | default, safe, discovery, version |
NSE脚本类别
当前,共有14类NSE脚本。类别包括:
- 认证
- 广播
- 爆破
- 默认
- 发现
- dos
- exploit
- external
- fuzzer
- 侵入性
- 恶意软件
- 安全
- 版本
- 漏洞
有关NSE脚本类别及其描述的更多信息,请参见此处。
如何使用NSE脚本
在运行NSE脚本时,Nmap非常灵活。例如,它允许您使用单个nmap命令一次运行一个脚本或多个脚本。
这是运行单个脚本以通过SMB协议枚举目标Windows系统的OS版本的最简单示例:
nmap -p 445 --script smb-os-discovery <目标>这是一个示例,一次运行多个脚本,列举了操作系统版本,网络共享和目标Windows系统的NetBIOS信息的示例:
nmap -p 139,445 --script smb-os-discovery,smb-enum-services,nbstat <目标>下面是一些示例,这些示例说明如何仅基于类别标准即可运行多个脚本:
nmap --script discovery <目标>
nmap --script "default and safe" <目标>
nmap --script "not intrusive" <目标>您还可以使用通配符(*)根据名称指定多个脚本,并将其与类别标准结合使用,例如:
nmap --script "http-* and (default or safe or intrusive)" <目标>请注意,某些脚本具有参数,您可以通过--script-args选项提供这些参数。这是使用自定义用户列表和密码列表的SSH登录暴力破解的示例:
nmap -p 22 --script ssh-brute --script-args userdb=users.txt,passdb=pwds.txt,brute.threads=4 <目标>要找出哪些参数适用于哪个脚本有点棘手。有时甚至读取脚本的源代码也无济于事,因为可以在脚本所依赖的NSE库中处理参数。
找出所有脚本参数的最佳方法是使用官方的https://nmap.org/nsedoc/文档。上面的Nmap脚本列表/交互式电子表格提供了直接链接到每个脚本手册页面的链接,其中包含所有详细信息,包括脚本参数。
NSE的功能非常强大,此处的信息实际上只是从头开始。有关如何使用NSE脚本的更多详细信息和示例,建议您访问官方的“用法和示例”页面。
如何调试NSE脚本
有时您可能会遇到NSE脚本的问题,例如,您可能想知道某个特定的脚本是否正在运行,或者是否正在执行应有的功能。
这里有一些技巧,您可以尝试调试NSE脚本:
- 使用
-v开关提高详细程度。NSE引擎将开始产生更多的输出,并向您显示正在发生的事情。请注意,您也可以使用倍数来增加详细程度,也可以-vv直接设置级别(最大值为-v3)。 - 使用
-d开关提高调试级别。这将开始产生带有更多详细信息的调试信息。您也可以使用多个-dd或直接设置调试级别(最大级别-d9)。 - 使用该
--script-trace开关,它将显示正在发送和接收的所有网络数据。 - 最后,您可以查看脚本的源代码,甚至自己插入一些调试消息。脚本通常位于
/usr/share/nmap/scripts文件夹中。
NSE脚本无法正常运行或根本不运行的典型问题之一是您不是以root用户身份运行nmap,而是仅以普通用户身份运行。尽管大多数NSE脚本不需要root特权,但其中一些却需要。有关更多信息,请参见为什么nmap需要root特权。
结论
希望本文能为您提供一些价值,并使您能够更好地适应NSE脚本领域。
Nmap脚本已经存在很多年了,它们已经过了很好的测试,因此将其纳入我们的渗透测试始终是谨慎的做法。
![[TXT]](https://nmap.org/icons/text.gif){kind=icon}