Nmap/External Script Library

From SecWiki
< Nmap(Redirected from Nmap/Script Vault)
Jump to: navigation, search

The purpose of this page is to collect all the interesting NSE scripts that for different reasons were not included in the official Nmap repository. Common reasons for not including scripts with Nmap are:

  • The script has dependencies that we can't include with Nmap for portability, license, or size reasons
  • License incompatability between Nmap and the script itself (acceptable licenses for included scripts)
  • Script not yet fully debugged or has some other technical problem preventing inclusion
  • Script function is too obscure or too far from Nmap's core functionality to warrant inclusion with Nmap
  • Script is still under consideration for inclusion. It may need more techincal review, or we may want to see how many people find it useful.


(Please add new scripts to the top of this section)


This IP2Proxy script allows user to query an IP address if it was being used as VPN anonymizer, open proxies, web proxies, Tor exits, data center, web hosting (DCH) range, search engine robots (SES) and residential (RES) by using the IP2Proxy Lua Package.


This IP2Location Nmap script provides a fast lookup of country, region, city, latitude, longitude, ZIP code, time zone, ISP, domain name, connection type, IDD code, area code, weather station code, station name, mcc, mnc, mobile brand, elevation, and usage type from IP address by using IP2Location database with IP2Location Lua Package.


This script attempts to infect a discovered MS SQL instances with the SQL Slammer worm. If vulnerable, the target machine will then attempt to propagate to other IP addresses. Obviously this one shouldonly be used in closed test environments, and very carefully at that.


The script captures a screen shot for every service that looks like http. It is useful for identifying rogue http services that the system administrator does not recognise by simply flicking through all the screen shots. It uses wkhtmltoimage from the wkhtmltopdf project to do the job. See the related blog post for details. The script was further improved by Paul Asadoorian in PaulDotCom Podcast Episode 295


Identification of vulnerabilities (matches version info with osvdb database)

Link: http://seclists.org/nmap-dev/2010/q2/726

Update: http://seclists.org/nmap-dev/2015/q3/319


HTTP fingerprinting to determine web server implementation

Link: http://seclists.org/nmap-dev/2010/q2/436


Enumerates Bitcoin peers

Link: http://seclists.org/nmap-dev/2011/q2/837


http-google-email.nse - attempts to search for e-mails pertaining to a specific domain in Google's Web search engine(google.com) and Google Groups search engine(groups.google.com).

Link: http://seclists.org/nmap-dev/2011/q3/401


http-reverse-ip.nse - attempts to find domains that are hosted on a specific ip address using Bing's ip: operator.

Link: http://seclists.org/nmap-dev/2011/q3/401


Retrieves the available commands and banners from a listening NNTP daemon.

Link: https://gist.github.com/1231055


Attempts to retrieve the configuration settings from a Polycom SoundPoint VoIP phone.

Link: https://gist.github.com/1234193


Attempts to retrieve the configuration settings from a Vivotek network camera.

Link: https://gist.github.com/1357401


Checks a Minecraft server for "insecure mode".

Link: http://seclists.org/nmap-dev/2010/q4/729


Request a list of nodes from a remote Vuze node.

Link: http://seclists.org/nmap-dev/2011/q4/375


Attempts to retrieve the configuration settings from an Asus WL500 series wireless router.

Link: https://gist.github.com/1669787


Retrieves device and version information from a listening GPSD-NG daemon.

Link: https://gist.github.com/1670029


Attempts to retrieve device information from an Internet Gateway Device (IGD) UPnP configuration file.

Link: https://gist.github.com/1697234


Attempts to retrieve all valid usernames from the HTTP component of Carel Pl@ntVisor (CarelDataServer.exe).


Queries the external reverse md5 database for a single, or a list of md5 hashes and prints the found ones.


Finds Trendnet TV-IP110w webcams that allow unauthenticated access to their video feed.