ls -al /usr/share/nmap/scripts/ | grep -e "ftp"
ls -al /usr/share/nmap/scripts/ | grep -e "http"
ls -al /usr/share/nmap/scripts/ | grep -e "smb"
ls -al /usr/share/nmap/scripts/ | grep -e "telnet"
ls -al /usr/share/nmap/scripts/ | grep -e "smtp"
ls -al /usr/share/nmap/scripts/ | grep -e "ssl"
ls -al /usr/share/nmap/scripts/ | grep -e "tls"
ls -al /usr/share/nmap/scripts/ | grep -e "dns"
ls -al /usr/share/nmap/scripts/ | grep -e "mysql"
The same listing, with each script's description and without the shell pipeline: nmap --script-help "ftp-*". The --script-help selector accepts the same wildcards and categories as --script. The directory above is the distribution-package location; a source install puts the scripts under /usr/local/share/nmap/scripts.
FTP Enumeration:
ftp-anon.nse
ftp-bounce.nse
ftp-brute.nse
ftp-libopie.nse
ftp-proftpd-backdoor.nse
ftp-syst.nse
ftp-vsftpd-backdoor.nse
ftp-vuln-cve2010-4221.nse
tftp-enum.nse
ftp-anon.nse
Checks whether the FTP server allows anonymous logins. If it does, the script retrieves a directory listing of the root directory and highlights writeable entries; a writeable anonymous share deserves its own follow-up, since anyone can stage files there.
script: sudo nmap --script ftp-anon -p 21 <target ip>
ftp-vuln-cve2010-4221.nse
Checks for a stack-based buffer overflow in the ProFTPD server, versions 1.3.2rc3 through 1.3.3b. By sending a large number of TELNET_IAC escape sequences, the proftpd process miscalculates the buffer length, and a remote attacker can corrupt the stack and execute arbitrary code in the context of the proftpd process (CVE-2010-4221). Authentication is not required to exploit this vulnerability.
script: sudo nmap --script ftp-vuln-cve2010-4221 -p 21 <target ip>
references:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4221
http://www.exploit-db.com/exploits/15449/
http://www.metasploit.com/modules/exploit/freebsd/ftp/proftp_telnet_iac
ftp-libopie.nse
Checks whether the FTPd is prone to CVE-2010-1938, an off-by-one stack overflow in the OPIE one-time-password library. The check is destructive: launched against a vulnerable host, it crashes the FTPd, so run it only where an outage of the service is acceptable. The -p- below scans every TCP port, but the script still fires only on ports Nmap recognises as FTP; add -sV to catch FTP on non-standard ports.
script: sudo nmap --script ftp-libopie -p- <target ip>
ftp-vsftpd-backdoor.nse
Tests for the backdoor planted in the vsftpd 2.3.4 source tarball that was served from the project site in July 2011 (vsftpd: very secure FTP daemon). The script triggers the backdoor and runs a command on the host; by default that is the innocuous id, and the command can be changed with the ftp-vsftpd-backdoor.cmd script argument. Because it executes a command on the target, a positive result is exploitation, not just detection.
script: sudo nmap --script ftp-vsftpd-backdoor -p 21 <target ip>
ftp-proftpd-backdoor.nse
Tests for the backdoor in the trojaned ProFTPD 1.3.3c source distribution from December 2010. As with the vsftpd check, the script exploits the backdoor and runs a command on the host, the innocuous id by default; the ftp-proftpd-backdoor.cmd script argument changes it.
script: sudo nmap --script ftp-proftpd-backdoor -p 21 <target ip>
ftp-brute.nse
Performs brute-force password auditing against FTP servers using the NSE brute library. Usernames and passwords come from the library's standard userdb and passdb script arguments (Nmap's built-in lists are used when they are not given). The ftp-brute.timeout argument is the time to wait for a response on the socket (default 5s); lowering it can raise throughput against servers that delay their reply to a failed login. Expect account lockouts and a lot of log noise: confirm the lockout policy and the engagement scope before running it.
script: sudo nmap --script ftp-brute -p 21 <target ip>
ftp-bounce.nse
Checks whether the FTP server allows port scanning through the FTP bounce method, i.e. whether a PORT command can be pointed at a third host. Script arguments: ftp-bounce.username (the user to log in with, default anonymous), ftp-bounce.password (default IEUser@) and ftp-bounce.checkhost (the host the script asks the server to connect to with PORT). If the check succeeds, nmap -b <user>:<pass>@<target ip> <third host> uses the server as a scan relay.
script: sudo nmap -sV -sC --script ftp-bounce -p 21 <target ip>
ftp-syst.nse
Sends FTP SYST and STAT commands and returns the result.
script: sudo nmap -sV -sC --script ftp-syst -p 21 <target ip>
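The scripts above are usually run together rather than one at a time. The wrapper below is an added example, not code from the original post or from Nmap: it builds one nmap command that runs every ftp-* script except the two a tester should opt into deliberately (ftp-brute and ftp-libopie), and triages a saved -oN report into findings and informational results. The host ftp.example.test / 192.0.2.10, the report file name and the report lines are constructed for illustration; the strings it keys on (Anonymous FTP login allowed, bounce working!, State: VULNERABLE) are the ones the scripts print in their documented output. Note that the selector still includes ftp-vsftpd-backdoor and ftp-proftpd-backdoor, which run a command on the target when the backdoor is present, so this is exploitation as well as enumeration and needs the same authorisation.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Nmap): run the FTP NSE
# scripts in one pass and triage the saved report. Host, file name and the
# report below are constructed for illustration.
set -eu

# Build the nmap command line for one target. --script takes boolean
# expressions over names, wildcards and categories, so one selector covers
# every ftp-* script while leaving out ftp-brute (lockouts, log noise) and
# ftp-libopie (crashes a vulnerable FTPd); opt into those separately.
build_ftp_scan_cmd() {
    local target="$1" out="${2:-ftp_scan.txt}"
    printf 'nmap -Pn -sV -p 21 --script "ftp-* and not (ftp-brute or ftp-libopie)" -oN %s %s\n' \
        "$out" "$target"
}

# Triage a normal-format (-oN) report read from stdin. Prints one line per
# script result: "FINDING <script>" when it needs action, else "INFO <script>".
summarize_ftp_report() {
    awk '
        # A script result starts with "| ftp-xxx:" or "|_ftp-xxx:"; the
        # following lines of the same result are indented under the "|".
        /^[|][_ ]ftp-[a-z0-9-]+:/ {
            name = $0; sub(/^[|][_ ]/, "", name); sub(/:.*/, "", name)
            current = name; status[name] = "INFO"; order[++n] = name
        }
        # ftp-anon: anonymous login accepted
        current == "ftp-anon" && /Anonymous FTP login allowed/ { status[current] = "FINDING" }
        # ftp-bounce: the server opened a PORT connection to the check host
        current == "ftp-bounce" && /bounce working/ { status[current] = "FINDING" }
        # the vuln and backdoor scripts report through the vulns library
        current ~ /^ftp-(vuln|vsftpd|proftpd)/ && /State: VULNERABLE/ { status[current] = "FINDING" }
        END { for (i = 1; i <= n; i++) print status[order[i]], order[i] }
    '
}

# Constructed sample report in -oN layout (not real scan output).
SAMPLE_REPORT='Nmap scan report for ftp.example.test (192.0.2.10)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 0        0            4096 Jan 01  2020 upload [NSE: writeable]
|_ftp-bounce: server forbids bouncing to low ports <1025
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.0.2.99
|_End of status
| ftp-vsftpd-backdoor:
|   VULNERABLE:
|   vsFTPd version 2.3.4 backdoor
|     State: VULNERABLE (Exploitable)
|_    IDs:  CVE:CVE-2011-2523'

# Stand-alone usage: show the command for a host, then triage the sample.
build_ftp_scan_cmd 192.0.2.10
printf '%s\n' "$SAMPLE_REPORT" | summarize_ftp_report
```

Against a real target, save the report with the -oN path the command prints and feed it to summarize_ftp_report; the FINDING/INFO lines are stable enough to diff between scans.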
tftp-enum.nse
Enumerates TFTP (trivial file transfer protocol) filenames by testing for a list of common ones. TFTP does not provide directory listings, so the script tries to retrieve each name from a list. The list is composed of the static names in the file tftplist.txt, plus configuration filenames for Cisco devices that depend on the target address, of the form A.B.C.X-confg for a target IP address A.B.C.D and X from 0 to 255. The tftp-enum.filelist script argument points to a file with a custom list of filenames to try. TFTP runs over UDP, so the scan needs -sU, which requires root.
script: sudo nmap -sU -p 69 --script tftp-enum.nse --script-args tftp-enum.filelist=customlist.txt <target>