Nmap xmpp-info NSE Script


This page contains detailed information about how to use the xmpp-info NSE script. For list of all NSE scripts, visit the Nmap NSE Library.

Select:
Overview
Error Messages

Script Overview

Script source code: https://github.com/nmap/nmap/tree/master/scripts/xmpp-info.nse
Script categories: default, safe, discovery, version
Target service / protocol: jabber, xmpp-client, xmpp-server
Target network port(s): 5222, 5269
List of CVEs: -

Script Description

The xmpp-info.nse script connects to XMPP server (port 5222) and collects server information such as: supported auth mechanisms, compression methods, whether TLS is supported and mandatory, stream management, language, support of In-Band registration, server capabilities. If possible, studies server vendor.

Xmpp-info NSE Script Arguments

This is a full list of arguments supported by the xmpp-info.nse script:

xmpp-info.alt_server_name

If set, overwrites alternative hello name sent to the server. This name should differ from the real DNS name. It is used to find out whether the server refuses to talk if a wrong name is used. Default is ".".

xmpp-info.no_starttls

If set, disables TLS processing.

xmpp-info.server_name

If set, overwrites hello name sent to the server. It can be necessary if XMPP server's name differs from DNS name.

smbdomain

The domain to log in with. If you aren't in a domain environment, then anything will (should?) be accepted by the server.

smbhash

A password hash to use when logging in. This is given as a single hex string (32 characters) or a pair of hex strings (both 32 characters, optionally separated by a single character). These hashes are the LanMan or NTLM hash of the user's password, and are stored on disk or in memory. They can be retrieved from memory using the fgdump or pwdump tools.

smbnoguest

Use to disable usage of the 'guest' account.

smbpassword

The password to connect with. Be cautious with this, since some servers will lock accounts if the incorrect password is given. Although it's rare that the Administrator account can be locked out, in the off chance that it can, you could get yourself in trouble. To use a blank password, leave this parameter off altogether.

smbtype

The type of SMB authentication to use. These are the possible options:

  • v1: Sends LMv1 and NTLMv1.
  • LMv1: Sends LMv1 only.
  • NTLMv1: Sends NTLMv1 only (default).
  • v2: Sends LMv2 and NTLMv2.
  • LMv2: Sends LMv2 only.
  • NTLMv2: Doesn't exist; the protocol doesn't support NTLMv2 alone. The default, NTLMv1, is a pretty decent compromise between security and compatibility. If you are paranoid, you might want to use v2 or lmv2 for this. (Actually, if you're paranoid, you should be avoiding this protocol altogether!). If you're using an extremely old system, you might need to set this to v1 or lm, which are less secure but more compatible. For information, see smbauth.lua.

smbusername

The SMB username to log in with. The forms "DOMAIN\username" and "username@DOMAIN" are not understood. To set a domain, use the smbdomain argument.

- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:

nmap --script=xmpp-info --script-args xmpp-info.alt_server_name=value,xmpp-info.no_starttls=value <target>

Xmpp-info NSE Script Example Usage

Here's an example of how to use the xmpp-info.nse script:

nmap --script=xmpp-info <target>

Xmpp-info NSE Script Example Output

Here's a sample output from the xmpp-info.nse script:

PORT     STATE SERVICE REASON  VERSION
5222/tcp open  jabber  syn-ack ejabberd (Protocol 1.0)
| xmpp-info:
|   Respects server name
|   info:
|     xmpp:
|       lang: en
|       version: 1.0
|     capabilities:
|       node: http://www.process-one.net/en/ejabberd/
|       ver: TQ2JFyRoSa70h2G1bpgjzuXb2sU=
|     features:
|       In-Band Registration
|     auth_mechanisms:
|       DIGEST-MD5
|       SCRAM-SHA-1
|       PLAIN
|   pre_tls:
|     features:
|_      TLS

Xmpp-info NSE Script Example XML Output

Here's a sample XML output from the xmpp-info.nse script produced by providing the -oX <file> Nmap option:

 <elem>Respects server name</elem>
 <table key="info">
   <table key="xmpp">
     <elem key="lang">en</elem>
     <elem key="version">1.0</elem>
   </table>
   <table key="capabilities">
     <elem key="node">http://www.process-one.net/en/ejabberd/</elem>
     <elem key="ver">TQ2JFyRoSa70h2G1bpgjzuXb2sU=</elem>
   </table>
   <table key="features">
     <elem>In-Band Registration</elem>
   </table>
   <table key="auth_mechanisms">
     <elem>DIGEST-MD5</elem>
     <elem>SCRAM-SHA-1</elem>
     <elem>PLAIN</elem>
   </table>
 </table>
 <table key="pre_tls">
   <table key="features">
     <elem>TLS</elem>
   </table>
 </table>

Author

  • Vasiliy Kulikov

References

See Also

Related NSE scripts to the xmpp-info.nse script:

Visit Nmap NSE Library for more scripts.

The xmpp-info.nse script may fail with the following error messages. Check for the possible causes by using the code snippets highlighted below found in the script source code. This can often times help in identifying the root cause of the problem.

STARTTLS Failed

Here is a relevant code snippet related to the "STARTTLS Failed" error message:

564:	  elseif #altname_result["errors"] ~= #plain_result["errors"] then
565:	    table.insert(r, "Respects server name")
566:	  end
567:	
568:	  if not tls_result then
569:	    if starttls_failed then table.insert(r, "STARTTLS Failed") end
570:	    r["info"] = plain_result
571:	  else
572:	    local i,p,t = factor(plain_result, tls_result)
573:	    r["info"] = (#i and i) or nil
574:	    r["pre_tls"] = (#p and p) or nil

Version

This page has been created based on Nmap version 7.92.

Go back to menu.