Can you share the list of all available nmap scripts?
I need to do a scan, for example with http-sql-injection.nse nmap script.
I already know that I should use --script-args to set arguments. How can I look at the whole pack of arguments that this script (or any of nmap's scripts) can take?
According to the nmap scripts list documentation in "Example 9.2. script help", the nmap parameter that displays help about a script is:
nmap --script-help
Namely:
nmap --script-help http-sql-injection.nse
If you look at the NSE documentation written by Nmap's own creator:
3.1. description Field
The description field describes what a script is testing for and any important notes the user should be aware of. Depending on script complexity, the description may vary from a few sentences to a few paragraphs. The first paragraph should be a brief synopsis of the script function suitable for stand-alone presentation to the user. Further paragraphs may provide much more script detail.
Fyodor explains that the "description" field is used to describe everything about the complexity that the script itself might have. So, go ahead and look deeper into how the script was made:
$ vi /usr/share/nmap/scripts/http-sql-injection.nse
...
description = [[
Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL
injection attack. It also extracts forms from found websites and tries to identify
fields that are vulnerable.

The script spiders an HTTP server looking for URLs containing queries. It then
proceeds to combine crafted SQL commands with susceptible URLs in order to
obtain errors. The errors are analysed to see if the URL is vulnerable to
attack. This uses the most basic form of SQL injection but anything more
complicated is better suited to a standalone tool.

We may not have access to the target web server's true hostname, which can prevent access to
virtually hosted sites.
]]
This explains why the http-sql-injection.nse script does not show "usage options", if that is what you expected to see.
NSE scripts traditionally include "usage options" inside their comments, as documented in section "8.1 The Head":
Next comes NSEDoc information. This script is missing the common @usage and @args tags since it is so simple, but it does have an NSEDoc @output tag:
---
--@output
-- 21/tcp open ftp ProFTPD 1.3.1
-- |_ auth-owners: nobody
-- 22/tcp open ssh OpenSSH 4.3p2 Debian 9 tech2 (protocol 2.0)
-- |_ auth-owners: root
-- 25/tcp open smtp Postfix smtpd
-- |_ auth-owners: postfix
-- 80/tcp open http Apache httpd 2.0.61 ((Unix) PHP/4.4.7 ...)
-- |_ auth-owners: apache
-- 113/tcp open auth?
-- |_ auth-owners: nobody
-- 587/tcp open submission Postfix smtpd
-- |_ auth-owners: postfix
-- 5666/tcp open unknown
-- |_ auth-owners: root
Since the documentation does not explicitly show the use of "@usage", look for yourself in /usr/share/nmap/scripts/:
$ grep -iR -A5 "@usage" /usr/share/nmap/scripts/
/usr/share/nmap/scripts/ajp-brute.nse:-- @usage
/usr/share/nmap/scripts/ajp-brute.nse--- nmap -p 8009 --script ajp-brute
/usr/share/nmap/scripts/ajp-brute.nse---
/usr/share/nmap/scripts/ajp-brute.nse--- @output
/usr/share/nmap/scripts/ajp-brute.nse--- PORT STATE SERVICE
/usr/share/nmap/scripts/ajp-brute.nse--- 8009/tcp open ajp13
…
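As an added example (not part of the question or the answer above), here is a small Python parser for the NSEDoc `@usage` and `@args` comment tags the answer points at. The `SAMPLE` header is constructed for this example and is not a real Nmap script; `parse_nsedoc_file` can be pointed at any installed script under /usr/share/nmap/scripts/, and a script whose header lacks those tags simply yields empty results.

```python
import re
from typing import Dict, List

# Constructed sample NSEDoc header for this example; not a real Nmap script.
SAMPLE = """\
---
-- @usage
-- nmap -p 80 --script example-script --script-args example.path=/admin
--
-- @args example.path The path to request. Default: /
-- @args example.timeout Socket timeout in milliseconds.
--       Default: 5000
--
-- @output
-- 80/tcp open  http

author = "constructed"
"""

ARG_RE = re.compile(r"^@args\s+(\S+)\s*(.*)$")

def parse_nsedoc(source: str) -> Dict[str, object]:
    """Return {'usage': [lines], 'args': {name: description}} from '--' comments."""
    usage: List[str] = []
    args: Dict[str, str] = {}
    tag = arg = None
    for raw in source.splitlines():
        if not raw.startswith("--"):
            tag = arg = None          # a non-comment line ends the NSEDoc block
            continue
        line = raw.lstrip("-").strip()
        if line.startswith("@"):      # a new tag: @usage, @args, @output, ...
            tag = line.split()[0]
            m = ARG_RE.match(line)
            arg = m.group(1) if m else None
            if m:
                args[arg] = m.group(2).strip()
            continue
        if tag == "@usage" and line:
            usage.append(line)
        elif tag == "@args" and arg and line:
            args[arg] = (args[arg] + " " + line).strip()   # wrapped description
    return {"usage": usage, "args": args}

def parse_nsedoc_file(path: str) -> Dict[str, object]:
    """Parse an installed script, e.g. /usr/share/nmap/scripts/ajp-brute.nse."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_nsedoc(fh.read())
```

`parse_nsedoc(SAMPLE)` returns the one usage line plus both arguments, with the wrapped `example.timeout` description joined into a single string.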