Criminal Law Outline

Criminal Law Outline Justifications of Punishment 1. Consequentialist Theory a. Actions are morally right if and only if they result in desirable outcomes b. Rely on theory of utilitarianism to justify punishment: Forward looking effects of punishment. General deterrence, specific deterrence, rehabilitation, incapacitation 2. Nonconsequentialist Theory c. Actions are morally wrong in themselves, regardless of the consequences d. Theory of Retributivism: look back at the harm and calibrate the punishment to the crime Theories of Punishment ) Incapacitation: Incarceration to render them harmless 2) Retribution: collective condemnation of society bearing down. â€Å"Just Deserts† 3) Rehabilitation: give the criminal skills and values to make them a law-abiding citizen 4) General Deterrence: deter other criminals from committing crimes 5) Specific Deterrence: deter the punished criminal from future crimes Justifications for Punishment in Context 1. The case of Thomas Dudley (Eng. 1884): Stranded at sea for 24 days, 2 men conspire and kill a third to eat. Charged with murder and sentenced to death a. Necessity defense doesn't apply.Lawfully killing another to save yourself is only in reference to necessity and self-defense (violence towards yourself) Retributive in nature 2. People v Suite: Man owned . 32 caliber pistol, not licensed as required by 1980 legislation. Sentenced to 30 days in jail b. Principle aim of the gun licensing law is general deterrence. Reduction of jail time would proclaim that first time offenses would not result in jail for first time offenders and would declare 30 days to be too harsh/abuse of discretion. Upheld to further principle of general deterrence legislature intended Standards of ProofProsecution: beyond a reasonable doubt (state has high burden b/c innocent until proven guilty) 1. Curley v US: Judge must ask if prosecution has introduced sufficient evidence such that a rational jury could decide that the prosecution has prov en its case beyond a reasonable doubt. If evidence reasonably permits a verdict of acquittal or guilt, decision is for the jury to make. Defense: by the preponderance of the evidence. (self-defense, insanity, necessity) Rule of Lenity When statutory intent is unclear, the ambiguity must be resolved in favor of the Defendant.US v. Dauray Actus Reus Definition: Voluntary Act, social harm A voluntary act that results in social harm, or an omission where there is a duty to act. 1. Thoughts do not constitute criminal acts 2. Actions compelled by the state do not constitute criminal acts 3. Criminal â€Å"acts† must be voluntary 4. No liability for omission unless there is a duty to act 5. â€Å"Status Crimes† are unconstitutional Cases Act, not thought 1) Proposition against thought crimes- State v Dalton: â€Å"act† was the writing of a child molestation diary. Acquitted.From a deterrence perspective he should not be guilty; from rehabilitation perspective maybe. Si nce regime is generally geared to deterrence it was the right outcome 2) Hate crimes/speech- Wisconsin v Mitchell: group of black men beats up young white boy a. Rule: Statutes penalizing bigoted motivations (thoughts) are justified b. Rationale: these acts are more likely to provoke retaliatory crimes, so society has a greater interest in punishing them. Deterrence and retribution justify harsher penalties Voluntary, not involuntary MPC 2. 01: Requirements of Voluntary Act 1) A person is not guilty of an offense unless his liability is based on conduct which includes a voluntary act. (2) NOT voluntary Acts: reflex/convulsion; bodily movement during unconsciousness or sleep; conduct during hypnosis; bodily movement that otherwise is not a product of the effort or determination of the actor, whether conscious or habitual 3) Acting under State Compulsion- Martin v State: drunk on public highway b/c police brought him there c. Rule: no voluntary act where state compelled the action. d. Rationale: prevent the government from punishing the innocent 4) Involuntary Acts- State v.Decina: epileptic who knew of his condition drives and kills children e. Rule: an involuntary act can be voluntary when the individual knew of its likelihood and failed to preventatively act f. Rationale: it doesn’t matter if a person is unconscious when the harm occurs as long as the act took place only because, during consciousness, there was bad thinking- here, recklessness or negligence in failure to prevent the harm. He purposefully put himself in a situation that created a further risk. 5) Powell v Texas: Powell charged with public intoxication g.Rule: Voluntary because he could have prevented his appearance in public h. Rationale: criminalizing involuntary behavior is cruel and unusual (8); this wasn’t involuntary MPC 2. 01: Voluntary, involuntary, omission, possession * Involuntary: Convulsion, moving while unconscious or asleep, conduct during hypnosis, or a movement no t a product of the effort or determination of the actor; Voluntary defined by the negative * Omission: liability for an omission cannot arise unless the omission is made sufficient expressly in the language defining the offense, or a duty to perform is imposed by law. Possession: D must have been aware of possession for sufficient period to have been able 2 terminate it Status Crimes- Criminalizing a status violates 8th Amendment: Cruel & Unusual 1) Robinson v California: man with track marks charged with narcotics addition a. Rule/Rationale: The act of using narcotics can be criminalized; addiction can’t. Criminal penalties may not be inflicted upon a person for INVOLUNTARY acts. 2) Powell v. Texas: a chronic alcoholic was charged with being drunk in public b. Rule: public drunkenness is not a status crime because it is PUBLIC. c.Rationale: convicted of being D. I. P. not chronic alcoholic. Volitional act of choosing to drink without preventing oneself from being in public i s sufficiently proximate to the inviolate act of going out while drunk to give the state an ACT to punish. 3) Jones v City of Los Angeles: punished behavior on sidewalks 24-7 which homeless people can’t avoid. d. Rule: it is unconstitutional to punish acts arising out of an involuntary status because these acts are also necessarily involuntary. Omissions 1) Omission can be an actus reus where there is a legal duty to act, and D was physically capable of acting. mens rea, causation, and concurrence still required) a. Contracts for care b. Special relationships c. Statutory duty d. D created the risk of harm e. D voluntarily assumed care (especially if others are prevented from giving care) 2) People v Beardsley: man and woman get drunk over weekend, she surreptitiously takes morphine and dies after D gave her to someone else to let her sleep it off f. Rule: no legal duty existed because none of the 5 above were present. g. Rationale: a legal duty is not the same as a moral obl igation; acquaintances aren’t close enough relationally to create a legal duty without one of the above. ) Commonwealth v Howard: mother failed to prevent her daughter’s torture and murder by a third party h. Rule: parents have a legal duty to protect their children- special relationship i. Rationale: parents can be legally forced to act; additionally, the omission was the direct cause of the death (medical testimony). 4) Commonwealth v Pestinikas: couple contracted to care for old man for $300/mo j. Rule: failure to care for another is only a breach of a legal duty when the caregiver has undertaken the responsibility of care through contract or voluntarily k.Rationale: the omission in situation of duty caused harm D could have prevented. Mens Rea Definition The particular mental state provided for in the definition of an offense. Rationale for Requiring Mens Rea Deterrence or Utilitarian Justification: you cannot deter someone who does not have a guilty mind. Retribut ive Justification: â€Å"Just Deserts. † You should not punish someone who is morally innocent. MPC v Common Law Equivalents of Mens Rea MPC 2. 02(2)| Common Law| Purposefully: conscious object to commit| Intent- natural and probable auses| Knowingly: awareness; substantial certainty| Knowledge- aware of the fact, or correctly believes it exists, including willful blindness| Recklessly: conscious disregard of foreseeable risk- subjective standard. Awareness. | Concepts of â€Å"recklessness† and â€Å"negligence† are often embodied| Negligently: should have been aware of risk and disregard it- reasonable person would have been awareNo distinction b/n general, specific intent| Distinction b/w general, specific intent| CL: Uses the concept of mens rea in many terms: Willfully, wickedly, maliciously, knowingly, intentionally, negligently.No uniformity across states as to definitions MPC: 4 mental states that are precisely defined. If no mental state is referenced i n a statute, read in recklessly. Proving â€Å"Intent†, common law- natural and probable consequences doctrine 1. Regina v Cunningham: Son in law stole gas meter to sell; mother-in-law was exposed to coal gas. a. Malice means (i) an actual intention to do the particular kind of harm that was in fact done or (ii) recklessness as to whether such harm should occur or not (foresaw risk; continued anyways) 2.State v Fugate: D shoots and kills store owner after forcing him into basement. b. Intent can be inferred from attendant circumstances and composite picture developed by evidence, including instrument used to produce death and the manner of inflicting a fatal wound. c. Intent to kill may be presumed where the natural and probable consequence of a wrongful act is to produce death. 3. Foreseeability Issues: If harm is so foreseeable as to almost be certain to occur, intent can be found. Proving â€Å"Knowledge†, common law- willful blindness 1.US v Jewell: a person acts k nowingly for common law if the person is aware of the fact OR correctly believes it exists OR suspects the fact exists and purposefully avoids learning the truth a. Deliberate ignorance and positive knowledge are equally culpable. To act â€Å"knowingly† is not necessarily to act only with positive knowledge, but also to act with an awareness of the high probability of the existence of the fact in question. When such awareness is present, â€Å"positive† knowledge is not required. Transferred Intent – only where harm is to people; NOT property 1. Regina v Pembliton: D threw stone at enemy, hit window instead.Intent to hit friends is not intent to hit window; mens rea is lacking. 2. Regina v. Falkner: intent to steal rum is not intent to burn down a ship. 3. People v Scott: D intended to shoot A and shot B instead; mens rea (intent) transfers. Society has a greater interest in deterring and punishing (retribution) people who kill than damage property. Common law Specific v General Intent – consider the attendant circumstance * Specific intent statute: requires intent to cause harm to the attendant circumstance; to be convicted under a specific intent statute, you must intend (and succeed) in burning a BOOK.You must have a conscious objective that is more than just lighting a match. * Intending to complete the act- purposefully, knowingly * General intent statute: requires intent to do the act, only. Might punish setting fire to instead of saying, setting fire to woodland flora. Drunk people are likely to get netted under a general intent statute because the attendant circumstance is general. * Intending the act- negligent, reckless * People v Atkins: Attempt to raise voluntary intoxication to charge of Arson. * Court finds Arson as general intent crime. Inadmissible b/c only need to do actus reus.How MPC Avoids Specific Intent-General Intent Distinctions 1. MPC 2. 02(1): Minimum Requirements of Culpability a. Except as provided in 2. 05 (strict liability provision), a person is not guilty of an offense unless he acted purposely, knowingly, recklessly, or negligently with respect to each material element of the offense 2. MPC 1. 13(9): â€Å"element of offense† means (i) such conduct or (ii) attendant circumstances or (iii) such a result of conduct as b. is included in the description of the forbidden conduct in the definition of the offense; or c. stablishes the required kind of culpability d. negatives an excuse or justification for such conduct e. Negatives a defense under the statute of limitations 3. MPC 1. 13(10): â€Å"Material element of an offense† means an element that does not relate exclusively to the statute of limitations, jurisdiction, venue, or any other matter similarly unconnected with (i) the harm or evil, incident to conduct, sought to be prevented by the law defining the offense, or (ii) the existence of a justification or excuse for such conduct Strict Liability Crimes Statute lacks mens rea component. MPC reads recklessness into any statute missing a mens rea. * TRUE STRICT LIABILITY CRIMES: regulatory crimes, crimes against the public welfare, morality offenses (statutory rape), felony murder. MPC 2. 05 recognizes only minor â€Å"violations† and violations outside the MPC where it is plain that the legislature intended to create strict liability Morissette: Ordinary presumption is to read mens rea in the statute (recklessness). Courts are likely to construe the following as strict liability offenses: 1.Statute protects the public welfare 2. D is in a position to prevent the harm and it is reasonable to expect this of her 3. The penalties imposed are light 4. There is little stigma associated with the offense 5. It is a newly created crime Commonwealth v Barone: Woman killed another in a car crash, appeals on grounds that the statute imposed strict liability and she shouldn't be punished 1. If a statute is ambiguous, must read in reckless or neg ligent and cannot impose strict liability. Heavy penalties and negative stigma associated with this type of crime.Mistake and Ignorance In general: D commits a crime with a belief that turns out to be wrong. MPC: what does the statute require for mens rea? Rationales for Mistake and Ignorance Defenses 1. Deterrence/Utilitarian Justification: you cannot deter someone who does not possess a guilty mind 2. Retributivist justification: â€Å"just desserts. † you should not punish someone who is morally innocent Question Tree 1. MPC or common law? a. What statute are you being asked to apply? 2. Mistake of fact or law? — what must D show to prevail under mistake defense? b. MPC 2. 4: No distinction b/w mistake of fact and law i. Mistake of fact: must negate mens rea of the statute ii. Mistake of law: no defense unless provided in the statute iii. When D raises mistake claim, P must prove that notwithstanding the mistake, D possessed requisite mens rea c. Common law: iv. Mis take of fact: 1. Specific intent: honest but unreasonable mistake is a defense 2. General intent: defense only if both honest and reasonable v. Mistake of law: 3. No excuse, but three exceptions: relied on official interp. f law, knowledge of illegality is an element of the crime, or no fair notice Common Law: Cases – Mistake of Fact 1. People v Navarro: D took lumber, thinking it was abandoned. a. Larceny is a specific intent statute, so mistake of fact is a defense, if honest 2. Bell v State: MINORITY VIEW: no exculpation for mistake where, had the mistake of fact not been made, the conduct would still be illegal or immoral. b. Moral wrong test: there is no violation of the culpability principle if the conduct is criminally punished without regard to mens rea- mistake of fact not a defense if the conduct is morally wrong. . Ask if reasonable ii. If reasonable, look at factual panorama. â€Å"what is it that you (reasonably) thought you were doing? † Insert candid res ponse. iii. Evaluate morality of actor’s conduct. If morally wrong, it is sufficient to convict. c. Legal wrong test: even if D can assert a reasonable mistake of fact, mistake of fact isn’t a defense if, had the facts been as she thought, she would still be guilty of some other crime. d. Punishes D for the crime he was mistaken about committing (and so never did actually commit) instead of for a lesser crime he did actually commit.Cases- Mistake of Law Ignorance of the law is not a defense against criminal liability UNLESS: 1. Reasonably relied on an official interpretation of the law (Marrero) 2. Where knowledge that the conduct is prohibited is an element of the crime. Ignorance or mistake negates the mens rea. a. Cheek v US: When statute requires willfulness, Subjective standard is to be used and shall be determined by the factfinder. Need not be reasonable. b. Bryan v US: (Gun Trafficker) Knowingly requires proof of knowledge of the facts that constitute the crime .Willfully requires knowledge of the specific rule they are breaking. However, ignorance of the law is no excuse; knowledge that the conduct is unlawful is all that is required. 3. The prosecution of person lacking fair notice can violate due process c. Lambert- no fair notice. In order to be punished, there must be a probability that D had actual knowledge of the law before committing the crime. MPC * Does not allow mistake as a defense where D would be guilty of another offense had the situation been as he supposed; but if that punishment is lesser, it will be imposed instead. Mistake of fact under MPC is a defense if it negates the mental state required for commission of the offense. * Mistake of law under MPC is a defense if the law provides that the state of mind established by such ignorance or mistake constitutes a defense * Relationship between various mistakes of fact and required mens rea levels: Required Mens Rea| Defense / D is not guilty if: | Purposely or knowingly| An y actual belief to the contrary (even if reckless)| Recklessly| Any non-reckless mistake of fact (even if negligent)| Negligently| Any non-negligent â€Å"reasonable† mistake|Strict Liability| Even a very reasonable, non-negligent mistake is no defense| * We applied MPC in RRH book burning example. Mistake can be a defense, but it has to be less than conscious disregard in all circumstances. RRH’s mistake was negligent at the very worst, not even reckless. Causation Question Tree 1. Actual cause? a. But for D's act, would the harm have occurred? i. No: actual cause. (proceed to proximate cause analysis) ii. Yes: not actual cause. 1. Proximate cause? a. Is D the direct cause, such that it would be fair and just to hold him liable? i. Yes: Then D has complete liability. ii.No: proceed to intervening cause analysis a. Was there an intervening cause? If Dependent, D typically is proximate cause unless bizarre i. Yes: 1. Was it dependent on D's voluntary act? a. Yes: next q uestion: i. Was it a bizarre situation? 1. No: D has liability. 1. Yes: D is absolved. 1. Was it independent of D's voluntary act? a. Yes: was it foreseeable? If yes, liable. If no, not liable a. No: does anything above fit? i. No: if there is no intervening cause and was proximate cause, D is liable. Cases 1. Commonwealth v Rementer: woman runs from boyfriend into street, hit by car, killed a.Actual cause? YES. But for their fight, she would not have been in the street. b. Proximate cause? First, was there an intervening cause? YES. ii. Was the intervening cause dependent or independent? 1. Dependent- he fought with her, and she ran. 2. In cases of intervening dependent cause, he is liable unless it was a bizarre situation. They were fighting in front of a road, so no. c. D is liable. Actual cause, and proximate cause, the latter through dep. Intervening 2. State v. Govan: D shot the V in the neck, she became a quadriplegic d. Actual cause? YES.But for†¦ e. Proximate cause? Wa s there an intervening cause? Yes- pneumonia killed her. iii. Dependent or independent intervening cause? 3. Dependent- you don’t die from TB unless you’re a quadriplegic 4. Dependent intervening cause, not bizarre- D liable. iv. An intervening cause that was a coincidence will be a superseding cause when it was unforeseeable. Intervening causes that are a response will be superseding when it was abnormal and unforeseeable 3. Henderson v Kibbe: drunk guy robbed and left on snowy highway w/o glasses f. actual cause?YES. But for being left there†¦ g. Proximate cause? Was there an intervening cause? Yes. Indep or dep? v. Independent: they weren’t driving the truck that hit him 5. If Indep, it was foreseeable, so D is liable. vi. Dependent: but he wouldn’t have been there without their robbing him 6. If Dep, truck wasn’t bizarre, so D is liable. Concurrence Temporal and Motivational 1. Temporal concurrence: D must possess the requisite mens rea at the same moment that her voluntary conduct (or omission) causes the social harm (or actus reus) 2.Motivational concurrence: the mens rea must be the motivating force behind the act Sexual Offenses MPC Rape: 213. 1: Rape if: * Compel to submit by force of threats of death, extreme pain, etc OR * You give V GHB, etc OR * V is unconscious OR * V is younger than age 10. Felony 2nd degree * NO MISTAKE OF AGE DEFENSE UNDER AGE 10 * There is a mistake of age defense between 10 and age of consent Rape Traditional: no rape unless force was used to overcome the victim’s resistance (No resistance, then no force, then no rape) rape determination based on victim’s actions. ) Heterosexual vaginal intercourse NO MENS REA 2) of a woman, not the man’s wife 3) by force and 4) without her consent – consent is an element; that she did not consent has to be shown beyond a reasonable doubt by the prosecution in order to convict (hard to prove) a. FORCE: Whether D’s act s used sufficient force to overcome P’s resistance, or whether his threats created in her mind a reasonable fear of harm. b. Rusk v State: she didn’t actively resist or attempt to run when she had the chance, so under the traditional view she could not have been raped. i.She said she was fearful, but unless D objectively manifested his intent to use physical force to accomplish his purpose, her submission will be read as consent because it couldn’t have been reasonable without an objective manifestation. ii. DISSENT: (now majority rule): this view requires too much resistance from the victim- and resisting victims get hurt more often. Modern: force requirement met by nonconsensual penetration- no need for resistance that requires force to overcome. Rape determination based on D’s actions, not V’s actions or character. * Modern rape law is built around meaningful consent. It is gender neutral, includes the word â€Å"coercion†, includes more than vaginal intercourse, uses the term â€Å"sexual assault† instead of rape * Consent is an affirmative defense, not an element 1) Physical force or coercion 2) NO EXPLICIT CONSENT ELEMENT – consent is an affirmative defense; a question that she may have consented has to be raised by a preponderance of the evidence a. State of New Jersey v MTS: force requirement met by nonconsensual penetration. Physical force in excess of that inherent in the act of sexual penetration is not required for such penetration to be unlawful i.There is an inherent wrong in forced sexual intimacy- crime against a person’s right to control her body. Rape is violating the sphere of privacy. 3) WHAT COUNTS AS CONSENT? Permission can be inferred either from acts or statements reasonably viewed in light of the surrounding circumstances b. In re John Z: Woman participated in sexual acts for a while; after penetration told him to stop. ii. Forcible rape is still committed when V consents i nitially, then withdraws consent, but D continues having sex with her iii.Her consent can be debated- she consented through acts, then lightly verbally said no, but physically continued†¦ Statutory Rape * Common law: Sex with a female under the age of consent. * Assumes male D, female V * Heterosexual, vaginal intercourse * No force required * No non-consent required (so if she consented it’s still statutory rape) * MPC 213. 4: Sexual assault. Sex with child under age 10 is a strict liability crime, no mistake of age defense. Between age 10 and age of consent, there is a mistake of age defense. Garnett: even a mentally handicapped person can be convicted of statutory rape with a person his mental equivalent- we don’t care about mindset, only about the act. * Scholars think strict liability crimes don’t serve a deterrent purpose because they punish without regard to the actors’ state of mind. * But I think this sort of liability is a good thing overal l because people are aware that if they have sex with someone who looks young, they could be in trouble- forces people to be a bit more responsible- but then, people probably don’t think of the punishments ahead of time, either.Homicide Common law: 4 primary kinds of homicide. (** minority rule) Murder, 1st degree Murder, 2nd degree Voluntary Manslaughter Involuntary Manslaughter Murder: The unlawful killing of a human being with malice aforethought Manslaughter: The unlawful killing of another human being without malice aforethought CL: 4 conditions when malice aforethought is present 1. An intent to kill 2. Intent to commit serious bodily harm 3. An abandoned and malignant heart or depraved heart 4. The felony murder rule applies If D intends to kill, he acts with express malice.If malice aforethought is shown in any other way, it is implied malice. Acceptable Evidence when proof of murder depends on malice aforethought 1. Inferred from circumstantial evidence 2. Deadly wea pon rule: Can infer intent to kill when D uses deadly weapon and aims it @ vital part of body 3. Natural and probable consequences rule Murder, 1st degree: Murder involved * Premeditation and Deliberation * Premeditated intent to kill. Killer reflected upon and thought about the killing in advance * Deliberation. Refers to the quality of the accused’s thought process * Statutory felony murder. Lying in wait, poison, torture, etc. Murder, 2nd degree: * Unpremeditated intent to kill * Intent to cause great bodily harm** * Depraved heart/extreme recklessness * All other felony murders Murder Cases * State v Brown: Death of 4 y. o. resulting from beating from father. charged with M1 * To be guilty of first degree murder, one must act with premeditation and deliberation in addition to malice aforethought * Although premeditation can be formed in an instant, it must be done deliberately- with coolness and reflection * State v Bingham: Raped and strangled on highway To allow a findi ng of premeditation only because the act takes an appreciable amount of time obliterates the distinction b/w 1st and 2nd degree murder. Having the opportunity to deliberate is not evidence of deliberation. Otherwise, any form of killing which took more than a moment could result in a finding of premeditation, without some form add'l evidence showing reflection * Gilbert v State: 75 y. o. man killed dementia wife by shooting her * good faith is not a legal defense to first degree murder Voluntary manslaughter Intent to kill plus reasonable provocation (always has to be reasonable provocation for charge of voluntary manslaughter- something akin to heat of passion. But for provocation, this person wouldn't be a killer) * Provocation: One who kills in response to legally adequate provocation is treated as having acted without malice aforethought, the mens rea required for murder * Intent to kill plus imperfect self defense** (D might have over-defended themselves) * Diminished Capacity 3 ways to determine if D is entitled to provocation defense * Common law categorical defense.If kill in response to * Aggravated Assault or battery * The observation of a serious crime against a close relative * Illegal arrest * Mutual combat * Catching one’s wife in the act of adultury * Mere Words Rule: Mere words are never enough to constitute legally adequate provocation * People v Ambro: H stabbed wife after verbal goading and revealing that she was in an affair * Mere words are usually not enough. Exception to which is when there is a series of provoking statements and circumstances. * Modern Reasonable Man. Jury must find * D actually acted in the heat of passion The heat of passion was provoked by an act or event that would have also provoked a reasonable person in the D's shoes to lose self-control * D did not have sufficient time to â€Å"cool off† b/w provocative event and the killing * A reasonable person in Ds shoes would not have had sufficient time to co ol * There must be a causal connection b/w the provocation, the passion, and the killing * People v Barry: Husband strangled wife with phone cord after hearing that she was leaving him * Court considers the whole course of provocation over time, not just in the moments leading up to the murder * MPC Extreme mental or Emotional Disturbance test * MPC 210. 3(b): A homicide that would otherwise be murder may be considered manslaughter when it is committed â€Å"under the influence of extreme mental or emotional disturbance for which there is reasonable explanation and excuse. * â€Å"the reasonableness of such excuse shall be determined from the viewpoint of a person in the actor's situation under the circumstances as he believes them to be. † subjective * State v Dumlao: Husband shoots mother in law after thinking that family members were trying to cheat on him with his wife. Was a very insecure individual * Intense mental or emotional disturbance is distinguished from insanit y in that it is to be understood in relative terms as referring to a loss of self control due to intense feelings * 3 part test for EMED Will be found in a person who has * No mental disease or defect Is exposed to an extremely unusual and overwhelming stress * Has extreme emotional reaction to it, as a result of which there is a loss self control in reason is overborn by intense feelings, such as passion, anger distress, grief excessive agitation or similar emotion * Whether there is a reasonable explanation should be made by viewing the subjective internal situation in which the D found himself and the external circumstances as he perceived them to be at the time, no matter how inaccurate that perception may have been, and assessing from that standpoint whether the explanation for his emotional disturbance was reasonableInvoluntary manslaughter — Cause death with criminal negligence * Can secure IM conviction through Criminal negligence (â€Å"gross† negligence or ev en â€Å"recklessness†) or Misdemeanor manslaughter (felony murder, junior) * MPC Equivalent 210. 3(1)(a): â€Å"criminal homicide constitutes manslaughter when it is committed recklessly† * Commonwealth v Welanski: Night club burned down and killed hundreds * Not required to prove that he caused the fire by some wanton or reckless conduct. Enough to prove that the deaths resulted from his wanton or reckless disregard of the safety of the patrons in the event of fire form any case. Depraved Heart Murder What: When there is a killing but no proof of an intent to kill, the law may â€Å"imply† malice. One of these situations is when the individual who kills acts with an abandoned and malignant heart * Homicide involving â€Å"depraved heart† can be punished as a second-degree murder; gross negligence or simple recklessness can only be punished as involuntary manslaughter * Rule: Malice will be implied in a homicide case if it can be shown that the D acted w ith gross negligence and an extreme indifference to human life. D realized that his actions created a substantial and unjustified risk of death and yet went ahead and committed the actions anyways * People v Knoller (Supreme Ct.CA 2007): Dog mauled woman to death. D charged with Murder 2 * Abandoned and malignant heart is equated with D’s awareness of the risk created by his/her own behavior. Must act with conscious disregard of the danger to human life * Phillips test: Malice is implied when the killing is proximately caused by an act, the natural consequences of which are dangerous to human life, which act was deliberately performed by a person with conscious disregard for life. Conscious disregard of human life is required, but is not subjective standard. Felony Murder * Killing during the commission of a felony is considered murder in the second degree.In some states, killing during the commission of certain statutorily proscribed crimes can elevate the murder to Murder 1 * Level of intent to perform a felonious act is evidence of malice which can be transferred to murder * People v Stamp (Ct. Appeal CA 1969): Man dies of heart attack following the robbery of his store. * A killing committed in either the perpetration of or an attempt to perpetrate robbery is murder of the first degree. Malice aforethought is presumed on the basis of the commission of a felony inherently dangerous to human life. No intentional act is necessary other than the attempt to or the actual commission of the robbery itself. * Not limited to deaths which are foreseeable.As long as the homicide is the direct causal result of the robbery, FM applies * Inherently Dangerous Felony Limitation: For the FM Rule to apply, some jurisdictions require that the underlying felony is inherently dangerous * Hines v State (GA 2003): While hunting, D mistook friend for a turkey and shot him. convicted of FM based on the underlying crime of possession of a firearm by a convicted felon. * Felo ny is â€Å"inherently dangerous† when it is â€Å"dangerous per se† or â€Å"by its circumstances creates a foreseeable risk of death. † foreseeable risk of death when person was drinking, hunting * The Res Gestae Requirement: The felony and the homicide be close in time and distance (temporal and geographic proximity).There must be a causal connection between the felony and the homicide * People v Bodely (Ct of Appeal CA 1995): Escape from a robbery. Got in car, ran over victim. * The test used in FM cases to determine whether a killing is so closely related to an underlying felony as to justify an enhanced punishment for the killing is that the crime continues until the criminal has reached a place of temporary safety * the homicide is committed in the perpetration of a felony if the killing and the felony are parts of one continuous transaction. This escape rule serves public policy considerations of deterrence * King v Commonwealth (Ct of appeals of VA 1988 ): accidental death of co-felon during commission of a felony.D charged with FM 2nd Murder after crashing plane that had marijuana in it. * death must be a consequence of the felony and not just a coincidence * Only acts causing death which are committed by those involved in the felony can be the basis for a conviction * The act causing death must result from some effort to further the felony before malice can be imputed to the act * There must be some act attributable to the felons which causes death * The Merger Doctrine: In some states FM does not apply if the underlying felony is an integral part of and included in the fact of the homicide * People v Smith (CA 1984): Beating of a child which resulted in death.Claims FM should not apply * The ostensible purpose of the FM rule is not to deter the underlying felony, but instead to deter the accidental or negligent killings that may occur in the course of committing that felony * The Agency Rule: FM rule does not apply to killings b y third parties * State v Canola (Supreme Ct. of NJ 1977): During robbery of jewelry store, co-felon shot and killed by owner of store. Other felon charged with FM. * Felon is not liable for the death of a co-felon. For D to be guilty of murder under FM rule the act of killing must be committed by D or his accomplice acting in furtherance of their common design. Lethal acts of 3rd persons not in furtherance of the felonious scheme do not count towards FM rule Attempts, Complicity, Conspiracy See chart Attempts Inchoate Conduct: conduct which occurs after the mens rea has been formed but is shy of the completed act 1. Common Law Approach * Attempt to commit felonies = felonies; attempt to commit misdemeanors = misdemeanors * generally punished less severely than completed offenses 2. MPC Approach * Generally punishes crimes at the same level as the completed offense, except when the target crime is a capital offense or a felony of the first degree (then treated as second degree felon y) Mens Rea of Attempts * Common law * Requires specific intent to commit the targeted offense.True even when the target crime does not require specific intent * MPC 5. 01 * D must ‘purposely' engage in conduct (â€Å"substantial step†) which would constitute crime if the attendant circumstances were believed as D perceived them to be. Cases 3. People v Harris (IL 1978): D charged with murder even though he did not intend murder * Attempted murder is not proved by showing that D intended to do great bodily harm or that he acted in reckless disregard for human life- Intent is needed. Attempted murder requires intent to bring about that result described by the crime of murder 4. State v Hinkhouse (OR 1996): D had HIV, slept with multiple partners.Charged with attempted murder * A person is guilty of attempting to commit a crime when the person intentionally engages in conduct which constitutes a substantial step toward the commission of the crime * A person commits attemp ted murder when he or she attempts, without justification or excuse, intentionally to cause the death of another human being. To act intentionally is to act with a conscious objective to cause the result or to engage in the conduct so described. Actus Reus of Attempts * Common Law * No single test for determining when â€Å"mere preparation† for an offense becomes an attempt * Focus is on how much, or how little, is needed to be done to complete the target offense * MPC Conduct must amount to a substantial step toward culmination of the commission of the targeted offense * Focus is on what D has already done and whether the acts are corroborative of criminal purpose Cases 5. People v Rizzo (NY 1927): D was riding aroud looking for a person to rob. Arrested and charged with attempted robbery * Line is drawn between acts which are remote and which are proximate and near to consummation. * Felonious intent alone is not enough. There must be an overt act shown to establish an att empt. * Proximity approach: A crime is attempted if D did an act tending to the commission of this robbery. Because they had not found or reached the presence of the person they intended to rob, not guilty 6. People v Staples (CA 1970): Attempted burglary of a bank vault. Acts beyond mere preparation is enough to convict of attempted robbery * Preparation consists of devising or arranging the means or measures necessary for the commission of the offense; the attempt is the direct movement toward the commission of the crime after preparations are made * The act must reach far enough toward the accomplishment of the desired result to amount to commencement * Where intent to commit the substantive offense is clearly established, acts done toward the commission of the crime may constitute an attempt where the same acts would be held insufficient to constitute an attempt if the intent with which they were done is equivocal and not clearly proved. Defenses to Attempt * Common Law * No aba ndonment. Majority of CL states do not recognize the defense of abandonment. nce D crosses line from preparation to attempt there is no turning back * Impossibility * Legal Impossibility- when no law makes the conduct a crime is a defense * No factual impossibility . * MPC * Renunciation: MPC 5. 01(4) allows a D to introduce evidence of renunciation in circumstances where * renunciation is voluntary and complete * No Impossibility Defense of Impossibility * You cannot commit a crime which is impossible to commit * US v Thomas- cannot rape a corpse. Group Criminality Complicity One who intentionally assists another in the commission of a crime can be convicted of that offense as an accomplice Mental State necessary to render one an accomplice Common Law: Act with the same mens rea as the principle AND the intent to aid * MPC: act with the same mens rea as principle AND the purpose of promoting or facilitating the commission of an offense Types of acts necessary to render on as an acc omplice * CL: any form of aid to the principle is sufficient, but a failed attempt to aid is not * MPC 2. 06: both aiding and attempting to aid are sufficient Cases Pace v State (IN 1967): man picks up hitch hiker; he robs man in back seat at knife point and driver is held as an accomplice * Negative acquiescence is not enough to constitute a person guilty of aiding and abetting the commission of a crime. Must have affirmative conduct State v Parker (MN 1969): Law student beaten in the back seat of his car by others; he escapes, claims robbery and stolen car. person in front seat held as accomplice * Aid by inaction is possible.If proof shows that a person is present at commission of a crime without disapproving or opposing it, jury may infer accomplice liability in connection with the attendant circumstances and thereby reach the conclusion that he assented to commission of the crime * Evidence of subsequent acts may also prove participation in the criminal acts- running from polic e Conspiracy An agreement between two or more persons to commit a crime CL Elements of conspiracy Actus Reus 1. An agreement between two or more persons to commit an unlawful act AND an overt act * State v Pacheco (WA 1994): PI and employee who was a cop. PI goes to FBI w/ info on employee about illegalities. Set up a sting where cop agreed to kill someone.Charged with conspiracy to commit Murder 1 * There must be an actual agreement between two or more conspirators. Unilateral agreements do not satisfy actus reus. * As it takes two to conspire, there can be no indictable conspiracy with a gov't informer who secretly intends to frustrate the conspiracy. Mens Rea 1. Specific intent to agree AND 2. specific intent that the object of agreement shall be achieved * D cannot be charged of conspiracy alone. Must be â€Å"conspiracy to commit crime X† * No Merger. Can be charged and convicted of both conspiracy and the crime itself * No abandonment defense unless the intent to abando n was communicated expressly to co-cons CasePeople v Swain (CA 1996): drive-by shooting resulted in the death of a boy. Man charged in conspiracy to commit 2nd degree implied malice murder * To sustain a conviction for conspiracy to commit a particular offense, the prosecution must show not only that the conspirators intended to agree but also that they intended to commit the elements of that offense * A conviction of conspiracy to commit murder requires a finding of intent to kill, and cannot be based on a theory of implied malice MPC 5. 03 Elements of conspiracy Main concern is about a â€Å"firm commitment to criminality† Actus Reus 1. an agreement or agreement to aid in the commission of a crime AND sometimes an overt act Mens Rea 1.Purpose of promoting or facilitating the agreement AND the result MPC Characteristics 1. D cannot be charged with conspiracy alone; must be conspiracy to commit crime X 2. Conspiracy merges with the target offense. D cannot be charged with bot h conspiracy and crime 3. For abandonment to apply, D must thwart the success of the conspiracy and must manifest â€Å"complete and voluntary renunciation† of his criminal purpose Case 1. Pinkerton Doctrine: Co-Conspirators can be held liable for ancillary crimes committed in promotion of their agreement if they are (1) reasonably foreseeable and (2) are committed in furtherance of the conspiracy 2.US v Mothersill (FL 1996): Cop blown up by pipe bomb that was intended for someone else * Each party to a continuing conspiracy may be vicariously liable for substantive criminal offenses committed by a co-conspirator during the course and in the furtherance of the conspiracy * Liability will not lie where the crime did not fall within the scope of the unlawful project or which was not reasonably foreseen as a necessary or natural consequence of the unlawful agreement * Deadly force and violence are more than peripheral possibilities so Pinkerton applies Criminal Law Defenses 1) C ase-in-chief defenses v. Affirmative defenses: 1. Case-in-chief negates one of the elements i. Ex: mistake, which negates the mens rea 2. Affirmative defenses apply even when there is clear proof of all the elements of the crime; D gets off for some other reason. ii. Ex: justification, excuse, necessity, duress 2) Burdens of Proof: 3. D has the burden of proof for affirmative defenses. Standard varies: iii.Majority: D must prove by a preponderance of the evidence iv. Minority: some states require proof beyond a reasonable doubt 3) Justification v Excuse and why it matters: 4. Justification: this conduct is right and should be encouraged. v. The evidence for justification is equally available to both sides, but P has advantage of law enforcement resources. vi. Third party liability: If D’s acts are justified, third parties are not criminally liable for helping, and may be liable for interfering. 5. Excuse: this conduct is wrong and should be discouraged. vii. The evidence for excuse is within D’s control because it is about him. viii.Third party liability: when D asserts an excuse, third parties ARE liable for helping D, and are NOT liable for interfering (if they stopped an insane person from hurting someone else, for example. ) Justification 6. D says, â€Å"I did no wrong. † Perhaps D did the right thing under the circumstances. 7. Ex: Self-defense ix. CL Self-defense: 1. D must have an honest and reasonable belief that 2. He was threatened with an imminent threat of unlawful force 3. And that the force used was necessary to repel and proportional to the threat 4. Must be subjectively and objectively reasonable, whether right in belief or not 5.PROVIDED: if D’s defensive force caused death: a. The harm avoided must be death or serious bodily injury (proportionality requirement) b. In some juris, D must try to retreat (majority rule: no duty to retreat) c. If D is the initial aggressor, additional requirements apply d. NOTE: if D f ails to meet all these requirements he may have a partial defense x. MPC Self-defense 3. 04(1) 6. D [reasonably? ] believed 7. Defensive force was immediately necessary to protect D against 8. Unlawful force by V â€Å"on the present occasion† 9. Provided: if D’s defensive force= â€Å"deadly force†: e.The harm avoided must be death, serious bodily injury, kidnapping, or sexual intercourse by force or threat f. D must try to â€Å"retreat† (except from his dwelling) if he knows that’s completely safe way to avoid V’s force g. D has no defense if he, with purpose to cause death or serious bodily injury, provoked V’s force in same encounter 4) Reasonableness standards in context of self-defense: 8. Objective reasonableness: usually includes at least some of D’s physical characteristics, plus D’s knowledge of external circumstances and surroundings; also at least some of D’s general knowledge and prior experiences. ( Pure objectivity is no focus on D at all- hypothetical reasonable person) 9.Subjective reasonableness: can include unique physical, mental, psychological characteristics 10. Purely subjective standard: whatever D actually believed, even if it was completely unreasonable by any standard [actual belief is also a requirement under objective and subjective reasonableness standards] xi. Goetz: they call it an objective reasonableness standard but they take into account D’s past experiences and perceptions- so not a purely objective standard. (And considering the proportionality requirement where D’s acts in self-defense caused death, we must ask if being outnumbered and cornered justifies the first shot or two, but not after they retreated) xii. Simon: man paranoid that Asians will attack him.Defense must try to show that this is reasonable by making racial slurs, statistics. Simon would be convicted under pure objective standard as well as objective reasonableness standard , because even considering his experiences his paranoia is unreasonable, and we’re not willing to go to the subjective standard. 11. Imperfect self-defense: When D’s belief about the circumstances permitting defensive force is unreasonable? Three competing rules: xiii. CL: if D kills based on an unreasonable belief in the necessity to kill, or in the existence of a deadly threat, or if D was the initial non-deadly force aggressor, D’s liability is mitigated from murder down to manslaughter (a partial excuse) xiv. MPC 3. 9: If Ds belief is reckless, he is guilty of a recklessness offense (manslaughter or assault); If D was negligent, it was negligent Homicide or assault. xv. The all-or-nothing rule: at common law, in MN, and in many states, if all self-defense requirements are not met there’s no defense or mitigation at all- if D’s belief is not reasonable, you cannot raise self-defense in MN. 5) Defense of another: 12. CL Act at Peril Rule: defende r of another stands in the shoes of the person being defended; he/she therefore takes the risk that, despite all reasonable appearances, the person being defended was NOT justified (eg, the person was resisting lawful arrest) xvi. People v Young: act at peril.Undercover police officers arresting someone. 13. MPC 3. 05: defender may act on reasonable appearances. Moreover, even if D’s belief is NOT reasonable, MPC only makes D liable for a crime of recklessness or negligence 6) Defense of habitation: 14. Trad CL: D could use any force necessary if he reasonably believed the force was necessary to prevent an imminent unlawful entry 15. Modern CL: Deadly force is permitted only when occupant reasonably believes such force is necessary to prevent imminent unlawful entry and the intruder intends to commit a felony or cause injury to the occupant or another occupant in the dwelling. xvii. Problem: you don’t know what they intend to do.But if they have a weapon or are screami ng that they will kill you, you’re safe in defending yourself. 16. MPC 3. 06: Use of force is justified to prevent trespass, theft, etc or to retake property, BUT must ask trespasser to desist (unless useless, dangerous), or harmful to property. Can use non-dangerous devices. 17. People v Brown: What constitutes a residence? xviii. Reasonable expectations test: whether the nature of a structure's composition is such that a reasonable person would expect some protection from unauthorized intrusions Necessity 1. Justification defense. Often used where people protested laws by breaking law, but not usually successful there; more likely to be successful where D acted in the interests of the general welfare. . Schoon: there can be no necessity defense to indirect civil disobedience (fake blood on IRS walls). ii. Hutchins: necessity cannot justify cultivation of medical marijuana. Court says don’t grow your own, wait for legislature to legalize it. 2. Generally: sometimes th e greater good is better served by breaking the law than by obeying it. Applies where the harm caused by breaking the law is less than the harm avoided by the action. (CL determines this from objective perspective, MPC, subjective) 3. Common Law Elements: Objective standard i. D reasonably (if D’s belief was unreasonable there is not defense or mitigation) believed ii.D’s criminal act was necessary to prevent iii. Imminent harm (the harm cannot have been created by the D) greater than the law which was charged was designed to prevent iv. There was no express or implied legislative preclusion of the necessity defense here 10. In context of Dudley: Prosecutor would argue Dudley created the harm, and so couldn’t use the defense 11. Defense would argue that murder was lesser than all four men dying- but would have to be MPC, not CL, b/c CL allows no justification for death of an innocent. 4. MPC 3. 02(1) Approach to Necessity: Subjective standard i. D believed ii. D ’s criminal act was necessary to prevent iii.Harm (this can include harm threatened by another person as well as nature, and the harm need not be â€Å"imminent†) greater than the charged criminal behavior the law was designed to prevent iv. PROVIDED: The harm sought to be avoided is greater than greater than the harm incurred; there is not express or implied legislative preclusion of the necessity defense 1. Ask about the following: MPC provides some middle ground- recklessness or negligence. Applies throughout category of AD’s. That is, if you believe but your belief is unfounded, it may be reckless, and you can be charged with a reckless act instead of the full blown crime that you thought you had a defense from. v. 3. 2(2): If D is reckless or negligent in creating the situation or in appraising the necessity, D is liable for any applicable crime of recklessness (e. g. manslaughter) or negligence 5. Necessity in context of Dudley to make it more clear: i. No necessity defense because killing an innocent is never justified, applying CL. MPC might have allowed him that excuse. Even through the MPC, if we’re evaluating the recklessness or negligence of his subjective belief, we’re still moving towards objective, because under negligence we care about the reasonable person. In recklessness, we care about the â€Å"law abiding† person. The difference is not obvious. 6. Similarities/Differences B/W CL and MPC i. Similar: Both use a balancing of the harms ii.Different: Under MPC there is no imminence requirement; CL suggests that necessity is not a defense to homicide b/c it can never constitute the greater good to kill an innocent person Excuse Defenses: 1. D says, â€Å"I did wrong, but I should not be punished. † 2. D is not morally blameworthy, and/or not deterrable and/or not dangerous. 3. Ex: duress, insanity, some self-defense claims 3 Categories of excuse defenses 1. Involuntary Actions i. Actions caused by D's body, but which are not the product of her mind (sleep walking, involuntary intoxicaiton) 2. Actions related to Cognitive Deficiencies ii. Actions which are caused by an actor who does not understand the nature of her conduct and whether it is right/wrong, legal/illegal 3.Actions relating to Volitional Deficiencies iii. Actions which are voluntary, but which are taken by an actor Duress 1. Trad. CL: i. D (without prior fault- there’s a defense if D was at fault in getting into that situation) was coerced to commit the charged criminal act. ii. By an actual or reasonably (if D’s belief was unreasonable there is no defense or mitigation) believed threat of imminent unlawful death or great bodily harm to D or a near relative if D did not commit the crime (this defense only excuses the specific criminal act demanded by the threatener, and never excuses homicide); and iii. D had no (legal) way to escape the threat. 2. MPC 2. 09 Duress: i.D, without prior fault (there i s no duress defense if D recklessly put himself in a position where such a threat was probable; if D was merely negligent in putting himself in that position, he is guilty of any applicable crime of negligence; if no such negligence crime applies, D has no liability), was coerced to commit the charged criminal act (this can include acts not demanded by threatener, + homicide) ii. By threat of unlawful force against his person or the person of another iii. That a person of reasonable firmness in D’s position (PORF) would have been unable to resist. 1. Example of putting yourself in a situation where duress is likely is joining a gang 2.If you are under duress and you are told to commit one crime and you have to commit another crime to get there, duress can be a defense to that crime, too- assault on the way to a robbery iv. Distinct from CL in that duress is not limited to situations involving threats of death or serious bodily harm; No explicit imminence requirement 7) Duress v Necessity: 18. Necessity: xix. Focuses on the consequences of the harming action and the concrete alternatives facing D xx. Assumes that D acts in a way that the law seems to approve and encourage (and is therefore â€Å"justified†) 19. Duress: xxi. Focuses on the way in which the choice is made and the extent to which it reflects the free will of the actor xxii.Assumes that D acts in a way that is regrettable and deserves to be discouraged, but that special circumstances makes the conviction inappropriate and unfair 12. Contento-Pachon: swallows cocaine, raises defense of duress. Court looks at the immediacy and escapability of the threat. D just has to meet preponderance standard- just needs to raise a question for the jury, no need to actually prove duress. 8) Intoxication: Voluntary and Involuntary 20. CL Voluntary Intoxication xxiii. Whether D can argue voluntary intoxication depends on whether or not the crime they are charged with is a general or specific intent cri me 13. Inadmissible when general intent b/c it is only intent to do the actus reus 14.Admissible for specific intent crimes but D must still show that b/c intoxicated, she lacked the specific intent required for commission of the crime 21. CL Involuntary Intoxication xxiv. Some jurisdictions allow evidence of involuntary intoxication to be admitted to negate either specific or general intent xxv. Most jurisdictions allow involuntary intoxication to be the basis for temporary insanity Some jurisdiction only allow only this second use of involuntary intoxication defense to stand if it caused the D to become temporarily insane 22. MPC 2. 08(4-5) xxvi. Distinguishes 3 types of intoxication. Any form of intoxication is a defense if it negates an element of the offense.Mens rea is broadly applied (except in the case of recklessness- a person acts recklessly as to an element of the crime if, as the result of the self-induced intoxication, he was not conscious of a risk of which he otherwis e would have been aware had he not been intoxicated) 15. Voluntary (â€Å"Self Induced†) Intoxication 16. Pathological Intoxication 17. Involuntary (â€Å"Non self-induced†) Intoxication h. Pathological and involuntary are affirmative defenses if the intoxication causes D to suffer from a mental condition comparable to that which constitutes insanity under MPC 2. 08(4) xxvii. Commonwealth v Smith: Intoxication produced by mixing of prescription drugs and alcohol is not involuntary even if without knowledge of synergistic effects. 18. 4 situations which I. I. admissible i.Intoxication caused by fault of another (force, duress, fraud, contrivance) j. Caused by innocent mistake of D (taking LSD thinking its advil) k. D unknowingly suffers from physiological/psychological that renders him abnormally susceptible to legal intoxicant l. Unexpected results from medically prescribed drug 9) Competence to Stand Trial: 23. In question is D’s ability to understand the legal proceedings as they are taking place, not about D’s competence at the time of the crime. 10) Insanity Defense 24. In question is D’s ability to resist the impulse for crime, know right from wrong; questions D’s ability based on the time of the incident itself. 25. Tests: xxviii.M’Naghten Rule: a right/wrong test- looks at COGNITION; focus is on D’s mental state 19. A person is legally insane if, at the time of committing the act, he was laboring under such a defect of reason, from disease of the mind, as: m. Not to know the nature and quality of the act; OR n. If he did know it, that he didn’t know it was wrong. 20. Criticisms: o. too narrow; looks only at cognition p. Does wrong mean legally wrong? Morally wrong? Morally wrong according to D personally, or society? Courts split. xxix. Irresistible impulse test: focus is on volition, inability to control acts 21. A person is legally insane if, as the result of mental disease r defect, she à ¢â‚¬Å"acted with the irresistible and uncontrollable impulse,† or â€Å"if she lost the power to choose between right and wrong, and to avoid doing the act in question, as her free agency was at the time destroyed. † 22. Criticisms: Too narrow- looks only at volition. xxx. Durham Test: focuses on testimony of psychiatrists 23. An accused is not criminally responsible if the unlawful act was the product of mental disease or defect. â€Å"Mental disease or defect† is â€Å"any abnormal condition of the kind which substantially affects mental or emotional process and substantially impairs behavior control. † 24. Criticisms: Focuses too much on expert testimony, to the point where the role of the jury is usurped- rubber-stamping an expert. xxxi. MPC 4. 1 – combination of M’Naughten and Durham- cognitive + volitional 25. A person is not responsible for criminal conduct if at the time of such conduct, as a result of mental disease or defect, he lac ks substantial capacity either to: q. Appreciate the criminality (wrongfulness) of his conduct (cognitive) r. Or to conform his conduct to the requirements of the law (volitional) 26. The terms â€Å"mental disease† or â€Å"defect† do not include an abnormality manifested only by repeated criminal or other anti-social conduct. 27. Appreciate: wrongfulness is a m

Net Sec

1. Name at least five applications and tools pre-loaded on the TargetWindows01 server desktop, and identify whether that application starts as a service on the system or must be run manually. WINDOWS APPLICATION LOADEDSTARTS AS SERVICE Y/N 1. tftpd32 Starts as a service 2. FileZilla Server Interface- The interface does not start as a service and must be ran manually 3. Wireshark – Does not start as a service and must be ran manually 4. Nessus Server Manager – Does not start as a service and must be ran manually 5. NetWitness Investigator – Does not start as a service and must be ran manually 2.What was the allocated source IP host address for the TargetWindows01 server, TargetUbuntu01 server, and the IP default gateway router? TagetWindows01 Server- Source IP = 172. 30. 0. 8 TargetUbuntu01 Server – Source IP = 172. 30. 0. 4 TargetUbuntu02 Server – Source IP = 172. 30. 0. 9 The Default Gateway IP is = 172. 30. 0. 1 3. Did the targeted IP hosts respon d to the ICMP echo-request packet with an ICMP echo-reply packet when you initiated the â€Å"ping† command at your DOS prompt? If yes, how many ICMP echo-request packets were sent back to the IP source? Yes, the targeted IP host responded back with 4 echo-replies. 4.If you ping the TargetWindows01 server and the UbuntuTarget01 server, which fields in the ICMP echo-request/echo-replies vary? The fields that vary is the Time To Live (TTL) fields. For the TargetUbuntu01 it's 64 and the TargetWindows01 is 128. 5. What is the command line syntax for running an â€Å"Intense Scan† with Zenmap on a target subnet of 172. 30. 0. 0/24? The syntax for an Intense Scan in Zenmap is as followed: nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 172. 30. 0. 0/24 6. Name at least five different scans that may be performed from the Zenmap GUI. Document under what circumstances you would choose to run those particular scans.Intense Scan-Provides a very detailed information about ports an d protocols, Operating Systems, and Mac Addresses Internse Scan, all TCP ports – Provide intense scan on all tcp ports 1-65535. Ping Scan-Provide basic information about availability and MAC addresses Quick Scan- Provides a fast scan limiting the number of TCP ports scanned only the top 100 most common TCP ports Regular Scan-This is the default scan by issuing TCP SYN scans for the most common 1000 TCP ports using pings for host detection. 7. How many different tests (i. e. , scripts) did your â€Å"Intense Scan† definition perform?List them all after reviewing the scan report. The Intense Scan initiated 36 Scripts. The scripts can be found at http://nmap. org/nsedoc/ 8. Describe what each of these tests or scripts performs within the Zenmap GUI (Nmap) scan report. Below are each of the 36 scripts and a description of each, derived from http://nmap. org/nsedoc/. acarsd-info Retrieves information from a listening acarsd daemon. Acarsd decodes ACARS (Aircraft Communicati on Addressing and Reporting System) data in real time. The information retrieved by this script includes the daemon version, API version, administrator e-mail address and listening frequency. ddress-info Shows extra information about IPv6 addresses, such as embedded MAC or IPv4 addresses when available. afp-brute Performs password guessing against Apple Filing Protocol (AFP). afp-ls Attempts to get useful information about files from AFP volumes. The output is intended to resemble the output of ls. afp-path-vuln Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533. afp-serverinfo Shows AFP server information. This information includes the server's hostname, IPv4 and IPv6 addresses, and hardware type (for example Macmini or MacBookPro). fp-showmount Shows AFP shares and ACLs. ajp-auth Retrieves the authentication scheme and realm of an AJP service (Apache JServ Protocol) that requires authentication. ajp-brute Performs brute force passwords auditing against the A pache JServ protocol. The Apache JServ Protocol is commonly used by web servers to communicate with back-end Java application server containers. ajp-headers Performs a HEAD or GET request against either the root directory or any optional directory of an Apache JServ Protocol server and returns the server response headers. ajp-methodsDiscovers which options are supported by the AJP (Apache JServ Protocol) server by sending an OPTIONS request and lists potentially risky methods. ajp-request Requests a URI over the Apache JServ Protocol and displays the result (or stores it in a file). Different AJP methods such as; GET, HEAD, TRACE, PUT or DELETE may be used. amqp-info Gathers information (a list of all server properties) from an AMQP (advanced message queuing protocol) server. asn-query Maps IP addresses to autonomous system (AS) numbers. auth-owners Attempts to find the owner of an open TCP port by querying an auth daemon which must also be open on the target system.The auth service , also known as identd, normally runs on port 113. auth-spoof Checks for an identd (auth) server which is spoofing its replies. backorifice-brute Performs brute force password auditing against the BackOrifice service. The backorifice-brute. ports script argument is mandatory (it specifies ports to run the script against). backorifice-info Connects to a BackOrifice service and gathers information about the host and the BackOrifice service itself. banner A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds. bitcoin-getaddrQueries a Bitcoin server for a list of known Bitcoin nodes bitcoin-info Extracts version and node information from a Bitcoin server bitcoinrpc-info Obtains information from a Bitcoin server by calling getinfo on its JSON-RPC interface. bittorrent-discovery Discovers bittorrent peers sharing a file based on a user-supplied torrent file or magnet link. Peers implement the Bittorrent protoco l and share the torrent, whereas the nodes (only shown if the include-nodes NSE argument is given) implement the DHT protocol and are used to track the peers. The sets of peers and nodes are not the same, but they usually intersect. bjnp-discoverRetrieves printer or scanner information from a remote device supporting the BJNP protocol. The protocol is known to be supported by network based Canon devices. broadcast-ataoe-discover Discovers servers supporting the ATA over Ethernet protocol. ATA over Ethernet is an ethernet protocol developed by the Brantley Coile Company and allows for simple, high-performance access to SATA drives over Ethernet. broadcast-avahi-dos Attempts to discover hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is vulnerable to the Avahi NULL UDP packet denial of service (CVE-2011-1002). roadcast-bjnp-discover Attempts to discover Canon devices (Printers/Scanners) supporting the BJNP prot ocol by sending BJNP Discover requests to the network broadcast address for both ports associated with the protocol. broadcast-db2-discover Attempts to discover DB2 servers on the network by sending a broadcast request to port 523/udp. broadcast-dhcp-discover Sends a DHCP request to the broadcast address (255. 255. 255. 255) and reports the results. The script uses a static MAC address (DE:AD:CO:DE:CA:FE) while doing so in order to prevent scope exhaustion. broadcast-dhcp6-discoverSends a DHCPv6 request (Solicit) to the DHCPv6 multicast address, parses the response, then extracts and prints the address along with any options returned by the server. broadcast-dns-service-discovery Attempts to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses. broadcast-dropbox-listener Listens for the LAN sync information broadcasts that the Dropbox. com client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more. broadcast-eigrp-discoveryPerforms network discovery and routing information gathering through Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP). broadcast-igmp-discovery Discovers targets that have IGMP Multicast memberships and grabs interesting information. broadcast-listener Sniffs the network for incoming broadcast communication and attempts to decode the received packets. It supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and a few more. See packetdecoders. lua for more information. broadcast-ms-sql-discover Discovers Microsoft SQL servers in the same broadcast domain. broadcast-netbios-master-browserAttempts to discover master browsers and the domains they manage. broadcast-networker-discover Discovers EMC Networker backup software servers on a LAN by sending a network broadcast query. broadcast-novell-locate Attempts to use the Service Location Protocol to discover Novell Net Ware Core Protocol (NCP) servers. broadcast-pc-anywhere Sends a special broadcast probe to discover PC-Anywhere hosts running on a LAN. broadcast-pc-duo Discovers PC-DUO remote control hosts and gateways running on a LAN by sending a special broadcast UDP probe. broadcast-pim-discovery Discovers routers that are running PIM (Protocol Independent Multicast). roadcast-ping Sends broadcast pings on a selected interface using raw ethernet packets and outputs the responding hosts' IP and MAC addresses or (if requested) adds them as targets. Root privileges on UNIX are required to run this script since it uses raw sockets. Most operating systems don't respond to broadcast-ping probes, but they can be configured to do so. broadcast-pppoe-discover Discovers PPPoE (Point-to-Point Protocol over Ethernet) servers using the PPPoE Discovery protocol (PPPoED). PPPoE is an ethernet based protocol so the script has to know what ethernet interface to use for discovery.If no interface is specified, r equests are sent out on all available interfaces. broadcast-rip-discover Discovers hosts and routing information from devices running RIPv2 on the LAN. It does so by sending a RIPv2 Request command and collects the responses from all devices responding to the request. broadcast-ripng-discover Discovers hosts and routing information from devices running RIPng on the LAN by sending a broadcast RIPng Request command and collecting any responses. broadcast-sybase-asa-discover Discovers Sybase Anywhere servers on the LAN by sending broadcast discovery messages. broadcast-tellstick-discoverDiscovers Telldus Technologies TellStickNet devices on the LAN. The Telldus TellStick is used to wirelessly control electric devices such as lights, dimmers and electric outlets. For more information: http://www. telldus. com/ broadcast-upnp-info Attempts to extract system information from the UPnP service by sending a multicast query, then collecting, parsing, and displaying all responses. broadcast-ve rsant-locate Discovers Versant object databases using the broadcast srvloc protocol. broadcast-wake-on-lan Wakes a remote system up from sleep by sending a Wake-On-Lan packet. broadcast-wpad-discoverRetrieves a list of proxy servers on a LAN using the Web Proxy Autodiscovery Protocol (WPAD). It implements both the DHCP and DNS methods of doing so and starts by querying DHCP to get the address. DHCP discovery requires nmap to be running in privileged mode and will be skipped when this is not the case. DNS discovery relies on the script being able to resolve the local domain either through a script argument or by attempting to reverse resolve the local IP. broadcast-wsdd-discover Uses a multicast query to discover devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol.It also attempts to locate any published Windows Communication Framework (WCF) web services (. NET 4. 0 or later). broadcast-xdmcp-discover Discovers servers running the X Display Manager Control P rotocol (XDMCP) by sending a XDMCP broadcast request to the LAN. Display managers allowing access are marked using the keyword Willing in the result. cassandra-brute Performs brute force password auditing against the Cassandra database. cassandra-info Attempts to get basic info and server status from a Cassandra database. cccam-version Detects the CCcam service (software for sharing subscription TV among multiple receivers). itrix-brute-xml Attempts to guess valid credentials for the Citrix PN Web Agent XML Service. The XML service authenticates against the local Windows server or the Active Directory. citrix-enum-apps Extracts a list of published applications from the ICA Browser service. citrix-enum-apps-xml Extracts a list of applications, ACLs, and settings from the Citrix XML service. citrix-enum-servers Extracts a list of Citrix servers from the ICA Browser service. citrix-enum-servers-xml Extracts the name of the server farm and member servers from Citrix XML service. couchdb -databases Gets database tables from a CouchDB database. ouchdb-stats Gets database statistics from a CouchDB database. creds-summary Lists all discovered credentials (e. g. from brute force and default password checking scripts) at end of scan. cups-info Lists printers managed by the CUPS printing service. cups-queue-info Lists currently queued print jobs of the remote CUPS service grouped by printer. cvs-brute Performs brute force password auditing against CVS pserver authentication. cvs-brute-repository Attempts to guess the name of the CVS repositories hosted on the remote server. With knowledge of the correct repository name, usernames and passwords can be guessed. aap-get-library Retrieves a list of music from a DAAP server. The list includes artist names and album and song titles. daytime Retrieves the day and time from the Daytime service. db2-das-info Connects to the IBM DB2 Administration Server (DAS) on TCP or UDP port 523 and exports the server profile. No authentication is required for this request. db2-discover Attempts to discover DB2 servers on the network by querying open ibm-db2 UDP ports (normally port 523). dhcp-discover Sends a DHCPINFORM request to a host on UDP port 67 to obtain all the local configuration parameters without allocating a new address. ict-info Connects to a dictionary server using the DICT protocol, runs the SHOW SERVER command, and displays the result. The DICT protocol is defined in RFC 2229 and is a protocol which allows a client to query a dictionary server for definitions from a set of natural language dictionary databases. distcc-cve2004-2687 Detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. The vulnerability was disclosed in 2002, but is still present in modern implementation due to poor configuration of the service. dns-blacklistChecks target IP addresses against multiple DNS anti-spam and open proxy blacklists and returns a list of services for which an IP has b een flagged. Checks may be limited by service category (eg: SPAM, PROXY) or to a specific service name. dns-brute Attempts to enumerate DNS hostnames by brute force guessing of common subdomains. dns-cache-snoop Performs DNS cache snooping against a DNS server. dns-check-zone Checks DNS zone configuration against best practices, including RFC 1912. The configuration checks are divided into categories which each have a number of different tests. dns-client-subnet-scanPerforms a domain lookup using the edns-client-subnet option which allows clients to specify the subnet that queries supposedly originate from. The script uses this option to supply a number of geographically distributed locations in an attempt to enumerate as many different address records as possible. The script also supports requests using a given subnet. dns-fuzz Launches a DNS fuzzing attack against DNS servers. dns-ip6-arpa-scan Performs a quick reverse DNS lookup of an IPv6 network using a technique which analyzes DNS server response codes to dramatically reduce the number of queries needed to enumerate large networks. ns-nsec-enum Enumerates DNS names using the DNSSEC NSEC-walking technique. dns-nsec3-enum Tries to enumerate domain names from the DNS server that supports DNSSEC NSEC3 records. dns-nsid Retrieves information from a DNS nameserver by requesting its nameserver ID (nsid) and asking for its id. server and version. bind values. This script performs the same queries as the following two dig commands: – dig CH TXT bind. version @target – dig +nsid CH TXT id. server @target dns-random-srcport Checks a DNS server for the predictable-port recursion vulnerability.Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447). dns-random-txid Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447). dns-recursion Checks if a DNS server allows queries for third-party names. It is expected that recursion will be enabled on your own internal nameservers. dns-service-discovery Attempts to discover target hosts' services using the DNS Service Discovery protocol. dns-srv-enum Enumerates various common service (SRV) records for a given domain name.The service records contain the hostname, port and priority of servers for a given service. The following services are enumerated by the script: – Active Directory Global Catalog – Exchange Autodiscovery – Kerberos KDC Service – Kerberos Passwd Change Service – LDAP Servers – SIP Servers – XMPP S2S – XMPP C2S dns-update Attempts to perform a dynamic DNS update without authentication. dns-zeustracker Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse. ch. Please review the following information before you start to scan: https://zeustracker. abuse. ch/ztdns. php dns-zone-t ransferRequests a zone transfer (AXFR) from a DNS server. domcon-brute Performs brute force password auditing against the Lotus Domino Console. domcon-cmd Runs a console command on the Lotus Domino Console using the given authentication credentials (see also: domcon-brute) domino-enum-users Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability. dpap-brute Performs brute force password auditing against an iPhoto Library. drda-brute Performs password guessing against databases supporting the IBM DB2 protocol such as Informix, DB2 and Derby drda-infoAttempts to extract information from database servers supporting the DRDA protocol. The script sends a DRDA EXCSAT (exchange server attributes) command packet and parses the response. duplicates Attempts to discover multihomed systems by analysing and comparing information collected by other scripts. The information analyzed currently includes, SSL certificates, SSH host keys, MAC addresses, and Netbios server names. eap-info Enumerates the authentication methods offered by an EAP (Extensible Authentication Protocol) authenticator for a given identity or for the anonymous identity if no argument is passed. pmd-info Connects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers. eppc-enum-processes Attempts to enumerate process info over the Apple Remote Event protocol. When accessing an application over the Apple Remote Event protocol the service responds with the uid and pid of the application, if it is running, prior to requesting authentication. finger Attempts to retrieve a list of usernames using the finger service. firewalk Tries to discover firewall rules using an IP TTL expiration technique known as firewalking. firewall-bypassDetects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip. flume-master-info Retrieves informat ion from Flume master HTTP pages. ftp-anon Checks if an FTP server allows anonymous logins. ftp-bounce Checks to see if an FTP server allows port scanning using the FTP bounce method. ftp-brute Performs brute force password auditing against FTP servers. ftp-libopie Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow), a vulnerability discovered by Maksymilian Arciemowicz and Adam â€Å"pi3† Zabrocki. See the advisory at http://nmap. rg/r/fbsd-sa-opie. Be advised that, if launched against a vulnerable host, this script will crash the FTPd. ftp-proftpd-backdoor Tests for the presence of the ProFTPD 1. 3. 3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor. cmd script argument. ftp-vsftpd-backdoor Tests for the presence of the vsFTPd 2. 3. 4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the ba ckdoor using the innocuous id command by default, but that can be changed with the exploit. md or ftp-vsftpd-backdoor. cmd script arguments. ftp-vuln-cve2010-4221 Checks for a stack-based buffer overflow in the ProFTPD server, version between 1. 3. 2rc3 and 1. 3. 3b. By sending a large number of TELNET_IAC escape sequence, the proftpd process miscalculates the buffer length, and a remote attacker will be able to corrupt the stack and execute arbitrary code within the context of the proftpd process (CVE-2010-4221). Authentication is not required to exploit this vulnerability. ganglia-info Retrieves system information (OS version, available memory, etc. from a listening Ganglia Monitoring Daemon or Ganglia Meta Daemon. giop-info Queries a CORBA naming server for a list of objects. gkrellm-info Queries a GKRellM service for monitoring information. A single round of collection is made, showing a snapshot of information at the time of the request. gopher-ls Lists files and directories at the root of a gopher service. gpsd-info Retrieves GPS time, coordinates and speed from the GPSD network daemon. hadoop-datanode-info Discovers information such as log directories from an Apache Hadoop DataNode HTTP status page. hadoop-jobtracker-infoRetrieves information from an Apache Hadoop JobTracker HTTP status page. hadoop-namenode-info Retrieves information from an Apache Hadoop NameNode HTTP status page. hadoop-secondary-namenode-info Retrieves information from an Apache Hadoop secondary NameNode HTTP status page. hadoop-tasktracker-info Retrieves information from an Apache Hadoop TaskTracker HTTP status page. hbase-master-info Retrieves information from an Apache HBase (Hadoop database) master HTTP status page. hbase-region-info Retrieves information from an Apache HBase (Hadoop database) region server HTTP status page. hddtemp-infoReads hard disk information (such as brand, model, and sometimes temperature) from a listening hddtemp service. hostmap-bfk Discovers hostnames that resolve to the target's IP address by querying the online database at http://www. bfk. de/bfk_dnslogger. html. hostmap-robtex Discovers hostnames that resolve to the target's IP address by querying the online Robtex service at http://ip. robtex. com/. http-affiliate-id Grabs affiliate network IDs (e. g. Google AdSense or Analytics, Amazon Associates, etc. ) from a web page. These can be used to identify pages with the same owner. http-apache-negotiationChecks if the target http server has mod_negotiation enabled. This feature can be leveraged to find hidden resources and spider a web site using fewer requests. http-auth Retrieves the authentication scheme and realm of a web service that requires authentication. http-auth-finder Spiders a web site to find web pages requiring form-based or HTTP-based authentication. The results are returned in a table with each url and the detected method. http-awstatstotals-exec Exploits a remote code execution vulnerability in Awstats Totals 1. 0 up to 1. 14 and possibly other products based on it (CVE: 2008-3922). ttp-axis2-dir-traversal Exploits a directory traversal vulnerability in Apache Axis2 version 1. 4. 1 by sending a specially crafted request to the parameter xsd (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service ‘/conf/axis2. xml' using the path ‘/axis2/services/' to return the username and password of the admin account. http-backup-finder Spiders a website and attempts to identify backup copies of discovered files. It does so by requesting a number of different combinations of the filename (eg. index. bak, index. html~, copy of index. html). http-barracuda-dir-traversalAttempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at http://seclists. org/fulldisclosure/2010/Oct/119. http-brute Performs brute force password auditing against http basic authenticatio n. http-cakephp-version Obtains the CakePHP version of a web application built with the CakePHP framework by fingerprinting default files shipped with the CakePHP framework. http-chrono Measures the time a website takes to deliver a web page and returns the maximum, minimum and average time it took to fetch a page. ttp-config-backup Checks for backups and swap files of common content management system and web server configuration files. http-cors Tests an http server for Cross-Origin Resource Sharing (CORS), a way for domains to explicitly opt in to having certain methods invoked by another domain. http-date Gets the date from HTTP-like services. Also prints how much the date differs from local time. Local time is the time the HTTP request was sent, so the difference includes at least the duration of one RTT. http-default-accounts Tests for access with default credentials used by a variety of web applications and devices. ttp-domino-enum-passwords Attempts to enumerate the hashed Do mino Internet Passwords that are (by default) accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document. http-drupal-enum-users Enumerates Drupal users by exploiting a an information disclosure vulnerability in Views, Drupal's most popular module. http-drupal-modules Enumerates the installed Drupal modules by using a list of known modules. http-email-harvest Spiders a web site and collects e-mail addresses. http-enum Enumerates directories used by popular web applications and servers. ttp-exif-spider Spiders a site's images looking for interesting exif data embedded in . jpg files. Displays the make and model of the camera, the date the photo was taken, and the embedded geotag information. http-favicon Gets the favicon (â€Å"favorites icon†) from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed. http-form-brute Performs brute force password auditing against http form-based authentication. http-form-fuzzerPerforms a simple form fuzzing against forms found on websites. Tries strings and numbers of increasing length and attempts to determine if the fuzzing was successful. http-frontpage-login Checks whether target machines are vulnerable to anonymous Frontpage login. http-generator Displays the contents of the â€Å"generator† meta tag of a web page (default: /) if there is one. http-git Checks for a Git repository found in a website's document root /. git/) and retrieves as much repo information as possible, including language/framework, remotes, last commit message, and repository description. http-gitweb-projects-enumRetrieves a list of Git projects, owners and descriptions from a gitweb (web interface to the Git revision control system). http-google-malware Checks if hosts are on Google's blacklist of suspected malware and phishing serve rs. These lists are constantly updated and are part of Google's Safe Browsing service. http-grep Spiders a website and attempts to match all pages and urls against a given string. Matches are counted and grouped per url under which they were discovered. http-headers Performs a HEAD request for the root folder (â€Å"/†) of a web server and displays the HTTP headers returned. http-huawei-hg5xx-vulnDetects Huawei modems models HG530x, HG520x, HG510x (and possibly others†¦ ) vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values. http-icloud-findmyiphone Retrieves the locations of all â€Å"Find my iPhone† enabled iOS devices by querying the MobileMe web service (authentication required). http-icloud-sendmsg Sends a message to a iOS device through the Apple MobileMe web service. The device has to be registered with an Apple ID using the Find My Iphone application. h ttp-iis-webdav-vuln Checks for a vulnerability in IIS 5. /6. 0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, http://nmap. org/r/ms09-020. http-joomla-brute Performs brute force password auditing against Joomla web CMS installations. http-litespeed-sourcecode-download Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4. 0. x before 4. 0. 15 to retrieve the target script's source code by sending a HTTP request with a null byte followed by a . txt file extension (CVE-2010-2333). ttp-majordomo2-dir-traversal Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049). http-malware-host Looks for signature of known server compromises. http-method-tamper Attempts to bypass password protected resources (HTTP 401 status) by performing HTTP verb tampering. If an ar ray of paths to check is not set, it will crawl the web server and perform the check against any password protected resource that it finds. http-methods Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods.Optionally tests each method individually to see if they are subject to e. g. IP address restrictions. http-open-proxy Checks if an HTTP proxy is open. http-open-redirect Spiders a website and attempts to identify open redirects. Open redirects are handlers which commonly take a URL as a parameter and responds with a http redirect (3XX) to the target. Risks of open redirects are described at http://cwe. mitre. org/data/definitions/601. html. http-passwd Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or oot. ini. http-php-version Attempts to retrieve the PHP version from a web server.PHP has a number of magic queries that return images or text that can vary with the PHP version. This script uses the following queries: /? =PHPE9568F36-D428-11d2-A769-00AA001ACF42: gets a GIF logo, which changes on April Fool's Day. /? =PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: gets an HTML credits page. http-phpself-xss Crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable $_SERVER[â€Å"PHP_SELF†]. http-proxy-brute Performs brute force password guessing against HTTP proxy servers. http-put Uploads a local file to a remote web server using the HTTP PUT method.You must specify the filename and URL path with NSE arguments. http-qnap-nas-info Attempts to retrieve the model, firmware version, and enabled services from a QNAP Network Attached Storage (NAS) device. http-rfi-spider Crawls webservers in search of RFI (remote file inclusion) vulnerabilities. It tests every form field it finds and every parameter of a URL containing a query. http-robots. txt Checks for disallowed entries in /robots. txt on a web server. http-robtex-reverse-ip Obtains up to 100 forward DNS names for a target IP address by querying the Robtex service (http://www. robtex. com/ip/). http-robtex-shared-nsFinds up to 100 domain names which use the same name server as the target by querying the Robtex service at http://www. robtex. com/dns/. http-sitemap-generator Spiders a web server and displays its directory structure along with number and types of files in each folder. Note that files listed as having an ‘Other' extension are ones that have no extension or that are a root document. http-slowloris Tests a web server for vulnerability to the Slowloris DoS attack by launching a Slowloris attack. http-slowloris-check Tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack. ttp-sql-injection Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. It also extracts forms from found websites and tries to identify field s that are vulnerable. http-title Shows the title of the default page of a web server. http-tplink-dir-traversal Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication. http-trace Sends an HTTP TRACE request and shows if the method TRACE is enabled.If debug is enabled, it returns the header fields that were modified in the response. http-traceroute Exploits the Max-Forwards HTTP header to detect the presence of reverse proxies. http-unsafe-output-escaping Spiders a website and attempts to identify output escaping problems where content is reflected back to the user. This script locates all parameters, ? x=foo&y=bar and checks if the values are reflected on the page. If they are indeed reflected, the script will try to insert ghz>hzx†zxc'xcv and check which (if any) characters were reflected back onto the page witho ut proper html escaping.This is an indication of potential XSS vulnerability. http-userdir-enum Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled. http-vhosts Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames. http-virustotal Checks whether a file has been determined as malware by Virustotal. Virustotal is a service that provides the capability to scan a file or check a checksum against a number of the major antivirus vendors.The script uses the public API which requires a valid API key and has a limit on 4 queries per minute. A key can be acquired by registering as a user on the virustotal web page: http://www. virustotal. com http-vlcstreamer-ls Connects to a VLC Streamer helper service and lists directory contents. The VLC Streamer helper service is used by the iOS VLC Streamer application to enable streaming of multimedia content from the remote server to the device. http-vmware-path-vuln Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733). http-vuln-cve2009-3960Exploits cve-2009-3960 also known as Adobe XML External Entity Injection. http-vuln-cve2010-0738 Tests whether a JBoss target is vulnerable to jmx console authentication bypass (CVE-2010-0738). http-vuln-cve2010-2861 Executes a directory traversal attack against a ColdFusion server and tries to grab the password hash for the administrator user. It then uses the salt value (hidden in the web page) to create the SHA1 HMAC hash that the web server needs for authentication as admin. You can pass this value to the ColdFusion server as the admin without cracking the password hash. ttp-vuln-cve2011-3192 Detects a denial of service vulnerability in the way the Apache web server handles requests for multiple overlapping/simple ranges of a page. http-vuln-cve2011-3368 Tests for the CVE-2011-3368 (Reverse Proxy Bypass) vulnerability in Apache HT TP server's reverse proxy mode. The script will run 3 tests: o the loopback test, with 3 payloads to handle different rewrite rules o the internal hosts test. According to Contextis, we expect a delay before a server error. o The external website test. This does not mean that you can reach a LAN ip, but this is a relevant issue anyway. ttp-vuln-cve2012-1823 Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This critical vulnerability allows attackers to retrieve source code and execute code remotely. http-waf-detect Attempts to determine whether a web server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or WAF (Web Application Firewall) by probing the web server with malicious payloads and detecting changes in the response code and body. http-waf-fingerprint Tries to detect the presence of a web application firewall and its type and version. http-wordpress-brute erforms brute force password auditing against WordPress CMS/blo g installations. http-wordpress-enum Enumerates usernames in WordPress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2. 6, 3. 1, 3. 1. 1, 3. 1. 3 and 3. 2-beta2 and possibly others. http-wordpress-plugins Tries to obtain a list of installed WordPress plugins by brute force testing for known plugins. iax2-brute Performs brute force password auditing against the Asterisk IAX2 protocol. Guessing fails when a large number of attempts is made due to the maxcallnumber limit (default 2048).In case your getting â€Å"ERROR: Too many retries, aborted †¦ † after a while, this is most likely what's happening. In order to avoid this problem try: – reducing the size of your dictionary – use the brute delay option to introduce a delay between guesses – split the guessing up in chunks and wait for a while between them iax2-version Detects the UDP IAX2 service. icap-info Tests a list of known ICAP service names and prints information about any it detects. The Internet Content Adaptation Protocol (ICAP) is used to extend transparent proxy servers and is generally used for content filtering and antivirus scanning. ke-version Get information from an IKE service. Tests the service with both Main and Aggressive Mode. Sends multiple transforms in a single request, so currently, only four packets are sent to the host. imap-brute Performs brute force password auditing against IMAP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication. imap-capabilities Retrieves IMAP email server capabilities. informix-brute Performs brute force password auditing against IBM Informix Dynamic Server. informix-query Runs a query against IBM Informix Dynamic Server using the given authentication credentials (see also: informix-brute). nformix-tables Retrieves a list of tables and column definitions for each database on an Informix server. ip-forwarding Detects whether the remote device has ip fo rwarding or â€Å"Internet connection sharing† enabled, by sending an ICMP echo request to a given target using the scanned host as default gateway. ip-geolocation-geobytes Tries to identify the physical location of an IP address using the Geobytes geolocation web service (http://www. geobytes. com/iplocator. htm). The limit of lookups using this service is 20 requests per hour. Once the limit is reached, an nmap. registry[â€Å"ip-geolocation-geobytes†]. blocked oolean is set so no further requests are made during a scan. ip-geolocation-geoplugin Tries to identify the physical location of an IP address using the Geoplugin geolocation web service (http://www. geoplugin. com/). There is no limit on lookups using this service. ip-geolocation-ipinfodb Tries to identify the physical location of an IP address using the IPInfoDB geolocation web service (http://ipinfodb. com/ip_location_api. php). ip-geolocation-maxmind Tries to identify the physical location of an IP address using a Geolocation Maxmind database file (available from http://www. maxmind. com/app/ip-location).This script supports queries using all Maxmind databases that are supported by their API including the commercial ones. ipidseq Classifies a host's IP ID sequence (test for susceptibility to idle scan). ipv6-node-info Obtains hostnames, IPv4 and IPv6 addresses through IPv6 Node Information Queries. ipv6-ra-flood Generates a flood of Router Advertisements (RA) with random source MAC addresses and IPv6 prefixes. Computers, which have stateless autoconfiguration enabled by default (every major OS), will start to compute IPv6 suffix and update their routing table to reflect the accepted announcement.This will cause 100% CPU usage on Windows and platforms, preventing to process other application requests. irc-botnet-channels Checks an IRC server for channels that are commonly used by malicious botnets. irc-brute Performs brute force password auditing against IRC (Internet Relay Chat) serv ers. irc-info Gathers information from an IRC server. irc-sasl-brute Performs brute force password auditing against IRC (Internet Relay Chat) servers supporting SASL authentication. irc-unrealircd-backdoor Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond. scsi-brute Performs brute force password auditing against iSCSI targets. iscsi-info Collects and displays information from remote iSCSI targets. isns-info Lists portals and iSCSI nodes registered with the Internet Storage Name Service (iSNS). jdwp-exec Attempts to exploit java's remote debugging port. When remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script abuses this to inject and execute a Java class file that executes the supplied shell command and returns its output. jdwp-info Attempts to exploit java's remote debugging port.When remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script injects and execute a Java class file that returns remote system information. jdwp-inject Attempts to exploit java's remote debugging port. When remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script allows injection of arbitrary class files. jdwp-version Detects the Java Debug Wire Protocol. This protocol is used by Java programs to be debugged via the network.It should not be open to the public Internet, as it does not provide any security against malicious attackers who can inject their own bytecode into the debugged process. krb5-enum-users Discovers valid usernames by brute force querying likely usernames against a Kerberos service. When an invalid username is requested the server will responde using the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, allowing us to determine that the user name was invalid. Valid user names will illicit either th e TGT in a AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, signaling that the user is required to perform pre authentication. dap-brute Attempts to brute-force LDAP authentication. By default it uses the built-in username and password lists. In order to use your own lists use the userdb and passdb script arguments. ldap-novell-getpass Universal Password enables advanced password policies, including extended characters in passwords, synchronization of passwords from eDirectory to other systems, and a single password for all access to eDirectory. ldap-rootdse Retrieves the LDAP root DSA-specific Entry (DSE) ldap-search Attempts to perform an LDAP search and returns all matches. lexmark-config Retrieves configuration information from a Lexmark S300-S400 printer. lmnr-resolve Resolves a hostname by using the LLMNR (Link-Local Multicast Name Resolution) protocol. lltd-discovery Uses the Microsoft LLTD protocol to discover hosts on a local network. maxdb-info Retrieves version and database information from a SAP Max DB database. mcafee-epo-agent Check if ePO agent is running on port 8081 or port identified as ePO Agent port. membase-brute Performs brute force password auditing against Couchbase Membase servers. membase-http-info Retrieves information (hostname, OS, uptime, etc. ) from the CouchBase Web Administration port. The information retrieved by this script does not require any credentials. emcached-info Retrieves information (including system architecture, process ID, and server time) from distributed memory object caching system memcached. metasploit-info Gathers info from the Metasploit rpc service. It requires a valid login pair. After authentication it tries to determine Metasploit version and deduce the OS type. Then it creates a new console and executes few commands to get additional info. References: * http://wiki. msgpack. org/display/MSGPACK/Format+specification * https://community. rapid7. com/docs/DOC-1516 Metasploit RPC API Guide metasp loit-msgrpc-brutePerforms brute force username and password auditing against Metasploit msgrpc interface. metasploit-xmlrpc-brute Performs brute force password auditing against a Metasploit RPC server using the XMLRPC protocol. mmouse-brute Performs brute force password auditing against the RPA Tech Mobile Mouse servers. mmouse-exec Connects to an RPA Tech Mobile Mouse server, starts an application and sends a sequence of keys to it. Any application that the user has access to can be started and the key sequence is sent to the application after it has been started. modbus-discover Enumerates SCADA Modbus slave ids (sids) and collects their device information. ongodb-brute Performs brute force password auditing against the MongoDB database. mongodb-databases Attempts to get a list of tables from a MongoDB database. mongodb-info Attempts to get build info and server status from a MongoDB database. mrinfo Queries targets for multicast routing information. ms-sql-brute Performs password guessing against Microsoft SQL Server (ms-sql). Works best in conjunction with the broadcast-ms-sql-discover script. ms-sql-config Queries Microsoft SQL Server (ms-sql) instances for a list of databases, linked servers, and configuration settings. ms-sql-dacQueries the Microsoft SQL Browser service for the DAC (Dedicated Admin Connection) port of a given (or all) SQL Server instance. The DAC port is used to connect to the database instance when normal connection attempts fail, for example, when server is hanging, out of memory or in other bad states. In addition, the DAC port provides an admin with access to system objects otherwise not accessible over normal connections. ms-sql-dump-hashes Dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John-the-ripper. In order to do so the user needs to have the appropriate DB privileges. s-sql-empty-password Attempts to authenticate to Microsoft SQL Servers using an empty password for the sysad min (sa) account. ms-sql-hasdbaccess Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has access to. ms-sql-info Attempts to determine configuration and version information for Microsoft SQL Server instances. ms-sql-query Runs a query against Microsoft SQL Server (ms-sql). ms-sql-tables Queries Microsoft SQL Server (ms-sql) for a list of tables per database. ms-sql-xp-cmdshell Attempts to run a command using the command shell of Microsoft SQL Server (ms-sql). msrpc-enumQueries an MSRPC endpoint mapper for a list of mapped services and displays the gathered information. mtrace Queries for the multicast path from a source to a destination host. murmur-version Detects the Murmur service (server for the Mumble voice communication client) version 1. 2. 0 and above. mysql-audit Audits MySQL database server security configuration against parts of the CIS MySQL v1. 0. 2 benchmark (the engine can be used for other MySQL audits by creating appropriate audit files ). mysql-brute Performs password guessing against MySQL. mysql-databases Attempts to list all databases on a MySQL server. mysql-dump-hashesDumps the password hashes from an MySQL server in a format suitable for cracking by tools such as John the Ripper. Appropriate DB privileges (root) are required. mysql-empty-password Checks for MySQL servers with an empty password for root or anonymous. mysql-enum Performs valid user enumeration against MySQL server. mysql-info Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt. mysql-query Runs a query against a MySQL database and returns the results as a table. mysql-users Attempts to list all users on a MySQL server. mysql-variablesAttempts to show all variables on a MySQL server. mysql-vuln-cve2012-2122 nat-pmp-info Get's the routers WAN IP using the NAT Port Mapping Protocol (NAT-PMP). The NAT-PMP protocol is supported by a broad range of routers including: – Apple AirPort Express – Apple AirPort Extreme – Apple Time Capsule – DD-WRT – OpenWrt v8. 09 or higher, with MiniUPnP daemon – pfSense v2. 0 – Tarifa (firmware) (Linksys WRT54G/GL/GS) – Tomato Firmware v1. 24 or higher. (Linksys WRT54G/GL/GS and many more) – Peplink Balance nat-pmp-mapport Maps a WAN port on the router to a local port on the client using the NAT Port Mapping Protocol (NAT-PMP).It supports the following operations: o map – maps a new external port on the router to an internal port of the requesting IP o unmap – unmaps a previously mapped port for the requesting IP o unmapall – unmaps all previously mapped ports for the requesting IP nbstat Attempts to retrieve the target's NetBIOS names and MAC address. ncp-enum-users Retrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service. ncp-serverinfo Retrieves eDirectory server information (OS ve rsion, server name, mounts, etc. ) from the Novell NetWare Core Protocol (NCP) service. ndmp-fs-infoLists remote file systems by querying the remote device using the Network Data Management Protocol (ndmp). NDMP is a protocol intended to transport data between a NAS device and the backup device, removing the need for the data to pass through the backup server. The following products are known to support the protocol: Amanda Bacula CA Arcserve CommVault Simpana EMC Networker Hitachi Data Systems IBM Tivoli Quest Software Netvault Backup Symantec Netbackup Symantec Backup Exec ndmp-version Retrieves version information from the remote Network Data Management Protocol (ndmp) service.NDMP is a protocol intended to transport data between a NAS device and the backup device, removing the need for the data to pass through the backup server. The following products are known to support the protocol: Amanda Bacula CA Arcserve CommVault Simpana EMC Networker Hitachi Data Systems IBM Tivoli Ques t Software Netvault Backup Symantec Netbackup Symantec Backup Exec nessus-brute Performs brute force password auditing against a Nessus vulnerability scanning daemon using the NTP 1. 2 protocol. nessus-xmlrpc-brute Performs brute force password auditing against a Nessus vulnerability scanning daemon using the XMLRPC protocol. etbus-auth-bypass Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password. netbus-brute Performs brute force password auditing against the Netbus backdoor (â€Å"remote administration†) service. netbus-info Opens a connection to a NetBus server and extracts information about the host and the NetBus service itself. netbus-version Extends version detection to detect NetBuster, a honeypot service that mimes NetBus. nexpose-brute Performs brute force password auditing against a Nexpose vulnerability scanner using the API 1. 1.By default it only tries three guesses per username to avoid target account lockout. nfs-ls Attempts to get useful information about files from NFS exports. The output is intended to resemble the output of ls. nfs-showmount Shows NFS exports, like the showmount -e command. nfs-statfs Retrieves disk space statistics and information from a remote NFS share. The output is intended to resemble the output of df. nping-brute Performs brute force password auditing against an Nping Echo service. nrpe-enum Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such as load averages, process counts, logged in user information, etc. tp-info Gets the time and configuration variables from an NTP server. We send two requests: a time request and a â€Å"read variables† (opcode 2) control message. Without verbosity, the script shows the time and the value of the version, processor, system, refid, and stratum variables. With verbosity, all variables are shown. ntp-monlist Obtains and prints an NTP server's monitor data. omp2- brute Performs brute force password auditing against the OpenVAS manager using OMPv2. omp2-enum-targets Attempts to retrieve the list of target systems and networks from an OpenVAS Manager server. openlookup-infoParses and displays the banner information of an OpenLookup (network key-value store) server. openvas-otp-brute Performs brute force password auditing against a OpenVAS vulnerability scanner daemon using the OTP 1. 0 protocol. oracle-brute Performs brute force password auditing against Oracle servers. oracle-brute-stealth Exploits the CVE-2012-3137 vulnerability, a weakness in Oracle's O5LOGIN authentication scheme. The vulnerability exists in Oracle 11g R1/R2 and allows linking the session key to a password hash. When initiating an authentication attempt as a valid user the server will respond with a session key and salt.Once received the script will disconnect the connection thereby not recording the login attempt. The session key and salt can then be used to brute force t he users password. oracle-enum-users Attempts to enumerate valid Oracle user names against unpatched Oracle 11g servers (this bug was fixed in Oracle's October 2009 Critical Patch Update). oracle-sid-brute Guesses Oracle instance/SID names against the TNS-listener. ovs-agent-version Detects the version of an Oracle Virtual Server Agent by fingerprinting responses to an HTTP GET request and an XML-RPC method call. p2p-conficker Checks if a host is infected with Conficker.C or higher, based on Conficker's peer to peer communication. path-mtu Performs simple Path MTU Discovery to target hosts. pcanywhere-brute Performs brute force password auditing against the pcAnywhere remote access protocol. pgsql-brute Performs password guessing against PostgreSQL. pjl-ready-message Retrieves or sets the ready message on printers that support the Printer Job Language. This includes most PostScript printers that listen on port 9100. Without an argument, displays the current ready message. With the p jl_ready_message script argument, displays the old ready message and changes it to the message given. op3-brute Tries to log into a POP3 account by guessing usernames and passwords. pop3-capabilities Retrieves POP3 email server capabilities. pptp-version Attempts to extract system information from the point-to-point tunneling protocol (PPTP) service. qscan Repeatedly probe open and/or closed ports on a host to obtain a series of round-trip time values for each port. These values are used to group collections of ports which are statistically different from other groups. Ports being in different groups (or â€Å"families†) may be due to network mechanisms such as port forwarding to machines behind a NAT. quake3-infoExtracts information from a Quake3 game server and other games which use the same protocol. quake3-master-getservers Queries Quake3-style master servers for game servers (many games other than Quake 3 use this same protocol). rdp-enum-encryption Determines which Secu rity layer and Encryption level is supported by the RDP service. It does so by cycling through all existing protocols and ciphers. When run in debug mode, the script also returns the protocols and ciphers that fail and any errors that were reported. rdp-vuln-ms12-020 Checks if a machine is vulnerable to MS12-020 RDP vulnerability. realvnc-auth-bypassChecks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369). redis-brute Performs brute force passwords auditing against a Redis key-value store. redis-info Retrieves information (such as version number and architecture) from a Redis key-value store. resolveall Resolves hostnames and adds every address (IPv4 or IPv6, depending on Nmap mode) to Nmap's target list. This differs from Nmap's normal host resolution process, which only scans the first address (A or AAAA record) returned for each host name. reverse-index Creates a reverse index at the end of scan output showing which hosts run a particular service. This is in addition to Nmap's normal output listing the services on each host. rexec-brute Performs brute force password auditing against the classic UNIX rexec (remote exec) service. riak-http-info Retrieves information (such as node name and architecture) from a Basho Riak distributed database using the HTTP protocol. rlogin-brute Performs brute force password auditing against the classic UNIX rlogin (remote login) service. This script must be run in privileged mode on UNIX because it must bind to a low source port number. rmi-dumpregistry Connects to a remote RMI registry and attempts to dump all of its objects. mi-vuln-classloader Tests whether Java rmiregistry allows class loading. The default configuration of rmiregistry allows loading classes from remote URLs, which can lead to remote code execution. The vendor (Oracle/Sun) classifies this as a design feature. rpc-grind Fingerprints the target RPC port to extract the target service, RPC number and version. rpcap-brute Perform s brute force password auditing against the WinPcap Remote Capture Daemon (rpcap). rpcap-info Connects to the rpcap service (provides remote sniffing capabilities through WinPcap) and retrieves interface information.The service can either be setup to require authentication or not and also supports IP restrictions. rpcinfo Connects to portmapper and fetches a list of all registered programs. It then prints out a table including (for each program) the RPC program number, supported version numbers, port number and protocol, and program name. rsync-brute Performs brute force password auditing against the rsync remote file syncing protocol. rsync-list-modules Lists modules available for rsync (remote file sync) synchronization. rtsp-methods Determines which methods are supported by the RTSP (real time streaming protocol) server. tsp-url-brute Attempts to enumerate RTSP media URLS by testing for common paths on devices such as surveillance IP cameras. samba-vuln-cve-2012-1182 Checks if ta rget machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182. servicetags Attempts to extract system information (OS, hardware, etc. ) from the Sun Service Tags service agent (UDP port 6481). sip-brute Performs brute force password auditing against Session Initiation Protocol (SIP – http://en. wikipedia. org/wiki/Session_Initiation_Protocol) accounts. This protocol is most commonly associated with VoIP sessions. ip-call-spoof Spoofs a call to a SIP phone and detects the action taken by the target (busy, declined, hung up, etc. ) sip-enum-users Enumerates a SIP server's valid extensions (users). sip-methods Enumerates a SIP Server's allowed methods (INVITE, OPTIONS, SUBSCRIBE, etc. ) skypev2-version Detects the Skype version 2 service. smb-brute Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. Every attempt will be made to get a valid list of users and to verify each username before actu ally using them.When a username is discovered, besides being printed, it is also saved in the Nmap registry so other Nmap scripts can use it. That means that if you're going to run smb-brute. nse, you should run other smb scripts you want. This checks passwords in a case-insensitive way, determining case after a password is found, for Windows versions before Vista. smb-check-vulns Checks for vulnerabilities: MS08-067, a Windows RPC vulnerability Conficker, an infection by the Conficker worm Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000 SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 75497) MS06-025, a Windows Ras RPC service vulnerability MS07-029, a Windows Dns Server RPC service vulnerability smb-enum-domains Attempts to enumerate domains on a system, along with their policies. This generally requires credentials, except against Windows 2000. In addition to the actual domain, the â€Å"Builtin† domain is generally displ ayed. Windows returns this in the list of domains, but its policies don't appear to be used anywhere. smb-enum-groups Obtains a list of groups from the remote Windows system, as well as a list of the group's users. This works similarly to enum. exe with the /G switch. smb-enum-processesPulls a list of processes from the remote server over SMB. This will determine all running processes, their process IDs, and their parent processes. It is done by querying the remote registry service, which is disabled by default on Vista; on all other Windows versions, it requires Administrator privileges. smb-enum-sessions Enumerates the users logged into a system either locally or through an SMB share. The local users can be logged on either physically on the machine, or through a terminal services session. Connections to a SMB share are, for example, people connected to fileshares or making RPC calls.Nmap's connection will also show up, and is generally identified by the one that connected â€Å" 0 seconds ago†. smb-enum-shares Attempts to list shares using the srvsvc. NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc. NetShareGetInfo. If access to those functions is denied, a list of common share names are checked. smb-enum-users Attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different techniques (both over MSRPC, which uses port 445 or 139; see smb. lua). The goal of this script is to iscover all user accounts that exist on a remote system. This can be helpful for administration, by seeing who has an account on a server, or for penetration testing or network footprinting, by determining which accounts exist on a system. smb-flood Exhausts a remote SMB server's connection limit by by opening as many connections as we can. Most implementations of SMB have a hard global limit of 11 connections for user accounts and 10 connections for anonymous. Once that limit is reached, f urther connections are denied. This script exploits that limit by taking up all the connections and holding them. smb-lsAttempts to retrieve useful information about files shared on SMB volumes. The output is intended to resemble the output of the UNIX ls command. smb-mbenum Queries information managed by the Windows Master Browser. smb-os-discovery Attempts to determine the operating system, computer name, domain, workgroup, and current time over the SMB protocol (ports 445 or 139). This is done by starting a session with the anonymous account (or with a proper user account, if one is given; it likely doesn't make a difference); in response to a session starting, the server will send back all this information. smb-print-text