The Nmap Scripting Engine (NSE) is a powerful tool that allows users to automate scanning tasks, detect vulnerabilities, and gather additional information about a target. NSE uses Lua scripts to extend Nmap's capabilities, enabling more advanced network reconnaissance and security testing.
- Use the `-sC` option to run the default set of scripts for gathering basic information about the target, such as service version, OS, and security vulnerabilities:

  ```bash
  nmap -sC <target>
  ```

- Alternatively, use the `--script` option with a specific script, a category, or a script expression:

  ```bash
  nmap --script <script-name> <target>
  nmap --script <category> <target>
  nmap --script "<expression>" <target>
  ```

- Perform a comprehensive scan using multiple options like version detection, OS fingerprinting, and the default script set:

  ```bash
  nmap -v -Pn -sT -sV -sC -A -O -p- 192.168.1.208
  ```
NSE scripts are organized into various categories to help streamline the scanning process. Some common categories include:
| Category | Description |
|---|---|
| auth | Authentication bypass & brute-force attacks |
| broadcast | Network discovery scripts |
| brute | Brute-force attack scripts |
| discovery | Identifies hosts, services, and configurations |
| dos | Denial-of-service (DoS) testing |
| exploit | Known vulnerability exploitation |
| external | Uses external services (e.g., WHOIS, Shodan) |
| fuzzer | Sends unexpected data to test robustness |
| intrusive | May affect performance or trigger security alerts |
| malware | Detects malware-infected hosts |
| safe | No harmful impact on targets |
| version | Improves service version detection |
| vuln | Detects vulnerabilities on a target |
To list all available NSE scripts:

```bash
ls /usr/share/nmap/scripts/
```

To count the total number of scripts:

```bash
ls /usr/share/nmap/scripts/ | wc -l
```

Update the NSE script database (`script.db`, which records each script's file name and categories; run this after adding or removing scripts in the directory):

```bash
nmap --script-updatedb
```

To filter scripts based on specific terms:

```bash
ls /usr/share/nmap/scripts/ | grep smb
```

To find a specific script for a service (e.g., FTP):

```bash
grep ftp /usr/share/nmap/scripts/script.db
```

To search for scripts by category (the category names appear in each `script.db` entry):

```bash
grep brute /usr/share/nmap/scripts/script.db
```

The default script category runs a set of essential scripts that provide additional insights about open ports, services, and potential vulnerabilities:

```bash
nmap -v -Pn -sV -sT -A -O -p- --script=default 192.168.1.208
```

Key features of the default scripts:
- Detects common vulnerabilities
- Retrieves service versions
- Extracts banner information
- Performs light brute-force testing where applicable
You can use a specific script category to focus the scan on particular tasks.
- Discovery category:

  ```bash
  nmap -v -Pn -sT -sV -A -O -p- --script=discovery 192.168.1.208
  ```

- Authentication category (checks for authentication weaknesses):

  ```bash
  nmap -v -Pn -sT -sV -A -O -p- --script=auth 192.168.1.208
  ```

- Brute-force category (attempts brute-force attacks):

  ```bash
  nmap -v -Pn -sT -sV -A -O -p- --script=brute 192.168.1.208
  ```

- Exploit category (attempts known exploits):

  ```bash
  nmap -v -Pn -sT -sV -A -O -p- --script=exploit 192.168.1.208
  ```

- Malware category (checks for malware):

  ```bash
  nmap -v -Pn -sT -sV -A -O -p- --script=malware 192.168.1.208
  ```

- DoS category (checks for DoS vulnerabilities):

  ```bash
  nmap -v -Pn -sT -sV -A -O -p- --script=dos 192.168.1.208
  ```
NSE accepts script expressions that combine script names, categories, and wildcards with the Lua-style boolean operators `and`, `or`, and `not`. This gives flexibility when running scripts on multiple targets or filtering by keywords.

To run a specific script:

```bash
nmap --script "ftp-anon" 192.168.1.208
```

Run multiple scripts by separating them with commas:

```bash
nmap --script "ssh-brute,ftp-brute,smb-brute" 192.168.1.208
```

Use a wildcard (`*`) to run all scripts matching a pattern:

```bash
nmap --script "http-*" 192.168.1.208
```

Combine several patterns with `or` (script expressions support wildcards and boolean operators, not regular expressions):

```bash
nmap --script "smb-* or ftp-*" 192.168.1.208
```

Exclude certain scripts using `not`:

```bash
nmap --script "vuln and not http-shellshock" 192.168.1.208
```

Run a custom script:

```bash
nmap --script "/path/to/custom-script.nse" 192.168.1.208
```
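As an added example that is not part of the original page or of Nmap itself, here is the kind of custom Lua script the last command runs: a read-only check that reports which common security response headers an HTTP service sets. The file name `http-header-audit.nse`, the author string and the header list are assumptions; the `categories` field is what makes expressions such as `--script safe` or `--script "http-*"` select the script once it is placed in the scripts directory and `nmap --script-updatedb` has been run.

```lua
-- Assumed file name: http-header-audit.nse (example script, not shipped with Nmap)
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Reports which common security response headers an HTTP service does and
does not set on its root page. Read-only: sends a single GET request to /.
]]

author = "example author"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- Categories decide which --script expressions select this script once it
-- is in the scripts directory and script.db has been rebuilt: "safe",
-- "discovery" and the wildcard "http-*" all match it; "vuln" does not.
categories = {"safe", "discovery"}

-- Run only against ports that Nmap identified as HTTP/HTTPS services.
portrule = shortport.http

-- Headers to check (assumed list for this example). The http library stores
-- response header names in lower case, so the lookups below use that form.
local WANTED = {
  "strict-transport-security",
  "content-security-policy",
  "x-content-type-options",
  "x-frame-options",
}

action = function(host, port)
  local resp = http.get(host, port, "/")
  if not resp or not resp.status then
    return nil  -- no usable HTTP response; print nothing for this port
  end

  local out = stdnse.output_table()  -- keeps keys in insertion order
  out.status = resp.status
  local missing = {}
  for _, name in ipairs(WANTED) do
    if resp.header[name] then
      out[name] = resp.header[name]
    else
      missing[#missing + 1] = name
    end
  end
  out.missing = (#missing > 0) and missing or "none"
  return out
end
```

Run it directly by path, as in the command above, with `nmap -p 80,443 --script /path/to/http-header-audit.nse <target>`; no database update is needed when the script is given by path.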