Duration: 1.5 hours (Estimated)
Welcome to the sixth episode of our comprehensive Nmap course! In this module, we'll explore the Nmap Scripting Engine (NSE) - a powerful framework that extends Nmap's capabilities far beyond basic scanning. You'll learn how to use pre-built scripts for advanced reconnaissance, vulnerability detection, and service enumeration.
The NSE transforms Nmap from a simple port scanner into a comprehensive security assessment platform. It's like upgrading from a magnifying glass to a complete forensic laboratory.
With over 600 built-in scripts, NSE can automate complex tasks, detect vulnerabilities, and extract detailed information from network services.
By the end of this module, you'll be able to leverage NSE scripts to perform advanced reconnaissance, detect vulnerabilities, and extract valuable information from network services - all within the familiar Nmap framework.
The Nmap Scripting Engine (NSE) is a powerful extension framework that allows users to write and share scripts to automate a wide variety of networking tasks. These scripts are written in the Lua programming language and are executed during Nmap scans.
NSE enables Nmap to:
The NSE first appeared in the Nmap 4.21ALPHA development releases and shipped in the stable 4.50 release in December 2007. It has since become one of Nmap's most powerful features, with hundreds of scripts in the standard distribution and more available from the community.
NSE scripts are organized into categories based on their functionality:
The categories defined by Nmap are auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version and vuln. A script can belong to several of them (dns-brute, for example, is both discovery and intrusive). The default category is the set that -sC (or -A) runs. Understanding these categories helps you select appropriate scripts for different scenarios and security requirements.
Let's start with basic NSE commands:
nmap -sC 192.168.1.1

This runs the default set of scripts (-sC is shorthand for --script=default), which are generally safe and provide useful information without being intrusive.

Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 20:00 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0023s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
| ssh-hostkey: 
|   3072 da:db:85:cc:5e:2d:d9:a2:52:f5:87:f2:8f:1e:c2:82 (RSA)
|   256 c1:8a:f5:82:96:e2:93:68:95:b7:a1:ce:a1:4b:77:19 (ECDSA)
|_  256 cf:c1:34:c2:2d:e1:32:b2:e5:e0:3d:f4:f8:64:59:c9 (ED25519)
53/tcp   open  domain
| dns-nsid: 
|_  bind.version: 9.16.1-Ubuntu
80/tcp   open  http
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
443/tcp  open  https
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=philocyber.com
| Subject Alternative Name: DNS:philocyber.com, DNS:www.philocyber.com
| Not valid before: 2025-01-14T00:00:00
|_Not valid after:  2026-01-14T23:59:59
8443/tcp open  https-alt

Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds
Notice how the scripts provide additional information about each service, such as SSH host keys, DNS server version, HTTP server details, and SSL certificate information.
nmap --script=discovery 192.168.1.1

This runs all scripts in the "discovery" category, which focus on discovering more information about the target. Note that the category is a mix: broadcast-dhcp-discover runs in the pre-scan phase before any host is touched, while dns-brute is also tagged intrusive. dns-brute needs a domain to enumerate, so against a bare IP target you supply one with --script-args dns-brute.domain=philocyber.com.

Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 20:05 EDT
Pre-scan script results:
| broadcast-dhcp-discover: 
|   Response 1 of 1: 
|     IP Offered: 192.168.1.100
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.1.1
|     IP Address Lease Time: 1 day, 0:00:00
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.1.1
|     Domain Name Server: 192.168.1.1
|_    Domain Name: home
Nmap scan report for 192.168.1.1
Host is up (0.0023s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
| ssh-hostkey: 
|   3072 da:db:85:cc:5e:2d:d9:a2:52:f5:87:f2:8f:1e:c2:82 (RSA)
|   256 c1:8a:f5:82:96:e2:93:68:95:b7:a1:ce:a1:4b:77:19 (ECDSA)
|_  256 cf:c1:34:c2:2d:e1:32:b2:e5:e0:3d:f4:f8:64:59:c9 (ED25519)
53/tcp   open  domain
| dns-nsid: 
|_  bind.version: 9.16.1-Ubuntu
80/tcp   open  http
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
443/tcp  open  https
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=philocyber.com
| Subject Alternative Name: DNS:philocyber.com, DNS:www.philocyber.com
| Not valid before: 2025-01-14T00:00:00
|_Not valid after:  2026-01-14T23:59:59
8443/tcp open  https-alt

Host script results:
| dns-brute: 
|   DNS Brute-force hostnames: 
|     mail.philocyber.com - 203.0.113.10
|     www.philocyber.com - 203.0.113.10
|     ftp.philocyber.com - 203.0.113.10
|_    admin.philocyber.com - 203.0.113.10

Nmap done: 1 IP address (1 host up) scanned in 8.35 seconds
nmap --script=http-title,http-headers 192.168.1.1 -p 80

This runs only the specified scripts against the target's HTTP port.

Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 20:10 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0023s latency).

PORT   STATE SERVICE
80/tcp open  http
|_http-title: Apache2 Ubuntu Default Page: It works
| http-headers: 
|   Date: Tue, 15 Apr 2025 00:10:15 GMT
|   Server: Apache/2.4.41 (Ubuntu)
|   Last-Modified: Thu, 10 Apr 2025 10:30:22 GMT
|   ETag: "2c39-61b63e5c46240"
|   Accept-Ranges: bytes
|   Content-Length: 11321
|   Vary: Accept-Encoding
|   Connection: close
|   Content-Type: text/html
|   
|_  (Request type: GET)

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
nmap --script="http-*" 192.168.1.1 -p 80This runs all scripts whose names start with "http-" against the target's HTTP port.
nmap --script="default,safe" 192.168.1.1This runs scripts from both the "default" and "safe" categories.
Many NSE scripts accept arguments to customize their behavior:

nmap --script=http-brute --script-args userdb=users.txt,passdb=passwords.txt 192.168.1.1

This runs the http-brute script with custom username and password lists. userdb and passdb are arguments of the shared unpwdb library rather than of http-brute itself, so the same two arguments work for every brute script (ssh-brute, ftp-brute, and so on). Arguments specific to one script are prefixed with its name, as in http-enum.basepath below.
To get information about a specific script (--script-help accepts the same selectors as --script, so --script-help="smb-*" or --script-help=vuln also work):

nmap --script-help=http-enum

Starting Nmap 7.94 ( https://nmap.org )

http-enum
Categories: discovery intrusive
https://nmap.org/nsedoc/scripts/http-enum.html
  Enumerates directories used by popular web applications and servers.

  This parses a fingerprint file that's similar in format to the Nikto Web application
  scanner. This script, however, takes it one step further by building in advanced
  pattern matching as well as having the ability to identify specific versions of Web
  applications.

  You can pass your own fingerprint file with the 'fingerprints' script argument.

  Script Arguments
    http-enum.basepath
      Base path to prepend to all requests. Default: /
    http-enum.displayall
      Set to true to display all paths, even if they return 404. Default: false
    http-enum.fingerprintfile
      Specify a different file to read fingerprints from.
    http-enum.category
      Set to a category (like 'wordpress') to only run fingerprints matching that category.
    slaxml.debug
      See the documentation for the slaxml library.
    http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent
      See the documentation for the http library.

  Example Usage
    nmap --script=http-enum <target>
    nmap --script=http-enum --script-args http-enum.basepath='pub/' <target>
When running complex scripts, you may need to adjust timing parameters:

nmap --script=vuln -T4 --max-hostgroup 1 --min-rate 100 192.168.1.1

This runs vulnerability detection scripts with aggressive timing settings. Keep in mind what each option controls: -T4 and --min-rate 100 speed up the port scan that precedes the scripts, and --max-hostgroup 1 only matters when the target is a range (it makes Nmap finish one host, scripts included, before moving on to the next). None of them bounds how long an individual script may run; that is --script-timeout, covered under troubleshooting below.
nmap --script=default -oA script_results 192.168.1.1

This saves the script results in all formats: script_results.nmap (normal), script_results.xml (XML) and script_results.gnmap (grepable). The XML file is the one to use for tooling, since it carries script output in structured form.
Let's explore some of the most useful script categories:
Gather information about the network and services.
nmap --script=discovery 192.168.1.0/24

Remember that discovery is not a subset of safe: dns-brute and http-enum, for instance, are tagged both discovery and intrusive. On production networks prefer --script="discovery and safe".

Useful scripts include:
Enhance Nmap's service detection capabilities. The version category is special: its scripts cannot be selected explicitly with --script (so --script=version does nothing useful); they run automatically whenever version detection is requested.

nmap -sV 192.168.1.1

Check for known security issues.

nmap --script=vuln 192.168.1.1

Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 20:20 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0023s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
443/tcp  open  https
8443/tcp open  https-alt

Nmap done: 1 IP address (1 host up) scanned in 30.42 seconds

Note the state LIKELY VULNERABLE. http-slowloris-check infers exposure from how the server treats a partial request; it does not carry out the attack, so treat the result as a lead to verify rather than a confirmed finding. The "Couldn't find any ..." lines are the scripts' way of reporting a clean run, not errors.
Popular scripts include:
Attempt to crack passwords.
nmap --script=brute 192.168.1.1

Common scripts include:
Note: Always ensure you have proper authorization before using brute force scripts, as they can trigger account lockouts and generate significant traffic.
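The XML that -oX and -oA produce is what you feed to tooling. As an added example (not part of this course and not Nmap code), the following Python script triages results from scans like the -sC and --script=vuln runs above: it flattens every per-port result, pulls out vulns-library findings whose state is a form of VULNERABLE (skipping NOT VULNERABLE and the free-text "Couldn't find ..." outputs), and flags ssl-cert results that have expired or expire soon. The embedded XML is constructed by hand to mirror those scans; the <script>/<table>/<elem> layout follows Nmap's XML output, but the exact nesting for each script is an assumption to check against a real -oX file. The host admin-legacy.local and the 8443 certificate are made up for the sample.

```python
"""Triage NSE results from Nmap XML output (nmap ... -oX scan.xml).

Added example for this course page; not Nmap code. SAMPLE_XML is constructed
to mirror the -sC and --script=vuln runs shown above. Element names follow
Nmap's XML output (<port>, <script>, <table>, <elem>), but the exact nesting of
each script's structured output is an assumption: check it against a real file.
"""
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC --script=vuln -oX scan.xml 192.168.1.1" version="7.94">
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/>
 <script id="ssh-hostkey" output="3072 da:db:85:cc:5e:2d:d9:a2:52:f5:87:f2:8f:1e:c2:82 (RSA)">
  <table><elem key="type">ssh-rsa</elem><elem key="bits">3072</elem></table></script></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
 <script id="http-title" output="Apache2 Ubuntu Default Page: It works"/>
 <script id="http-csrf" output="Couldn't find any CSRF vulnerabilities."/>
 <script id="http-slowloris-check" output="VULNERABLE: Slowloris DOS attack">
  <table key="CVE-2007-6750"><elem key="title">Slowloris DOS attack</elem>
   <elem key="state">LIKELY VULNERABLE</elem>
   <table key="ids"><elem>CVE:CVE-2007-6750</elem></table>
   <elem key="disclosure">2009-09-17</elem></table></script></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
 <script id="ssl-cert" output="Subject: commonName=philocyber.com">
  <table key="subject"><elem key="commonName">philocyber.com</elem></table>
  <table key="validity"><elem key="notBefore">2025-01-14T00:00:00</elem>
   <elem key="notAfter">2026-01-14T23:59:59</elem></table></script>
 <script id="ssl-heartbleed" output="NOT VULNERABLE">
  <table key="CVE-2014-0160"><elem key="title">The Heartbleed Bug</elem>
   <elem key="state">NOT VULNERABLE</elem></table></script></port>
<port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt"/>
 <script id="ssl-cert" output="Subject: commonName=admin-legacy.local">
  <table key="subject"><elem key="commonName">admin-legacy.local</elem></table>
  <table key="validity"><elem key="notBefore">2024-04-20T00:00:00</elem>
   <elem key="notAfter">2025-04-20T23:59:59</elem></table></script></port>
</ports></host></nmaprun>"""


def _open_ports(root):
    """Yield (host address, port number, <port> element) for every open port."""
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") == "open":
                yield addr, int(port.get("portid")), port


def script_results(xml_text):
    """Flatten every per-port NSE result into (host, port, script id, output)."""
    rows = []
    for addr, portid, port in _open_ports(ET.fromstring(xml_text)):
        for script in port.findall("script"):
            rows.append((addr, portid, script.get("id"), script.get("output", "").strip()))
    return rows


def vulnerable_findings(xml_text):
    """(host, port, script, vuln id, state) for vulns-library entries that need a look.

    States are VULNERABLE, LIKELY VULNERABLE, VULNERABLE (Exploitable), etc.
    NOT VULNERABLE entries (emitted when run with --script-args vulns.showall=1)
    and free-text outputs without a <table> are left out on purpose.
    """
    found = []
    for addr, portid, port in _open_ports(ET.fromstring(xml_text)):
        for script in port.findall("script"):
            for table in script.findall("table"):
                state = table.findtext("elem[@key='state']")
                if state and "VULNERABLE" in state and not state.startswith("NOT"):
                    found.append((addr, portid, script.get("id"), table.get("key"), state))
    return found


def certificates_expiring(xml_text, today, within_days=30):
    """(host, port, commonName, notAfter) for ssl-cert results expiring within the window.

    `today` is an ISO date string such as "2025-04-14"; already-expired certificates
    are included, since an expired cert is the more urgent finding.
    """
    deadline = datetime.strptime(today, "%Y-%m-%d") + timedelta(days=within_days)
    expiring = []
    for addr, portid, port in _open_ports(ET.fromstring(xml_text)):
        for script in port.findall("script[@id='ssl-cert']"):
            cn = script.findtext("table[@key='subject']/elem[@key='commonName']")
            not_after = script.findtext("table[@key='validity']/elem[@key='notAfter']")
            if not_after and datetime.strptime(not_after, "%Y-%m-%dT%H:%M:%S") <= deadline:
                expiring.append((addr, portid, cn, not_after))
    return expiring


if __name__ == "__main__":
    # Pass a real -oX file as the first argument; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for host, port, script, output in script_results(text):
        print(f"{host}:{port} {script}: {output}")
    for host, port, script, vuln_id, state in vulnerable_findings(text):
        print(f"[VERIFY] {host}:{port} {script} {vuln_id}: {state}")
    # The page's scan date is used here so the sample is reproducible; use the real date in practice.
    for host, port, cn, not_after in certificates_expiring(text, "2025-04-14"):
        print(f"[CERT] {host}:{port} {cn} expires {not_after}")
```

Run it as python3 triage.py script_results.xml. The VULNERABLE filter is deliberately narrow: it only trusts the structured state field that the vulns library writes, so a script that merely mentions a CVE in free text never lands on the verify list, and nothing on that list is a confirmed vulnerability until you have checked it by hand.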
Let's explore scripts for common services:
nmap --script="http-*" -p 80,443 192.168.1.1

Useful scripts:

nmap --script="mysql-*,ms-sql-*,mongodb-*" -p 1433,3306,27017 192.168.1.1

Useful scripts:

nmap --script="smtp-*,pop3-*,imap-*" -p 25,110,143,465,587,993,995 192.168.1.1

Useful scripts:

nmap --script="smb-*" -p 139,445 192.168.1.1

Useful scripts:
For comprehensive assessments, combine scripts into workflows:
nmap -p 80,443 --script="http-enum,http-headers,http-methods,http-title,http-robots.txt,http-vuln-*" 192.168.1.1

This workflow:

nmap -sV -p- --script="default,discovery" --script-timeout 2m 192.168.1.1

This workflow scans every TCP port, runs version detection (which also pulls in the version-category scripts, since those cannot be selected by name) and then the default and discovery scripts, with each script limited to two minutes. This workflow:

nmap -p 22,23,25,80,443,445,3389 --script="ssl-cert,ssh-auth-methods,telnet-encryption,smb-security-mode" 192.168.1.1

This workflow checks for:
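The workflows above select scripts by port number, which silently misses a service on a non-standard port. As an added example (not course material and not Nmap code), this Python helper reads the XML of a first-pass nmap -sV -oX run and builds one follow-up command per host whose --script list is chosen from the service Nmap actually identified, so a MySQL on 3307 or a TLS-wrapped web interface on 8443 gets the same scripts as one on the usual port. The service-to-script table is this example's own choice, not an Nmap feature; every script name in it ships with Nmap. The sample XML, its two hosts and the services on odd ports are constructed.

```python
"""Plan stage-2 NSE scripts from the services found by a stage-1 `nmap -sV -oX` run.

Added example for this course page; not Nmap code. SERVICE_SCRIPTS is this
example's own mapping (all script names are in the standard distribution), and
SAMPLE_XML is constructed. Nmap reports a TLS-wrapped service as name="http"
with tunnel="ssl", which is why ssl-cert is added from that attribute.
"""
import sys
import xml.etree.ElementTree as ET

# <service name="..."> values as Nmap reports them, mapped to follow-up scripts.
SERVICE_SCRIPTS = {
    "http":          ["http-title", "http-headers", "http-methods", "http-enum", "http-robots.txt"],
    "ssh":           ["ssh-hostkey", "ssh-auth-methods"],
    "telnet":        ["telnet-encryption"],
    "smtp":          ["smtp-commands"],
    "domain":        ["dns-nsid"],
    "microsoft-ds":  ["smb-security-mode", "smb-os-discovery"],
    "netbios-ssn":   ["smb-security-mode"],
    "mysql":         ["mysql-info"],
    "ms-sql-s":      ["ms-sql-info"],
    "mongodb":       ["mongodb-info"],
    "ms-wbt-server": ["rdp-enum-encryption"],
}
FALLBACK_SCRIPT = "banner"  # for services with no entry above: at least grab the banner

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX stage1.xml 192.168.1.0/24" version="7.94">
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
<port protocol="tcp" portid="53"><state state="open"/><service name="domain" product="ISC BIND"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.41"/></port>
<port protocol="tcp" portid="8443"><state state="open"/><service name="http" tunnel="ssl" product="Apache httpd"/></port>
<port protocol="tcp" portid="3307"><state state="open"/><service name="mysql" product="MySQL"/></port>
<port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
<port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port>
</ports></host></nmaprun>"""


def plan(xml_text):
    """Return {host: {"ports": [...], "scripts": [...]}} for every host with open ports."""
    plans = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        ports, scripts = [], set()
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports get no scripts
            ports.append(int(port.get("portid")))
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            scripts.update(SERVICE_SCRIPTS.get(name, [FALLBACK_SCRIPT]))
            if svc is not None and svc.get("tunnel") == "ssl":
                scripts.add("ssl-cert")
        if ports:
            plans[addr] = {"ports": sorted(ports), "scripts": sorted(scripts)}
    return plans


def command(addr, host_plan):
    """Build the stage-2 command for one host.

    Every open port goes into -p: each script's own portrule decides where it
    actually runs, so one pass per host is enough. -sV is repeated because the
    http library relies on version detection to know that 8443 needs TLS.
    """
    return "nmap -sV -p {} --script={} --script-timeout 2m -oX stage2_{}.xml {}".format(
        ",".join(str(p) for p in host_plan["ports"]),
        ",".join(host_plan["scripts"]),
        addr.replace(".", "_"),
        addr,
    )


if __name__ == "__main__":
    # Pass the stage-1 XML file as the first argument; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for addr, host_plan in plan(text).items():
        print(command(addr, host_plan))
```

Run it as python3 plan.py stage1.xml and paste or pipe the printed commands into the next stage. Extending SERVICE_SCRIPTS is the intended way to tune it; keep brute and dos scripts out of it so the generated commands stay within the same authorization as the stage-1 scan.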
Run the default scripts against a target and analyze the results:
nmap -sC 192.168.1.1 -oN default_scripts.txt

Questions to answer:
Perform detailed enumeration of specific services:
# Web server enumeration
nmap --script="http-enum,http-headers,http-methods" -p 80,443 192.168.1.1 -oN web_enum.txt
# SSH enumeration
nmap --script="ssh-hostkey,ssh-auth-methods" -p 22 192.168.1.1 -oN ssh_enum.txt
# Compare the information gathered

Create a table showing what information each script provided and how it might be useful for security assessment.
Perform a vulnerability scan on your target:
nmap --script=vuln 192.168.1.1 -oN vuln_scan.txt

Analyze the results:
Create a custom script workflow for a specific scenario:
# Example: Internal network assessment
nmap -p 21-25,80,139,445 --script="default,discovery,safe" 192.168.1.0/24 -oA internal_assessment

Note that "default,discovery,safe" selects any script in at least one of the three categories, so intrusive discovery scripts such as dns-brute and http-enum are included; if the run must stay non-intrusive, write it as --script="(default or discovery) and safe".

Document your workflow:
Problem: Scripts take too long or time out.
Solution:
# Adjust the per-script timeout
nmap --script=vuln --script-timeout 5m 192.168.1.1

Problem: Scripts report vulnerabilities that don't exist.
Solution: Many vuln scripts infer exposure from version strings or from how the service responds to a probe, so a VULNERABLE or LIKELY VULNERABLE state is a lead, not proof.

# Verify with other tools/manual testing
nmap --script=ssl-heartbleed ...
# Then verify with a dedicated tester

Problem: Scripts fail with errors.
Solution:

# Rebuild the script database (needed after adding or editing scripts)
nmap --script-updatedb
# Run with debugging output to see the script's own error messages
nmap --script=... -d ...

Problem: Scripts are too intrusive/noisy.
Solution:

# Use targeted/safe scripts
nmap --script="safe" ...
# Control timing: cap the packet rate and use a slower template. --min-rate only sets a floor on speed and makes a scan louder, not quieter.
nmap --max-rate 50 -T2 --max-retries 1 ...

A security team used NSE scripts to assess a web application:
nmap -sV -p 80,443 philocyber.com
nmap --script="http-enum,http-headers,http-methods" ...
nmap --script="http-vuln-*" ...

This identified outdated software, exposed interfaces, insecure methods, and info leakage, leading to specific remediation recommendations.
A network admin used NSE for a security audit:
nmap -sV 10.0.0.0/24
nmap --script="ssl-cert,ssh-auth-methods,smb-security-mode" ...
nmap --script="vuln" ...

This revealed expired certs, weak auth, insecure SMB, and known exploits, allowing prioritization of updates and configuration changes.
In the next episode, we'll explore:
1. What is the primary purpose of the Nmap Scripting Engine (NSE)?
2. Which Nmap option is used to run the default set of NSE scripts?
3. If you want to run all NSE scripts that are categorized as potentially dangerous or could disrupt services, which category would you target?
4. How can you provide specific parameters or configurations to an NSE script when running it with Nmap?
5. What is a common strategy for performing a comprehensive web application assessment using the Nmap Scripting Engine?