NSE

With nearly 600 scripts at your fingertips, you can perform all sorts of DNS enumeration, brute-force attacks, OS fingerprinting and banner grabbing, vulnerability detection and exploitation, backdoor identification, malware discovery, and much more. All NSE scripts live in the /usr/share/nmap/scripts directory.

You can also write your own scripts in Lua.

Script Categories:

| Category | Description |
| --- | --- |
| auth | All sorts of authentication and user-privilege scripts |
| broadcast | Network discovery scripts that use broadcast requests for intel gathering |
| brute | Scripts that perform brute-force attacks to guess access credentials |
| default | The most popular Nmap scripts; this is the set run by -sC |
| discovery | Scripts related to network, service and host discovery |
| dos | Denial-of-service scripts used to test for and perform DoS conditions and floods |
| exploit | Scripts that exploit services vulnerable to specific CVEs |
| external | Scripts that rely on third-party services or data |
| fuzzer | Scripts that perform fuzzing attacks against apps, services or networks |
| intrusive | All the 'aggressive' scripts that cause a lot of network noise |
| malware | Malware detection and exploration scripts |
| safe | Safe, non-intrusive scripts that generate little noise |
| version | OS, service and software detection scripts |
| vuln | Vulnerability detection and exploitation scripts |

Search example:

Various ways to list/find NSE scripts without manually searching.

# ls -l /usr/share/nmap/scripts/ | grep smb

# ls -l /usr/share/nmap/scripts/smb*

# ls -l *vuln*        (run from inside /usr/share/nmap/scripts/)

# locate -r '\.nse$' | grep smb

The Nmap NSE directory also contains a file named script.db that serves as an index of every script and its categories. It can be grepped as well, for example to find all scripts belonging to a given category.

Get Script Help:

# nmap --script-help dns-zone-transfer

-sC starts the scripting engine with the default script set; --script lets you choose specific scripts or categories (including custom ones).

-A is the aggressive scan option: it implies -sC and runs the default scripts rather than only the safe ones.

Scan Examples

Aggressive NSE w/ ports:

# nmap -A -p22,11,139 -T4 10.10.10.10

Run all scripts of a category:

# nmap --script vuln 10.10.10.79

Load all scripts in the default and safe categories:

# nmap --script default,safe 10.10.10.10

Load every script except those in the intrusive category:

# nmap --script "not intrusive" 10.10.10.10

Load a single script. Note that the .nse extension is optional:

# nmap --script smb-os-discovery 10.10.10.10

Load the scripts in the default category, the banner script, and every .nse file in the directory /home/user/customscripts. '*' wildcards can also be used here:

# nmap --script default,banner,/home/user/customscripts 10.10.10.10

Load all scripts whose names start with http-, such as http-auth and http-open-proxy. The argument to --script has to be quoted to protect the wildcard from the shell:

# nmap --script "http-*" 10.10.10.10

More complicated script selection can be done with the and, or and not operators to build Boolean expressions. The operators have the same precedence as in Lua: not is the highest, followed by and, then or. Precedence can be altered with parentheses. Because expressions contain spaces, they must be quoted. The following loads scripts in the default, safe or intrusive categories, except those whose names start with http-:

# nmap --script "(default or safe or intrusive) and not http-*" 10.10.10.10
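As an added example (not part of these notes and not Nmap's own code), the Python below previews which scripts a --script expression would select by applying the precedence rules above to a constructed script.db sample written in the real file's layout. It is useful for checking how noisy or intrusive a selection is before running the scan; the matching rules are my approximation of Nmap's (a term matches a category or a script name, wildcards allowed, and a comma list behaves like or).

```python
import fnmatch
import re
# Constructed sample in the layout of /usr/share/nmap/scripts/script.db (not the real file).
SCRIPT_DB = """\
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-auth.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "http-open-proxy.nse", categories = { "default", "discovery", "external", "safe", } }
Entry { filename = "banner.nse", categories = { "discovery", "safe", } }
Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } }
"""

def parse_script_db(text):
    """Map each script name (without .nse) to its set of categories."""
    entry = r'filename = "([^"]+)\.nse".*?categories = \{([^}]*)\}'
    return {name: set(re.findall(r'"([^"]+)"', cats))
            for name, cats in re.findall(entry, text)}

def select_scripts(expr, db):
    """Names that `--script EXPR` would load: not > and > or, parentheses, wildcards, comma lists."""
    tokens = re.findall(r'\(|\)|[^\s()]+', expr.replace(",", " or "))
    pos = 0
    def take():  # consume and return the next token
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def binary(op, sub):  # left-associative chain: sub (op sub)*
        node = sub()
        while pos < len(tokens) and tokens[pos] == op:
            take()
            node = (op, node, sub())
        return node
    def unary():  # "not" binds tightest; parentheses restart at the "or" level
        tok = take()
        if tok == "not":
            return ("not", unary())
        if tok == "(":
            node = binary("or", lambda: binary("and", unary))
            take()  # closing parenthesis
            return node
        return ("term", tok)
    def matches(node, name, cats):
        kind = node[0]
        if kind == "term":  # a term is a category or a script-name pattern
            return node[1] in cats or fnmatch.fnmatchcase(name, node[1])
        if kind == "not":
            return not matches(node[1], name, cats)
        l, r = matches(node[1], name, cats), matches(node[2], name, cats)
        return (l and r) if kind == "and" else (l or r)
    tree = binary("or", lambda: binary("and", unary))
    return sorted(n for n, c in db.items() if matches(tree, n, c))
```

Swap SCRIPT_DB for the contents of the real script.db to preview a selection against your installed scripts.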

Now hop over to Services to start exploiting broken configs if NSE auto-pwns are not working.
