> For the complete documentation index, see [llms.txt](https://www.hackbook.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.hackbook.io/reconnaissance/active-scanning/nmap/nse.md).

# NSE

With nearly [600 scripts](https://nmap.org/nsedoc/) at your fingertips; You’ll be able to perform any sort of DNS enumeration, brute force attack, OS fingerprinting and banner grabbing, vulnerability detection and exploitation, backdoor identification, malware discovery, and much more.\ <mark style="color:orange;">All NSE scripts can be found in the</mark> <mark style="color:orange;"></mark><mark style="color:orange;">**`/usr/share/nmap/scripts`**</mark> <mark style="color:orange;"></mark><mark style="color:orange;">directory.</mark>

{% hint style="info" %}
You can also make your own scripts in Lua
{% endhint %}

### Script Categories:

| Nmap Script Name                             | Description                                                                                                                                 |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| <mark style="color:orange;">auth</mark>      | All sorts of authentication and user privilege scripts                                                                                      |
| <mark style="color:orange;">broadcast</mark> | Network discovery scripts that use broadcast petitions for intel gathering                                                                  |
| <mark style="color:orange;">brute</mark>     | Set of scripts for performing brute force attacks to guess access credentials                                                               |
| <mark style="color:orange;">default</mark>   | The most popular Nmap scripts, using -sC by default                                                                                         |
| <mark style="color:orange;">discovery</mark> | Scripts related to network, service and host discovery                                                                                      |
| <mark style="color:orange;">dos</mark>       | Denial of service attack scripts used to test and perform DOS and floods                                                                    |
| <mark style="color:orange;">exploit</mark>   | Used to perform service exploitation on different CVEs                                                                                      |
| <mark style="color:orange;">external</mark>  | Scripts that rely on 3rd party services or data                                                                                             |
| <mark style="color:orange;">fuzzer</mark>    | Used to perform fussing attacks against apps, services or networks                                                                          |
| <mark style="color:orange;">intrusive</mark> | All the ‘aggressive’ scripts that cause a lot of network noise                                                                              |
| <mark style="color:orange;">malware</mark>   | Malware detections and exploration scripts                                                                                                  |
| <mark style="color:orange;">safe</mark>      | Safe and non-intrusive/noisy scripts                                                                                                        |
| <mark style="color:orange;">version</mark>   | OS, service and software detection scripts                                                                                                  |
| <mark style="color:orange;">vuln</mark>      | The [Nmap vuln](https://securitytrails.com/blog/nmap-vulnerability-scan) category includes vulnerability detection and exploitation scripts |

## Search example:

Various ways to list/find NSE scripts without manually searching.

`#`<mark style="color:green;">`ls -l /user/share/nmap/scripts/ |grep smb`</mark>

`#`` `<mark style="color:green;">`ls -l /usr/share/nmap/scripts/smb*`</mark>&#x20;

`#`<mark style="color:green;">`ls -l *vuln*`</mark>&#x20;

`#`<mark style="color:green;">`locate -r '\.nse$' | grep smb`</mark>&#x20;

The NMAP NSE dir also has a file named script.db that serves as an index of all of the scripts. This could also be grep'ed to look for scripts of certain categories for example.

### Get Script Help:&#xD;

`#`<mark style="color:green;">`nmap --script-help dns-zone-transfer`</mark>

<mark style="color:yellow;">-sC</mark> or <mark style="color:yellow;">--script</mark> (custom scripts) sC starts the scripting engine\ <mark style="color:yellow;">-A</mark> aggressive script checking using defaults rather than safe scripts. And implies <mark style="color:yellow;">-sC</mark>

## Scan Examples

#### Aggressive NSE w/ ports:&#xD;

`#`<mark style="color:green;">`nmap -A -p22,11,139 -T4 10.10.10.10`</mark>

**Run all scripts of a category:**\\

`#`<mark style="color:green;">`nmap --script vuln 10.10.10.79`</mark>

L**oads all scripts in the default and safe categories.**\
`#`<mark style="color:green;">`nmap --script default,safe 10.10.10.10`</mark>

L**oads every script except for those in the intrusive category.**\
`#`<mark style="color:green;">`nmap --script "not intrusive" 10.10.10.10`</mark>

**Loads single script. Note that the .nse extension is optional.**\
`#`<mark style="color:green;">`nmap --script smb-os-discovery 10.10.10.10`</mark>``&#x9;

**Loads the script in the default category, the banner script, and all .nse files in the directory /home/user/custom scripts. Can also use '\*' wildcards here.**\
`#`<mark style="color:green;">`nmap --script default,banner,/home/user/customscripts 10.10.10.10`</mark>

**Loads all scripts whose name starts with http-, such as http-auth and http-open-proxy. The argument to --script had to be in quotes to protect the wildcard from the shell.**\
`#`<mark style="color:green;">`nmap --script "http-*" 10.10.10.10`</mark>

More complicated script selection can be done using the and, or, and not operators to build Boolean expressions. The operators have the same precedence as in Lua: not is the highest, followed by and and then or. You can alter precedence by using parentheses. Because expressions contain space characters it is necessary to quote them.\
`#`<mark style="color:green;">`nmap --script "(default or safe or intrusive) and not http-*" 10.10.10.10`</mark>\
Loads scripts in the default, safe, or intrusive categories, except for those whose names start with http-.

{% hint style="success" %}
Now hop over to [Services](/initial-access/services.md) to start exploiting broken configs if NSE auto-pwns are not working.&#x20;
{% endhint %}
