# NSE

With nearly [600 scripts](https://nmap.org/nsedoc/) at your fingertips, you'll be able to perform DNS enumeration, brute-force attacks, OS fingerprinting and banner grabbing, vulnerability detection and exploitation, backdoor identification, malware discovery, and much more.\ <mark style="color:orange;">All NSE scripts can be found in the</mark> <mark style="color:orange;">**`/usr/share/nmap/scripts`**</mark> <mark style="color:orange;">directory.</mark>

{% hint style="info" %}
You can also make your own scripts in Lua
{% endhint %}

### Script Categories:

| Nmap Script Name                             | Description                                                                                                                                 |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| <mark style="color:orange;">auth</mark>      | All sorts of authentication and user privilege scripts                                                                                      |
| <mark style="color:orange;">broadcast</mark> | Network discovery scripts that use broadcast requests for intel gathering                                                                   |
| <mark style="color:orange;">brute</mark>     | Set of scripts for performing brute force attacks to guess access credentials                                                               |
| <mark style="color:orange;">default</mark>   | The most popular Nmap scripts; this is the set that -sC runs                                                                                |
| <mark style="color:orange;">discovery</mark> | Scripts related to network, service and host discovery                                                                                      |
| <mark style="color:orange;">dos</mark>       | Denial of service scripts used to test for and perform DoS conditions and floods                                                            |
| <mark style="color:orange;">exploit</mark>   | Used to perform service exploitation on different CVEs                                                                                      |
| <mark style="color:orange;">external</mark>  | Scripts that rely on 3rd party services or data                                                                                             |
| <mark style="color:orange;">fuzzer</mark>    | Used to perform fuzzing attacks against apps, services or networks                                                                          |
| <mark style="color:orange;">intrusive</mark> | All the ‘aggressive’ scripts that cause a lot of network noise                                                                              |
| <mark style="color:orange;">malware</mark>   | Malware detections and exploration scripts                                                                                                  |
| <mark style="color:orange;">safe</mark>      | Scripts that are neither intrusive nor noisy                                                                                                |
| <mark style="color:orange;">version</mark>   | OS, service and software detection scripts                                                                                                  |
| <mark style="color:orange;">vuln</mark>      | The [Nmap vuln](https://securitytrails.com/blog/nmap-vulnerability-scan) category includes vulnerability detection and exploitation scripts |

## Search example:

Various ways to list/find NSE scripts without manually searching.

`#`<mark style="color:green;">`ls -l /usr/share/nmap/scripts/ | grep smb`</mark>

`#`<mark style="color:green;">`ls -l /usr/share/nmap/scripts/smb*`</mark>

`#`<mark style="color:green;">`ls -l *vuln*`</mark> (run from inside the scripts directory)

`#`<mark style="color:green;">`locate -r '\.nse$' | grep smb`</mark>

The Nmap NSE directory also contains a file named script.db that serves as an index of all scripts and their categories. It can also be grepped, for example to find every script in a given category.

### Get Script Help:

`#`<mark style="color:green;">`nmap --script-help dns-zone-transfer`</mark>

<mark style="color:yellow;">-sC</mark> starts the scripting engine with the default script set; <mark style="color:yellow;">--script</mark> starts it with the scripts or categories you name (including your own custom scripts).\ <mark style="color:yellow;">-A</mark> enables aggressive scan options and uses the default scripts rather than only the safe ones; it implies <mark style="color:yellow;">-sC</mark>.

## Scan Examples

#### Aggressive NSE w/ ports:

`#`<mark style="color:green;">`nmap -A -p22,11,139 -T4 10.10.10.10`</mark>

**Run all scripts of a category:**\
`#`<mark style="color:green;">`nmap --script vuln 10.10.10.79`</mark>

**Loads all scripts in the default and safe categories.**\
`#`<mark style="color:green;">`nmap --script default,safe 10.10.10.10`</mark>

**Loads every script except for those in the intrusive category.**\
`#`<mark style="color:green;">`nmap --script "not intrusive" 10.10.10.10`</mark>

**Loads single script. Note that the .nse extension is optional.**\
`#`<mark style="color:green;">`nmap --script smb-os-discovery 10.10.10.10`</mark>

**Loads the scripts in the default category, the banner script, and all .nse files in the directory /home/user/customscripts. '\*' wildcards can also be used here.**\
`#`<mark style="color:green;">`nmap --script default,banner,/home/user/customscripts 10.10.10.10`</mark>

**Loads all scripts whose name starts with http-, such as http-auth and http-open-proxy. The argument to --script has to be in quotes to protect the wildcard from the shell.**\
`#`<mark style="color:green;">`nmap --script "http-*" 10.10.10.10`</mark>

More complicated script selection can be done using the and, or, and not operators to build Boolean expressions. The operators have the same precedence as in Lua: not is the highest, followed by and and then or. You can alter precedence by using parentheses. Because expressions contain space characters it is necessary to quote them.\
`#`<mark style="color:green;">`nmap --script "(default or safe or intrusive) and not http-*" 10.10.10.10`</mark>\
Loads scripts in the default, safe, or intrusive categories, except for those whose names start with http-.
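The following is an added example, not part of the original page: it uses the script.db index mentioned in the search section to preview which scripts a category selection such as `(default or safe or intrusive) and not http-*` would load, without running nmap at all. Function names, and the short constructed script.db sample used when `SCRIPT_DB` is not set, are this example's own; export `SCRIPT_DB=/usr/share/nmap/scripts/script.db` to run it against the real index.

```shell
#!/bin/sh
# Added example (not from the page): dry-run NSE script selection by reading
# script.db. Each real script.db line has the form
#   Entry { filename = "name.nse", categories = { "cat1", "cat2", } }
SCRIPT_DB="${SCRIPT_DB:-}"

# Without a real index, fall back to a constructed sample (hypothetical data).
if [ -z "$SCRIPT_DB" ]; then
  SCRIPT_DB="$(mktemp)"
  trap 'rm -f "$SCRIPT_DB"' EXIT
  cat > "$SCRIPT_DB" <<'EOF'
Entry { filename = "banner.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-auth.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "http-open-proxy.nse", categories = { "default", "discovery", "external", "safe", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "dns-zone-transfer.nse", categories = { "intrusive", "discovery", } }
EOF
fi

# nse_in_category CATEGORY
# Prints the name (without .nse) of every script tagged with CATEGORY,
# equivalent to what "--script CATEGORY" would load.
nse_in_category() {
  grep -E "categories = \{.*\"$1\"" "$SCRIPT_DB" \
    | sed -E 's/.*filename = "([^"]+)\.nse".*/\1/'
}

# nse_select "CAT1 CAT2 ..." [EXCLUDE_PREFIX]
# Union of the listed categories (the "or" part) minus scripts whose name
# starts with EXCLUDE_PREFIX (the "and not prefix-*" part).
nse_select() {
  exclude="${2:-__no_exclusion__}"
  for c in $1; do nse_in_category "$c"; done \
    | sort -u \
    | grep -v "^$exclude"
}

# Preview of: nmap --script "(default or safe or intrusive) and not http-*"
nse_select "default safe intrusive" "http-"
```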

{% hint style="success" %}
Now hop over to [Services](https://www.hackbook.io/initial-access/services) to start exploiting broken configs if NSE auto-pwns are not working.
{% endhint %}

