Nmap Scripting Engine (NSE)
The Nmap Scripting Engine (NSE) allows for advanced interaction with services using Lua-based scripts. NSE is divided into 14 categories, each serving a unique purpose.
NSE Script Categories
| Category | Description |
|---|---|
| auth | Detects authentication credentials. |
| broadcast | Discovers hosts via broadcast and adds them to scans. |
| brute | Performs brute-force attacks to discover credentials. |
| default | Scripts run with the -sC option. |
| discovery | Identifies accessible services on the network. |
| dos | Tests for denial of service vulnerabilities (potentially disruptive). |
| exploit | Attempts to exploit known vulnerabilities. |
| external | Leverages external services for deeper analysis. |
| fuzzer | Sends malformed packets to uncover unexpected behavior. |
| intrusive | May affect the target system's stability or behavior. |
| malware | Checks if the system is infected with known malware. |
| safe | Non-intrusive and non-destructive scripts. |
| version | Enhances version detection capabilities. |
| vuln | Identifies known vulnerabilities in services. |
Using NSE in Scans
Default Scripts
sudo nmap <target> -sC
Specific Script Category
sudo nmap <target> --script <category>
Defined Scripts
sudo nmap <target> --script <script-name>,<script-name>
SMTP Example
sudo nmap <target> -p 25 --script banner,smtp-commands
| Option | Description |
|---|---|
| 10.129.2.28 | Target IP |
| -p 25 | Scans only SMTP port |
| --script banner,smtp-commands | Executes specified NSE scripts |
- banner: Reveals service banners (e.g., OS distribution).
- smtp-commands: Lists supported SMTP commands, useful for user enumeration.
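
To review the `banner` and `smtp-commands` results across many hosts, the following added example (not part of the original notes) parses Nmap XML output and flags SMTP ports that advertise `VRFY` or `EXPN`, the verbs that make user enumeration possible. It assumes the scan was saved with Nmap's `-oX` option; the sample XML, the addresses and the `audit_smtp` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like Nmap -oX output; all values are made up.
SAMPLE_XML = """<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="25">
      <state state="open"/>
      <script id="banner" output="220 mail.example.test ESMTP Postfix (Ubuntu)"/>
      <script id="smtp-commands" output="mail.example.test, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, 8BITMIME, DSN,"/>
    </port></ports>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="25">
      <state state="open"/>
      <script id="smtp-commands" output="mx2.example.test, PIPELINING, SIZE 10240000, STARTTLS, 8BITMIME,"/>
    </port></ports>
  </host>
</nmaprun>"""

# SMTP verbs that let a client confirm whether a mailbox or list exists.
ENUM_VERBS = {"VRFY", "EXPN"}

def audit_smtp(xml_text):
    """Return one finding per open port that produced smtp-commands output."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            out = {s.get("id"): s.get("output", "") for s in port.findall("script")}
            if "smtp-commands" not in out:
                continue
            # Comma-separated items; the first is the server's greeting name.
            items = [i.strip() for i in out["smtp-commands"].split(",") if i.strip()]
            verbs = {i.split()[0].upper() for i in items[1:]}
            findings.append({"host": addr, "port": int(port.get("portid")),
                             "banner": out.get("banner", ""),
                             "enum_verbs": sorted(verbs & ENUM_VERBS)})
    return findings

if __name__ == "__main__":
    for finding in audit_smtp(SAMPLE_XML):
        print(finding)
```

A non-empty `enum_verbs` list marks a mail server whose configuration should be reviewed so that those verbs are disabled or restricted.
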
Aggressive Scan
sudo nmap <target> -p 80 -A
| Option | Description |
|---|---|
| -A | Runs OS detection (-O), version detection (-sV), traceroute, and default scripts (-sC) |
Nmap may reveal:
- Web server (e.g., Apache 2.4.29)
- Web application (e.g., WordPress 5.3.4)
- Web title (e.g., blog.inlanefreight.com)
- Likely OS (e.g., Linux 96%)
Vulnerability Assessment (HTTP)
sudo nmap <target> -p 80 -sV --script vuln
| Option | Description |
|---|---|
| -p 80 | Scans only port 80 |
| -sV | Detects service versions |
| --script vuln | Executes all vulnerability-checking scripts from the vuln category |
These scripts interact with the service and application, checking for known vulnerabilities using various databases.