Nmap Scripting Engine (NSE)

Learn how to leverage Nmap's powerful scripting capabilities for advanced network reconnaissance and vulnerability assessment

The Nmap Scripting Engine (NSE) is a powerful feature that extends Nmap's functionality beyond basic port scanning. It allows users to write and share scripts that automate a wide variety of networking tasks, from advanced service detection to vulnerability scanning and exploitation.

Basic NSE Usage

Default Script Scan

nmap -sC 192.168.1.1

Runs the default set of scripts against the target.

Script Scan with Version Detection

nmap -sC -sV 192.168.1.1

Combines script scanning with service version detection.

Aggressive Scan

nmap -A 192.168.1.1

Enables OS detection, version detection, script scanning, and traceroute.

Understanding NSE

NSE Architecture

The Nmap Scripting Engine is built on the Lua programming language and consists of:

  1. Script Files: Individual .nse files containing Lua code

  2. Libraries: Shared Lua functions for common tasks

  3. Categories: Organizational groups for scripts based on functionality

  4. Script Database: Information about available scripts

  5. Runtime Environment: The execution environment within Nmap

Each script declares a rule function, and that rule decides at which point in the scan the script runs:

  • prerule scripts: run once before the scan starts (for example, broadcast discovery)
  • hostrule scripts: run once per target host, after that host has been scanned
  • portrule scripts: run once per matching port, after service and version detection on it
  • postrule scripts: run once after the whole scan completes

This architecture allows for flexible and powerful extensions to Nmap's core functionality.
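The pieces listed above (a script file, library calls, categories and a rule) fit together as follows. This is an added example written for this page, not a script from the Nmap distribution: the script name example-banner, the argument example-banner.timeout and the author field are assumptions. It is a portrule script that reads the first line a service sends and reports it.

```lua
-- example-banner.nse  (constructed teaching example; hypothetical script name)
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Connects to an open TCP port, reads the first line the service sends
(its banner) and reports it.  Written as an illustration of NSE script
structure; it is not part of the Nmap distribution.
]]

author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- Categories decide which --script selections pick this script up:
-- "safe" because it only reads what the service volunteers.
categories = {"safe", "discovery"}

-- Optional argument example-banner.timeout (milliseconds), read once at load time.
local arg_timeout = tonumber(stdnse.get_script_args(SCRIPT_NAME .. ".timeout")) or 5000

-- portrule: Nmap evaluates this for every scanned port and runs action()
-- only where it returns true.  shortport builds the usual "open TCP port
-- that is one of these numbers or service names" test.
portrule = shortport.port_or_service(
  {21, 22, 25, 110, 143},
  {"ftp", "ssh", "smtp", "pop3", "imap"},
  "tcp", "open")

-- action: runs once per matching port; whatever it returns becomes the
-- script's output, and nil means "nothing to report".
action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(arg_timeout)

  local status, err = socket:connect(host, port)
  if not status then
    stdnse.debug1("connect to %s:%d failed: %s", host.ip, port.number, tostring(err))
    return nil
  end

  local ok, data = socket:receive_lines(1)
  socket:close()
  if not ok then
    stdnse.debug1("no banner from %s:%d within %d ms", host.ip, port.number, arg_timeout)
    return nil
  end

  -- A table from stdnse.output_table() is rendered as key/value lines in
  -- normal output and as structured elements in -oX XML output.
  local out = stdnse.output_table()
  out.banner = (data:gsub("[\r\n]+$", ""))   -- strip the trailing line break
  out.bytes = #data
  return out
end
```

Save it as example-banner.nse in Nmap's scripts directory and run nmap --script-updatedb so the script database learns its categories, or point at the file directly with nmap --script ./example-banner.nse -p 21,22,25 <target>. Because it carries the safe category, nmap --script=safe would also select it.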

Script Categories

NSE scripts are organized into categories based on their functionality and potential impact:

  • auth: Authentication related scripts
  • broadcast: Network discovery via broadcast
  • brute: Brute force authentication attacks
  • default: Scripts run by default with -sC
  • discovery: Network/host/service discovery
  • dos: Denial of Service testing
  • exploit: Exploitation of vulnerabilities
  • external: Scripts that use external resources
  • fuzzer: Scripts for fuzzing applications
  • intrusive: Scripts that might crash services or be considered intrusive
  • malware: Detection of malware or backdoors
  • safe: Non-intrusive scripts
  • version: Version detection enhancement scripts
  • vuln: Vulnerability detection scripts

You can run scripts from specific categories using:

nmap --script=category 192.168.1.1

For example:

nmap --script=discovery,safe 192.168.1.1

Script Arguments

Many NSE scripts accept arguments to customize their behavior. Arguments are passed using the --script-args option:

nmap --script=http-brute --script-args userdb=users.txt,passdb=passwords.txt 192.168.1.1

Multiple arguments are separated by commas. For complex arguments, you can use:

nmap --script=http-form-brute --script-args 'http-form-brute.path=/login.php,http-form-brute.uservar=user,http-form-brute.passvar=pass' 192.168.1.1

To see what arguments a script accepts, you can use:

nmap --script-help script-name

For example:

nmap --script-help http-brute
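The following added example shows the script side of --script-args: how a script documents its arguments so that --script-help prints them, and how it reads them with stdnse.get_script_args, accepting both the prefixed form (example-args.path) and a bare name shared with other scripts. It is written for this page and is not an Nmap script; the script name example-args and its argument names are assumptions.

```lua
-- example-args.nse  (constructed teaching example; hypothetical script name)
local stdnse = require "stdnse"

description = [[
Shows how an NSE script declares and reads arguments.  Reports which
values it received and which defaults it fell back to.  Not part of
the Nmap distribution.
]]

---
-- The @usage and @args lines below are what --script-help example-args prints.
--
-- @usage
-- nmap --script example-args --script-args 'example-args.path=/admin,example-args.ports={80,8080},verbose=true' <target>
--
-- @args example-args.path   URL path to report (default: /)
-- @args example-args.ports  Lua-style table of ports, e.g. {80,443} (default: {80})
-- @args verbose             Bare argument name shared with other scripts (default: false)
--
-- @output
-- Host script results:
-- | example-args:
-- |   path: /admin
-- |   ports: 80, 8080
-- |_  verbose: true

author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- get_script_args tries each name in the order given and returns the first
-- one the user supplied, so "example-args.path" wins over a bare "path".
local arg_path, arg_ports, arg_verbose = stdnse.get_script_args(
  {SCRIPT_NAME .. ".path", "path"},
  {SCRIPT_NAME .. ".ports", "ports"},
  {SCRIPT_NAME .. ".verbose", "verbose"}
)

-- hostrule: action() runs once per scanned host, independent of ports.
hostrule = function(host)
  return true
end

-- A bare value such as ports=80 arrives as the string "80"; a value written
-- as {80,443} arrives as a Lua table.  Accept both and apply the default.
local function normalize_ports(value)
  if value == nil then
    return {80}
  elseif type(value) == "table" then
    return value
  end
  return {tonumber(value) or value}
end

local function is_true(value)
  return value == true or value == "true" or value == "1"
end

action = function(host)
  local out = stdnse.output_table()
  out.path = arg_path or "/"

  local labels = {}
  for i, p in ipairs(normalize_ports(arg_ports)) do
    labels[i] = tostring(p)
  end
  out.ports = table.concat(labels, ", ")

  out.verbose = is_true(arg_verbose) and "true" or "false"
  return out
end
```

The single quotes around the --script-args value in the @usage line matter: the braces in {80,8080} are NSE's table syntax, and the shell must pass them through untouched.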

Discovery Scripts

# Host discovery
nmap --script=broadcast-ping 192.168.1.0/24

# Service discovery
nmap --script=dns-service-discovery 192.168.1.1

# Network mapping
nmap --script=broadcast-dhcp-discover 192.168.1.0/24

Information Gathering Scripts

# HTTP information
nmap --script=http-enum,http-headers,http-title -p 80,443 192.168.1.1

# SMB information
nmap --script=smb-os-discovery,smb-enum-shares -p 445 192.168.1.1

# SSL/TLS information
nmap --script=ssl-enum-ciphers -p 443 192.168.1.1

Vulnerability Assessment Scripts

# General vulnerability scan
nmap --script=vuln 192.168.1.1

# Specific vulnerability check
nmap --script=ssl-heartbleed -p 443 192.168.1.1

# Web application vulnerabilities
nmap --script="http-vuln*" -p 80,443 192.168.1.1

Authentication Testing Scripts

# SSH authentication
nmap --script=ssh-auth-methods -p 22 192.168.1.1

# HTTP basic authentication
nmap --script=http-auth -p 80,443 192.168.1.1

# Brute force attacks
nmap --script=ftp-brute -p 21 192.168.1.1

Advanced NSE Usage

Script Selection Techniques

# Combine categories and specific scripts
nmap --script="default,safe,http-title" 192.168.1.1

# Exclude scripts
nmap --script="default and not http-enum" 192.168.1.1

# Use expressions
nmap --script="(http-*) and not (http-brute or http-slowloris)" 192.168.1.1

Script Timing and Performance

# Control script timeout
nmap --script=http-enum --script-timeout 30s 192.168.1.1

# Limit concurrent scripts
nmap --script=vuln --max-parallelism 10 192.168.1.1

Output Management

# Save script output to XML
nmap --script=vuln -oX script_results.xml 192.168.1.1

# Increase verbosity for more script information
nmap --script=discovery -v 192.168.1.1

Practical NSE Examples

Web Server Enumeration

nmap --script=http-enum,http-headers,http-methods,http-title -p 80,443,8080 192.168.1.1

WordPress Site Analysis

nmap --script=http-wordpress-enum,http-wordpress-users -p 80,443 wordpress-site.com

Web Application Vulnerability Scan

nmap --script="http-vuln*" -p 80,443,8080 192.168.1.1

Best Practices for Using NSE

  1. Start with safe scripts: Begin with non-intrusive scripts before running potentially disruptive ones
  2. Understand script impact: Read script documentation to understand potential consequences
  3. Use appropriate timing: Adjust script timing based on network conditions and target sensitivity
  4. Target specific ports: Run scripts only against relevant ports to improve efficiency
  5. Save and analyze results: Always save script output for later analysis and documentation

Next Steps

Now that you understand how to use the Nmap Scripting Engine, you can explore: