Nmap Scripting Engine

What is it? A powerful feature allowing you to write (or use existing) scripts in Lua to automate tasks like vulnerability scanning, brute-forcing, and advanced enumeration.

1. Script Categories

NSE scripts are divided into 14 categories based on their function:

Category	Description
auth	Checks for authentication/credentials (e.g., empty passwords).
brute	Attempts to guess passwords via brute-force.
default	Safe, fast, and reliable scripts. Runs automatically with -sC.
discovery	Discovers more info about the service/host.
exploit	Attempts to actively exploit known vulnerabilities.
fuzzer	Sends random data to discover bugs (time-consuming).
intrusive	Risky scripts that might crash the target or trigger alerts.
malware	Checks if the target is infected.
safe	Passive scripts that won't crash services.
version	Advanced version detection.
vuln	Checks for specific vulnerabilities (CVEs).
Others	broadcast, dos, external.

2. How to Use Scripts

A. Default Scripts (sC)

Runs the "default" category scripts (safe and useful).

sudo nmap <target> -sC

B. Specific Category

Runs all scripts within a named category (e.g., vuln).

sudo nmap <target> --script <category>

C. Specific Scripts

Runs only the scripts you list by name.

sudo nmap 10.129.2.28 -p 25 --script banner,smtp-commands

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 23:21 CEST
Nmap scan report for 10.129.2.28
Host is up (0.050s latency).

PORT   STATE SERVICE
25/tcp open  smtp
|_banner: 220 inlane ESMTP Postfix (Ubuntu)
|_smtp-commands: inlane, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

3. The Aggressive Scan (A)

This is a "Combo Flag." It enables four things at once to give you a complete picture:

Service Detection (sV)

OS Detection (O)

Traceroute (-traceroute)

Default Scripts (sC)

sudo nmap 10.129.2.28 -p 80 -A

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-17 01:38 CEST
Nmap scan report for 10.129.2.28
Host is up (0.012s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.3.4
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: blog.inlanefreight.com
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
...
Aggressive OS guesses: Linux 2.6.32 (96%)...
TRACEROUTE
HOP RTT      ADDRESS
1   11.91 ms 10.129.2.28

Result: We identified the Web Server (Apache), the App (WordPress 5.3.4), the Title, and the OS (Linux) in one command.

4. Vulnerability Scanning (-script vuln)

Scans services against databases of known vulnerabilities (CVEs).

sudo nmap 10.129.2.28 -p 80 -sV --script vuln

Nmap scan report for 10.129.2.28
Host is up (0.036s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /wp-login.php: Possible admin folder
...
| http-wordpress-users:
| Username found: admin
...
| vulners:
|   cpe:/a:apache:http_server:2.4.29:
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
...

NSE Cheat Sheet

Flag	Function	Description
-sC	Default Scripts	Runs the default set of safe, useful scripts.
--script <name>	Run Script	Runs specific scripts (comma-separated) or categories.
--script-args	Arguments	Passes arguments to scripts (e.g., credentials).
-A	Aggressive	Enables OS detection, Version detection, Script scanning, and Traceroute.
--script vuln	Vuln Scan	Specialized category for finding CVEs and security flaws.