What is the Nmap Scripting Engine (NSE)?
NSE stands for Nmap Scripting Engine, and it’s basically a digital library of Nmap scripts that helps to enhance the default Nmap features and report the results in a traditional Nmap output.
One of the best things about NSE is its ability to let users write and share their own scripts, so you’re not limited to relying on the Nmap default NSE scripts. The only requirement for you to write these scripts is that they must be coded using the Lua programming language.
What can you do with these Nmap scripts?
With nearly 600 scripts at your fingertips, there’s almost no infosec research task you can’t accomplish. In particular, you’ll be able to perform any sort of DNS enumeration, brute force attack, OS fingerprinting and banner grabbing, vulnerability detection and exploitation, backdoor identification, malware discovery, and much more.
Types of Nmap scripts
When we talk about writing NSE scripts, there are four different types that can help us enhance the default Nmap features, depending on the target and the scanning phase in which they are run.
- Prerule scripts: These types of scripts run before the rest of any scanning operation, while Nmap doesn’t have any data about the remote target.
- Host scripts: Once the Nmap default scan has finished the host exploration, detection, port scanning or software discovery, it will perform the host scripts.
- Service scripts: These are a particular set of Nmap scripts that are run against services on the remote host. These include http service scripts, for example, which can be run against web servers.
- Postrule scripts: These are run after the entire Nmap scan has finished, and are often useful for parsing, formatting and presenting the different results.
Nmap script categories
Let’s analyze the different categories of Nmap scripts.
|Nmap Script Name||Description|
|auth||All sorts of authentication and user privilege scripts|
|broadcast||Network discovery scripts that use broadcast petitions for intel gathering|
|brute||Set of scripts for performing brute force attacks to guess access credentials|
|default||The most popular Nmap scripts, using -sC by default|
|discovery||Scripts related to network, service and host discovery|
|dos||Denial of service attack scripts used to test and perform DOS and floods|
|exploit||Used to perform service exploitation on different CVEs|
|external||Scripts that rely on 3rd party services or data|
|fuzzer||Used to perform fussing attacks against apps, services or networks|
|intrusive||All the ‘aggressive’ scripts that cause a lot of network noise|
|malware||Malware detections and exploration scripts|
|safe||Safe and non-intrusive/noisy scripts|
|version||OS, service and software detection scripts|
|vuln||The Nmap vuln category includes vulnerability detection and exploitation scripts|
How can I use the Nmap Scripting Engine?
While writing these scripts can sometimes be quite difficult, their usage is fairly simple, as are most Nmap arguments and options.
Run the most popular scripts
When you’re dealing with over 600 scripts, it isn’t easy to find the most popular ones by inspecting them one by one. That’s why the Nmap team has built an ‘-sC’ option, which lets you run the top Nmap scripts at once.
To do this, simply use the ‘-sC’ argument, as shown below:
nmap -sC 192.168.122.1
[root@research ~]# nmap -sC 192.168.122.1 Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-18 12:52 -03 Nmap scan report for 192.168.122.1 Host is up (0.000033s latency). Not shown: 996 closed ports PORT STATE SERVICE 21/tcp open ftp 53/tcp open domain | dns-nsid: |\_ bind.version: dnsmasq-2.80 80/tcp open http |\_http-title: Test Page for the HTTP Server on Fedora Nmap done: 1 IP address (1 host up) scanned in 15.58 seconds [root@research ~]#
Run all the scripts within a category
Other times, you’ll need to run all the scripts within a category. That can be done by using the ‘–script category’ name, as you can see here:
nmap --script discovery 192.168.122.1
You can even combine two categories if needed:
nmap --script default,safe 192.168.122.1
Or if you want to exclude some, you can prevent certain script categories from running—just use the ‘not’ parameter before the category name. as in this example:
nmap --script "not vuln" 192.168.122.1
Run Nmap scripts with a wildcard *
Nmap also allows you to run scripts using wildcards, meaning you can target multiple scripts that finish or end up with any pattern. For example, if you want to run all the scripts that begin with ‘ftp’, you could simply use this syntax:
nmap --script "ftp-\*" 192.168.122.1
The same goes for SSH:
nmap --script "ssh-\*" 192.168.122.1
Run a single Nmap script
This is the perfect solution when you already know which script is going to be used. For example, if we want to run the http-brute script to perform brute force password auditing against http basic, digest and ntlm authentication, we’ll use:
nmap --script="http-brute" 192.168.122.1
Run your own scripts
As we said before, NSE has the ability to let you write your own scripts, and run those scripts locally in your operating system. For this purpose, you can use this syntax:
nmap --script =/your-scripts 192.168.122.1
Just make sure you replace the path /your-scripts with the local path where your scripts are stored.
Combine them all
You’ve seen how easy it is to run single scripts, categories and even your own local scripts. Now let’s combine them all into one single command, as shown in the following example:
nmap --script "vuln,safe,/my/script and not ftp-\*" 192.168.122.1
In the previous script, we combined two script categories; your own script and omitting all scripts that begin with “ftp-“.
Nmap scripting alternatives
While NSE allows you to expand the default Nmap features, there are so many scripts that choosing the best ones and waiting for the results could take a tremendous amount of time, especially in large-scale research.
That’s why we’ve built a web-based infosec product that combines the very best of most popular Nmap features.
This enterprise-grade product is called ‘Attack Surface Reduction - ASR’, and it allows you to fully scan your entire network infrastructure for attack prevention, or as a red team tool that lets you explore the full attack surface of any company in the world. Its main features include:
IP block with full geolocation, associated domains and hosting provider
These features will enable you to discover the full list of associated domains, and IP addresses related to any organization, as well as the web hosting provider, within seconds:
Service, network discovery and DNS enumeration
These features will let you fully discover your own infrastructure assets, including domain names, Alexa rank, organization, and much more. Take a look:
Open port scanning, software detection and banner grabbing
When it comes to software detection, ASR lets you discover the remote software running on any server within seconds without waiting for scans, and correlate data between different results. It’s all in there!
Whether you’re dealing with a vulnerable OpenSSH version, system service or even the operating system itself, our application detection algorithm will detect the current open ports, grab the banner and display the information for you.
NSE is one of the most powerful Nmap features available, allowing us to expand the core features and release the full powers of Nmap to boost our OSINT research during the intelligence-recon process.
While there are tons of different Nmap scripts, those we’ve found most useful on a day-to-day basis fit into the vuln, discovery and brute-force categories.
The truth is infosec professionals can’t rely only on Nmap—there are other tools for boosting your Nmap scans, with additional OSINT features. To get the most out of discovering exposed areas on your attack surface, check out Threat Intelligence API,and Attack Surface Reduction - ASR, our first-class products for penetration testers and infosec professionals.