
SecurityTrails Blog · Nov 21 · SecurityTrails team

Nmap Scripts (NSE): The Key To Enhance Your Network Scans


Nmap is, quite simply, the best port scanner around. We love it because it offers easy installation, simple usage syntax and great results, as we previously explored in our Nmap commands article.

For those who aren’t familiar with it, Nmap isn’t just a common tool we all use for port scanning IP ranges from time to time—it offers much more than that.

So if you really want to boost your Nmap scanning capabilities, keep reading. Today we’ll take a close look at the Nmap Scripting Engine, known as NSE.

What is the Nmap Scripting Engine (NSE)?

NSE stands for Nmap Scripting Engine. It lets Nmap run a library of scripts during a scan, extending the default Nmap features with tasks such as service probing and vulnerability checks, and reports their results inside the normal Nmap output.

One of the best things about NSE is its ability to let users write and share their own scripts, so you’re not limited to relying on the Nmap default NSE scripts. The only requirement for you to write these scripts is that they must be coded using the Lua programming language.

What can you do with these Nmap scripts?

With nearly 600 scripts shipped with Nmap, most reconnaissance tasks are covered. In particular, you’ll be able to perform DNS enumeration, brute force attacks, OS fingerprinting and banner grabbing, vulnerability detection and exploitation, backdoor identification, malware discovery, and much more.

Types of Nmap scripts

NSE scripts come in four types, distinguished by the rule each script defines (prerule, hostrule, portrule or postrule). The rule decides the scanning phase in which the script runs and what target data it receives.

  1. Prerule scripts: run once before any scanning starts, when Nmap has no information about the targets yet. Typical uses are broadcast discovery on the local network and pulling targets from an external source.
  2. Host scripts: run once per host that is up, after host discovery, port scanning and (if requested) version detection have finished for that host. They receive the host table.
  3. Service scripts: run once per matching open port on each host, for example the http-* scripts against web servers. They receive both the host and the port, and their output is printed under that port.
  4. Postrule scripts: run once after the entire scan has finished, and are often used to aggregate, format and present results collected during the earlier phases.
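To make the phases concrete, here is an added example script (it is not from the article or the Nmap project) that combines a host script and a postrule script in one file: the hostrule part runs once per host after port scanning and records how many TCP ports were found open, and the postrule part runs once at the end and prints a ranked summary. The two phases share data through nmap.registry, a table that lives for the whole scan. The filename open-port-summary.nse and the registry key are the example’s own choices, not anything Nmap defines.

```lua
-- open-port-summary.nse  (hypothetical filename; added example, not Nmap's code)
-- One script file may define several rules. Here hostrule and postrule
-- share the same action(), which checks SCRIPT_TYPE (set by NSE to the
-- name of the rule that fired) to decide what to do.
local nmap = require "nmap"
local tab = require "tab"

description = [[
Counts the open TCP ports found on each host and, after the whole scan,
prints one table ranking the hosts by that count. Demonstrates a host
script and a postrule script sharing state through nmap.registry.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Registry entries are global to the scan, so namespace them by script.
local KEY = "open-port-summary"

-- Host script: runs once for every host that is up, after port scanning.
hostrule = function(host)
  return true
end

-- Postrule: runs once after all hosts are finished, but only if the host
-- phase actually recorded something.
postrule = function()
  return nmap.registry[KEY] ~= nil
end

local function host_action(host)
  local n = 0
  -- nmap.get_ports() walks the host's scanned ports in the given state;
  -- passing the previous port returns the next one, nil when exhausted.
  local port = nil
  while true do
    port = nmap.get_ports(host, port, "tcp", "open")
    if not port then break end
    n = n + 1
  end
  -- NSE runs scripts as cooperative coroutines that only yield on network
  -- I/O; this function does none, so the update below cannot interleave
  -- with another host's. Wrap it in nmap.mutex(KEY) if you add I/O here.
  nmap.registry[KEY] = nmap.registry[KEY] or {}
  table.insert(nmap.registry[KEY], {ip = host.ip, open = n})
  return nil  -- nil means "print nothing" under this host
end

local function post_action()
  local rows = nmap.registry[KEY]
  table.sort(rows, function(a, b) return a.open > b.open end)
  local t = tab.new(2)
  tab.addrow(t, "HOST", "OPEN TCP PORTS")
  for _, r in ipairs(rows) do
    tab.addrow(t, r.ip, tostring(r.open))
  end
  return "\n" .. tab.dump(t)
end

action = function(host, port)
  if SCRIPT_TYPE == "hostrule" then
    return host_action(host)
  end
  return post_action()
end
```

Run it with ‘nmap --script ./open-port-summary.nse 192.168.122.0/24’: the per-host output stays empty and the summary appears in the post-scan script results at the end of the report.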

Nmap script categories

Let’s analyze the different categories of Nmap scripts. Every script declares one or more categories in its ‘categories’ field, and those names are what ‘-sC’ and ‘--script’ select on.

Category    Description
auth        Scripts that deal with authentication credentials on the target, or bypass them (for example checking for anonymous FTP); guessing credentials belongs to brute
broadcast   Discovery scripts that send broadcast requests on the local network instead of probing the listed targets
brute       Brute force attacks that guess credentials for remote services
default     The scripts run by ‘-sC’ (or ‘-A’): chosen for being fast, useful, reliable and not overly intrusive
discovery   Scripts that actively gather more information about the network, hosts and services
dos         Scripts that may cause a denial of service, sometimes only as a side effect of the test
exploit     Scripts that actively exploit a vulnerability
external    Scripts that send data to a third-party service or database (whois, geolocation lookups), which may reveal your scan to that party
fuzzer      Scripts that send unexpected or randomized fields to software to find bugs; slow and bandwidth-intensive
intrusive   Scripts whose risk is too high to call safe: they may crash the target, consume significant resources, or be perceived as an attack
malware     Scripts that test whether the target is infected by malware or backdoors
safe        Scripts designed not to crash services, use excessive bandwidth or exploit vulnerabilities
version     Extensions to version detection (‘-sV’); they run only as part of it and cannot be selected by name
vuln        Scripts that check for specific known vulnerabilities and report only when one is found; actual exploitation belongs to exploit

How can I use the Nmap Scripting Engine?

While writing these scripts can sometimes be quite difficult, their usage is fairly simple, as are most Nmap arguments and options.

When you’re dealing with nearly 600 scripts, it isn’t easy to pick the most useful ones by inspecting them one by one. That’s why the Nmap team built the ‘-sC’ option, which runs every script in the default category at once.

To do this, simply use the ‘-sC’ argument, as shown below:

nmap -sC 192.168.122.1

Expected output:

[root@research ~]# nmap -sC 192.168.122.1
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-18 12:52 -03
Nmap scan report for 192.168.122.1
Host is up (0.000033s latency).
Not shown: 996 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
53/tcp open  domain
| dns-nsid:
|_  bind.version: dnsmasq-2.80
80/tcp open  http
|_http-title: Test Page for the HTTP Server on Fedora

Nmap done: 1 IP address (1 host up) scanned in 15.58 seconds
[root@research ~]#

Run all the scripts within a category

Other times, you’ll need to run all the scripts within a category. That can be done by passing the category name to ‘--script’, as you can see here:

nmap --script discovery 192.168.122.1

You can also select several categories at once by separating them with commas. A comma means ‘or’, so every script in either category runs:

nmap --script default,safe 192.168.122.1


Script selection also accepts boolean expressions, so ‘not’ excludes a category. Be careful with a bare negation, though: the command below runs every script that is not in vuln, which includes the brute, dos and intrusive ones. To exclude a category from a set you have chosen, combine the two with ‘and’, as in ‘default and not vuln’.

nmap --script "not vuln" 192.168.122.1

Run Nmap scripts with a wildcard *

Nmap also accepts wildcards in script names, so you can select every script whose name matches a pattern. The quotes keep your shell from expanding the ‘*’ itself. For example, to run all the scripts whose names begin with ‘ftp-’:

nmap --script "ftp-*" 192.168.122.1

The same goes for SSH:

nmap --script "ssh-*" 192.168.122.1

Run a single Nmap script

This is the right choice when you already know which script you need. For example, to run the http-brute script, which performs brute force password auditing against HTTP basic, digest and NTLM authentication, we use:

nmap --script="http-brute" 192.168.122.1

Run your own scripts

As we said before, you can write your own scripts and run them from wherever they live on disk. Pass ‘--script’ the path of a single .nse file or of a directory, in which case every .nse file inside it runs:

nmap --script /your-scripts 192.168.122.1

Replace /your-scripts with the path where your scripts are stored. A name given without a path is looked up in Nmap’s own scripts directory; if you copy a new script there and want it picked up by category, run ‘nmap --script-updatedb’ to rebuild the script database first.
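Here is the service script type from the types section, written out as an added example (not the article’s or the Nmap project’s code) of the kind of local script you would run this way. smtp-ftp-greeting.nse (a hypothetical filename) reads the greeting an FTP or SMTP server sends on connect and prints it under the port. It shows the fields every script needs (description, categories, a rule and an action) and how a script reads its own --script-args. The greeting quoted in the comment is illustrative.

```lua
-- smtp-ftp-greeting.nse  (hypothetical filename; added example, not Nmap's code)
-- A service script: NSE calls action() once per open port that the
-- portrule accepts, and prints the returned string under that port.
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Reads the greeting line that FTP and SMTP servers send on connect and
reports it. The connection timeout can be set with the script argument
smtp-ftp-greeting.timeout (seconds, default 5).
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}   -- what --script discovery / safe select on

-- Match on port number (21, 25) or on the service name that version
-- detection assigned (ftp, smtp), but only for open TCP ports.
portrule = shortport.port_or_service({21, 25}, {"ftp", "smtp"}, "tcp")

action = function(host, port)
  -- Script arguments arrive as strings; SCRIPT_NAME is set by NSE, so
  -- the argument is looked up as "smtp-ftp-greeting.timeout".
  local timeout = tonumber(stdnse.get_script_args(SCRIPT_NAME .. ".timeout")) or 5
  local socket = nmap.new_socket()
  socket:set_timeout(timeout * 1000)   -- milliseconds

  local status, err = socket:connect(host, port)
  if not status then
    -- Returning nil prints nothing; the debug line shows up with -d.
    stdnse.debug1("connect to %s:%d failed: %s", host.ip, port.number, tostring(err))
    return nil
  end

  local ok, data = socket:receive_lines(1)
  socket:close()
  if not ok then
    stdnse.debug1("no greeting from %s:%d: %s", host.ip, port.number, tostring(data))
    return nil
  end

  -- Keep only the first line, without its CRLF, and report it.
  -- Illustrative result: "220 mail.example.org ESMTP Postfix"
  local greeting = data:match("^([^\r\n]*)")
  return greeting
end
```

Run it from a local path with ‘nmap -p 21,25 --script ./smtp-ftp-greeting.nse --script-args smtp-ftp-greeting.timeout=10 192.168.122.1’. Before a real scan, ‘nmap --script-help ./smtp-ftp-greeting.nse’ prints the description and categories, which is a quick way to confirm the file parses.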

Combine them all

You’ve seen how easy it is to run single scripts, categories and even your own local scripts. Now let’s combine them all into one single command:

nmap --script "(vuln or safe or /my/script) and not ftp-*" 192.168.122.1

Here we combined two script categories with a local script of our own and excluded every script whose name begins with ‘ftp-’. The parentheses matter: ‘not’ binds tightest, then ‘and’, then ‘or’ (a comma is equivalent to ‘or’), so written as ‘vuln,safe,/my/script and not ftp-*’ the exclusion would apply only to /my/script, and the vuln and safe scripts would run in full.

Nmap scripting alternatives

While NSE allows you to expand the default Nmap features, there are so many scripts that choosing the best ones and waiting for the results could take a tremendous amount of time, especially in large-scale research.

That’s why we’ve built a web-based infosec product that brings the most popular Nmap features together in one place.

This enterprise-grade product is called ‘Attack Surface Reduction - ASR’, and it allows you to fully scan your entire network infrastructure for attack prevention, or as a red team tool that lets you explore the full attack surface of any company in the world. Its main features include:

IP block with full geolocation, associated domains and hosting provider

These features will enable you to discover the full list of associated domains and IP addresses related to any organization, as well as its web hosting provider, within seconds.


Service, network discovery and DNS enumeration

These features let you fully discover your own infrastructure assets, including domain names, Alexa rank, organization, and much more.


Open port scanning, software detection and banner grabbing

When it comes to software detection, ASR lets you discover the remote software running on any server within seconds without waiting for scans, and correlate data between different results. It’s all in there!


Whether you’re dealing with a vulnerable OpenSSH version, system service or even the operating system itself, our application detection algorithm will detect the current open ports, grab the banner and display the information for you.

Summary

NSE is one of Nmap’s most powerful features: it extends the core scanner and brings the full power of Nmap to the reconnaissance phase.

While there are hundreds of Nmap scripts, those we’ve found most useful on a day-to-day basis fall into the vuln, discovery and brute categories.

The truth is infosec professionals can’t rely only on Nmap. There are other tools for boosting your Nmap scans with additional OSINT features; to get the most out of discovering exposed areas on your attack surface, check out Threat Intelligence API and Attack Surface Reduction - ASR, our first-class products for penetration testers and infosec professionals.