The Nmap scripts are written in Lua language
Location: /usr/share/nmap/scripts
Update Scripts: sudo nmap --script-updatedb
Help Menu: nmap --script-help <script-name>
NSE Reference Portal - Nmap Scripting Engine documentation
Usage and Examples | Nmap Network Scanning
Nmap Default Script Scan
# Run Nmap Default Scripts
# Same scripts are run when -A is used
nmap -sC <ip-address>
nmap --script=default <ip-address>Nmap Script Scan
nmap -p 21 --script ftp-anon <ip-address>
nmap -sV -p 21 --script ftp-anon,ftp-vsfppd-backdoor <ip-address>
# Run all FTP scripts
nmap -sV -p 21 --script "ftp-*" <ip-address>
nmap -sV -p 21 --script=ftp* <ip-address>Banner Grabbing
This scan is similar to service version scan but Nmap does not filter the information that it does not consider important
nmap -p22,80 --script banner <ip-address>FTP Enumeration
FTP runs on port 21
ls -lah /usr/share/nmap/scripts | grep -e “ftp-” (List only ftp scripts)
Common Scripts
- ftp-anon : Check if anonymous login is available for FTP connection
- ftp-brute : Brute force connection using FTP (Not recommended use tool like Hydra)
- ftp-syst : Shows system information
- ftp-proftpd-backdoor, ftp-vsftpd-backdoor : Check if an backdoor connection to the system is possible (Intrusive scripts directly interacts with the system)
- ftp-vuln-cve2010-4221 : Checks for vulnerability (Always search what the vulnerability is applicable for before using. This one only applies to proftpd)
DNS Enumeration
Recommended to use SecLists when wordlist is needed.
“Zonetransfer.me” can be used to test and practice DNS attacks
Common Scripts
- dns-zone-transfer : Tries to perform zone transfer (copy dns details from one server to another. Only works on misconfigured servers)
- dns-brute : Brute force the dns to gather information (Recommended over zone transfer)
nmap --script dns-zone-transfer \
--script-args dns-zone-transfer.server=SERVERNAME,dns-zone-transfer.port=53,dns-zone-transfer.domain=zonetransfer.me # Refer Information Gathering for more details on zone transfer
nmap -Pn --script dns-brute \
--script-args dns-brute.threads=5,dns-brute.hostlist=/usr/share/wordlist/SecLists/Discovery/DNS/fierce-hoslist.txt zonetransfer.meSMTP Enumeration
SMTP runs on port 25
ls -lah /usr/share/nmap/scripts | grep -e “smtp-” (List only smtp scripts)
Common Scripts
- smtp-commands : Lists all the supported SMTP commands (VRFY, EXPN can be exploited to enumerate usernames)
- smtp-enum-users : Enumerate users on the system
- smtp-open-relay : Check if open relay is enabled which can be used to bypass authentication
nmap -p 25 --script smtp-commands <ip-address>
nmap -p 25 --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY} <ip-address>
nmap -p 25 --script smtp-open-relay <ip-address>HTTP Enumeration
HTTP runs on port 80. HTTPS runs on port 443
ls -lah /usr/share/nmap/scripts | grep -e “http-” (List only http scripts)
Common Scripts
- http-methods : Returns the methods that are running of the server
- http-enum : Enumerate hidden directories on the server (Similar to dirbuster/gobuster)
- http-waf-detect : Detect web application firewall
- http-waf-fingerprint : Identify the version/ type of firewall running
nmap -Pn -sV -T4 -p 80 --script http-methods --script-args http-methods.test=all <ip-address>
nmap -sV -p 80 --script http-enum <ip-address>
nmap -Pn -p 443,80 --script http-enum,http-waf-fingerprint <ip-address>http-waf-detect will return an payload when run on browser will return the firewall name
SMB (Service Message Block) Enumeration
SMB runs on port 445
ls -lah /usr/share/nmap/scripts | grep -e “smb-” (List only SMB scripts)
Common Scripts
- smb-os-discovery : Find the OS running on the system
- smb-enum-shares : List all the shares (Shared folders/ drives, etc.) on the system along with their permissions
- smb-enum-users : Find users on the system
- smb-protocols : Returns the version of the SMB protocol running on the system
- smb-vuln-ms17-010 : Eternal blue remote execution exploit
nmap -p 445 --script smb-os-discovery <ip-address>
nmap -p 445 --script smb-enum-shares <ip-address>MySQL Enumeration
MySQL runs on port 3306
Common Scripts
- mysql-info : Returns information about the server
- mysql-enum : Try to guess usernames from the service
- mysql-empty-password : Checks if any user ha empty password
- mysql-brute : Try to brute force users on the system
nmap -p 3306 --script mysql-info <ip-address>NFS (Network File Share) Enumeration
Port 111 with have RPCBind Server which converts the RPC Address to Universal Address ls -lah /usr/share/nmap/scripts | grep -e “nfs-”
Common Scripts
- nfs-ls : Returns files on NTS
- nfs-showmount : Show the Mounted Directories on NTS
- nfs-statsfs : Return information about the NFS File System
nmap -p 111 --script nfs-ls,nfs-showmount,nfs-statfs <ip-address>Vulnerability Scan (External Scripts)
GitHub - vulnersCom/nmap-vulners: NSE script based on Vulners.com API
nmap -sV -p21-8080 --script vulners <ip-address>