Nmap Scripting Engine (NSE)

It is one of Nmap's most powerful features: it automates a wide variety of scanning tasks. NSE can be helpful in the following areas:

  • Network Discovery
    • http-headers
    • http-email-harvest
    • http-chrono
    • nbstat
    • ipidseq
  • Vulnerability Detection
    • ssl-heartbleed
    • http-csrf
    • smtp-vuln-cve2011-1720
  • Version Detection
    • pptp-version
    • stun-version
    • skypev2-version
  • Backdoor Detection
    • ftp-proftpd-backdoor
    • irc-unrealircd-backdoor
  • Vulnerability Exploitation
    • jdwp-exec
    • http-stored-xss

Nmap divides NSE scripts into the following categories:

  • auth
  • broadcast
  • brute
  • default
  • discovery
  • dos
  • exploit
  • external
  • fuzzer
  • intrusive
  • malware
  • safe
  • version
  • vuln

Calling NSE

There are two ways to call NSE:

nmap -sC
The -sC option runs every script in the default category. Because many scripts are run against each host, the scan can take considerably longer.

nmap --script dns-service-discovery google.com
This way we can narrow the scan to one or two scripts, again saving scan time.

As we can see here, it simply went for reverse DNS discovery of google.com.


  • Looking for http-headers, http-chrono
    nmap --script http-headers,http-chrono

Scanning and Auditing Web Servers

Checking for Misconfiguration

  • Listing HTTP Methods
    Using http-methods we can discover which HTTP methods the server allows, and decide how to proceed based on them.
    nmap --script http-methods -Pn -n

Let's dig a little deeper using script arguments (--script-args) for the NSE script:
nmap -Pn -n --script http-methods --script-args http-methods.test-all,http-methods.retest
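When http-methods is run across many web servers, the results are easier to audit from Nmap's XML output (-oX) than from the screen. The script below is an added example, not part of the original page: it parses a constructed sample shaped like the http-methods structured output (the "Supported Methods" table key and the RISKY_METHODS list are assumptions for this example) and reports which ports expose methods that usually warrant a follow-up with the server owner.

```python
import xml.etree.ElementTree as ET

# Methods a production web server should rarely expose; exposing them is a
# finding to review with the host owner (list chosen for this example).
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PATCH"}

# Constructed sample, shaped like `nmap -oX - --script http-methods <target>`
# output; not captured from a real host. 192.0.2.10 is a documentation address.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <script id="http-methods" output="Supported Methods: GET HEAD POST OPTIONS TRACE">
          <table key="Supported Methods">
            <elem>GET</elem><elem>HEAD</elem><elem>POST</elem><elem>OPTIONS</elem><elem>TRACE</elem>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="8080">
        <script id="http-methods" output="Supported Methods: GET HEAD OPTIONS">
          <table key="Supported Methods">
            <elem>GET</elem><elem>HEAD</elem><elem>OPTIONS</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""

def allowed_methods(xml_text):
    """Return {(addr, port): set_of_methods} from every http-methods result."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr = host.find("address").get("addr")  # sample always carries an address
        for port in host.iter("port"):
            script = port.find("script[@id='http-methods']")
            if script is None:
                continue  # port had no http-methods result
            table = script.find("table[@key='Supported Methods']")
            methods = {e.text.strip() for e in table.findall("elem") if e.text} if table is not None else set()
            results[(addr, int(port.get("portid")))] = methods
    return results

def risky_findings(xml_text):
    """Keep only ports exposing a risky method, with those methods sorted."""
    return {k: sorted(v & RISKY_METHODS) for k, v in allowed_methods(xml_text).items() if v & RISKY_METHODS}
```

Run `nmap -oX scan.xml --script http-methods <target>` and feed the file's contents to risky_findings() to get the same report for a real scan.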


  • Directory Enumeration
    nmap -p80 --script http-enum

Now, if you want to dig a little deeper, use the http-enum.displayall script argument:

nmap -p80 --script http-enum --script-args http-enum.displayall nmapnsedir

Interesting Point of Entry
