NMAP Scripting Engine
The Nmap Scripting Engine (NSE) adds extra functionality to Nmap and lets us run Lua scripts as part of our scans. These scripts help with reconnaissance by automating common tasks we might otherwise do by hand. For example, there are NSE scripts for DNS enumeration, directory brute forcing and vulnerability scanning.
There are over 600 scripts (so obviously we won't go into all of them here); the full list can be found in the NSE Doc.
Script Categories
Scripts are grouped into several categories:
| Nmap Script Category | Description |
|---|---|
| auth | All sorts of authentication and user privilege scripts |
| broadcast | Network discovery scripts that use broadcast requests for intel gathering |
| brute | Set of scripts for performing brute force attacks to guess access credentials |
| default | The most popular Nmap scripts, run with -sC |
| discovery | Scripts related to network, service and host discovery |
| dos | Denial of service attack scripts used to test and perform DoS and floods |
| exploit | Used to perform service exploitation on different CVEs |
| external | Scripts that rely on 3rd party services or data |
| fuzzer | Used to perform fuzzing attacks against apps, services or networks |
| intrusive | All the 'aggressive' scripts that cause a lot of network noise |
| malware | Malware detection and exploration scripts |
| safe | Safe and non-intrusive/non-noisy scripts |
| version | OS, service and software detection scripts |
| vuln | Vulnerability detection and exploitation scripts |
Nmap is also (usually) clever when it comes to running scripts: each script carries a rule that decides when it applies, so it is only triggered when certain conditions are met. For example, it won't run the http-* scripts unless an HTTP server is detected.
Running Scripts
One way of running NSE scripts is to run those in the "default" category. The -sC flag does this:
$ nmap -sC 127.0.0.1
To run a specific script as part of your Nmap scan you use the --script flag. For example, the "ftp-anon" script attempts to connect to any FTP servers it finds and checks whether anonymous login is allowed.
So we could run a version detection scan and the FTP anonymous script against our target with:
$ sudo nmap -sV 127.0.0.1 --script ftp-anon
Note that the default port scan still takes place, so we may want to limit the ports Nmap looks at if we have already done this.
For example, let's say we have already identified an HTTP server on port 80. We could use NSE for directory enumeration with the following command:
$ sudo nmap -p 80 --script http-enum 127.0.0.1
We can also run multiple scripts by separating them with commas:
$ sudo nmap -p 21,80 --script ftp-anon,http-enum 127.0.0.1
Running Groups of scripts
We can also run groups of scripts, for example every script whose name starts with http:
$ nmap 127.0.0.1 --script "http*"
Important
The quotes are important: without them the shell would expand http* against the file names in the current directory before Nmap ever saw the argument.
Or all the scripts in a given category:
$ nmap 127.0.0.1 --script "auth"
# Or combinations of categories
$ nmap 127.0.0.1 --script "default or safe"
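To see what makes Nmap "only run a script when the conditions are met", here is a minimal NSE script written as an added example for this page (it is not one of Nmap's shipped scripts): the portrule restricts it to HTTP ports, and the action reports which common security response headers the server omits. The file name http-header-check.nse and the header list are assumptions for the example.

```lua
-- Added example NSE script, not part of the Nmap distribution.
-- Save as http-header-check.nse and run it by path with:
--   nmap -p 80 --script ./http-header-check.nse 127.0.0.1
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Fetches / from a web server and reports which common security response
headers are missing. Illustrates how a portrule limits when a script runs.
]]

author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- The portrule is the "clever" part: Nmap only schedules this script
-- against ports it recognises as HTTP (by well-known port number or
-- by version detection), so it never fires against an FTP or SSH port.
portrule = shortport.http

-- Headers a hardened server is expected to send (constructed list).
local expected = {
  "strict-transport-security",
  "content-security-policy",
  "x-content-type-options",
  "x-frame-options",
}

action = function(host, port)
  local response = http.get(host, port, "/")
  if not response or not response.status then
    return nil  -- no usable answer; stay silent like most safe scripts
  end

  -- response.header is indexed by lowercase header name.
  local output = stdnse.output_table()
  output.status = response.status
  local missing = {}
  for _, name in ipairs(expected) do
    if response.header[name] == nil then
      table.insert(missing, name)
    end
  end
  output.missing = (#missing > 0) and missing or "none"
  return output
end
```

Because the script is in the safe category, it would also be picked up by --script "safe" if it were placed in Nmap's scripts directory and the script database were rebuilt with --script-updatedb.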