Using NSE scripts:
The Nmap Scripting Engine (NSE) widens the capabilities of the network mapper through the use of Lua scripts.
NSE scripts are very versatile and have become one of the main features of Nmap; they allow the user to go as far as vulnerability exploitation.
To enable the script scan, use the -sC option. This selects the NSE scripts in the default category and executes them against the target(s).
In the example output, the ssh-hostkey and http-title scripts produced results; which scripts report depends on whether their host or port rules match.
In other words, -sC enables script scan mode, which executes the default scripts whose host and port rules match the target.
The NSE script categories are the following:
auth: scripts related to user authentication
broadcast: a very interesting category of scripts that use broadcast requests to gather information
brute: scripts that help conduct brute-force password auditing
default: scripts that are executed when a script scan is run (-sC)
discovery: scripts related to host and service discovery
dos: scripts related to denial of service attacks
exploit: scripts that exploit security vulnerabilities
external: scripts that depend on a third-party service
fuzzer: scripts that are focused on fuzzing
intrusive: scripts that might crash something or generate a lot of network noise; scripts that system administrators may consider intrusive belong to this category
malware: scripts related to malware detection
safe: scripts that are considered safe in all situations
version: scripts that are used for advanced version detection
vuln: scripts related to security vulnerabilities
NSE script arguments:
The --script-args flag is used to set the arguments of NSE scripts. For example, to set the HTTP library's useragent argument, you would use the following:
nmap --script http-title --script-args http.useragent="Mozilla 999" <target>
You can also use aliases (the argument name without the script-name prefix) when setting the arguments of NSE scripts:
nmap -p80 --script http-trace --script-args path <target>
This is equivalent to the fully qualified form:
nmap -p80 --script http-trace --script-args http-trace.path <target>
Users may select specific scripts to run with the Nmap option --script <filename or path/folder/category/expression>:
nmap --script <filename or path/folder/category/expression> <target>
For example, the command to run the NSE script dns-brute is as follows:
nmap --script dns-brute <target>
The Nmap Scripting Engine also supports selecting several scripts or categories at once:
Execute all the scripts in the vuln category:
nmap -sV --script vuln <target>
Scripts in the version or discovery categories:
nmap -sV --script="version,discovery" <target>
Running all the scripts except for the ones in the exploit category:
nmap -sV --script "not exploit" <target>
All HTTP scripts except http-brute and http-slowloris:
nmap -sV --script "(http-*) and not(http-slowloris or http-brute)" <target>
Adding new scripts:
There are occasions where you need scripts that are not officially included in Nmap. To test them, copy them to the scripts folder inside your Nmap directory and update the script database with the following command:
After updating the database, select them as you would any other script with the --script option. You can also execute scripts without adding them to the database by passing the script path as the argument:
# nmap --script /root/loot/nonofficial.nse <target>
The https://secwiki.org/w/Nmap/External_Script_Library Wiki page keeps track of scripts that, for various reasons, are not included officially with Nmap.
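As an added example (not part of this page, and not an official Nmap or External Script Library script), here is a minimal non-official NSE script of the kind you could drop into the scripts folder or run by path. It ties together the pieces above: categories, a port rule, and a script argument that accepts both the full name and its alias. The script name http-sec-headers, the argument name path, and the header list are assumptions.

```lua
-- http-sec-headers.nse (hypothetical name; added example, not an official script)
-- Reports which common browser security headers an HTTP server omits.
local http      = require "http"
local shortport = require "shortport"
local stdnse    = require "stdnse"

description = [[
Requests one path from an HTTP service and lists the common browser
security headers that are missing from the response.
]]

author  = "Example author"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- Not in "default", so -sC will not run it; select it with --script
-- by name, by path, or via the "safe" / "discovery" categories.
categories = {"safe", "discovery"}

---
-- @usage
-- nmap -p80,443 --script ./http-sec-headers.nse --script-args path=/login <target>
-- @args http-sec-headers.path Path to request (default: /). Alias: path

-- Port rule: run only against ports that look like HTTP services.
portrule = shortport.http

-- Headers a hardened web server is expected to send (assumed list).
local EXPECTED = {
  "strict-transport-security",
  "content-security-policy",
  "x-content-type-options",
  "x-frame-options",
}

action = function(host, port)
  -- get_script_args accepts "http-sec-headers.path" or the alias "path".
  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
  local resp = http.get(host, port, path)
  if not resp or not resp.status then
    return nil  -- no HTTP response: print nothing for this port
  end

  local missing = {}
  for _, name in ipairs(EXPECTED) do
    -- the http library lowercases header names in resp.header
    if not resp.header[name] then table.insert(missing, name) end
  end

  local out = stdnse.output_table()
  out.path, out.status = path, resp.status
  if #missing > 0 then out.missing = missing else out.result = "all expected headers present" end
  return out
end
```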