The Nmap Scripting Engine (NSE) is a framework that allows you to write and execute custom scripts in the Lua programming language. These scripts can automate tasks like service version detection, vulnerability scanning, and even advanced attacks.
NSE enhances Nmap by performing more specific and detailed network assessments beyond just finding open ports.
Key points
- Built-in Lua scripting engine
- Scripts can be used for advanced scanning tasks
- Scripts are categorized (e.g., discovery, vulnerability, exploit)
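To show what such a Lua script looks like in practice, here is a small NSE script written for this page (an added example, not one of Nmap's bundled scripts): it fetches the root page of each HTTP service and reports which common security response headers are present and which are missing. The script name `http-sec-headers-check` and the header list are assumptions chosen for the example.

```lua
-- http-sec-headers-check.nse (added example; file name is an assumption)
-- Reports presence/absence of common HTTP security headers on a web service.
local shortport = require "shortport"
local stdnse = require "stdnse"
local http = require "http"

description = [[
Requests the root path of an HTTP service and lists which common
security-related response headers are set and which are missing.
]]

author = "Example author"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- Categories decide which --script selectors match this script (e.g. --script=safe).
categories = {"discovery", "safe"}

-- Run only against ports that look like HTTP/HTTPS services.
portrule = shortport.http

-- Headers to check; nmap's http library lowercases header names.
local WANTED = {
  "strict-transport-security",
  "content-security-policy",
  "x-content-type-options",
  "x-frame-options",
}

action = function(host, port)
  local response = http.get(host, port, "/")
  if not response or not response.status then
    -- No usable answer: return nil so nothing is printed for this port.
    return nil
  end

  local output = stdnse.output_table()
  output.status = response.status
  output.present = {}
  output.missing = {}
  for _, name in ipairs(WANTED) do
    if response.header[name] then
      table.insert(output.present, name)
    else
      table.insert(output.missing, name)
    end
  end
  return output
end
```

Save the file and run it directly by path, e.g. `nmap --script ./http-sec-headers-check.nse -p 80,443 192.168.1.10`; copying it into Nmap's scripts directory and running `nmap --script-updatedb` makes it selectable by name and category.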
Running Scripts with -sC
The -sC option runs the default scripts. These scripts are a pre-defined set of commonly useful scripts for tasks like version detection and service enumeration.
nmap -sC 192.168.1.10
Running Specific Scripts with --script
You can specify particular scripts to run using the --script option. You can run one or more scripts by separating them with commas. If the script is part of a category, you can specify the category name instead.
nmap --script=http-title 192.168.1.10 # Runs the http-title script
nmap --script=vuln 192.168.1.10 # Runs all vulnerability scripts
Script Categories
NSE scripts are categorized based on their function. Common categories include:
- Discovery: Identifies services, protocols, and versions
- Vulnerability: Detects potential weaknesses and known vulnerabilities
- Exploit: Attempts to exploit vulnerabilities
- Brute Force: Tries many credential guesses against services like SSH or HTTP
- Intrusive: Potentially disruptive, used for deep penetration testing
Example: Running all scripts in a category
nmap --script=discovery 192.168.1.10
Example: Running a Vulnerability Scan
Running a specific vulnerability script can help identify weaknesses in services. For example, you can check for the known Heartbleed vulnerability using the ssl-heartbleed script.
nmap --script=ssl-heartbleed 192.168.1.10
NSE Script Output
When running NSE scripts, Nmap will show detailed results, often with information like service versions, vulnerabilities, or open ports. Here’s an example of the output when running the http-title script:
Nmap scan report for 192.168.1.10
Host is up (0.00035s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29
| http-title: Site doesn't have a title (text/html).
|_Requested resource was http://192.168.1.10/
Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
Example Script Categories and Use Cases
Script Category | Example Scripts | Use Case |
---|---|---|
Discovery | http-title, dns-brute | Discover web pages, DNS records |
Vulnerability | smb-vuln-ms17-010, ssl-heartbleed | Find security flaws, such as Heartbleed or MS17-010 |
Exploit | smb-ms10-061, http-shellshock | Test whether known vulnerabilities are exploitable |
Brute Force | ssh-brute, http-brute | Attempt brute-force logins |
Intrusive | http-slowloris, smb-psexec | Disrupt services or test for advanced exploits |