Nmap comes with 586 NSE scripts. 148 of them are default (-sC) or version (-sV) scripts. The rest (438) have to be invoked directly or by category, so many folks don’t use them. Here are my top 18 NSE scripts you should run in 2018:
Fingerprint hundreds of web apps and embedded devices with http-enum. Got Nikto? http-enum uses that fingerprint file, too: https://nmap.org/nsedoc/scripts/http-enum.html Found a device with a web interface? Check for default creds with http-default-accounts.
Import a list of targets to scan directly from the XML output of another scan with targets-xml. Lots of scripts that discover new addresses let you scan them in the same command with --script-args newtargets
Enumerate subdomains with dns-brute. Brute-force resolve common hostnames and SRV records against discovered DNS servers.
4. broadcast and safe
All 38 scripts in the "broadcast and safe" categories. Find targets & discover services like ATAoE, DB2, DHCP, DNSSD, Dropbox, NetBIOS, OSPF2, UPnP, WPAD, and XDMCP on your local LAN: --script 'broadcast and safe'
Use Hollywood-style byte-by-byte bruteforce to find #IPv6 PTR DNS records with dns-ip6-arpa-scan
IPv6 network address ranges are absurdly large. Find and scan #IPv6 targets on your local LAN with targets-ipv6-multicast-* scripts.
Find internal/private IP addresses leaked in some HTTP services and SSL certificates with http-bigip-cookie, ssl-cert-intaddr, http-internal-ip-disclosure
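What those three scripts look for is easy to reproduce when you are auditing your own services. The block below is an added example, not code from Nmap or from the author of this list: it scans a constructed HTTP response and a constructed certificate SAN list for non-public IPv4 addresses, and decodes the classic BIG-IP persistence cookie format ("<ip as little-endian int>.<port as little-endian int>.0000") that http-bigip-cookie reports. The sample response, cookie name and SANs are made up for the example.

```python
import ipaddress
import re

# Constructed sample data (not real scan output): a redirect that leaks an
# internal address, a classic BIG-IP persistence cookie, and a certificate
# whose SAN list contains an RFC 1918 address.
SAMPLE_HTTP_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://10.1.2.3/login\r\n"
    "Set-Cookie: BIGipServerpool_web=1677787402.36895.0000; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Redirecting to https://www.example.com/</body></html>\r\n"
)
SAMPLE_CERT_SANS = ["www.example.com", "192.168.50.7", "mail.example.com"]

# Four dotted decimal groups, not preceded/followed by more digits or dots,
# so "HTTP/1.1" and the cookie's "1677787402.36895.0000" do not match.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def internal_addresses(text):
    """Return the set of non-public IPv4 addresses (private, loopback,
    link-local, ...) that appear literally in text."""
    found = set()
    for match in IPV4_RE.finditer(text):
        try:
            addr = ipaddress.IPv4Address(match.group(1))
        except ValueError:  # e.g. 999.1.1.1 looks like an IP but is not one
            continue
        if not addr.is_global:
            found.add(str(addr))
    return found


def decode_bigip_cookie(value):
    """Decode the classic BIG-IP cookie encoding: '<ip>.<port>.0000' where
    ip is a 32-bit and port a 16-bit little-endian integer.  The newer
    IPv6 and route-domain encodings are not handled here."""
    parts = value.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    ip_int, port_int = int(parts[0]), int(parts[1])
    octets = [(ip_int >> shift) & 0xFF for shift in (0, 8, 16, 24)]
    port = ((port_int & 0xFF) << 8) | (port_int >> 8)
    return ".".join(str(o) for o in octets), port


def find_leaks(http_response, cert_sans):
    """Collect internal-address disclosures from an HTTP response and the
    subjectAltName list of the certificate served on the same port."""
    findings = {
        "http": internal_addresses(http_response),
        "cert": internal_addresses(" ".join(cert_sans)),
        "bigip": [],
    }
    for line in http_response.split("\r\n"):
        lowered = line.lower()
        if lowered.startswith("set-cookie:") and "bigipserver" in lowered:
            cookie = line.split(":", 1)[1].strip().split(";", 1)[0]
            name, _, value = cookie.partition("=")
            decoded = decode_bigip_cookie(value)
            if decoded:
                findings["bigip"].append((name, decoded[0], decoded[1]))
    return findings


if __name__ == "__main__":
    for kind, items in find_leaks(SAMPLE_HTTP_RESPONSE, SAMPLE_CERT_SANS).items():
        print(kind, sorted(items))
```

`is_global` does the RFC 1918 / loopback / link-local classification, so the check does not need a hand-maintained list of ranges; feed it the raw response and SAN list you already collect from your own hosts.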
8. tn3270-screen and others
Hack the Gibson or other IBM mainframe systems with scripts by @mainframed767: tn3270-screen, tso-enum, tso-brute, vtam-enum, cics-info, cics-enum, cics-user-enum, cics-brute
Updated VNC scripts, which add support for the Apple Remote Desktop, VeNCrypt, Tight, and TLS security types. Enumerate with vnc-info, brute force with vnc-brute, grab screen info with vnc-title.
Check general web security with fast scripts & deep spiders like http-security-headers, http-cookie-flags, http-crossdomainxml, http-csrf, http-errors, http-dombased-xss, http-fileupload-exploiter, http-rfi-spider
Formidable SSH security checks with new libssh2-based scripts: ssh-publickey-acceptance, ssh-run, ssh-auth-methods, ssh-brute
13. shodan-api and others
The "external" NSE category contains scripts that query third-party services. Use shodan-api to query @shodanhq with Nmap: https://nmap.org/nsedoc/scripts/shodan-api.html (Other fun external scripts: http-xssed, http-google-malware, targets-asn, asn-query)
Geolocate your targets and plot them on @googlemaps, thanks to @mak_kolybabi. Run one of the ip-geolocation scripts along with ip-geolocation-map-kml (or use your API key with ip-geolocation-map-google or ip-geolocation-map-bing).
NSE has 73 brute-force credential testing scripts. Why not check out http-form-brute, which can handle all sorts of complicated CSRF and cookie schemes, and works great against Django, WordPress, MediaWiki, Joomla, and Drupal.
Spider a site for emails, IP addresses, #creditcard numbers, SSN, or write your own custom patterns with http-grep
Check for weak TLS/SSL configurations everywhere, even SMTP, RDP, VNC, etc. with ssl-enum-ciphers (Related scripts include ssl-dh-params, ssl-heartbleed, ssl-poodle, tls-ticketbleed, etc.)
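Running ssl-enum-ciphers across every TLS-speaking port (-oX) leaves you with a lot of XML to read. The block below is an added example, not part of this list or of Nmap: it parses the script's structured output (one `<table>` per protocol version, a `ciphers` table with per-cipher `strength` grades A through F, an optional `warnings` table, and a top-level `least strength` element, which is the layout the script emits) and reports each port that has a cipher graded below the threshold, a warning, or an obsolete protocol version. The host, ports and cipher lists in the embedded XML are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML fragment shaped like real ssl-enum-ciphers output:
# an HTTPS port that still offers TLS 1.0 with 3DES, and an SMTP port
# (STARTTLS) that only offers a modern suite.  Addresses and results are made up.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
<script id="ssl-enum-ciphers" output="...">
<table key="TLSv1.0">
<table key="ciphers">
<table><elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem><elem key="kex_info">rsa 2048</elem><elem key="strength">C</elem></table>
<table><elem key="name">TLS_RSA_WITH_AES_128_CBC_SHA</elem><elem key="kex_info">rsa 2048</elem><elem key="strength">A</elem></table>
</table>
<table key="compressors"><elem>NULL</elem></table>
<elem key="cipher preference">server</elem>
<table key="warnings"><elem>64-bit block cipher 3DES vulnerable to SWEET32 attack</elem></table>
</table>
<table key="TLSv1.2">
<table key="ciphers">
<table><elem key="name">TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</elem><elem key="kex_info">secp256r1</elem><elem key="strength">A</elem></table>
</table>
<table key="compressors"><elem>NULL</elem></table>
<elem key="cipher preference">server</elem>
</table>
<elem key="least strength">C</elem>
</script>
</port>
<port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/>
<script id="ssl-enum-ciphers" output="...">
<table key="TLSv1.2">
<table key="ciphers">
<table><elem key="name">TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</elem><elem key="kex_info">secp256r1</elem><elem key="strength">A</elem></table>
</table>
<table key="compressors"><elem>NULL</elem></table>
<elem key="cipher preference">server</elem>
</table>
<elem key="least strength">A</elem>
</script>
</port>
</ports></host></nmaprun>"""

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def grade_rank(grade):
    """Map a letter grade to a number; A is best.  Anything that is not a
    single letter A-F (e.g. 'unknown') is treated as the worst grade."""
    if grade and len(grade) == 1 and "A" <= grade <= "F":
        return ord(grade) - ord("A")
    return ord("F") - ord("A")


def triage_ssl_enum_ciphers(xml_text, min_grade="A"):
    """Return one finding dict per port whose ssl-enum-ciphers result has a
    cipher graded below min_grade, a warning, or an obsolete protocol."""
    findings = []
    threshold = grade_rank(min_grade)
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            script = port.find("script[@id='ssl-enum-ciphers']")
            if script is None:
                continue
            weak, warnings, protocols = [], [], []
            for proto in script.findall("table"):
                name = proto.get("key")
                protocols.append(name)
                for cipher in proto.findall("table[@key='ciphers']/table"):
                    grade = cipher.findtext("elem[@key='strength']")
                    if grade_rank(grade) > threshold:
                        weak.append((name, cipher.findtext("elem[@key='name']"), grade))
                for warning in proto.findall("table[@key='warnings']/elem"):
                    warnings.append((name, warning.text))
            obsolete = [p for p in protocols if p in OBSOLETE_PROTOCOLS]
            least = script.findtext("elem[@key='least strength']")
            if weak or warnings or obsolete or grade_rank(least) > threshold:
                findings.append({
                    "host": addr,
                    "port": int(port.get("portid")),
                    "least_strength": least,
                    "weak_ciphers": weak,
                    "warnings": warnings,
                    "obsolete_protocols": obsolete,
                })
    return findings


if __name__ == "__main__":
    for finding in triage_ssl_enum_ciphers(SAMPLE_NMAP_XML):
        print(finding)
```

Point it at the -oX file of a scan run with `--script ssl-enum-ciphers -p-` and the SMTP, RDP and VNC ports show up alongside 443, because the script attaches to any port where the service probe negotiated TLS or STARTTLS.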
18. big vulnerabilities
Keep up with the latest big vulnerabilities like Struts RCE (http-vuln-cve2017-5638), Intel AMT privesc (http-vuln-cve2017-5689), MS17-010 (smb-vuln-ms17-010), and lots more.