Top NMAP NSE scripts

Nmap comes with 586 NSE scripts. 148 of them run as part of default (-sC) or version (-sV) scans. The remaining 438 only run when you ask for them by name or by category with --script, so many people never use them. Here are my top 18 NSE scripts you should run in 2018:

1. http-enum and http-default-accounts
Fingerprint hundreds of web apps and embedded devices with http-enum. Got Nikto? http-enum can load Nikto's fingerprint database too (http-enum.nikto-db-path). https://nmap.org/nsedoc/scripts/http-enum.html Found a device with a web interface? Check for default credentials with http-default-accounts.

2. targets-xml
Import a list of targets directly from the XML output of an earlier scan with targets-xml: nmap --script targets-xml --script-args newtargets,targets-xml.iX=previous.xml. Many scripts that discover new addresses (broadcast, DNS and multicast discovery among them) let you scan what they find in the same command when you add --script-args newtargets.

3. dns-brute
Enumerate subdomains with dns-brute. Brute-force resolve common hostnames and SRV records against discovered DNS servers.

4. broadcast and safe
All 38 scripts that are in both the broadcast and safe categories. Find targets and discover services such as ATAoE, DB2, DHCP, DNS-SD, Dropbox, NetBIOS, OSPF2, UPnP, WPAD, and XDMCP on your local LAN: nmap --script 'broadcast and safe' (broadcast scripts run before host scanning, so no target argument is needed; add --script-args newtargets to scan whatever they find).

5. dns-ip6-arpa-scan
Use Hollywood-style, one-hex-digit-at-a-time brute force to find IPv6 PTR records under a prefix with dns-ip6-arpa-scan. Each label of an ip6.arpa name is one nibble, so the script guesses a nibble, queries the server, and prunes the whole subtree whenever the answer is NXDOMAIN instead of NOERROR. That turns an impossible 2^n sweep into a few hundred queries against a compliant server.
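The pruning walk described above, as an added example that is not code from Nmap or from the original post. A simulated authoritative server with a constructed zone (three PTR records under 2001:db8::/32) stands in for real DNS so it runs offline; the server honours the RFC 8020 rule that NXDOMAIN means nothing exists below the queried name, which is the assumption the technique rests on.

```python
"""Nibble-by-nibble walk of an ip6.arpa subtree, the technique dns-ip6-arpa-scan uses.

Added example, not code from Nmap or the post. A simulated authoritative server
(constructed zone below) stands in for real DNS so the walk runs offline.
"""
import ipaddress

# Constructed zone: the only PTR records that exist under 2001:db8::/32.
FAKE_PTRS = {
    "2001:db8::1": "gw.example.net",
    "2001:db8::53": "ns1.example.net",
    "2001:db8::a:1": "web.example.net",
}


def ip6arpa_name(hexprefix):
    """DNS name for a most-significant-first hex prefix: '2001' -> '1.0.0.2.ip6.arpa'."""
    return ".".join(reversed(hexprefix)) + ".ip6.arpa"


class FakeServer:
    """Answers PTR queries like an RFC 8020-compliant authoritative server:
    NXDOMAIN when no name exists at or below the queried name, NOERROR otherwise
    (with no answer record for an empty non-terminal)."""

    def __init__(self, ptrs):
        self.leaves = {}
        self.existing = set()
        self.queries = 0
        for addr, name in ptrs.items():
            hexaddr = ipaddress.IPv6Address(addr).exploded.replace(":", "")
            self.leaves[hexaddr] = name
            for i in range(1, 33):  # every ancestor exists as an empty non-terminal
                self.existing.add(hexaddr[:i])

    def query_ptr(self, hexprefix):
        self.queries += 1
        if hexprefix not in self.existing:
            return "NXDOMAIN", None
        return "NOERROR", self.leaves.get(hexprefix)


def walk_ip6_arpa(network, query_ptr):
    """Depth-first enumeration: extend the prefix one hex digit (one ip6.arpa label)
    at a time and drop every branch the server answers NXDOMAIN for."""
    net = ipaddress.IPv6Network(network)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 (one nibble per label)")
    root = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    found = {}
    stack = [root]
    while stack:
        cur = stack.pop()
        status, name = query_ptr(cur)
        if status == "NXDOMAIN":
            continue  # nothing below this label: 16**(32-len(cur)) names skipped
        if len(cur) == 32:  # full 128-bit address reached
            found[str(ipaddress.IPv6Address(int(cur, 16)))] = name
            continue
        stack.extend(cur + nib for nib in "0123456789abcdef")
    return found


def demo():
    """Walk the constructed zone; returns (records found, queries it took)."""
    server = FakeServer(FAKE_PTRS)
    found = walk_ip6_arpa("2001:db8::/32", server.query_ptr)
    return found, server.queries


if __name__ == "__main__":
    found, queries = demo()
    for addr, name in sorted(found.items()):
        hexaddr = ipaddress.IPv6Address(addr).exploded.replace(":", "")
        print(f"{ip6arpa_name(hexaddr)} -> {name}")
    print(f"{len(found)} PTR records found with {queries} queries (brute force: 16**24 names)")
```

Against a real server the caveat is the one the script documents: a resolver that answers NXDOMAIN for empty non-terminals (or NOERROR for everything, e.g. a wildcard zone) breaks the pruning, so check the response code for a name you know is an ancestor before trusting the results.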

6. targets-ipv6-multicast-echo
IPv6 network address ranges are absurdly large, so scanning them blind is pointless. Find live IPv6 hosts on your local LAN with the targets-ipv6-multicast-* scripts (echo, invalid-dst, mld, slaac) and scan them in the same run: nmap -6 --script targets-ipv6-multicast-echo --script-args newtargets (add -e <interface> if Nmap cannot pick the interface itself).

7. ssl-cert-intaddr
Find internal/private IP addresses leaked by some HTTP services and SSL certificates: http-bigip-cookie decodes F5 BIG-IP persistence cookies to recover backend pool member addresses, ssl-cert-intaddr looks for private addresses in certificate fields, and http-internal-ip-disclosure provokes the classic Host-header-less redirect that reveals the server's own address.
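The BIG-IP cookie decoding that http-bigip-cookie performs, as an added example rather than Nmap's own code. The Set-Cookie headers are constructed; the two encodings handled (the plain little-endian `ip.port.0000` form and the `rd<id>o<hex>o<port>` route-domain form) are F5's documented formats, and the function returns None for anything else rather than guessing.

```python
"""Decode F5 BIG-IP persistence cookies to recover backend pool member addresses,
the check http-bigip-cookie performs.

Added example, not Nmap's code. Cookie values below are constructed.
"""
import ipaddress
import re
import struct

# Constructed Set-Cookie headers as a load balancer might return them.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "Set-Cookie: BIGipServerapi_pool=rd5o00000000000000000000ffff0a0a0064o80; path=/",
    "Set-Cookie: sessionid=abc123; HttpOnly",
]

COOKIE_RE = re.compile(r"BIGipServer(?P<pool>[^=;\s]*)=(?P<value>[^;\s]+)")


def decode_bigip_value(value):
    """Return (ip, port) for a BIGipServer cookie value, or None if the format is unknown.

    Plain form: '<ip>.<port>.0000' with the IPv4 address as a little-endian
    32-bit integer and the port as a byte-swapped 16-bit integer.
    Route-domain form: 'rd<id>o<16 bytes hex>o<port>' with IPv4 carried as an
    IPv4-mapped IPv6 address (::ffff:a.b.c.d) and the port in plain decimal.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.0000", value)
    if m:
        ip = ipaddress.IPv4Address(struct.pack("<I", int(m.group(1))))
        (port,) = struct.unpack("<H", struct.pack(">H", int(m.group(2))))
        return str(ip), port
    m = re.fullmatch(r"rd\d+o([0-9a-fA-F]{32})o(\d+)", value)
    if m:
        raw = bytes.fromhex(m.group(1))
        if raw[:12] == b"\x00" * 10 + b"\xff\xff":
            ip = ipaddress.IPv4Address(raw[12:])
        else:
            ip = ipaddress.IPv6Address(raw)
        return str(ip), int(m.group(2))
    return None


def find_bigip_leaks(headers):
    """Scan response headers; return [(pool, ip, port, is_private)] for every decodable cookie."""
    leaks = []
    for header in headers:
        for m in COOKIE_RE.finditer(header):
            decoded = decode_bigip_value(m.group("value"))
            if decoded:
                ip, port = decoded
                leaks.append((m.group("pool"), ip, port, ipaddress.ip_address(ip).is_private))
    return leaks


if __name__ == "__main__":
    for pool, ip, port, private in find_bigip_leaks(SAMPLE_HEADERS):
        print(f"pool={pool!r} backend={ip}:{port} private={private}")
```

The is_private flag is what makes the finding interesting: a pool member on 10.x or 192.168.x tells you the internal addressing scheme behind the load balancer, which is exactly the leak the NSE script reports.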

8. tn3270-screen and others
Hack the Gibson or other IBM mainframe systems with scripts by @mainframed767: tn3270-screen, tso-enum, tso-brute, vtam-enum, cics-info, cics-enum, cics-user-enum, cics-brute

9. vnc-title
The VNC library now supports the Apple Remote Desktop, VeNCrypt, Tight, and TLS security types. Enumerate servers and their auth types with vnc-info, brute force passwords with vnc-brute, and grab the desktop title and geometry with vnc-title.

10. http-security-headers
Check general web security with fast header checks and deep spiders alike: http-security-headers, http-cookie-flags, http-crossdomainxml, http-csrf, http-errors, http-dombased-xss, http-fileupload-exploiter, http-rfi-spider. The first three are safe, passive checks; the spiders and the CSRF/XSS/upload/RFI scripts are in the intrusive category and actively exercise the application, so run them only where you are authorized to.

11. ssh-brute
Formidable SSH security checks with the new libssh2-based scripts: ssh-publickey-acceptance (test which of a list of public keys a server will accept), ssh-run (run a command with known credentials), ssh-auth-methods, and ssh-brute.

12. smb-protocols
Enumerate all SMB versions with smb-protocols. Then take advantage of awesome new SMB2 support by @calderpwn: smb2-vuln-uptime, smb2-capabilities, smb2-security-mode, smb2-time
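What the SMB2 scripts pull out of a single NEGOTIATE exchange, as an added example that is not Nmap's code: the dialect the server picked (smb-protocols), the signing flags (smb2-security-mode), the server clock (smb2-time) and the boot time from which smb2-vuln-uptime infers missing reboots. The parser follows the MS-SMB2 header and NEGOTIATE response layouts; the response bytes are constructed by build_sample_response(), not captured from a real host, and the GUID and timestamps in it are arbitrary.

```python
"""Parse an SMB2 NEGOTIATE response: dialect, signing mode, server GUID and uptime,
the fields smb-protocols, smb2-security-mode, smb2-time and smb2-vuln-uptime report.

Added example, not Nmap's code. The response bytes are constructed by
build_sample_response(), not captured from a real server.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

SMB2_DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
EPOCH_DIFF = 11644473600              # seconds between 1601-01-01 and 1970-01-01
HEADER_FMT = "<4sHHIHHIIQIIQ16s"      # MS-SMB2 2.2.1 SMB2 header, 64 bytes
NEGOTIATE_FMT = "<HHHH16sIIIIQQHHI"   # MS-SMB2 2.2.4 NEGOTIATE response fixed part, 64 bytes


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601) to an aware UTC datetime."""
    return datetime.fromtimestamp(ft / 10_000_000 - EPOCH_DIFF, tz=timezone.utc)


def datetime_to_filetime(dt):
    return (int(dt.timestamp()) + EPOCH_DIFF) * 10_000_000


def parse_negotiate_response(data):
    """Return the security-relevant fields of an SMB2 NEGOTIATE response."""
    proto, _, _, status, command, *_ = struct.unpack(HEADER_FMT, data[:64])
    if proto != b"\xfeSMB":
        raise ValueError("not an SMB2 message (SMB1 messages start with \\xffSMB)")
    if command != 0:  # SMB2 NEGOTIATE
        raise ValueError(f"unexpected command {command:#x}")
    if status != 0:
        raise ValueError(f"server returned NTSTATUS {status:#010x}")
    (struct_size, security_mode, dialect, _ctx_count, server_guid, capabilities,
     max_transact, max_read, max_write, system_time, start_time,
     _sec_off, _sec_len, _ctx_off) = struct.unpack(NEGOTIATE_FMT, data[64:128])
    if struct_size != 65:
        raise ValueError("bad NEGOTIATE response StructureSize")
    # Samba and some appliances send ServerStartTime = 0, so uptime is not always available.
    uptime = (system_time - start_time) / 10_000_000 if start_time else None
    return {
        "dialect": SMB2_DIALECTS.get(dialect, f"{dialect:#06x}"),
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
        "server_guid": str(uuid.UUID(bytes_le=server_guid)),
        "capabilities": capabilities,
        "max_transact": max_transact, "max_read": max_read, "max_write": max_write,
        "system_time": filetime_to_datetime(system_time),
        "boot_time": filetime_to_datetime(start_time) if start_time else None,
        "uptime_seconds": uptime,
    }


def build_sample_response(dialect=0x0302, security_mode=0x0001, uptime_seconds=259200):
    """Constructed NEGOTIATE response (server -> client) for offline testing."""
    now = datetime(2020, 9, 13, 12, 26, 40, tzinfo=timezone.utc)
    boot = now - timedelta(seconds=uptime_seconds)
    # ProtocolId, StructureSize, CreditCharge, Status, Command, Credits, Flags (SERVER_TO_REDIR),
    # NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
    header = struct.pack(HEADER_FMT, b"\xfeSMB", 64, 0, 0, 0, 1, 0x1, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack(NEGOTIATE_FMT, 65, security_mode, dialect, 0,
                       uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le,
                       0x7, 8388608, 8388608, 8388608,
                       datetime_to_filetime(now), datetime_to_filetime(boot), 128, 0, 0)
    return header + body + b"\0"  # one-byte Buffer accounts for StructureSize 65


if __name__ == "__main__":
    for key, value in parse_negotiate_response(build_sample_response()).items():
        print(f"{key:>16}: {value}")
```

The signing_required flag is the one to act on: a server that only has signing enabled (0x01) but not required (0x02) is still open to SMB relay. The uptime check is a heuristic, as the script name says: a long uptime only tells you the host has not rebooted since before a patch date, not which patches are missing.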

13. shodan-api and others
The "external" NSE category contains scripts that query third-party services, so they reveal your targets to those services. Use shodan-api to query @shodanhq with Nmap (it needs --script-args shodan-api.apikey=<your key>): https://nmap.org/nsedoc/scripts/shodan-api.html (Other fun external scripts: http-xssed, http-google-malware, targets-asn, asn-query.)

14. ip-geolocation-map-kml
Geolocate your targets and plot them on @googlemaps, thanks to @mak_kolybabi. Run one of the ip-geolocation-* lookup scripts (geoplugin, ipinfodb, maxmind) together with ip-geolocation-map-kml to get a KML file, or use ip-geolocation-map-google or ip-geolocation-map-bing with your own API key to render the map directly.

15. http-form-brute
NSE has 73 brute-force credential-testing scripts. Check out http-form-brute, which handles all sorts of complicated CSRF-token and cookie schemes and works well against Django, WordPress, MediaWiki, Joomla, and Drupal. As with any brute-force script, mind account lockout policies on the target.

16. http-grep
Spider a site for email addresses, IP addresses, credit card numbers, and SSNs with http-grep's built-in patterns, or supply your own regular expressions with the http-grep.match script argument.

17. ssl-enum-ciphers
Check for weak TLS/SSL configurations everywhere, including STARTTLS services such as SMTP and TLS-wrapped protocols like RDP and VNC, with ssl-enum-ciphers, which grades each cipher suite and flags weak key exchange and export-grade ciphers. (Related scripts include ssl-dh-params, ssl-heartbleed, ssl-poodle, tls-ticketbleed, etc.)

18. big vulnerabilities
Keep up with the latest big vulnerabilities like Struts RCE (http-vuln-cve2017-5638), Intel AMT privesc (http-vuln-cve2017-5689), MS17-010 (smb-vuln-ms17-010), and lots more.

One thought on “Top NMAP NSE scripts”

  1. Brute force Active Directory usernames using Kerberos & a userid list!

    nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='[domain]',userdb=[user list] [DC IP]
