NSE Scripting

Nmap’s Scripting Engine (NSE) is one of the most powerful features available to pentesters. It extends Nmap from a simple scanner into a full reconnaissance and enumeration framework. NSE scripts automate tasks such as service enumeration, vulnerability discovery, authentication testing, brute forcing, misconfiguration detection, and protocol analysis. Understanding NSE allows pentesters to perform deeper scans with accuracy and speed.

NSE scripts are written in Lua and grouped into categories. Each category targets a different aspect of the system, making NSE extremely flexible and capable of performing detailed assessments.

What NSE Scripting Does

NSE scripts perform advanced tasks that go far beyond basic scans. They can:

  • Enumerate detailed service information

  • Identify vulnerabilities

  • Test authentication and access

  • Detect misconfigurations

  • Read banners and metadata

  • Dump service-specific information

  • Perform brute-force attacks (when allowed in scope)

  • Analyze protocols deeply

NSE gives pentesters the ability to automate tasks normally done manually.

NSE Script Categories

NSE scripts are organized into categories. Each category contains scripts designed for specific types of tasks.

discovery

Used for identifying services, paths, and information.

Examples include:

  • Finding web directories

  • Enumerating SMB shares

  • Extracting DNS information

vuln

Runs known vulnerability checks against services.

These scripts compare responses to known CVE patterns.

safe

Safe to run without damaging systems or triggering harmful behavior.

These are preferred for initial assessments.

intrusive

More aggressive; can affect system stability.

Used when allowed by rules of engagement.

auth

Tests authentication methods.

Identifies:

  • Default credentials

  • Weak configurations

  • Supported login methods

brute

Performs brute-force login attempts when permitted.

broadcast

Discovers hosts using broadcast-based protocols across the network.

exploit

Attempts exploitation when it is safe and allowed.

malware

Checks for signs of malware, backdoors, or botnet behavior.

Running NSE Scripts

NSE scripts can be used individually or combined with other scans.

Running Default Script Set

nmap -sC 10.10.10.5

This runs the default script category (equivalent to --script default), the commonly used scripts chosen for a first pass.

Default Scripts + Version Detection

nmap -sC -sV 10.10.10.5

This is one of the most effective enumeration combinations.

Running a Specific Script

nmap --script http-title 10.10.10.5

This retrieves the title of the web page served by an HTTP service, such as on port 80 or 443.

Running Multiple Scripts

nmap --script http-title,http-headers 10.10.10.5

Useful for web enumeration.

Running a Script Category

nmap --script vuln 10.10.10.5

This runs all vulnerability-related scripts.

Running All Scripts (Aggressive)

nmap --script all 10.10.10.5

This is extremely noisy and should only be used when explicitly allowed.

Practical NSE Usage

HTTP Enumeration

nmap --script http-enum -p80,443 10.10.10.5

Finds directories, hidden paths, and server information.

SMB Enumeration

nmap --script smb-enum-shares -p445 10.10.10.5

Lists visible SMB shares on Windows systems.

SSH Host Key Analysis

nmap --script ssh-hostkey 10.10.10.5

Retrieves SSH fingerprint information.

DNS Enumeration

nmap --script dns-brute 10.10.10.5

Attempts to discover subdomains.

Vulnerability Detection Example

nmap --script ssl-heartbleed -p 443 10.10.10.5

Checks for the Heartbleed vulnerability.

MySQL User Enumeration

nmap --script mysql-users -p3306 10.10.10.5

Enumerates MySQL users (whether the script is safe to run depends on the script's own category, so check it before use).

Script Output Analysis

NSE output often includes:

  • Detailed version information

  • Supported features

  • Detected misconfigurations

  • Vulnerability indicators

  • Authentication prompts

  • Usernames or metadata

  • Hidden paths or directories

Pentesters review this output to determine the next steps in enumeration or exploitation.

Writing Custom NSE Scripts (Basic Overview)

Pentesters can write custom scripts tailored to specific targets.

A simple NSE script contains:

  • A rule that defines when to run

  • An action that defines what to do

  • Lua code interacting with services

This allows automation for unique services or internal tools.
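A complete script showing the structure just described, added here as an example and not taken from the original page or from Nmap's own script collection: a safe-category script whose rule fires on HTTP ports and whose action reports which common browser security headers a service fails to send. The script name, the author string and the `.path` script argument are assumptions.

```lua
-- http-security-headers-check.nse (hypothetical name; added example, not an official Nmap script)
-- Run directly from a path: nmap --script ./http-security-headers-check.nse -p80,443 10.10.10.5
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Requests one page from an HTTP service and reports which common browser
security headers are missing. Read-only: a single GET request per port.
]]
author = "example author (placeholder)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Optional script argument selecting the path to request (default "/"):
--   --script-args http-security-headers-check.path=/login
local arg_path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"

-- Headers a hardened HTTP service is expected to send. Names are lowercase
-- because the NSE http library stores response headers with lowercase keys.
local EXPECTED = {
  "strict-transport-security",
  "content-security-policy",
  "x-content-type-options",
  "x-frame-options",
}

-- Rule: run only on ports Nmap identified as HTTP or HTTPS.
portrule = shortport.http

-- Action: fetch the page, compare headers, return a structured result.
action = function(host, port)
  local response = http.get(host, port, arg_path)
  if not response or not response.status then
    return nil  -- no HTTP answer: report nothing rather than guess
  end
  local out = stdnse.output_table()
  out.path = arg_path
  out.status = response.status
  out.present = {}
  out.missing = {}
  for _, name in ipairs(EXPECTED) do
    if response.header[name] then
      table.insert(out.present, name)
    else
      table.insert(out.missing, name)
    end
  end
  return out
end
```

Copying the file into Nmap's scripts/ directory and running nmap --script-updatedb lets it be selected by name or by its categories like the built-in scripts.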

Why NSE Scripting Matters

NSE transforms Nmap into an advanced recon, enumeration, and vulnerability assessment tool. It saves time, increases accuracy, and provides insights that standard scanning cannot reveal. Mastering NSE gives pentesters a major advantage during real-world assessments.

Intel Dump

  • NSE automates enumeration, vulnerability checks, and protocol analysis

  • Script categories include discovery, vuln, auth, brute, safe, intrusive, exploit

  • Common commands include -sC, -sV, --script category, and script combinations

  • NSE performs tasks like directory discovery, SMB enumeration, SSL analysis, and DNS brute forcing

  • Custom Lua scripts allow expanded functionality and targeted automation
