
Nmap Scripting Engine (NSE)

The Nmap Scripting Engine (NSE) is a powerful feature of Nmap that allows users to automate a wide variety of networking tasks using scripts. These scripts can perform tasks such as network discovery, vulnerability detection, exploitation, and more. NSE scripts are written in Lua, a lightweight scripting language.


Syntax

nmap --script <script-name> <target>

Explanation:

  • --script <script-name>: Specifies the NSE script or category to use.
  • <script-name> can be:
    • A single script (e.g., ftp-anon)
    • Multiple scripts separated by commas (e.g., ftp-anon,ftp-brute)
    • A wildcard to include multiple related scripts (e.g., "ftp-*"), quoted so the shell does not expand it before Nmap sees it.

Examples

1. Single Script Example

nmap -p 21 --script ftp-anon 192.168.1.1

Explanation:

  • -p 21: Scans port 21, typically used for FTP.
  • --script ftp-anon: Runs the ftp-anon NSE script, which checks for anonymous FTP login capability.
  • 192.168.1.1: Target IP address.

Output (Example):

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (username: anonymous)
|_drwxrwxrwx   2 0        0            4096 Sep 01 12:34 public

This output shows that anonymous FTP login is allowed, and the public directory is accessible.


2. Multiple Scripts Example

nmap -p 21 --script ftp-anon,ftp-brute 192.168.1.1

Explanation:

  • ftp-anon: Checks for anonymous FTP login.
  • ftp-brute: Attempts brute force login on the FTP server using a predefined username/password dictionary.

Output (Example):

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (username: anonymous)
|_drwxrwxrwx   2 0        0            4096 Sep 01 12:34 public
| ftp-brute:
| Accounts
|_ admin:password - Valid credentials

This shows both that anonymous login is allowed and that valid credentials (admin:password) were found.
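
When scans like this are run across many hosts, the script output has to be turned into findings someone can act on. The following is an added example, not part of the original page or of Nmap: it parses the output format shown above and flags anonymous FTP, world-writable directories and accounts with guessable passwords. The function names and issue labels are hypothetical, and it assumes each script block ends with a "|_" line as in the sample.

```python
import re
# Constructed sample: the scan output printed in example 2 on this page.
SAMPLE = """\
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (username: anonymous)
|_drwxrwxrwx   2 0        0            4096 Sep 01 12:34 public
| ftp-brute:
| Accounts
|_ admin:password - Valid credentials
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
HEAD_RE = re.compile(r"^\|[ _]([A-Za-z0-9][\w-]*):\s?(.*)$")  # "| script-id: text"
MODE_RE = re.compile(r"^[d-][rwxsStT-]{9}\s")                  # ls -l style mode string

def parse_scripts(text):
    """Return {(port, proto): {script_id: [output lines]}} from normal nmap output."""
    results, port, current = {}, None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:                                   # new port row resets the script state
            port, current = (int(m.group(1)), m.group(2)), None
            continue
        if port is None or not line.startswith("|"):
            continue
        body = line[2:]
        if current is None:                     # first line of a script block
            h = HEAD_RE.match(line)
            if not h:
                continue
            current = results.setdefault(port, {}).setdefault(h.group(1), [])
            body = h.group(2)
        if body.strip():
            current.append(body.strip())
        if line.startswith("|_"):               # "|_" marks the block's last line
            current = None
    return results

def findings(results):
    """Hypothetical triage rules: (port, issue, detail) tuples for the FTP scripts."""
    out = []
    for (port, _proto), scripts in sorted(results.items()):
        anon = scripts.get("ftp-anon", [])
        if any("Anonymous FTP login allowed" in l for l in anon):
            out.append((port, "anonymous-ftp", ""))
            out += [(port, "world-writable", l.split()[-1])   # index 8 = other-write bit
                    for l in anon if MODE_RE.match(l) and l[8] == "w"]
        out += [(port, "weak-credentials", l.split(":")[0])   # account name only
                for l in scripts.get("ftp-brute", []) if "Valid credentials" in l]
    return out
```

Calling findings(parse_scripts(SAMPLE)) reports the account name but not the password, so the triage list can be shared without spreading the credential.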


3. Using Wildcards

nmap -p 21 --script "ftp-*" 192.168.1.1

Explanation:

  • ftp-*: Runs every script whose name begins with ftp- (e.g., ftp-anon, ftp-brute, etc.). The quotes keep the shell from expanding the wildcard.
  • Useful when you want to perform comprehensive testing of all FTP-related functionality.

NSE Categories

NSE scripts are divided into categories based on their purpose. Examples include:

  1. Auth: Authentication bypass and brute force.
  2. Vuln: Detect vulnerabilities.
  3. Discovery: Network discovery.
  4. Exploit: Exploit vulnerabilities.
  5. Safe: Scripts considered safe to run in any environment.

Updating NSE Scripts

Use the --script-updatedb option to update the NSE script database after adding new scripts:

nmap --script-updatedb