- Nmap Network Scanning
- Chapter15.Nmap Reference Guide
- Nmap Scripting Engine (NSE)
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts (using the Lua programming language ) to automate a wide variety of networking tasks. Those scripts are executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.
Tasks we had in mind when creating the system include network discovery, more sophisticated version detection, vulnerability detection. NSE can even be used for vulnerability exploitation.
To reflect those different uses and to simplify the choice of which scripts to run, each script contains a field associating it with one or more categories. Currently defined categories are auth, broadcast, default. discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln. These are all described in the section called “Script Categories”.
Scripts are not run in a sandbox and thus could accidentally or maliciously damage your system or invade your privacy. Never run scripts from third parties unless you trust the authors or have carefully audited the scripts yourself.
The Nmap Scripting Engine is described in detailin Chapter9, Nmap Scripting Engine and is controlled by the following options:
-sCPerforms a script scan using the default set of scripts. It is equivalent to
--script=default. Some of the scripts in this category are considered intrusive and should not be run against a target network without permission.-
--script<filename>|<category>|<directory>/|<expression>[,...] Runs a script scan using the comma-separated list of filenames, scriptcategories, and directories. Each element in the list may also be aBoolean expression describing a more complex set of scripts. Eachelement is interpreted first as an expression, then as a category, andfinally as a file or directory name.
There are two special features for advanced users only.One is to prefix script names and expressions with
+to force them to run even if they normallywouldn't (e.g. the relevant service wasn't detected on the targetport). The other is that the argumentallmay beused to specify every script in Nmap's database. Be cautious withthis because NSE contains dangerous scripts such as exploits, bruteforce authentication crackers, and denial of service attacks.File and directory names may be relative or absolute. Absolute names areused directly. Relative paths are looked for in the
scriptsof each of the following places untilfound:When a directory name ending in
/is given, Nmap loads every file in the directorywhose name ends with.nse. All other files areignored and directories are not searched recursively. When a filename isgiven, it does not have to have the.nseextension;it will be added automatically if necessary.Nmap scripts are stored in a
scriptssubdirectory of the Nmap data directory by default(see Chapter14, Understanding and Customizing Nmap Data Files).For efficiency, scripts are indexed ina database storedinscripts/script.db,which lists the category or categories in which each script belongs.When referring to scripts from
script.dbby name, you can use a shell-style ‘*’ wildcard.- nmap --script "http-*"
Loads all scripts whose name starts with
http-, such ashttp-authandhttp-open-proxy. The argument to--scripthad to be in quotes to protect the wildcard from the shell.
More complicated script selection can be done using the
and,or, andnotoperators to build Boolean expressions. The operators have the same precedence as in Lua:notis the highest, followed byandand thenor. You can alter precedence by using parentheses. Because expressions contain space characters it is necessary to quote them.- nmap --script "not intrusive"
Loads every script except for those in the
intrusivecategory.- nmap --script "default or safe"
This is functionally equivalent to nmap --script "default,safe". It loads all scripts that are in the
defaultcategory or thesafecategory or both.- nmap --script "default and safe"
Loads those scripts that are in both the
defaultandsafecategories.- nmap --script "(default or safe or intrusive) and not http-*"
Loads scripts in the
default,safe, orintrusivecategories, except for those whose names start withhttp-.
--script-args<n1>=<v1>,<n2>={<n3>=<v3>},<n4>={<v4>,<v5>}Lets you provide arguments to NSE scripts. Arguments are a comma-separated listof
name=valuepairs. Names and values may be strings notcontaining whitespace or the characters‘{’,‘}’,‘=’, or‘,’.To include one of these characters in a string, enclose the string in single ordouble quotes. Within a quoted string, ‘\’escapes a quote. A backslash is only used to escape quotation marks in thisspecial case; in all other cases a backslash is interpreted literally. Valuesmay also be tables enclosed in{}, just as in Lua. A tablemay contain simple string values or more name-value pairs, including nestedtables. Many scripts qualify their arguments with the script name, as inxmpp-info.server_name. You may use that full qualified version to affect just the specified script, or you may pass the unqualified version (server_namein this case) to affect all scripts using that argument name. A script will first check for its fully qualified argument name (the name specified in its documentation) before it accepts an unqualified argument name. A complex example of script arguments is--script-args 'user=foo,pass=",{}=bar",whois={whodb=nofollow+ripe},xmpp-info.server_name=localhost'. The online NSE Documentation Portal at https://nmap.org/nsedoc/lists the arguments that each script accepts.--script-args-file<filename>Lets you load arguments to NSE scripts from a file. Any arguments on the command line supersede ones in the file. The file can be an absolute path, or a path relative to Nmap's usual search path (NMAPDIR, etc.) Arguments can be comma-separated or newline-separated, but otherwise follow the same rules as for
--script-args, without requiring special quoting and escaping, since they are not parsed by the shell.-
--script-help<filename>|<category>|<directory>|<expression>|all[,...] Shows help about scripts. For each script matching the given specification, Nmap prints the script name, its categories, and its description. The specifications are the same as those accepted by
--script; so for example if you want help about theftp-anonscript, you would run nmap --script-help ftp-anon. In addition to getting help for individual scripts, you can use this as a preview of what scripts will be run for a specification, for example with nmap --script-help default.--script-traceThis option does what
--packet-tracedoes, just one ISO layer higher. If this option is specified all incoming and outgoing communication performed by a script is printed. The displayed information includes the communication protocol, the source, the target and the transmitted data. If more than 5% of all transmitted data is not printable, then the trace output is in a hex dump format. Specifying--packet-traceenables script tracing too.--script-updatedbThis option updates the script database found in
scripts/script.dbwhich is used by Nmap to determine the available default scripts and categories. It is only necessary to update the database if you have added or removed NSE scripts from the defaultscriptsdirectory or if you have changed the categories of any script. This option is generally used by itself: nmap --script-updatedb.
