Nmap is a popular tool for scanning and monitoring networks. There are many ways to find information using Nmap, from blogs and articles to formal training. Yet few of these learning tools discuss one of Nmap's most powerful features: The Nmap Scripting Engine (NSE).
What is the NSE? This tool does two things. First, it allows the nmap
command to accept options that specify scripted procedures as part of a scan. Second, it enables Nmap users to author and share scripts, which provides a robust and ever-evolving library of preconfigured scans.
The NSE takes Nmap beyond the standard quick-and-dirty scans and into a deeper realm of automation, detail, and depth. Many authors have created scripts to address specific security requirements or troubleshoot queries.
Nmap provides extensive and detailed documentation for the application in general and for the NSE specifically. The documentation is broken down into sections that explain Nmap's functionality (with examples), identify the various categories and scripts, and provide guidance for creating scripts. In fact, Nmap's entire Chapter 9 is dedicated to the NSE.
NSE script types
NSE scripts are organized into 14 categories on the NSE Scripts documentation page. Many categories are security-oriented, while others hint at discovery and troubleshooting.
Some of the more interesting categories are:
- broadcast
- default
- discovery
- intrusive
- vuln
There are 604 scripts available on the NSE Scripts page—that's a lot!
Run a script
The primary option to add common NSE scripts to the nmap
command is -sC
. The --script
option defines which script to run if you're using your own script. Some scripts use customized arguments or react to the results of a more traditional Nmap scan.
nmap -sC
executes a scripted scan using the scrips in the default category. Make sure you know what these scripts do, as some of them will trip intrusion-detection software or are considered intrusive.
NOTE: As with all security utilities, be absolutely certain you are authorized to run the tools in a production network environment. Running so-called "hacker tools" on a production network can be a resume-generating event (RGE).
To load a specific script, such as banner, type:
$ nmap -sV --script=banner <target>
This script performs a basic banner grab on the targeted system(s). Note that you may need to use sudo
to run Nmap in some environments.
See the documentation for more information on customizing scripts and their execution.
Five useful NSE scripts
I discovered NSE scripts while troubleshooting a Dynamic Host Configuration Protocol (DHCP) issue, and in fact, the first two examples below are scripts that enumerate DHCP services. Many of the scripts display information on common network services, including Network Time Protocol (NTP), web services, name resolution, routing protocols, and more.
[ For more tips on writing scripts, download the Bash shell scripting cheat sheet. ]
Here are five useful scripts to get you started. But the best thing to do is browse the documentation and see what scans might be helpful in your environment. I suggest you work with these scripts before you have an issue; that way, you're already familiar with the NSE when you need it.
DHCP scripts
- broadcast-dhcp-discover: This broadcasts a DHCPDISCOVER message on the network and displays any resulting DHCPOFFER replies. Use the script to find rogue DHCP servers or as part of DHCP troubleshooting. This script is part of the broadcast category.
- dhcp-discover: This script is a little different than the broadcast version. It sends a DHCPINFORM message to get configuration settings without attempting to lease an IP address. It's part of the discovery category.
SMB servers
- smb-os-discovery: This is a script from the default category. It's an older script, so it may not return all information for Windows systems. It also discovers small and midsize business (SMB) servers, such as those using Samba.
- smb-enum-users: Find this script in the auth category. It attempts to enumerate users on Windows systems and runs with at least one local lower-privileged account. Such a script is useful for penetration testing (while wearing either a white or black hat).
SSH authentication
- ssh-auth-methods: This displays supported authentication methods for the targeted SSH server and is useful for footprinting. Check the auth category if this sounds like a valuable script for you.
There are hundreds more very practical scripts. Many target specific protocols or specific services, so be sure to check the site to see what might be useful for troubleshooting, enumeration, or penetration testing in your environment. You must be authorized to run such tools in a production environment.
Write Nmap scripts
The NSE documentation also explains how to create your own scripts. The explanation covers the sections of a script and discusses standard conventions. The documentation does a fantastic job of breaking down the scripts and explaining the components. There's a sample script that uses finger
to help you better understand how to use NSE.
Boost Nmap's power with NSE
This article summarizes a very large library of resources. On its own, Nmap is incredibly powerful and useful, and NSE supplements that with over 600 automated scans. While many of the scripts will not apply to your environment, plenty will be useful for network audits. And don't forget that tools such as Nmap (and Wireshark and tcpdump) are great troubleshooting utilities.
About the author
Damon Garn owns Cogspinner Coaction, LLC, a technical writing, editing, and IT project company based in Colorado Springs, CO. Damon authored many CompTIA Official Instructor and Student Guides (Linux+, Cloud+, Cloud Essentials+, Server+) and developed a broad library of interactive, scored labs. He regularly contributes to Enable Sysadmin, SearchNetworking, and CompTIA article repositories. Damon has 20 years of experience as a technical trainer covering Linux, Windows Server, and security content. He is a former sysadmin for US Figure Skating. He lives in Colorado Springs with his family and is a writer, musician, and amateur genealogist.
Browse by channel
Automation
The latest on IT automation for tech, teams, and environments
Artificial intelligence
Updates on the platforms that free customers to run AI workloads anywhere
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
The latest on how we reduce risks across environments and technologies
Edge computing
Updates on the platforms that simplify operations at the edge
Infrastructure
The latest on the world’s leading enterprise Linux platform
Applications
Inside our solutions to the toughest application challenges
Original shows
Entertaining stories from the makers and leaders in enterprise tech
Products
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud services
- See all products
Tools
- Training and certification
- My account
- Customer support
- Developer resources
- Find a partner
- Red Hat Ecosystem Catalog
- Red Hat value calculator
- Documentation
Try, buy, & sell
Communicate
About Red Hat
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Select a language
Red Hat legal and privacy links
- About Red Hat
- Jobs
- Events
- Locations
- Contact Red Hat
- Red Hat Blog
- Diversity, equity, and inclusion
- Cool Stuff Store
- Red Hat Summit