Nmap is a popular tool for scanning and monitoring networks. There are many ways to find information using Nmap, from blogs and articles to formal training. Yet few of these learning tools discuss one of Nmap's most powerful features: The Nmap Scripting Engine (NSE).
What is the NSE? This tool does two things. First, it allows the
nmap command to accept options that specify scripted procedures as part of a scan. Second, it enables Nmap users to author and share scripts, which provides a robust and ever-evolving library of preconfigured scans.
The NSE takes Nmap beyond the standard quick-and-dirty scans and into a deeper realm of automation, detail, and depth. Many authors have created scripts to address specific security requirements or troubleshoot queries.
Nmap provides extensive and detailed documentation for the application in general and for the NSE specifically. The documentation is broken down into sections that explain Nmap's functionality (with examples), identify the various categories and scripts, and provide guidance for creating scripts. In fact, Nmap's entire Chapter 9 is dedicated to the NSE.
NSE script types
NSE scripts are organized into 14 categories on the NSE Scripts documentation page. Many categories are security-oriented, while others hint at discovery and troubleshooting.
Some of the more interesting categories are:
There are 604 scripts available on the NSE Scripts page—that's a lot!
Run a script
The primary option to add common NSE scripts to the
nmap command is
--script option defines which script to run if you're using your own script. Some scripts use customized arguments or react to the results of a more traditional Nmap scan.
nmap -sC executes a scripted scan using the scrips in the default category. Make sure you know what these scripts do, as some of them will trip intrusion-detection software or are considered intrusive.
NOTE: As with all security utilities, be absolutely certain you are authorized to run the tools in a production network environment. Running so-called "hacker tools" on a production network can be a resume-generating event (RGE).
To load a specific script, such as banner, type:
$ nmap -sV --script=banner <target>
This script performs a basic banner grab on the targeted system(s). Note that you may need to use
sudo to run Nmap in some environments.
See the documentation for more information on customizing scripts and their execution.
Five useful NSE scripts
I discovered NSE scripts while troubleshooting a Dynamic Host Configuration Protocol (DHCP) issue, and in fact, the first two examples below are scripts that enumerate DHCP services. Many of the scripts display information on common network services, including Network Time Protocol (NTP), web services, name resolution, routing protocols, and more.
[ For more tips on writing scripts, download the Bash shell scripting cheat sheet. ]
Here are five useful scripts to get you started. But the best thing to do is browse the documentation and see what scans might be helpful in your environment. I suggest you work with these scripts before you have an issue; that way, you're already familiar with the NSE when you need it.
- broadcast-dhcp-discover: This broadcasts a DHCPDISCOVER message on the network and displays any resulting DHCPOFFER replies. Use the script to find rogue DHCP servers or as part of DHCP troubleshooting. This script is part of the broadcast category.
- dhcp-discover: This script is a little different than the broadcast version. It sends a DHCPINFORM message to get configuration settings without attempting to lease an IP address. It's part of the discovery category.
- smb-os-discovery: This is a script from the default category. It's an older script, so it may not return all information for Windows systems. It also discovers small and midsize business (SMB) servers, such as those using Samba.
- smb-enum-users: Find this script in the auth category. It attempts to enumerate users on Windows systems and runs with at least one local lower-privileged account. Such a script is useful for penetration testing (while wearing either a white or black hat).
- ssh-auth-methods: This displays supported authentication methods for the targeted SSH server and is useful for footprinting. Check the auth category if this sounds like a valuable script for you.
There are hundreds more very practical scripts. Many target specific protocols or specific services, so be sure to check the site to see what might be useful for troubleshooting, enumeration, or penetration testing in your environment. You must be authorized to run such tools in a production environment.
Write Nmap scripts
The NSE documentation also explains how to create your own scripts. The explanation covers the sections of a script and discusses standard conventions. The documentation does a fantastic job of breaking down the scripts and explaining the components. There's a sample script that uses
finger to help you better understand how to use NSE.
Boost Nmap's power with NSE
This article summarizes a very large library of resources. On its own, Nmap is incredibly powerful and useful, and NSE supplements that with over 600 automated scans. While many of the scripts will not apply to your environment, plenty will be useful for network audits. And don't forget that tools such as Nmap (and Wireshark and tcpdump) are great troubleshooting utilities.