What is NSE?
Learn how Nmap Scripting Engine (NSE) works, its architecture, script categories, and real vulnerability scanning examples.

Introduction
NSE (Nmap Scripting Engine) is the more advanced and useful part of Nmap, used for actual reconnaissance and security verification.
Basic Nmap tells us which ports are open, but NSE explains what those open ports actually mean in practice.
By running logic-based, task-specific scripts directly against discovered services, NSE addresses the limitations of conventional scanning. It automates the thought process of interpreting each service and applies it uniformly across hosts, eliminating the need to manually test each service individually. For detailed information, see the official Nmap NSE documentation.
Essential Elements of NSE

NSE is a framework composed of several closely related elements rather than a single feature:
- The Nmap Core Engine
  It serves as the foundation. It handles:
  - Host discovery
  - Port scanning
  - Service identification
  - Network communication
  Without the core engine, NSE has nothing to run against.
- Lua Interpreter
  Lua is a quick and lightweight programming language used to write NSE scripts.
  - Designed to be fast
  - Minimal memory use
  - Well suited to network automation
- Nmap Scripting Engine
  This is the execution layer. It decides when to run scripts, manages parallel execution, and controls script dependencies.
NSE Libraries
Nmap Scripting Engine (NSE) libraries are Lua modules that extend script functionality for tasks like networking, parsing, and protocol handling.
- shortport: Defines port rules and service matching for script execution (e.g., shortport.http)
- smb: Handles SMB/CIFS protocol interactions, including enumeration and authentication.
- datafiles: Loads Nmap data files for protocols, payloads, and match data.
- match: Provides pattern matching utilities for parsing responses.
- nmap: Core Nmap API for sockets, timing, output, and host/port info.
Script Categories
Nmap Scripting Engine (NSE) organizes scripts into categories to control execution based on risk, purpose, and scan type. Categories let users select a whole group of scripts at once, for example --script discovery, for targeted scans.
- brute: Performs brute-force
- discovery: Identifies hosts, services, and network details
- dos: Tests for denial-of-service vulnerabilities
- malware: Detects backdoors or infections
- safe: Low-risk scripts unlikely to harm targets.
- fuzzer: Sends malformed data to find bugs.
Commands and their output
1. nmap --script vuln 192.168.1.10
Output
PORT STATE SERVICE
80/tcp open http
| http-shellshock:
| VULNERABLE:
| Shellshock vulnerability (CVE-2014-6271)
| State: VULNERABLE
| Risk factor: High
|
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1
| Risk factor: Critical
2. nmap -p445 --script "smb-vuln*" 192.168.1.20
Output
PORT STATE SERVICE
445/tcp open microsoft-ds
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1
| CVE: CVE-2017-0143
| Exploit: EternalBlue
| Risk: CRITICAL
3. nmap -p80 --script http-enum 192.168.1.10
Output
| http-enum:
| /admin/: Admin panel
| /backup/: Backup folder
| /phpmyadmin/: phpMyAdmin login page