Discovery Scripts (`discovery`) with Nmap

Learn about discovery scripts in Nmap, their usage, practical examples, and how they can enhance network reconnaissance and security auditing.

Introduction

Nmap (Network Mapper) is a powerful and flexible network scanning tool widely used for security auditing and network discovery. One of its most valuable features is the Nmap Scripting Engine (NSE), which allows users to extend Nmap’s functionality through scripts. Among the various categories of NSE scripts, the discovery scripts play a crucial role in identifying and gathering information about networked devices and services.

What Are discovery Scripts in Nmap?

Nmap’s NSE scripts are tagged with one or more categories that describe what they do, including discovery, safe, intrusive, default, auth, broadcast, external, vuln, and exploit. The discovery category covers scripts that actively learn more about a target or its network by querying services such as DNS, SNMP, SMB and HTTP, or by listening on the local segment. Discovery is not a synonym for safe: a script can carry several tags, so dns-brute is both discovery and intrusive, and traceroute-geolocation is discovery, safe and external (it sends hop addresses to a third-party lookup service). Check a script's tags with nmap --script-help=<script_name> before relying on it being quiet.

Common Use Cases of discovery Scripts

  • Identifying live hosts in a network.
  • Gathering detailed service and banner information.
  • Detecting available network shares and directories.
  • Extracting metadata from services such as HTTP, SMB, and SNMP.
  • Revealing configuration details such as SNMP system descriptions, NetBIOS names, SSH host keys, and the OS, computer name and domain reported over SMB.

Running discovery Scripts in Nmap

To use discovery scripts in Nmap, you can specify the script category explicitly using the --script flag. The basic syntax is:

nmap --script=discovery <target>

You can also run specific scripts by name:

nmap --script=<script_name> <target>

Additionally, you can combine discovery scripts with other scanning options, such as port selection (-p), OS detection (-O), and service version detection (-sV), to gain deeper insights into a target network. Two practical points: -O, -sU and any script that sends raw or broadcast packets need root or Administrator privileges, and many discovery scripts talk to UDP services (SNMP on 161, NetBIOS on 137, mDNS on 5353) that a default TCP-only scan never touches, so add -sU and the UDP ports explicitly. Also remember that the bare discovery category includes intrusive scripts such as dns-brute and external ones such as traceroute-geolocation.

Example:

sudo nmap -sS -sU -sV -O -p T:22,80,139,445,U:137,161,5353 --script=discovery 192.168.1.0/24

Key discovery Scripts and Their Functions

Nmap provides a vast library of discovery scripts. Below are some of the most commonly used scripts and their practical applications.

1. broadcast-ping

  • Sends ICMP echo requests to the broadcast address of the local segment and lists every host that answers. It runs in the pre-scan phase, so it finds hosts on the attached LAN regardless of the target list, and it needs raw-packet privileges (run as root or Administrator).

  • Example usage (-e selects the interface to send on; replace eth0 with yours; the target can be omitted):

    sudo nmap -e eth0 --script=broadcast-ping
    

2. dns-brute

  • Brute-forces subdomains of the target's domain from a built-in list or a wordlist you supply (the dns-brute.domain and dns-brute.hostlist script arguments set them explicitly). It is tagged intrusive as well as discovery: it generates a high volume of DNS queries that resolvers and DNS providers log and may rate-limit.

  • Useful for finding hostnames that are not linked from anywhere, such as staging or admin interfaces.

  • Example usage (-sn skips the port scan, since only the hostname is needed):

    nmap --script=dns-brute -sn example.com
    

3. dns-service-discovery

  • Asks a host which services it advertises over DNS-based Service Discovery (DNS-SD over mDNS), which printers, media devices and macOS hosts commonly expose. mDNS listens on UDP 5353, so the port must be scanned with -sU or the script never triggers; broadcast-dns-service-discovery does the same for the whole local segment.

  • Example usage:

    sudo nmap -sU --script=dns-service-discovery -p 5353 192.168.1.1
    

4. http-title

  • Retrieves the <title> of the root page from each HTTP(S) service and notes when the request was redirected elsewhere.

  • Helps in identifying web applications quickly.

  • Example usage:

    nmap --script=http-title -p 80,443 192.168.1.1
    

5. nbstat

  • Queries the NetBIOS name service (UDP 137) for the NetBIOS name table of a Windows or Samba host, which also yields the MAC address and often the logged-on user name.

  • Useful for enumerating hostnames and workgroups in a Windows environment.

  • Example usage (the service is UDP, so scan it with -sU):

    sudo nmap -sU --script=nbstat -p 137 192.168.1.1
    

6. snmp-sysdescr

  • Queries SNMP-enabled devices (UDP 161) for the sysDescr string and system uptime. It uses the community string "public" unless you pass another one with --script-args snmpcommunity=<string>.

  • Helps in identifying network infrastructure devices like routers, switches and printers, often down to the firmware version.

  • Example usage:

    sudo nmap -sU -p 161 --script=snmp-sysdescr 192.168.1.1
    

7. smb-os-discovery

  • Retrieves the operating system, computer name, domain or workgroup, and current system time from an SMB host over port 139 or 445, without credentials.

  • Useful for identifying Windows hosts and their versions, and for spotting unsupported releases.

  • Example usage:

    nmap --script=smb-os-discovery -p 139,445 192.168.1.1
    

8. ssh-hostkey

  • Retrieves the SSH host keys and their fingerprints from remote servers (pass --script-args ssh_hostkey=full to get the complete keys).

  • Useful for fingerprinting SSH servers and for spotting the same host key on several hosts, which usually means cloned images or reused keys.

  • Example usage:

    nmap --script=ssh-hostkey -p 22 192.168.1.1
    

9. ftp-anon

  • Checks whether anonymous FTP login is allowed and, if so, lists the top-level directory. Note that ftp-anon is tagged default, auth and safe rather than discovery, so --script=discovery does not run it; select it by name or through the default set.

  • Useful for detecting misconfigured FTP servers.

  • Example usage:

    nmap --script=ftp-anon -p 21 192.168.1.1
    

10. traceroute-geolocation

  • Geolocates each hop of an Nmap traceroute, so it needs the --traceroute option (raw packets, hence root) and is only meaningful against public addresses. It is tagged external: hop addresses are sent to a third-party geolocation service, which may not be acceptable in a confidential engagement.

  • Example usage:

    sudo nmap --traceroute --script=traceroute-geolocation <public_target>
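
To show how the outputs of the scripts above arrive when a scan is saved with -oX, here is an added example (not code from the original page or from the Nmap project) that turns an Nmap XML report into a per-host inventory. The XML embedded in it is a constructed sample in Nmap's -oX layout, not captured from a real network; the keys of the structured output (<elem key="...">) differ per script, so check each script's NSEDoc page for the exact names.

```python
"""Turn an Nmap XML report (nmap ... -oX scan.xml) into a per-host inventory.

Added example, not code from the original page or from the Nmap project.
The XML below is a constructed sample laid out the way Nmap writes it:
port scripts appear under <port>, host scripts under <hostscript>, and
structured script output uses <elem key="..."> (possibly nested in <table>).
"""
import xml.etree.ElementTree as ET

# Constructed sample report (not captured from a real network).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -p T:22,80,445,U:161 --script discovery and safe -oX - 192.168.1.0/24" version="7.94" xmloutputversion="1.05">
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.1.1" addrtype="ipv4"/><address addr="00:11:22:33:44:55" addrtype="mac"/>
<hostnames><hostname name="gw.lan" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/>
<script id="ssh-hostkey" output="2048 aa:bb:cc:dd (RSA)"><table>
<elem key="type">ssh-rsa</elem><elem key="bits">2048</elem><elem key="fingerprint">aabbccdd</elem>
</table></script></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/>
<script id="http-title" output="Gateway Login"><elem key="title">Gateway Login</elem></script></port>
<port protocol="udp" portid="161"><state state="open" reason="udp-response"/><service name="snmp"/>
<script id="snmp-sysdescr" output="Linux gw 5.15.0 (constructed sample)"/></port>
</ports></host>
<host><status state="up" reason="arp-response"/><address addr="192.168.1.20" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port></ports>
<hostscript><script id="smb-os-discovery" output="OS: Windows Server 2019 Standard 17763">
<elem key="os">Windows Server 2019 Standard 17763</elem><elem key="fqdn">fs01.corp.example</elem>
</script></hostscript></host>
<host><status state="down" reason="no-response"/><address addr="192.168.1.30" addrtype="ipv4"/></host>
</nmaprun>
"""


def _script_record(script, port=None):
    """Flatten one <script> element: raw text plus any <elem key=...> values."""
    record = {"output": (script.get("output") or "").strip(), "elems": {}}
    if port is not None:
        record["port"] = f"{port.get('portid')}/{port.get('protocol')}"
    for elem in script.iter("elem"):          # includes elems nested in <table>
        key = elem.get("key")
        if key is not None:
            record["elems"][key] = (elem.text or "").strip()
    return record


def parse_inventory(xml_text):
    """Return {ip: {"hostnames": [...], "ports": [...], "scripts": {...}}}
    for each host Nmap reported as up; down hosts are skipped."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue
        entry = {"hostnames": [h.get("name") for h in host.iter("hostname")],
                 "ports": [], "scripts": {}}
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                entry["ports"].append(f"{port.get('portid')}/{port.get('protocol')}")
            for script in port.findall("script"):
                entry["scripts"][script.get("id")] = _script_record(script, port)
        hostscript = host.find("hostscript")
        if hostscript is not None:
            for script in hostscript.findall("script"):
                entry["scripts"][script.get("id")] = _script_record(script)
        inventory[ip] = entry
    return inventory


def hosts_running(inventory, script_id, key, needle):
    """IPs whose structured output for script_id has key containing needle,
    e.g. hosts_running(inv, "smb-os-discovery", "os", "Windows")."""
    return sorted(ip for ip, entry in inventory.items()
                  if needle in entry["scripts"].get(script_id, {}).get("elems", {}).get(key, ""))


def report(inventory):
    """One line per host (address, names, open ports), then one per script."""
    lines = []
    for ip, entry in sorted(inventory.items()):
        names = ",".join(entry["hostnames"]) or "-"
        lines.append(f"{ip:<15} {names:<20} {' '.join(entry['ports'])}")
        for sid, rec in sorted(entry["scripts"].items()):
            lines.append(f"    {sid} [{rec.get('port', 'host')}]: {rec['output'][:60]}")
    return lines


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_XML)
    print("\n".join(report(inv)))
    print("Windows hosts:", hosts_running(inv, "smb-os-discovery", "os", "Windows"))
```

Feeding the output of a real scan is a matter of reading the -oX file into parse_inventory; the port-level records keep the port/protocol so a result from snmp-sysdescr on 161/udp is not confused with something seen on TCP.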
    

Automating Discovery with NSE Script Categories

Nmap allows users to specify categories instead of individual scripts, making automation easier. Running all discovery scripts can be achieved with:

nmap --script=discovery 192.168.1.1/24

The comma in a script list means "or": "discovery,safe" runs every script that is in either category, which includes intrusive discovery scripts such as dns-brute. To narrow the selection to scripts that carry both tags, use the boolean form (quote it so the shell does not split it):

nmap --script="discovery and safe" 192.168.1.1

To exclude particular scripts or whole categories, combine and with not:

nmap --script="discovery and not (dns-brute or external)" 192.168.1.1

The same expression can be passed to --script-help to list which scripts it would run without sending any traffic.
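
The difference between the comma and "and" is easy to get wrong, so here is an added example (not code from Nmap or the original page) that evaluates a --script selector against a small catalogue of scripts and their category tags, reproducing the documented semantics: comma equals "or", "not" binds tightest, then "and", then "or", with parentheses for grouping; a term may be a category, a script name with or without .nse, a glob such as http-*, or "all". The catalogue is a constructed subset with the categories transcribed from the scripts' own tags; confirm them with nmap --script-help=<script_name> on your installed version.

```python
"""Evaluate Nmap-style --script selector expressions offline.

Added example, not code from Nmap or the original page: it reproduces the
documented selector syntax (comma = or; and/or/not and parentheses; a term
is a category, a script name, a glob such as http-*, or all) against a
constructed catalogue whose categories are transcribed from the scripts'
own tags (verify with `nmap --script-help=<script_name>`).
"""
import re

SCRIPT_CATEGORIES = {  # constructed subset of the real catalogue
    "broadcast-ping": {"discovery", "safe", "broadcast"},
    "dns-brute": {"intrusive", "discovery"},
    "dns-service-discovery": {"discovery", "safe"},
    "http-title": {"default", "discovery", "safe"},
    "nbstat": {"default", "discovery", "safe"},
    "snmp-sysdescr": {"default", "discovery", "safe"},
    "smb-os-discovery": {"default", "discovery", "safe"},
    "ssh-hostkey": {"safe", "default", "discovery"},
    "ftp-anon": {"default", "auth", "safe"},
    "traceroute-geolocation": {"discovery", "safe", "external"},
}
_TOKEN = re.compile(r"\s*(\(|\)|,|[A-Za-z0-9_.*-]+)")


def tokenize(expr):
    """Split a selector into parentheses, commas and bare terms."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"cannot tokenize at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def term_matches(name, categories, term):
    """True if one term (category, name, name glob or 'all') selects the script."""
    term = term[:-4] if term.endswith(".nse") else term
    if term == "all" or term in categories:
        return True
    return re.fullmatch(re.escape(term).replace(r"\*", ".*"), name) is not None


class _Parser:
    """Recursive descent over the tokens; precedence: not > and > or/comma."""

    def __init__(self, tokens, name, categories):
        self.tokens, self.pos, self.name, self.cats = tokens, 0, name, categories

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):                      # a , b   |   a or b
        value = self.conj()
        while self.peek() in (",", "or"):
            self.take()
            rhs = self.conj()            # parse the rhs even if value is True
            value = value or rhs
        return value

    def conj(self):                      # a and b
        value = self.factor()
        while self.peek() == "and":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self):                    # not x | ( expr ) | term
        tok = self.take()
        if tok == "not":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or tok in (")", ",", "and", "or"):
            raise ValueError(f"unexpected token {tok!r}")
        return term_matches(self.name, self.cats, tok)


def select_scripts(expr, catalogue=SCRIPT_CATEGORIES):
    """Sorted names of the catalogue scripts the selector would run."""
    tokens, chosen = tokenize(expr), []
    for name, categories in sorted(catalogue.items()):
        parser = _Parser(tokens, name, categories)
        selected = parser.expr()
        if parser.peek() is not None:
            raise ValueError(f"trailing input: {parser.peek()!r}")
        if selected:
            chosen.append(name)
    return chosen


if __name__ == "__main__":
    for sel in ("discovery,safe", "discovery and safe", "discovery and not (intrusive or external)"):
        print(f"{sel!r}: {select_scripts(sel)}")
```

Run it and "discovery,safe" returns all ten scripts (ftp-anon because it is safe, dns-brute because it is discovery), while "discovery and safe" drops both; the parser deliberately evaluates the right-hand side of every "or" so that a syntax error is reported even when the left side already matched.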

Best Practices When Using discovery Scripts

  1. Limit Scope: Scan only networks you are authorized to test, and remember that broadcast scripts such as broadcast-ping reach every host on the local segment regardless of the target list.
  2. Combine with Other Options: Use -sV, -O and -p for better insights, and add -sU with the relevant UDP ports, since SNMP, NetBIOS and mDNS discovery never happens in a TCP-only scan.
  3. Check Firewall Rules: Filtered ports silence port scripts entirely, and UDP probes that get no reply show up as open|filtered, so an empty result does not prove the service is absent.
  4. Use in Controlled Environments: Run unfamiliar scripts in a lab first, and prefer "discovery and safe" over the bare discovery category in production, since the latter also runs intrusive scripts (dns-brute) and scripts that send data to third parties (traceroute-geolocation).
  5. Regular Updates: Keep Nmap and its script library current; after adding or editing scripts, run nmap --script-updatedb so the category index used by --script=discovery reflects them.

Conclusion

Nmap’s discovery scripts provide a powerful way to gather detailed network intelligence, most of it without credentials and, when you select the safe subset, without intrusive traffic. These scripts help security professionals and network administrators identify devices, services, and misconfigurations worth a closer look. By mastering discovery scripts and the selection expressions that control them, users can streamline network audits and enhance security posture efficiently.

For further learning, explore the official Nmap NSE script documentation: https://nmap.org/nsedoc/