Nmap Scripts

Find Scripts

Find script related to a service your interested in, example here is ftp

locate .nse | grep [port name]

Example: 
locate .nse | grep ftp

ls /usr/share/nmap/scripts | grep smb

Typically NSE scripts that scans for vulnerabilities are at

ls -l /usr/share/nmap/scripts/

• you can use this scripts with --script=<ScriptName> ,

• it also support wildcard entries

Help manual for scripts

What does a script do?

nmap --script-help [script name]

Example:
nmap --script-help ftp-anon

Vulnerability Scanning

We can scan for vulnerability Scanning nmap scripts:

nmap --script vuln [ip target]

Scan With All Scripts

Scan a target using all NSE scripts. May take an hour to complete.

nmap -p 80 --script=all [ip target]

nmap -p 80 --script=*vuln* [ip target]
# Scan a target using all NSE vuln scripts.

nmap -p 80 --script=http*vuln* [ip target]
# Scan a target using all HTTP vulns NSE scripts.

Scan with particular Script

nmap -p 21 --script=ftp-anon [ip target]/24
# Scan entire network for FTP servers that allow anonymous access.

Scan entire network with script

nmap -p 80 --script=http-vuln-cve2010-2861 [ip target]/24
# Scan entire network for a directory traversal vulnerability. It can even retrieve admin's password hash.