OSCP Notes
Nmap Scripts

Find Scripts

Find scripts related to a service you're interested in; the example here is ftp:

locate .nse | grep [port name]

Example: 
locate .nse | grep ftp
ls /usr/share/nmap/scripts | grep smb

Typically, the NSE scripts that scan for vulnerabilities are at:

ls -l /usr/share/nmap/scripts/
  • you can use these scripts with --script=<ScriptName>
  • it also supports wildcard entries
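The locate/grep approach above only searches file names. Nmap also ships an index, script.db, that records each script's categories (the same categories, such as vuln or safe, that --script accepts directly). The following is an added example, not part of the original notes: a small POSIX sh helper that parses script.db and lists scripts whose category or name matches a keyword, then turns the result into a comma-separated value for --script=. It assumes the real index lives at /usr/share/nmap/scripts/script.db when no path is given; the entries written below are a constructed stand-in so the functions run without nmap installed.

```shell
#!/bin/sh
# Added example (not from the original notes): find NSE scripts by category
# or name using nmap's script.db index instead of grepping file names.
#
# A real script.db line looks like:
#   Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe" } }

# nse_find <category-or-name-keyword> [path-to-script.db]
# Prints "<script>\t<categories>" for every script whose category list
# contains the keyword exactly, or whose file name contains it as a substring.
nse_find() {
    pattern="$1"
    db="${2:-/usr/share/nmap/scripts/script.db}"   # assumed default install path
    grep '^Entry' "$db" | while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | sed -n 's/.*filename = "\([^"]*\)".*/\1/p')
        # Grab the text between "categories = {" and the first "}", drop quotes and commas
        cats=$(printf '%s\n' "$line" | sed -n 's/.*categories = { \([^}]*\) }.*/\1/p' | tr -d '",')
        set -- $cats          # re-split on whitespace to normalise spacing
        cats="$*"
        # Exact match against any category wins; otherwise fall back to a name substring
        case " $cats " in
            *" $pattern "*) printf '%s\t%s\n' "$name" "$cats"; continue ;;
        esac
        case "$name" in
            *"$pattern"*) printf '%s\t%s\n' "$name" "$cats" ;;
        esac
    done
}

# nse_list_arg <keyword> [path-to-script.db]
# Same search, but emits "a,b,c" (without .nse) ready for: nmap --script="$(nse_list_arg ...)"
nse_list_arg() {
    nse_find "$1" "$2" | cut -f1 | sed 's/\.nse$//' | paste -s -d ',' -
}

# Constructed sample index so the helpers can be exercised offline.
SAMPLE_DB="${TMPDIR:-/tmp}/nse-sample-script.db"
cat > "$SAMPLE_DB" <<'EOF'
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe" } }
Entry { filename = "http-vuln-cve2010-2861.nse", categories = { "intrusive", "vuln" } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe" } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe" } }
EOF

# Demo against the constructed index; drop the second argument on a real install.
echo "== scripts in category 'vuln' =="
nse_find vuln "$SAMPLE_DB"
echo "== --script value for 'vuln' =="
nse_list_arg vuln "$SAMPLE_DB"
```

The category match is exact on purpose: a substring match for "safe" would otherwise also pick up "unsafe"-named scripts. When you only need a category, nmap can select it for you without any of this (for example --script vuln, or a boolean expression such as --script "vuln and safe"); the helper is useful when you want to see which scripts a selection expands to before running them.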

Help manual for scripts

What does a script do?

nmap --script-help [script name]

Example:
nmap --script-help ftp-anon

Vulnerability Scanning

We can scan for vulnerabilities with the vuln category of nmap scripts:

nmap --script vuln [ip target]

Scan With All Scripts

Scan a target using all NSE scripts. May take an hour to complete.

nmap -p 80 --script=all [ip target]
nmap -p 80 --script=*vuln* [ip target]
# Scan a target using all NSE vuln scripts.
nmap -p 80 --script=http*vuln* [ip target]
# Scan a target using all HTTP vulnerability NSE scripts.

Scan with particular Script

nmap -p 21 --script=ftp-anon [ip target]/24
# Scan entire network for FTP servers that allow anonymous access.

Scan entire network with script

nmap -p 80 --script=http-vuln-cve2010-2861 [ip target]/24
# Scan entire network for a directory traversal vulnerability. It can even retrieve the admin's password hash.

Last updated 3 years ago