The Nmap Scripting Engine (NSE) is the most flexible and prominent feature of Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, and can also write their own simple scripts and share them to automate networking tasks.
Because scripts are not executed in a sandbox, they may inadvertently or intentionally harm your system or breach your privacy. Run third-party scripts only if you have thoroughly audited them yourself or if you have faith in the writers.
Script Categories:
Each script declares the categories it belongs to, and a script can belong to more than one category.
1. Auth
Auth scripts are designed to test and evaluate the authentication mechanisms of network services.
These scripts deal with authentication credentials on the target system, or with bypassing them. Examples are ftp-anon, oracle-enum-users, and x11-access.
locate *.nse | grep "auth"
List of available scripts:
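The locate-and-grep one-liner used for each category below matches only the file name, so a script whose name happens not to contain the category word is missed. The following added helper (example code, not from the original article or from Nmap) instead reads the categories table that every NSE script declares, which is the same field Nmap uses when you pass --script=<category>; the default script path and the stub .nse files it builds for the demo are assumptions, not real scripts.

```shell
#!/bin/sh
# Added example: list NSE scripts by the category declared inside each
# script (its `categories` table), instead of grepping the file name.
# POSIX sh + awk only, so it runs offline.

# nse_by_category CATEGORY [SCRIPTDIR]
# SCRIPTDIR defaults to /usr/share/nmap/scripts (assumed common install
# path; adjust to wherever your package puts the scripts).
nse_by_category() {
  want="$1"
  dir="${2:-/usr/share/nmap/scripts}"
  # A declaration looks like:  categories = {"default", "safe", "discovery"}
  # and may be split over several lines, so collect from the `categories`
  # line up to the closing brace before deciding whether the file matches.
  awk -v want="$want" '
    FNR == 1                          { inblk = 0; hit = 0 }
    /^categories[[:space:]]*=/        { inblk = 1 }
    inblk && index($0, "\"" want "\"") { hit = 1 }
    inblk && /}/                      { inblk = 0; if (hit) print FILENAME; hit = 0 }
  ' "$dir"/*.nse 2>/dev/null | sed 's#.*/##; s#\.nse$##' | sort
}

# make_sample_scripts: writes three constructed (not real) .nse stubs into a
# temp dir so the function can be exercised without Nmap installed.
make_sample_scripts() {
  d=$(mktemp -d)
  printf 'categories = {"default", "safe", "discovery"}\n' > "$d/demo-title.nse"
  printf 'categories = {\n  "intrusive",\n  "brute",\n}\n' > "$d/demo-brute.nse"
  printf 'categories = {"safe", "version"}\n' > "$d/safe-probe.nse"
  echo "$d"
}

dir=$(make_sample_scripts)
nse_by_category safe "$dir"   # prints demo-title and safe-probe, not demo-brute
```

Run it against your real script directory (for example `nse_by_category brute /usr/share/nmap/scripts`) to get the exact set that `--script=brute` would select.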
2. Broadcast
Broadcast scripts interact with broadcast services on the network, providing information about hosts that respond to broadcast requests.
Use the newtargets script argument to allow these scripts to automatically add the hosts they discover to the Nmap scanning queue.
locate *.nse | grep "broadcast"
List of available scripts:
3. Fuzzer
Scripts are coded to deliver unexpected or randomly generated fields to the server software with every packet.
Although this method is slow and requires a lot of bandwidth, it can be helpful for locating hidden bugs and vulnerabilities in software.
dns-fuzz is one such script; it continuously sends slightly incorrect domain requests to a DNS server until it crashes or until a user-specified time limit is reached.
locate *.nse | grep "fuzzer"
List of available scripts:
4. Brute
Brute scripts attempt to guess usernames and passwords for various services, helping to identify weak or easily guessable credentials.
These scripts use brute-force attacks to try to guess the authentication credentials of the remote server.
Scripts for brute forcing numerous protocols, such as http-brute, oracle-brute, snmp-brute, ssh-brute, and ftp-brute, are available in Nmap.
locate *.nse | grep "brute"
List of available scripts:
5. Default
These scripts form the default set: they run whenever the -sC or -A options are used, without having to be listed with --script.
Like any other category, this one can also be selected explicitly with --script=default.
When choosing which scripts should be executed by default, a number of factors are taken into account:
- Speed
- Usefulness
- Verbosity
- Reliability
- Intrusiveness
- Privacy
6. Discovery
These scripts are designed to discover information about the target hosts, including open ports, services running on those ports, and the operating system in use.
Examples include html-title (obtains the title of the root path of web sites), smb-enum-shares (enumerates Windows shares), and snmp-sysdescr (extracts system details via SNMP).
locate *.nse | grep "discovery"
List of available scripts:
7. DoS
Denial of Service (DoS) scripts simulate or execute attacks that aim to overwhelm a target system or network, causing service disruptions.
This is sometimes done to test a denial of service vulnerability, but more often than not, it is an unwelcome but necessary side effect of testing for a conventional vulnerability.
Sometimes, these tests cause vulnerable services to crash.
locate *.nse | grep "dos"
List of available scripts:
8. Exploit
Exploitation scripts attempt to leverage known vulnerabilities to gain unauthorized access or perform specific actions on the target system.
Examples include jdwp-exec and http-shellshock.
locate *.nse | grep "exploit"
List of available scripts:
9. External
Scripts in this category may interact with external data sources or services, enhancing the capabilities of Nmap beyond the local network.
One example is whois-ip, which queries whois servers to look up information about the target's IP address.
List of available scripts:
10. Intrusive
These kinds of scripts could potentially cause more serious disruptions to the target system.
Examples are http-open-proxy (which attempts to use the target server as an HTTP proxy) and snmp-brute (which tries to guess a device’s SNMP community string by sending common values such as public, private, and cisco).
Unless a script is in the special version category, it should be categorized as either safe or intrusive.
When executing intrusive scripts, users should proceed with caution.
List of available scripts:
11. Malware
Malware detection scripts help identify the presence of known malware or backdoors on the target system.
Examples include smtp-strangeport, which watches for SMTP servers running on unusual port numbers, and auth-spoof, which detects identified spoofing daemons that provide a fake answer before even receiving a query.
Both of these behaviors are frequently associated with malware infections.
locate *.nse | grep "malware"
List of available scripts:
12. Safe
Safe scripts are designed to have as little impact as possible on the target system. They are classified as safe because they are unlikely to consume a lot of network bandwidth or other resources, disrupt operations, have unforeseen consequences, or exploit security flaws.
Examples are ssh-hostkey (retrieves an SSH host key) and html-title (grabs the title from a web page).
Other scripts that fall outside of the safe category should be placed in the intrusive category.
Scripts in the version category are not classified according to safety.
List of available scripts:
13. Version
This special category contains scripts that are not explicitly selectable; instead, they are an extension of the version detection feature.
They run only when version detection (-sV) is requested. Their output is folded into the version detection results and does not appear as host or service script output.
Examples are skypev2-version, pptp-version, and iax2-version.
locate *.nse | grep "version"
List of available scripts:
14. Vuln
These scripts search for particular, well-known vulnerabilities; they typically only print out the results if any are discovered. When it comes to identifying possible security risks, they can be very helpful.
Examples include realvnc-auth-bypass and afp-path-vuln.
locate *.nse | grep "vuln"
List of available scripts:
Reference link – https://nmap.org/book/nse-usage.html#nse-categories
In the upcoming articles, I am going to cover each category in detail with the demonstration, so stay tuned, and if you have any doubt, ping me at Aman Mishra.
Until next time, stay curious, stay secure, and keep exploring the fascinating world of cybersecurity. See you guys soon, Byee!