URL: https://nmap.org/book/nse.html

CHAPTER 9. NMAP SCRIPTING ENGINE

Table of Contents
 * Introduction
 * Usage and Examples
   * Script Categories
   * Script Types and Phases
   * Command-line Arguments
   * Script Selection
   * Arguments to Scripts
   * Complete Examples
 * Script Format
   * description Field
   * categories Field
   * author Field
   * license Field
   * dependencies Field
   * Rules
   * Action
   * Environment Variables
 * Script Language
   * Lua Base Language
 * NSE Scripts
 * NSE Libraries
   * List of All Libraries
   * Hacking NSE Libraries
   * Adding C Modules to Nselib
 * Nmap API
   * Information Passed to a Script
   * Network I/O API
     * Connect-style network I/O
     * Raw packet network I/O
   * Structured and Unstructured Output
   * Exception Handling
   * The Registry
 * Script Writing Tutorial
   * The Head
   * The Rule
   * The Action
 * Writing Script Documentation (NSEDoc)
   * NSE Documentation Tags
 * Script Parallelism in NSE
   * Worker Threads
   * Mutexes
   * Condition Variables
   * Collaborative Multithreading
     * The base thread
 * Version Detection Using NSE
 * Example Script: finger
 * Implementation Details
   * Initialization Phase
   * Script Scanning


INTRODUCTION

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible
features. It allows users to write (and share) simple scripts to automate a wide
variety of networking tasks. Those scripts are then executed in parallel with
the speed and efficiency you expect from Nmap. Users can rely on the growing and
diverse set of scripts distributed with Nmap, or write their own to meet custom
needs.

We designed NSE to be versatile, with the following tasks in mind:

Network discovery

This is Nmap's bread and butter. Examples include looking up whois data based on
the target domain, querying ARIN, RIPE, or APNIC for the target IP to determine
ownership, performing identd lookups on open ports, SNMP queries, and listing
available NFS/SMB/RPC shares and services.

More sophisticated version detection

The Nmap version detection system (Chapter 7, Service and Application Version
Detection) is able to recognize thousands of different services through its
probe and regular expression signature based matching system, but it cannot
recognize everything. For example, identifying the Skype v2 service requires two
independent probes, which version detection isn't flexible enough to handle.
Nmap could also recognize more SNMP services if it tried a few hundred different
community names by brute force. Neither of these tasks is well suited to
traditional Nmap version detection, but both are easily accomplished with NSE.
For these reasons, version detection now calls NSE by default to handle some
tricky services. This is described in the section called “Version Detection
Using NSE”.

Vulnerability detection

When a new vulnerability is discovered, you often want to scan your networks
quickly to identify vulnerable systems before the bad guys do. While Nmap isn't
a comprehensive vulnerability scanner, NSE is powerful enough to handle even
demanding vulnerability checks. When the Heartbleed bug affected hundreds of
thousands of systems worldwide, Nmap's developers responded with the
ssl-heartbleed detection script within 2 days. Many vulnerability detection
scripts are already available and we plan to distribute more as they are
written.

Backdoor detection

Many attackers and some automated worms leave backdoors to enable later reentry.
Some of these can be detected by Nmap's regular expression based version
detection, but more complex worms and backdoors require NSE's advanced
capabilities to reliably detect. NSE has been used to detect the Double Pulsar
NSA backdoor in SMB and backdoored versions of UnrealIRCd, vsftpd, and ProFTPd.

Vulnerability exploitation

As a general scripting language, NSE can even be used to exploit vulnerabilities
rather than just find them. The capability to add custom exploit scripts may be
valuable for some people (particularly penetration testers), though we aren't
planning to turn Nmap into an exploitation framework such as Metasploit.

These listed items were our initial goals, and we expect Nmap users to come up
with even more inventive uses for NSE.

Scripts are written in the embedded Lua programming language, version 5.3. The
language itself is well documented in the books Programming in Lua, Fourth
Edition and Lua 5.2 Reference Manual. The reference manual, updated for Lua 5.3,
is also freely available online, as is the first edition of Programming in Lua.
Given the availability of these excellent general Lua programming references,
this document only covers aspects and extensions specific to Nmap's scripting
engine.

NSE is activated with the -sC option (or --script if you wish to specify a
custom set of scripts) and results are integrated into Nmap normal and XML
output.

A typical script scan is shown in Example 9.1. Service scripts producing
output in this example are ssh-hostkey, which provides the system's RSA and DSA
SSH keys, and rpcinfo, which queries portmapper to enumerate available services.
The only host script producing output in this example is smb-os-discovery, which
collects a variety of information from SMB servers. Nmap discovered all of this
information in a third of a second.

Example 9.1. Typical NSE output

# nmap -sC -p22,111,139 -T4 localhost

Starting Nmap ( https://nmap.org )
Nmap scan report for flog (127.0.0.1)
PORT     STATE SERVICE
22/tcp   open  ssh
| ssh-hostkey: 1024 b1:36:0d:3f:50:dc:13:96:b2:6e:34:39:0d:9b:1a:38 (DSA)
|_2048 77:d0:20:1c:44:1f:87:a0:30:aa:85:cf:e8:ca:4c:11 (RSA)
111/tcp  open  rpcbind
| rpcinfo:  
| 100000  2,3,4    111/udp  rpcbind  
| 100024  1      56454/udp  status   
|_100000  2,3,4    111/tcp  rpcbind  
139/tcp  open  netbios-ssn

Host script results:
| smb-os-discovery: Unix
| LAN Manager: Samba 3.0.31-0.fc8
|_Name: WORKGROUP

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
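To make concrete what the scripts behind output like Example 9.1 look like, here is an added minimal NSE script. It is not a script shipped with Nmap and not the chapter's own finger example (which appears later in the book); it is written against Nmap's real nmap, shortport and stdnse libraries and the Lua 5.3 conventions the text describes. The file name finger-users-example.nse and the author string are placeholders.

```lua
-- finger-users-example.nse (placeholder name; added illustration, not shipped with Nmap)
-- Shows the parts every NSE script has: the head (description, author,
-- license, categories), a rule that decides when to run, and an action
-- that does the work and returns the result Nmap prints under the port.

local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Connects to a finger service and reports the logged-in users it lists.
Useful for inventorying hosts that still expose finger (TCP 79), a service
that leaks account names and should normally be disabled.
]]

author = "Example Author <placeholder>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- "safe" means the script does not crash services or consume many resources;
-- "discovery" is the category -sC does not run by default (that is "default").
categories = {"discovery", "safe"}

-- The rule: a portrule runs the action once per matching port. shortport's
-- port_or_service helper matches port 79 or any port that version detection
-- identified as "finger".
portrule = shortport.port_or_service(79, "finger")

-- The action: host and port are the tables Nmap fills in for the target.
action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(5000) -- milliseconds

  local status, err = socket:connect(host, port)
  if not status then
    stdnse.debug1("connect to %s:%d failed: %s", host.ip, port.number, err)
    return nil -- returning nil produces no output for this port
  end

  -- An empty request line asks the finger daemon for all logged-in users (RFC 1288).
  status, err = socket:send("\r\n")
  if not status then
    stdnse.debug1("send failed: %s", err)
    socket:close()
    return nil
  end

  -- Read up to 100 lines; a short or closed connection still returns what arrived.
  local response
  status, response = socket:receive_lines(100)
  socket:close()
  if not status then
    stdnse.debug1("receive failed: %s", response)
    return nil
  end

  -- Structured output: Nmap renders this table in both normal and XML output,
  -- so the same result is usable by a human and by a parser of -oX files.
  local users = {}
  for line in response:gmatch("[^\r\n]+") do
    users[#users + 1] = line
  end

  local out = stdnse.output_table()
  out.users = users
  return out
end
```

Run it with the --script option from the text, pointing at the file rather than a script name, e.g. `nmap --script ./finger-users-example.nse -p79 target`; the `users` table is printed under the 79/tcp line in normal output and as nested `<table>`/`<elem>` entries in the XML output.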



A 38-minute video introduction to NSE is available at
https://nmap.org/presentations/BHDC10/. This presentation was given by Fyodor
and David Fifield at Defcon and the Black Hat Briefings in 2010.
