Hack Like a Pro: Using the Nmap Scripting Engine (NSE) for Reconnaissance

Using the Nmap Scripting Engine (NSE) for Reconnaissance

Welcome back, my tenderfoot hackers!

Those of you who have been reading my posts here for awhile know how much I emphasize good reconnaissance. Novice hackers often jump into a hack/exploit without doing proper recon and either fail or get caught. Experienced and expert hackers know that 70-80 percent of a good and successful hack is dependent upon successful and accurate reconnaissance.

I know I have said it before, but bear with me as I say it again for the newcomers. There is NO SILVER BULLET that succeeds under all circumstances. Long before we ever begin the hack, we have spent hours, days, and maybe months doing reconnaissance. If you aren't willing to do that, you will never be successful in this field of endeavor.

Nmap is one of the few tools that every hacker should be conversant in. Although it is not perfect, it is excellent for active reconnaissance. Although I discourage the use of Windows for hacking, Nmap does have a version for Windows with a nice GUI called Zenmap. You can download it here.

Nmap Scripting Engine (NSE)

I have done a couple of tutorials on using Nmap, but one thing I have not covered is the scripting engine built into it.

The Nmap scripting engine is one of Nmap's most powerful and, at the same time, most flexible features. It allows users to write their own scripts and share these scripts with other users for the purposes of networking, reconnaissance, etc. These scripts can be used for:

  • Network discovery
  • More sophisticated and accurate OS version detection
  • Vulnerability detection
  • Backdoor detection
  • Vulnerability exploitation

In this tutorial, we will look at the scripts that have been shared and are built into Kali (we will write scripts in a future tutorial), and will examine how to use them to do thorough recon on our target, to increase the possibility of success, and reduce the possibilities of frustration... or worse.

Step 1: Fire Up Kali & Open a Terminal

As usual, let's start by firing up Kali and opening a terminal. If you aren't using Kali, but instead one of the many hacking/security distributions such Buqtraq's Black Window, Security Onion, BackTrack, or another, no problem—Nmap is built into ALL of them. You can't really have a security/hacking platform without Nmap.

Step 2: Find the Nmap Scripts

From the terminal, let's look for the Nmap scripts. All of the scripts should end in .nse (nmap scripting engine), so we can find the scripts by using the Linux locate command with the wildcard *.nse. That should find all files ending in .nse.

  • kali > locate *.nse

As you can see in the screenshot above, our terminal displays hundreds of Nmap scripts.

Step 3: Finding Vulnerability Scanning Scripts

Among the most useful to us are the vulnerability scanning scripts. These scripts are usually designed to find a specific vulnerability or type of vulnerability that we can then come back later and exploit. To locate those scripts that we can use for vulnerability scanning, we can type:

  • kali> locate *vuln*.nse

As you can see, it returned a few vulnerability scanning scripts. I have highlighted one I want to use next, namely smb-check-vulns.nse. This script will check the system to see whether it has any of the well-known SMB vulnerabilities such as MS08-067.

Step 4: Running the Script

The basic syntax for running these scripts is this:

  • nmap --script <scriptname> <host ip>

Let's try running the SMB vulnerability checking script against an internal LAN host.

  • kali> nmap --script smb-check-vulns-nse

When we do so, we can see that it returns some errors and suggests that we add --script-args=unsafe=1 to our command. I did so below and, in this case, added -p445 so that the script focuses upon just the SMB port 445.

  • kali> nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p445

Now, when I run the command, I get much more useful results.

As you can see, it tells me that MS08-067 is vulnerable, so now I know I can use that module in Metasploit to exploit that system!

Step 5: Getting Help with a Script

With these hundreds of scripts, we may need some help in determining what they do and how they work. For instance, if we scroll down to the "http" section of the scripts, we will see a script named:

  • http-vuln-cve2013-0156.nse

To determine what this script does, we can retrieve its help file by typing:

  • nmap -script-help http-vuln-cve2013-0156.nse

When we do so, we will retrieve its help file like that below.

Note that this script is designed to find the CVE2013-0156 vulnerability, which is a vulnerability in Ruby on Rails. Ruby on Rails is very popular open-source web design framework that is behind millions of database driven web apps, so this vulnerability is likely to still be out there in thousands of websites. Happy hunting!

The Nmap scripting engine is a powerful item in our arsenal of hacking tools that can be tailored to a multitude of tasks. In future posts, I will explore more of its capabilities and show you how to write your own Nmap scripts. So keep coming back, my tenderfoot hackers!

Just updated your iPhone? You'll find new features for Podcasts, News, Books, and TV, as well as important security improvements and fresh wallpapers. Find out what's new and changed on your iPhone with the iOS 17.5 update.


Hello Sir,

What if the scan target is behind a router? Will it show open router ports and how do I know to which internal IP are forwarded?

Another thing, Let's say I get a meterpreter session on a PC behind a router: Can I open a port on that router through the shell given that I know the router login credentials? Thank you !

Read about NAT, you can't scan internal ip's behind a router.

When I type proxychains nmap --script-args=unsafe=1 --script smb-check-vulns.nse xxx.xx.xx.xx it doesn't check for vulnerabilities. It just scans normally like when I use nmap -sS

Check your command. You are missing your port switch.

first of all GREAT TUTORIALS !

can you please help me ? i'm having the same problem as casperass, nmap doesn't check for vuln and i didn't get what you wanted to say by "missing your port switch". Thank you

When you use nmap (please read my tutorials on nmap before using these advanced tutorials) you need to designate a a port or range of ports. That is what I was referring to.

hello, i really like your tutorials, you know how to explain. i'm having the same problem as CASPERA SS, nmap doesn't check for vulns. just scans normal when i type proxychains nmap --script-args=unsafe=1 --script smb-check-vulns.nse xxx.xx.xx.xx. I saw you replied "You are missing your port switch" but i don't know what you meant by that. Thank you

Share Your Thoughts

  • Hot
  • Latest