🛡️ Methodology Checklist
- Run default scripts: nmap -sC [TARGET]
- Run a script category: nmap --script [auth|vuln|exploit|brute] [TARGET]
- Run a specific script: nmap --script [SCRIPT_NAME] [TARGET]
- Pass script arguments: nmap --script [SCRIPT] --script-args [KEY=VAL] [TARGET]
- Search for relevant scripts: ls /usr/share/nmap/scripts/ | grep [KEYWORD]
- Run vuln scripts on service-specific ports after version detection
🎯 Operational Context
Think Dumber First: Run -sC (default scripts) with every version scan — they're safe and reveal massive amounts of context. The vuln category is often avoided but runs fast on targeted ports. The smb-vuln-ms17-010 script is your first check on any Windows SMB host. Always run --script-updatedb if scripts error out.
When you land here: Services identified. Run service-specific NSE scripts on confirmed open ports. For AD targets: smb-vuln-ms17-010, smb-enum-shares, ldap-rootdse. For web: http-headers, http-title, http-methods. For databases: ms-sql-info, mysql-info.
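As an added example (not code from the original cheatsheet), the following Python script automates the step just described: it reads the XML that nmap -sV -oX writes, keeps only the open ports, and maps each detected service to the service-specific scripts listed above, adding the per-script timeout from the troubleshooting section so a dead port cannot stall the run. The SERVICE_SCRIPTS mapping, the helper names and the sample XML are assumptions constructed for this example; services with no specific scripts fall back to the default (-sC) category, as the "run -sC with every version scan" rule says.

```python
"""Plan service-specific NSE runs from a version-scan result.

Added example; not part of the original cheatsheet. Parses the XML written by
`nmap -sV -oX scan.xml [TARGET]`, keeps only open ports and maps each detected
service to the script set named in the Operational Context section. The
mapping, the helper names and SAMPLE_XML are constructed for this example.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# nmap service name (the <service name="..."> attribute) -> NSE scripts.
# The script names come from the cheatsheet; the pairing is our assumption.
SERVICE_SCRIPTS = {
    "microsoft-ds": ["smb-vuln-ms17-010", "smb-enum-shares"],
    "netbios-ssn": ["smb-vuln-ms17-010", "smb-enum-shares"],
    "ldap": ["ldap-rootdse"],
    "http": ["http-headers", "http-title", "http-methods"],
    "https": ["http-headers", "http-title", "http-methods"],
    "ms-sql-s": ["ms-sql-info"],
    "mysql": ["mysql-info"],
}

# Per-script cap so a blocked port or dead service cannot hang the whole run.
SCRIPT_TIMEOUT = "30s"

# Constructed sample of `nmap -sV -oX` output (not a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
      <port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_services(xml_text):
    """Return (address, [(port, service_name), ...]) for open ports only."""
    root = ET.fromstring(xml_text)
    host = root.find("host")
    addr = host.find("address").get("addr")
    services = []
    for port in host.iter("port"):
        if port.find("state").get("state") != "open":
            continue  # closed/filtered ports get no script run
        svc = port.find("service")
        name = svc.get("name", "unknown") if svc is not None else "unknown"
        services.append((int(port.get("portid")), name))
    return addr, services


def plan_script_runs(addr, services):
    """Group open ports by script set and emit one nmap command line per set."""
    by_scripts = defaultdict(list)
    unmapped = []
    for port, name in services:
        scripts = SERVICE_SCRIPTS.get(name)
        if scripts is None:
            unmapped.append(port)
        else:
            by_scripts[",".join(scripts)].append(port)

    commands = []
    # Stable ordering: script sets sorted by their lowest port number.
    for scripts, ports in sorted(by_scripts.items(), key=lambda kv: min(kv[1])):
        port_list = ",".join(str(p) for p in sorted(ports))
        commands.append(
            f"nmap -p {port_list} --script {scripts} "
            f"--script-timeout {SCRIPT_TIMEOUT} {addr}"
        )
    if unmapped:
        # Anything we have no specific scripts for still gets the default set.
        port_list = ",".join(str(p) for p in sorted(unmapped))
        commands.append(
            f"nmap -sC -p {port_list} --script-timeout {SCRIPT_TIMEOUT} {addr}"
        )
    return commands


if __name__ == "__main__":
    target, open_services = parse_open_services(SAMPLE_XML)
    for command in plan_script_runs(target, open_services):
        print(command)
```

Running it against the constructed sample prints one command per script set (the two HTTP ports are merged into a single run) plus a final -sC run for the SSH port, and the closed MySQL port is skipped entirely. Point parse_open_services at a real -oX file and the same grouping applies.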
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| sudo nmap [TARGET_IP] -sC | Run default NSE script category (safe, informative) |
| sudo nmap [TARGET_IP] -p [PORT] --script banner,smtp-commands | Run specific named scripts |
| sudo nmap [TARGET_IP] --script vuln | Run all vulnerability-category scripts (maps versions to CVEs) |
| sudo nmap [TARGET_IP] -A | Aggressive: OS detection + version + default scripts + traceroute |
| sudo nmap --script-updatedb | Update NSE script database |
🔬 Deep Dive & Workflow
NSE Script Categories
| Category | Description | Risk Level |
|---|---|---|
| auth | Brute-force or bypass authentication | Medium |
| broadcast | Local network discovery via broadcast | Low |
| brute | Credential brute-forcing | Medium |
| default (-sC) | Safe & useful — standard first pass | Low |
| discovery | Advanced enumeration (SNMP, registries) | Low |
| dos | Denial of Service | High — may crash target |
| exploit | Active exploitation | High — may gain shell or crash |
| external | Queries external DBs (Whois) | Low |
| fuzzer | Sends random data to find bugs | Medium |
| intrusive | Aggressive/noisy — will trigger IDS | High |
| malware | Detects backdoors | Low |
| safe | Non-intrusive — won't crash services | Low |
| version | Advanced version detection (extends -sV) | Low |
| vuln | Checks for known CVEs | Medium |
Aggressive Scan (-A)
Combines: OS Detection (-O) + Version Detection (-sV) + Script Scanning (-sC) + Traceroute. Very noisy — easily detected by IDS.
vuln Category
Includes the vulners script — it matches the software versions (CPEs) that -sV detected against the Vulners database and reports matching CVEs with their CVSS scores and exploit references. Excellent for quick VA sweeps, but note it is also in the external category and needs outbound access to the Vulners API to return anything.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Script returns 'ERROR: Failed to load [script]' | Missing NSE library or outdated script database | Run sudo nmap --script-updatedb; confirm the script exists: ls /usr/share/nmap/scripts/ \| grep [NAME] |
| --script vuln returns false positives (vulnerable when patched) | Script checks version strings, not actual exploitation | Cross-validate with searchsploit [SERVICE] [VERSION]; manually test before reporting |
| Script hangs indefinitely | Hitting a blocked port or network timeout | Add --script-timeout 30s to all script scans; without it a script is limited only by nmap's overall host timeout |
| smb-vuln-ms17-010 shows 'Host does NOT appear vulnerable' on a known-vulnerable target | Script uses crafted SMB packets that may fail through NAT | Test with MSF auxiliary/scanner/smb/smb_ms17_010, which has more robust detection |
| Script requires credentials but the argument was not passed | Forgot --script-args | Format: nmap --script smb-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt [TARGET] |
📝 Reporting Trigger
Finding Title: NSE scripts surface specific vulnerabilities — each script hit is a potential finding. Document the script name, target port, raw script output, and CVE reference. Validate all vuln-script results manually before including them in the report.
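To make that reporting step concrete, here is an added Python example (not from the original cheatsheet) that reads the XML from nmap --script vuln -oX and turns each script hit into a draft finding carrying exactly the fields listed above: target, port, script name, raw output and CVE references. Every draft starts with validated=False, so nothing reaches the report until someone has confirmed it, which is the cross-validation the troubleshooting table asks for. The helper names and the sample XML are constructed; the CVE identifiers in it (CVE-0000-000x) are placeholders rather than real vulnerability ids, and the State: lines follow the format of NSE's vulns library.

```python
"""Draft findings from NSE vuln-script output, pending manual validation.

Added example; not part of the original cheatsheet. Reads the XML written by
`nmap --script vuln -oX out.xml [TARGET]` and records, per <script> element,
the fields the reporting trigger asks for. Helper names and SAMPLE_XML are
constructed; the CVE-0000-000x ids are placeholders, not real identifiers.
"""
import re
import xml.etree.ElementTree as ET

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# "State:" lines as written by NSE's vulns library; scripts that use it print
# NOT VULNERABLE states only when run with --script-args vulns.showall=1.
STATE_RE = re.compile(r"State:\s*(NOT VULNERABLE|LIKELY VULNERABLE|VULNERABLE)")

# Constructed sample in the shape of nmap -oX output (not a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/>
        <script id="smb-vuln-ms17-010" output="&#xa;  VULNERABLE:&#xa;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#xa;    State: VULNERABLE&#xa;    IDs:  CVE:CVE-0000-0001&#xa;"/>
      </port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/>
        <script id="smb-vuln-ms17-010" output="&#xa;  State: NOT VULNERABLE&#xa;"/>
      </port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
        <script id="vulners" output="&#xa;  cpe:/a:example:httpd:1.0: &#xa;    CVE-0000-0002  7.5  https://example.invalid/cve/CVE-0000-0002&#xa;    CVE-0000-0003  5.3  https://example.invalid/cve/CVE-0000-0003&#xa;"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def extract_findings(xml_text):
    """One draft finding per script hit; NOT VULNERABLE results are dropped."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            for script in port.findall("script"):
                output = script.get("output", "")
                states = STATE_RE.findall(output)
                if states and all(s == "NOT VULNERABLE" for s in states):
                    continue  # script ran cleanly; nothing to report
                findings.append({
                    "target": addr,
                    "port": int(port.get("portid")),
                    "script": script.get("id"),
                    # Scripts like vulners list CVEs without a State: line.
                    "state": states[0] if states else "INFO",
                    "cves": sorted(set(CVE_RE.findall(output))),
                    "raw_output": output,
                    # A version-string match is not proof (see the false-positive
                    # row in the troubleshooting table); a human flips this flag.
                    "validated": False,
                })
    return findings


def reportable(findings):
    """Only findings someone has manually validated may go into the report."""
    return [f for f in findings if f["validated"]]


if __name__ == "__main__":
    drafts = extract_findings(SAMPLE_XML)
    for f in drafts:
        print(f"{f['target']}:{f['port']} {f['script']} {f['state']} {f['cves']}")
    print(f"{len(reportable(drafts))} of {len(drafts)} drafts validated for reporting")
```

On the constructed sample this yields two drafts (the ms17-010 hit on 445 and the vulners list on 80) and zero reportable findings, because the NOT VULNERABLE result on 139 is dropped and nothing has been validated yet. Keeping raw_output on each record means the original script text is available when the finding is written up.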