Nmap Scripting Engine: Custom Automation and NSE Development
NSE Architecture and Execution Model
The Nmap Scripting Engine (NSE) embeds a Lua 5.3 runtime that executes scripts in parallel with Nmap's native packet engine. This is not an afterthought bolted onto the scanner—scripts run during the scan phase itself, not in a post-processing step. The engine binds to Nsock for asynchronous network I/O, letting hundreds of scripts run concurrently without blocking the main scan thread.
Scripts fall into categories (vuln, exploit, auth, brute, discovery, safe, intrusive, malware, version, default) and trigger via four rule types:
| Rule type | When it fires | Typical use |
|---|---|---|
prerule |
Before host discovery | Script-wide setup, reading files |
hostrule |
After host discovery, per live target | Host-level checks (e.g., traceroute analysis) |
portrule |
After port scan, matching specific ports/services | Service enumeration, vulnerability checks |
postrule |
After all scanning completes | Aggregated reporting, cross-host correlation |
Rules return Lua booleans; Nmap's engine decides whether to queue the script's action function. A portrule matching shortport.http will fire against any port Nmap identified as HTTP—whether 80, 8080, or a nonstandard port with a recognizable banner.
Built-in Script Library and Selection
NSE ships with hundreds of scripts. Treat the default set (-sC, equivalent to --script=default) as a safe baseline; it runs only scripts in the default, safe, or version categories that complete quickly and carry minimal crash risk.
Selective execution patterns:
# Default safe scripts against a single host
nmap -sC 192.0.2.10
# Specific category — vuln checks against a web server
nmap --script vuln -p 80,443 198.51.100.5
# Multiple categories, comma-separated
nmap --script "discovery,auth" 192.168.50.0/24
# Exclude destructive scripts even when globbing
nmap --script "not intrusive" 10.0.3.0/24
What it does:
--script vulnloads all scripts in thevulncategory, checking for known CVEs, configuration weaknesses, and information disclosures. When to use it: During authorized vulnerability assessment phases after initial host discovery. Risks: Somevulnscripts areintrusive—they may trigger IDS alerts or, in rare cases, crash fragile services. Expected output: Structured vulnerability findings with CVE references and severity indicators.
Lab vs. Production distinction:
| Environment | Approach | Rationale |
|---|---|---|
| Lab | nmap --script "vuln,exploit" --script-args=unsafe=1 |
Full coverage, accept crashes in isolated networks |
| Production | nmap --script "safe,vuln" --max-parallelism 10 --max-retries 2 |
Exclude exploits, throttle parallelism, reduce retry storms |
The exploit category deserves particular caution. These scripts actively attempt code execution or authentication bypass. They are invaluable for validating patch status in a lab, but a production exploit run against a missed shadow IT server is an incident report waiting to happen.
Script Arguments and Dynamic Interaction
Scripts expose tunable parameters via --script-args and --script-args-file. This transforms static scripts into flexible tools.
# Pass a custom User-Agent to http-title
nmap --script http-title --script-args http.useragent='Mozilla/5.0 (Windows NT 10.0; Win64; x64)' -p 80,443 192.0.2.15
# Multiple arguments, semicolon-delimited
nmap --script ssh-brute --script-args "userdb=./users.txt,passdb=./passwords.txt,ssh-brute.timeout=8s" -p 22 198.51.100.20
# Arguments from file for repeatability
nmap --script smb-enum-shares --script-args-file ./smb-args.txt 10.0.4.50
What it does:
http.useragentoverrides the default NSE User-Agent string, reducing signature-based detection and matching target logging expectations. When to use it: When testing WAF rules, reproducing a specific client environment, or avoiding "Nmap Scripting Engine" strings in logs. Risks: Custom User-Agents are trivial to set; they do not constitute meaningful evasion against mature monitoring. Expected output: Identical http-title extraction, but server logs reflect the supplied string.
Discover available arguments for any script:
nmap --script-help http-title
nmap --script-help ssh-brute
The --script-help output lists required vs. optional arguments, default values, and category membership. Read it before firing unfamiliar scripts—brute scripts especially can lock accounts if you do not set proper delays.
Writing Custom NSE Scripts
Custom scripts solve the gap where no existing script matches your protocol, your detection logic, or your reporting format. The minimum viable script needs four fields: description, categories, rule, and action.
Complete minimal example — a hostrule script that checks whether a target's PTR record resolves to a suspicious pattern:
description = [[
Checks if a reverse-DNS PTR record contains indicators of
dynamic/residential IP space, useful for flagging VPN exit nodes
or residential proxies during incident response.
]]
categories = {"discovery", "safe"}
author = "Analyst Name"
license = "Same as Nmap"
-- Pull in the NSE DNS library
local dns = require "dns"
local stdnse = require "stdnse"
-- Hostrule: run once per host after host discovery
hostrule = function(host)
-- Only run if we have an IP; IPv6 PTR logic differs
return host.ip ~= nil
end
-- Main action
action = function(host)
local status, name = dns.query(host.ip, {dtype="PTR"})
if not status then
return "No PTR record found"
end
local suspicious = {
"dhcp", "dynamic", "pool", "res", "ppp", "dsl", "cable"
}
local lower_name = string.lower(name)
for _, pattern in ipairs(suspicious) do
if string.find(lower_name, pattern, 1, true) then
return string.format("SUSPICIOUS PTR: %s (matched '%s')", name, pattern)
end
end
return string.format("PTR: %s", name)
end
Save as ptr-suspicious.nse in your Nmap scripts directory (<nmapdatadir>/scripts/ on Linux, or use --datadir to point elsewhere). Run with:
nmap --script ptr-suspicious 192.0.2.100
What it does: The
hostrulefires after host discovery;actionperforms a reverse-DNS lookup and pattern-matches against known dynamic-IP keywords. When to use it: During threat-hunting to flag residential proxies or misattributed scan sources. Risks: PTR records are attacker-controllable; never treat a "clean" result as proof of legitimate infrastructure. Expected output: Either a matched pattern string, a plain PTR record, or "No PTR record found."
Key NSE libraries for development:
| Library | Purpose | Example function |
|---|---|---|
nmap |
Core API: host/port info, socket creation | nmap.new_socket() |
stdnse |
Utilities: formatting, debugging, timing | stdnse.debug(1, "message") |
shortport |
Common portrule predicates | shortport.http |
table |
Table manipulation helpers | table.contains(t, val) |
string |
Pattern matching, parsing | string.match(response, "Server: (.+)\r\n") |
nsock |
Asynchronous I/O (via nmap socket methods) |
socket:connect(host, port) |
Scripts run in a sandboxed Lua environment. You cannot import arbitrary C libraries or execute shell commands directly—this is by design. For complex logic requiring external data, use stdnse.get_script_args() to read file paths passed via --script-args, then parse those files in pure Lua.
Script Debugging and Performance Profiling
NSE scripts fail silently by default—a timeout, a closed port, or a protocol mismatch yields no output. Force visibility:
# Debug level 2: script execution flow
nmap --script http-title -d2 --script-trace 192.0.2.10
# Full packet-level trace of script network activity
nmap --script http-title -d3 --packet-trace 192.0.2.10
What it does:
-d2enables script-level debug output;--script-traceprints each Nsock read/write. When to use it: When a script returns nothing and you suspect a protocol edge case. Risks: Packet traces are voluminous; redirect to file. Expected output: Lua stack traces, socket state transitions, and raw HTTP request/response pairs.
For systematic profiling, use --script-timeout and --host-timeout to prevent hung scripts from stalling entire scan phases. The stdnse.debug() function accepts levels 1-9; use level 1 for production diagnostics and level 3+ only during active development.
Maintaining Private Script Repositories
Organizations with custom detection logic or sensitive signatures should not rely on the global Nmap script directory. Establish a private repository structure:
/opt/nse-private/
├── scripts/ # *.nse files
├── lib/ # Private Lua libraries
├── data/ # Fingerprint files, wordlists
└── update.sh # Version-controlled deployment
Invoke with explicit datadir:
nmap --datadir /opt/nse-private --script my-custom-script 192.0.2.0/24
Or symlink individual scripts into the system directory and run --script-updatedb to rebuild the script database. The script.db file in the datadir is a Lua table that Nmap parses at startup; corruption here causes cryptic "Script not found" errors.
Update mechanisms: the built-in nmap --script-update-db only reindexes local files. For true update delivery, version-control your repository and deploy via configuration management (Ansible, Puppet, etc.). Do not attempt to overlay private scripts onto Nmap's upstream directory—upstream package updates will conflict and overwrite.
NSE vs. External Tools: When to Stay, When to Leave
NSE excels at tight integration with scan results: port state awareness, version detection data, and hostrule timing are free. It falters when you need persistent sessions, complex protocol state machines, or heavy post-processing.
| Scenario | NSE appropriate? | Better alternative |
|---|---|---|
| HTTP header grab during host scan | Yes | — |
| Full web application crawl and form testing | No | Burp Suite, OWASP ZAP |
| SSH key fingerprinting | Yes | — |
| Brute-force with custom retry/backoff logic | Marginal | Hydra, Medusa |
| Exploit with multi-stage payload delivery | No | Metasploit framework |
| Vulnerability check with 100+ request variants | No | Standalone scanner (OpenVAS, Nessus) |
Metasploit modules and NSE scripts overlap conceptually but diverge architecturally. NSE runs statelessly per host/port with seconds of execution time; Metasploit maintains sessions, pivots, and runs arbitrary Ruby. A script like msrpc-enum will list interfaces; a Metasploit module will bind to one and extract SAM hashes. Use NSE for reconnaissance breadth, Metasploit for targeted depth.
Script Safety and Denial of Service
The safe vs. intrusive categorization is a signal, not a guarantee. safe scripts do not crash services in Nmap's testing, but your antique ICS HMI speaking a broken HTTP subset was not in that test matrix. intrusive scripts may send payloads that exhaust connection tables, fill disk logs, or trigger fail2ban rules.
Common mistakes:
| Mistake | Why it bites you |
|---|---|
Running brute scripts without --script-args brute.delay |
Account lockouts, SIEM alerts, angry phone calls |
Using exploit category against production without scoping |
Actual service crashes on unpatched systems |
Globbing --script "*" on large networks |
Resource exhaustion from hundreds of scripts × thousands of hosts |
Ignoring http.max-cache-size and similar limits |
Memory bloat, OOM kills on low-resource scan nodes |
Assuming safe means "zero network impact" |
Any probe increases load; cumulative effect matters at scale |
⚠️ Authorized, defensive use only. Exploit and intrusive scripts are designed for lab validation and authorized hardening assessments. Never direct them at systems without explicit, documented authorization that covers both the technical scope and the business impact of potential service interruption.
Before production deployment, mirror your target's service versions in a lab and run the intended script with -d3 --packet-trace. Watch for connection rate limits, nonstandard protocol responses, and memory growth. A script that completes in 0.3 seconds against nginx may hang indefinitely against a custom embedded web server that never closes the socket.