Essential NSE Script Categories and Security-Relevant Scripts

The Nmap Scripting Engine Architecture

The Nmap Scripting Engine (NSE) transforms Nmap from a port scanner into a comprehensive assessment platform with over 600 scripts organized into categories that describe their behavior, safety profile, and intended use case. Understanding these categories is not merely academic: selecting the wrong ones can crash production systems, trigger intrusion detection systems, or expose operators to legal liability. The script portfolio you assemble must align with your authorization scope, the criticality of the target environment, and the time constraints of your assessment.

Nmap defines fourteen categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln. A script carries one or more tags (banner is discovery and safe; http-shellshock is exploit, vuln and intrusive), and --script accepts a category, a script name, a wildcard, or a boolean expression over them, so --script "vuln and safe" runs only the vulnerability checks whose authors also judged them non-disruptive. The combination of tags, not any single one, determines whether a script runs under -sC (which executes the default category) and how much risk it carries.

Vulnerability Scanning: The vuln Category and Its Limitations

The vuln category contains scripts that check for specific known vulnerabilities, through banner and version fingerprinting or through limited active testing, and that report only when they find something. They are among the more legally sensitive scripts because an active check sends the target input crafted for a particular defect, which in some jurisdictions may itself be treated as unauthorized access.

Category structure and execution:

nmap --script vuln -p 80,443 target.example.com

This executes every script tagged vuln, including http-vuln-cve2017-5638 (Apache Struts), ssl-heartbleed, and smb-vuln-ms17-010, whether or not the script is also tagged intrusive; --script "vuln and safe" restricts the run to the checks their authors judged non-disruptive. Coverage is the other operational limit. A CVE gets an NSE check only after someone writes a reliable, non-destructive detection and it ships in an Nmap release, so scripts trail National Vulnerability Database publication by weeks or months, detection logic can miss variants of an issue that differ from the original advisory, and vulnerabilities with no stable network-visible signature get no script at all.

False positive management requires systematic triage:

| Indicator | Action |
|-----------|--------|
| Version-based detection without active exploitation proof | Flag for manual verification with searchsploit or a custom proof of concept |
| Service banner mismatch (backported patches, e.g. distribution builds that keep the old version string) | Nmap cannot see backports; check the vendor advisory and the distribution's package changelog before reporting |
| Chained vulnerability claims | Validate each link independently; NSE scripts rarely test a complete attack chain |
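The triage above can be mechanised over Nmap's XML output (-oX). The following is an added example, not Nmap code, and the heuristic is mine rather than an NSE convention: a finding whose state starts with VULNERABLE and that carries a check_results table is treated as evidence from an active probe, while LIKELY VULNERABLE states, or VULNERABLE without check_results, are treated as version-inferred and queued for manual verification together with the -sV version string needed for the backport check. SAMPLE_XML is constructed in the shape the NSE vulns library emits (per-vulnerability table with state, ids and optional check_results); it is not a real scan.

```python
"""Triage vuln-category findings from Nmap XML output (-oX)."""
import xml.etree.ElementTree as ET

ACTIVE, MANUAL = "ACTIVE_EVIDENCE", "MANUAL_VERIFY"

# Constructed sample in the layout of `nmap --script vuln -oX` output; no real hosts or results.
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><address addr="203.0.113.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open"/>
 <service name="http" product="Apache httpd" version="2.4.6" extrainfo="(CentOS)"/>
 <script id="http-vuln-cve2017-5638" output="">
  <table key="CVE-2017-5638">
   <elem key="title">Apache Struts Remote Code Execution Vulnerability</elem>
   <elem key="state">LIKELY VULNERABLE</elem>
   <elem key="risk_factor">High</elem>
   <table key="ids"><elem>CVE:CVE-2017-5638</elem></table>
  </table>
 </script>
</port>
<port protocol="tcp" portid="443"><state state="open"/>
 <service name="https" product="nginx" version="1.4.0"/>
 <script id="ssl-heartbleed" output="">
  <table key="CVE-2014-0160">
   <elem key="title">The Heartbleed Bug is a serious vulnerability in OpenSSL</elem>
   <elem key="state">VULNERABLE</elem>
   <elem key="risk_factor">High</elem>
   <table key="ids"><elem>CVE:CVE-2014-0160</elem><elem>OSVDB:105465</elem></table>
   <table key="check_results"><elem>Server returned 16384 bytes of heartbeat payload</elem></table>
  </table>
 </script>
</port>
<port protocol="tcp" portid="445"><state state="open"/>
 <service name="microsoft-ds"/>
 <script id="smb-vuln-ms17-010" output="">
  <table key="CVE-2017-0143">
   <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
   <elem key="state">NOT VULNERABLE</elem>
   <table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
  </table>
 </script>
</port>
</ports></host></nmaprun>
"""


def _text(table, key):
    """Text of the <elem key=...> child of a vulns-library table, or None."""
    e = table.find(f"./elem[@key='{key}']")
    return e.text if e is not None else None


def triage(xml_text: str) -> list:
    """Return findings worth an analyst's time, active-evidence ones first."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("./address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        for port in host.iter("port"):
            svc = port.find("service")
            version = ""
            if svc is not None:
                version = " ".join(filter(None, (svc.get("product"), svc.get("version"), svc.get("extrainfo"))))
            for script in port.findall("script"):
                for vuln in script.findall("table"):
                    state = _text(vuln, "state") or "UNKNOWN"
                    if not state.startswith(("VULNERABLE", "LIKELY VULNERABLE")):
                        continue  # NOT VULNERABLE / UNKNOWN (unable to test) are not findings
                    ids = [e.text or "" for e in vuln.findall("./table[@key='ids']/elem")]
                    cves = [i.split(":", 1)[1] for i in ids if i.startswith("CVE:")]
                    probed = vuln.find("./table[@key='check_results']") is not None
                    verdict = ACTIVE if state.startswith("VULNERABLE") and probed else MANUAL
                    findings.append({
                        "host": ip, "port": int(port.get("portid")), "script": script.get("id"),
                        "cves": cves, "state": state, "service": version, "verdict": verdict,
                        "next_step": ("re-run the probe and keep the raw response as evidence"
                                      if verdict == ACTIVE else
                                      "check the vendor advisory for a backport, then confirm with a PoC (e.g. searchsploit)"),
                    })
    findings.sort(key=lambda f: (f["verdict"] != ACTIVE, f["host"], f["port"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_XML):
        print(f"{f['verdict']:15} {f['host']}:{f['port']} {f['script']} "
              f"{','.join(f['cves'])} [{f['service']}] -> {f['next_step']}")
```

Feed it a real file with `triage(open("scan.xml").read())`; the NOT VULNERABLE result is dropped, the Heartbleed probe lands in the active-evidence bucket, and the version-only Struts hit is queued with the "Apache httpd 2.4.6 (CentOS)" string the analyst needs for the backport check.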

ssl-enum-ciphers (tagged discovery and intrusive, not vuln) shows both the value and the limit of configuration-level checks. It attempts a handshake for each cipher suite, enumerates what the server accepts, and grades weak or deprecated suites, without exploiting anything:

nmap --script ssl-enum-ciphers -p 443 target.example.com --script-args tls.servername=target.example.com

However, it cannot detect implementation-specific flaws like OpenSSL's CVE-2014-0160 (Heartbleed) without the companion ssl-heartbleed script, which actively probes for the vulnerable memory disclosure pattern.

Authentication and Brute-Force: The auth and brute Categories

Scripts in the auth category deal with authentication credentials: anonymous or default logins and bypasses, such as ftp-anon. The brute category guesses credentials across dozens of protocols. The brute scripts carry the highest legal risk of any category and require meticulous operational discipline.

Rate limiting implementation prevents service disruption and detection:

nmap --script ssh-brute --script-args brute.mode=creds,brute.credfile=./controlled_creds.txt,brute.delay=3 -p 22 target.example.com

brute.delay enforces a pause of that many seconds between attempts, and brute.mode=creds restricts testing to the username/password pairs in the file you supply, which is what an authorized assessment normally wants. When brute.mode is omitted, the brute library draws usernames and passwords from the unpwdb default lists (overridable with userdb and passdb) and tries every combination; that mode must never run without explicit written authorization naming the acceptable credential lists.

Credential list management demands cryptographic verification:

# Verify wordlist integrity before deployment
sha256sum /usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt
# Maintain chain of custody logs
echo "$(date -Iseconds) $(whoami) $(sha256sum ./custom_creds.txt)" >> ~/.nmap_credential_audit.log

Legal considerations vary by jurisdiction but in practice require: explicit authorization matching the target scope; rate limiting that avoids denial-of-service conditions; and logging that demonstrates professional duty of care. Brute-force scripts such as http-form-brute and snmp-brute leave exactly the kind of authentication-failure log trail that unauthorized-access prosecutions are built on; never run them without documented authorization.

Information Gathering and Reconnaissance

The discovery, version, and default script categories provide foundational intelligence without the risk profile of vulnerability or brute-force scripts. These represent your standard reconnaissance portfolio.

Banner grabbing and service enumeration:

The http-enum script performs directory and application fingerprinting from its bundled http-fingerprints database, which makes it closer to Nikto than to a wordlist brute-forcer such as Gobuster:

nmap --script http-enum -p 80,8080,8443 --script-args http-enum.displayall=1 target.example.com

This script probes for common administrative interfaces, configuration backups (backup.zip, web.config.bak), and application-specific paths. http-enum.displayall=1 reports every status code that could indicate a valid page rather than only 200 OK and 401 responses; it finds more hidden paths at the cost of far more false positives, so use it when you will review the results by hand.

Service-specific extraction scripts:

| Script | Target | Critical Data |
|--------|--------|---------------|
| mongodb-databases | MongoDB ≥2.6 | Database names, sizes, collection counts without authentication |
| redis-info | Redis | Configuration, connected clients, memory usage, keyspace statistics |
| smb-os-discovery | SMB/CIFS | Operating system version, domain/workgroup, computer name, server time |
| dns-zone-transfer | DNS | Complete zone files when AXFR is misconfigured |

dns-zone-transfer needs particular attention to scope: a successful AXFR returns the whole zone, including NS delegations and host records that may sit outside your authorized range.

nmap --script dns-zone-transfer --script-args dns-zone-transfer.domain=example.com -p 53 ns1.example.com

Setting dns-zone-transfer.server instead of naming the server as the target runs the script as a prerule against that server.

Always validate obtained zone data against your authorization boundaries before further testing of discovered hosts.

Metadata extraction scripts like http-git and http-svn-enum reveal repository structures, commit histories, and developer identities that frequently expose internal infrastructure details or embedded credentials.

Malware and Backdoor Detection

The malware category identifies indicators of compromise through service fingerprint anomalies and known Remote Access Trojan (RAT) signatures. These scripts operate on behavioral and signature-based detection rather than static file analysis.

Known signature detection:

auth-spoof (malware, safe) flags an identd server that answers a bogus query, a sign that it is spoofing its replies, as backdoored hosts do; http-malware-host looks for signatures of known web-server compromises; irc-unrealircd-backdoor detects the backdoor shipped in the trojaned UnrealIRCd 3.2.8.1 tarball by sending the backdoor's command trigger and checking for execution. Open-relay testing belongs to smtp-open-relay, which is a discovery script, not a malware-category one.

Unusual service fingerprint identification:

Beyond known malware signatures, service-fingerprint anomalies may indicate compromise: SSH servers with non-standard version strings, HTTP services on ports that never carry HTTP in your environment, or Telnet services with unusual banner patterns. The banner script combined with aggressive version probing assists this analysis:

nmap -sV --version-intensity 9 --script banner -p 1-65535 target.example.com

Cross-reference anomalous findings with Shodan or Censys historical data to distinguish intentional non-standard configurations from post-compromise modifications.
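The anomaly checks described above, applied to Nmap's normal output (-oN) with the banner script's lines attached to their ports, as an added example that is not part of Nmap. The expected-port map and the rules (service on a port where you do not expect it, ssh without a well-formed SSH-2.0 banner, a banner -sV could not match, an unidentified listener that talks) are my own heuristics; the allowlist stands in for the "known intentional configuration" that Shodan, Censys or your CMDB would confirm. SAMPLE_NORMAL_OUTPUT is constructed, not a real scan.

```python
"""Flag service-fingerprint anomalies in Nmap -oN output annotated by the banner script."""
import re

# Constructed -oN excerpt in Nmap's normal-output layout (not a real scan).
SAMPLE_NORMAL_OUTPUT = r"""PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
|_banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
80/tcp    open  http     nginx 1.24.0
8443/tcp  open  ssl/http nginx 1.24.0
2222/tcp  open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
|_banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
31337/tcp open  ssh
|_banner: SSH-2.0-dropbear
4444/tcp  open  unknown
|_banner: \x01\x00\x00\x00shell>
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
BANNER_RE = re.compile(r"^\|_banner:\s?(.*)$")
SSH_BANNER_RE = re.compile(r"^SSH-(?:1\.99|2\.0)-\S+")

# Assumed environment policy: where each service is allowed to live by default.
EXPECTED_PORTS = {
    "ssh": {22},
    "http": {80, 443, 8000, 8008, 8080, 8443},
    "smtp": {25, 465, 587},
    "telnet": {23},
}


def parse_normal_output(text: str) -> list:
    """Turn PORT/STATE/SERVICE/VERSION lines plus |_banner lines into dict records."""
    records = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            records.append({
                "port": int(m[1]), "proto": m[2], "state": m[3],
                "service": m[4].split("/")[-1],        # "ssl/http" -> "http"
                "version": (m[5] or "").strip(), "banner": None,
            })
            continue
        b = BANNER_RE.match(line)
        if b and records:                               # banner belongs to the preceding port
            records[-1]["banner"] = b[1]
    return records


def flag_anomalies(records: list, allowlist=frozenset()) -> list:
    """Return [(port, [reasons])] for open ports that look out of place.

    allowlist holds (port, service) pairs confirmed as intentional, e.g. from Shodan/Censys
    history or the asset inventory, so they are not reported as non-standard placement.
    """
    flagged = []
    for r in records:
        if r["state"] != "open":
            continue
        reasons = []
        expected = EXPECTED_PORTS.get(r["service"])
        if expected and r["port"] not in expected and (r["port"], r["service"]) not in allowlist:
            reasons.append(f"{r['service']} on non-standard port {r['port']}")
        if r["service"] == "ssh":
            if not r["banner"] or not SSH_BANNER_RE.match(r["banner"]):
                reasons.append("ssh without a well-formed SSH-2.0 banner")
            elif not r["version"]:
                reasons.append(f"ssh banner {r['banner']!r} not matched by -sV")
        if r["service"] == "unknown" and r["banner"]:
            reasons.append(f"unidentified listener answering {r['banner']!r}")
        if reasons:
            flagged.append((r["port"], reasons))
    return flagged


if __name__ == "__main__":
    recs = parse_normal_output(SAMPLE_NORMAL_OUTPUT)
    for port, reasons in flag_anomalies(recs, allowlist={(2222, "ssh")}):
        print(port, "; ".join(reasons))
```

With the jump host on 2222 allowlisted, only the dropbear listener on 31337 (wrong port and unmatched by -sV) and the chatty unknown service on 4444 remain for investigation.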

Network and Broadcast Discovery at Scale

Broadcast and multicast scripts enable infrastructure discovery without individual host targeting, critical for large network assessments and shadow IT identification.

Protocol-specific enumeration:

# SNMP community string discovery and MIB traversal
nmap --script snmp-brute,snmp-sysdescr,snmp-interfaces,snmp-netstat -p 161 --script-args snmp-brute.communitiesdb=./community_strings.txt 192.168.0.0/24

# MSRPC endpoint mapper enumeration (Windows)
nmap --script msrpc-enum -p 135,593 target.example.com

# ONC RPC program fingerprinting; rpc-grind identifies Sun RPC programs on ports -sV left unidentified, it is not an MSRPC tool
nmap -sV --script rpc-grind target.example.com

# DHCP discovery for unauthorized server identification
nmap --script broadcast-dhcp-discover -e eth0

DNS infrastructure enumeration:

Beyond dns-zone-transfer, the dns-service-discovery script identifies mDNS/Bonjour announcements revealing internal service advertisements, and dns-srv-enum locates Kerberos, LDAP, and SIP servers through SRV record queries.

Scale considerations: broadcast scripts are prerule scripts. They run once on the local segment before any host is scanned and ignore the target list, so appending a /16 does not make them louder, it only adds a full scan of 65,536 addresses to the job. Their cost is the traffic they elicit from every responder on the segment and the time they spend listening. Bound the runtime with --script-timeout and select only the non-disruptive ones; the wildcard broadcast-* would also pull in broadcast-avahi-dos, which is tagged dos:

nmap --script "broadcast and safe" --script-timeout 30s -e eth0

Safe, Intrusive, and Destructive Categories: Evaluation Workflow

NSE scripts carry safety classifications that determine default execution behavior. Understanding the precise boundaries prevents accidental target impact.

| Category | Behavioral Guarantee | Examples | Run by -sC? |
|----------|---------------------|----------|-------------|
| safe | Not designed to crash services, flood the network, or exploit anything; not a promise of stealth | banner, ssh-hostkey, http-title | Only if also tagged default (-sC runs the default category, not safe) |
| intrusive | May crash fragile services, consume noticeable resources, or leave conspicuous log entries | http-enum, http-sql-injection, smb-brute, many vuln scripts | Only if also tagged default |
| exploit | Actively exploits a vulnerability, sometimes executing a command on the target | http-shellshock, irc-unrealircd-backdoor, ftp-vsftpd-backdoor | No |
| dos | May cause a denial of service, sometimes deliberately | smb-flood, broadcast-avahi-dos | No |
| fuzzer | Sends malformed data to provoke crashes or unexpected behaviour | dns-fuzz, http-form-fuzzer | No |

The --script-help evaluation workflow must precede every script execution:

# Step 1: Retrieve comprehensive script documentation
nmap --script-help ssl-enum-ciphers,http-enum

# Step 2: Inspect script source for understanding of exact behavior
head -80 /usr/share/nmap/scripts/ssl-enum-ciphers.nse

# Step 3: Validate safety classification and category membership
nmap --script-help ssl-enum-ciphers | grep -A5 "Categories:"

# Step 4: Trace execution for debugging unexpected behavior
nmap --script http-enum --script-trace -p 80 target.example.com 2>&1 | tee http-enum-trace.log

The --script-trace argument displays all network traffic generated by scripts, essential for understanding why a script fails or generates unexpected target load. Combine with --packet-trace for complete traffic analysis.
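The category expressions introduced at the start of this page and steps 1 to 3 of the evaluation workflow above can be combined into one pre-flight check. The following is an added example, not Nmap code: it reads the `categories = {...}` line that every NSE script declares, evaluates a --script expression using Nmap's and/or/not, parentheses, comma-separated lists, "all" and wildcard syntax against those tags, and lists any selected script carrying a category that your engagement policy reserves for explicit sign-off. SCRIPT_SOURCES are constructed stand-ins for real .nse files, SIGNOFF_CATEGORIES is an assumed policy, and load_scripts() is how you would point it at the real directory.

```python
"""Pre-flight check: resolve a --script expression against NSE category tags."""
import fnmatch
import re
from pathlib import Path

# Constructed script headers in the NSE declaration format (stand-ins, not Nmap's files).
SCRIPT_SOURCES = {
    "banner.nse": 'categories = {"discovery", "safe"}\n',
    "http-enum.nse": 'categories = {"discovery", "intrusive", "vuln"}\n',
    "ssl-heartbleed.nse": 'categories = {"vuln", "safe"}\n',
    "http-shellshock.nse": 'categories = {"exploit", "vuln", "intrusive"}\n',
    "smb-flood.nse": 'categories = {"intrusive", "dos"}\n',
}

# Assumed engagement policy: scripts in these categories never run without written sign-off.
SIGNOFF_CATEGORIES = {"exploit", "dos", "fuzzer"}

CATEGORIES_RE = re.compile(r"categories\s*=\s*\{([^}]*)\}")
TOKEN_RE = re.compile(r"\s*(\(|\)|,|[A-Za-z0-9_*?.-]+)")


def script_categories(source: str) -> frozenset:
    """Lower-cased category tags declared in one NSE script source."""
    m = CATEGORIES_RE.search(source)
    return frozenset(c.lower() for c in re.findall(r'"([^"]+)"', m.group(1))) if m else frozenset()


def load_scripts(script_dir: str) -> dict:
    """Read every *.nse under script_dir (e.g. /usr/share/nmap/scripts) into {name: source}."""
    return {p.name: p.read_text(errors="replace") for p in Path(script_dir).glob("*.nse")}


def parse_selection(expr: str):
    """Compile a --script expression into pred(script_name, categories) -> bool.
    Precedence follows Nmap: not binds tightest, then and, then or; a comma acts as or."""
    toks = [t.lower() for t in TOKEN_RE.findall(expr.strip())]
    if re.sub(r"\s+", "", expr).lower() != "".join(toks):
        raise ValueError(f"unsupported characters in selection {expr!r}")
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of selection")
        pos += 1
        return toks[pos - 1]

    def p_or():
        left = p_and()
        while peek() in ("or", ","):
            take()
            left = (lambda l, r: lambda n, c: l(n, c) or r(n, c))(left, p_and())
        return left

    def p_and():
        left = p_not()
        while peek() == "and":
            take()
            left = (lambda l, r: lambda n, c: l(n, c) and r(n, c))(left, p_not())
        return left

    def p_not():
        t = take()
        if t == "not":
            inner = p_not()
            return lambda n, c: not inner(n, c)
        if t == "(":
            inner = p_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return inner
        if t in (")", ",", "and", "or"):
            raise ValueError(f"unexpected {t!r}")
        if t == "all":
            return lambda n, c: True
        # A bare word is a category tag or a (glob) script name.
        return lambda n, c: t in c or fnmatch.fnmatchcase(n, t)

    pred = p_or()
    if peek() is not None:
        raise ValueError(f"trailing {peek()!r}")
    return pred


def select_scripts(expr: str, scripts: dict) -> list:
    """Names of the scripts `nmap --script EXPR` would run, given {name: source}."""
    pred = parse_selection(expr)
    return sorted(name for name, src in scripts.items()
                  if pred(name[:-4] if name.endswith(".nse") else name, script_categories(src)))


def needs_signoff(expr: str, scripts: dict) -> dict:
    """Selected scripts that carry a SIGNOFF category, mapped to the offending tags."""
    hits = {}
    for name in select_scripts(expr, scripts):
        bad = sorted(script_categories(scripts[name]) & SIGNOFF_CATEGORIES)
        if bad:
            hits[name] = bad
    return hits


if __name__ == "__main__":
    for expr in ("vuln", "vuln and safe", "(vuln or discovery) and not intrusive", "http-*"):
        print(f"{expr:40} -> {select_scripts(expr, SCRIPT_SOURCES)}")
    print("needs sign-off:", needs_signoff("vuln", SCRIPT_SOURCES))
```

Against a real installation, `needs_signoff("vuln", load_scripts("/usr/share/nmap/scripts"))` shows at a glance which exploit-tagged scripts a plain --script vuln would drag in, which is the question step 3 of the workflow asks one script at a time.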

Battle-tested portfolio for common scenarios:

| Assessment Type | Script Selection | Safety Rationale |
|-----------------|------------------|------------------|
| External reconnaissance | banner,whois-ip,ssl-enum-ciphers,http-enum,dns-zone-transfer | banner and whois-ip are safe; the other three are tagged intrusive (many requests, conspicuous in logs) but exploit nothing |
| Internal network audit | "safe and discovery" (includes snmp-sysdescr and smb-os-discovery) | Non-disruptive enumeration; SNMP scripts still require an authorized community string |
| Vulnerability validation | vuln scripts chosen one by one after --script-help review; correlate with searchsploit | Mixed safe/intrusive tags; the authorization must explicitly cover active checks |
| Incident response | malware,safe plus specific IOC scripts as identified | Balances detection depth against evidence preservation on a possibly compromised host |

Responsible usage demands that every script selection be justifiable to both technical peers and legal authorities. Document your rationale, verify classifications, and never assume that "scanning" scripts are inherently non-destructive.