The Nmap Scripting Engine (NSE) is one of Nmap's most powerful features. It lets penetration testers and security researchers write and run Lua scripts that automate and customise scanning of a target host or network. Depending on the category a script belongs to, a scan can be far from passive: scripts in the intrusive, dos and exploit categories send traffic that can cause data loss or crash the target, so check what a script does and which categories it belongs to (nmap --script-help <script-name>) before pointing it at a system you are not authorised to break.

NSE script categories:

  • auth: scripts that deal with authentication credentials on the target, for example checking for anonymous or default access or whether authentication can be bypassed (password guessing is left to the brute category).
  • broadcast: scripts that discover hosts not given on the command line by broadcasting on the local network.
  • brute: scripts that brute-force credentials against a remote service to gain unauthorized access.
  • default: the scripts run by -sC or -A without naming any script. They are chosen for speed, usefulness and reliability and are mostly safe, but a few intrusive scripts are included.
  • discovery: scripts for active information gathering about the network and the services running on a target.
  • dos: scripts that may cause a denial of service, either deliberately to test whether the target is susceptible or as a side effect of testing for another vulnerability.
  • exploit: scripts that actively exploit a vulnerability on a target.
  • external: scripts that send data gathered from the target to a third-party resource for further processing (a whois lookup, for example), which also discloses your target to that third party.
  • fuzzer: scripts that send unexpected or randomised data to a service to find bugs and vulnerabilities; expect crashes.
  • intrusive: high-risk scripts that may crash services, consume large amounts of resources, or cause data loss.
  • malware: scripts that check whether a target is infected with malware or hosts a backdoor.
  • safe: scripts that are not expected to crash services, use large amounts of bandwidth, or exploit vulnerabilities; the counterpart of intrusive.
  • version: an extension of version detection that cannot be selected by name; these scripts run only when -sV is requested.
  • vuln: scripts that check for specific known vulnerabilities and normally report only when one is found.

Performing a scan using NSE:

nmap --script ftp-vsftpd-backdoor 172.30.1.134 -p 21

The --script option accepts a single script, a comma-separated list of scripts, a category, or a boolean expression over them (for example "vuln and not intrusive"). In this case the script reported the target as exploitable: the FTP service is vsftpd 2.3.4, the release that shipped with a backdoor. From there the walkthrough went:

  1. Search for the version name and its exploit; a public one exists.
  2. Within Kali Linux, the searchsploit tool queries the offline copy of Exploit-DB and returns the same result.
  3. Open msfconsole and search for vsftpd 2.3.4.
  4. Select the exploit with use 0, then run show info to read its description and options.
  5. To run an entire category of scripts, pass the category name to --script:

nmap --script vuln 172.30.1.134

Nmap prints output from every vuln script that returned a result, so expect a lot of it. Note that vuln is not the same as safe: some vuln scripts (ftp-vsftpd-backdoor among them) are also in the intrusive category, so "vuln and safe" is the expression to use when the target must not be disturbed.
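As an added example, not taken from the original post or from the Nmap project, the following Python script shows both halves of the workflow above: building an nmap command line from an NSE selection expression, with a check that refuses the dos, exploit, intrusive, brute and fuzzer categories unless explicitly allowed and rejects the unselectable version category, and parsing the -oX XML output to flag results whose state is VULNERABLE. The nmap flags used (--script, --script-args, -sV, -p, -oX) are real; the XML sample is constructed to mirror the shape of nmap's output for ftp-vsftpd-backdoor and ftp-anon and is not a captured scan. The function names and the DANGEROUS set are this example's own choices.

```python
"""Build an NSE scan command line and triage its XML output (added example)."""
import re
import shlex
import xml.etree.ElementTree as ET

# Categories from the NSE documentation. "version" cannot be selected by name.
NSE_CATEGORIES = {
    "auth", "broadcast", "brute", "default", "discovery", "dos", "exploit",
    "external", "fuzzer", "intrusive", "malware", "safe", "version", "vuln",
}
# Example's own policy: categories that can crash a target or cause data loss.
DANGEROUS = {"dos", "exploit", "intrusive", "brute", "fuzzer"}


def positively_selected(script_expr):
    """Identifiers in an NSE selection expression that are not under a 'not'.

    Handles 'not x' and 'not ( ... )'. A 'not' nested inside a negated group is
    treated conservatively as still negated, so keep expressions simple."""
    tokens = re.findall(r"\(|\)|[A-Za-z0-9_*.-]+", script_expr)
    selected, depth, neg_depth, negate_next = set(), 0, None, False
    for tok in tokens:
        if tok == "(":
            depth += 1
            if negate_next and neg_depth is None:
                neg_depth = depth
            negate_next = False
        elif tok == ")":
            if neg_depth == depth:
                neg_depth = None
            depth -= 1
        elif tok == "not":
            negate_next = True
        elif tok in ("and", "or"):
            continue
        else:
            if not negate_next and neg_depth is None:
                selected.add(tok)
            negate_next = False
    return selected


def build_nmap_argv(target, script_expr, ports=None, version_detect=False,
                    allow_dangerous=False, script_args=None, xml_out="scan.xml"):
    """Return an argv list for nmap, refusing risky selections unless opted in."""
    selected = {t.lower() for t in positively_selected(script_expr)}
    if "version" in selected:
        raise ValueError("'version' cannot be selected by name; its scripts run under -sV")
    risky = sorted(selected & DANGEROUS)
    if risky and not allow_dangerous:
        raise ValueError(f"expression selects {risky}, which can crash the target "
                         "or cause data loss; pass allow_dangerous=True only with authorisation")
    argv = ["nmap", "--script", script_expr]
    if script_args:  # --script-args takes comma-separated key=value pairs
        argv += ["--script-args", ",".join(f"{k}={v}" for k, v in script_args.items())]
    if version_detect:
        argv.append("-sV")
    if ports:
        argv += ["-p", str(ports)]
    argv += ["-oX", xml_out, target]
    return argv


def is_vulnerable_state(state):
    """True for the vuln library's VULNERABLE / LIKELY VULNERABLE states only,
    so 'NOT VULNERABLE' and 'UNKNOWN (unable to test)' are not counted."""
    s = (state or "").strip().upper()
    return s.startswith("VULNERABLE") or s.startswith("LIKELY VULNERABLE")


def parse_script_results(xml_text):
    """Flatten every <script> element of nmap -oX output into findings."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        for port in host.iter("port"):
            svc = port.find("service")
            service = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
            for script in port.findall("script"):
                # Scripts written with the vuln library carry a <elem key="state">;
                # plain-output scripts such as ftp-anon have no state at all.
                state = next((e.text for e in script.iter("elem") if e.get("key") == "state"), None)
                findings.append({"host": addr, "port": int(port.get("portid")),
                                 "proto": port.get("protocol"), "service": service,
                                 "script": script.get("id"), "state": state,
                                 "output": script.get("output", ""),
                                 "vulnerable": is_vulnerable_state(state)})
    return findings


# Constructed sample: shaped like nmap's -oX output, not a captured scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --script ftp-vsftpd-backdoor,ftp-anon -sV -p 21 -oX scan.xml 172.30.1.134">
  <host><address addr="172.30.1.134" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
      <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
      <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      <script id="ftp-vsftpd-backdoor" output="VULNERABLE: vsFTPd version 2.3.4 backdoor">
        <table key="CVE-2011-2523"><elem key="title">vsFTPd version 2.3.4 backdoor</elem>
          <elem key="state">VULNERABLE (Exploitable)</elem>
          <table key="ids"><elem>CVE:CVE-2011-2523</elem></table></table>
      </script></port></ports></host></nmaprun>"""

if __name__ == "__main__":
    print(shlex.join(build_nmap_argv("172.30.1.134", "ftp-vsftpd-backdoor", ports=21, allow_dangerous=True)))
    for f in parse_script_results(SAMPLE_XML):
        print(f"{f['host']}:{f['port']} {f['script']}: {f['state'] or f['output']}")
```

Selecting ftp-vsftpd-backdoor by name passes the category check, because the check only sees the expression, not each script's categories; nmap --script-help ftp-vsftpd-backdoor is still the way to learn that the script is intrusive before running it.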