Scripts for Nmap

Nmap ("Network Mapper") is a utility for network discovery and security auditing.

Besides basic network discovery and port scanning, Nmap has a built-in scripting engine (NSE) with which more complex network tasks can be automated. The Nmap installation ships with a wide variety of scripts (/usr/share/nmap/scripts). A script can run for each host or service found during the scan, or once before or after the scan itself.

Script execution is controlled with the following command line parameters (see nmap(1)):

  • --script: comma-separated list of script directories, files or categories
  • --script-help: show the help for the given scripts
  • --script-args: provide additional parameters to the scripts
  • --script-trace: show all data sent and received by the scripts

A few examples follow.

DHCP service discovery: send a DHCP discover broadcast and display the received DHCP configuration parameters (the script name must match the script-args prefix, here broadcast-dhcp-discover):

sudo nmap \
    --script=broadcast-dhcp-discover \
    --script-args='broadcast-dhcp-discover.mac=de:ad:be:ef:ca:fe' \
    -e eth0

Retrieve the SSH host keys of the target host:

nmap --script=ssh-hostkey -p 22 login.example.org
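The interesting part of an NSE run is usually not the screen output but what you do with it afterwards. The following is an added example (not code from the Nmap project or from this page): it parses Nmap's XML output (`-oX`) with the Python standard library, pulls out every script result as a list of key/value rows, and, for ssh-hostkey, compares the fingerprints against a known-good baseline so that a changed or newly appeared host key is flagged. The embedded XML is a constructed sample; its layout (host/ports/port/script with `<table>`/`<elem>` children) is my understanding of the structure Nmap writes and should be checked against your own `-oX` output.

```python
"""Extract NSE script results from Nmap -oX output (added example).

Assumption: script results are written as <script id="..."> elements under
<port> (port scripts) or <hostscript> (host scripts), with structured output
as <table> rows of <elem key="...">value</elem>. Verify against real output.
"""
import xml.etree.ElementTree as ET

# Constructed sample resembling `nmap --script=ssh-hostkey -p 22 -oX - host`.
# Address, fingerprints and key blobs are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --script=ssh-hostkey -p 22 -oX - login.example.org">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh"/>
        <script id="ssh-hostkey" output="constructed">
          <table>
            <elem key="type">ssh-ed25519</elem>
            <elem key="bits">256</elem>
            <elem key="fingerprint">0011223344556677889900aabbccddee</elem>
            <elem key="key">AAAAC3NzaC1lZDI1NTE5AAAAIFAKE</elem>
          </table>
          <table>
            <elem key="type">ssh-rsa</elem>
            <elem key="bits">3072</elem>
            <elem key="fingerprint">ffeeddccbbaa99887766554433221100</elem>
            <elem key="key">AAAAB3NzaC1yc2EAAAADAQABFAKE</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def elem_dict(parent):
    """Turn the direct <elem key="...">value</elem> children into a dict."""
    return {e.get("key"): (e.text or "").strip() for e in parent.findall("elem")}


def _rows(script):
    """One dict per <table>; scripts with bare <elem> children give one row."""
    tables = script.findall("table")
    if tables:
        return [elem_dict(t) for t in tables]
    direct = elem_dict(script)
    return [direct] if direct else []


def script_results(xml_text):
    """Return [(addr, port, script_id, rows)] for every script in the run.

    Host-level scripts (<hostscript>) are reported with port None.
    """
    root = ET.fromstring(xml_text)
    out = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else None
        for port in host.iter("port"):
            portid = int(port.get("portid"))
            for script in port.findall("script"):
                out.append((addr, portid, script.get("id"), _rows(script)))
        hostscript = host.find("hostscript")
        if hostscript is not None:
            for script in hostscript.findall("script"):
                out.append((addr, None, script.get("id"), _rows(script)))
    return out


def hostkey_changes(results, baseline):
    """Compare ssh-hostkey fingerprints with a baseline {(addr, key_type): fp}.

    Returns (addr, key_type, seen_fp, expected_fp) for every key that is new
    (expected None) or differs from the baseline. A host key that changed on
    a machine you did not re-provision deserves a closer look.
    """
    findings = []
    for addr, _port, script_id, rows in results:
        if script_id != "ssh-hostkey":
            continue
        for row in rows:
            key_type, fp = row.get("type"), row.get("fingerprint")
            expected = baseline.get((addr, key_type))
            if expected != fp:
                findings.append((addr, key_type, fp, expected))
    return findings


if __name__ == "__main__":
    results = script_results(SAMPLE_XML)
    for addr, port, script_id, rows in results:
        print(addr, port, script_id, [r.get("fingerprint") for r in rows])
    known = {("192.0.2.10", "ssh-ed25519"): "0011223344556677889900aabbccddee"}
    for finding in hostkey_changes(results, known):
        print("NEW OR CHANGED HOST KEY:", finding)
```

To use it on a real scan, write the output with `nmap --script=ssh-hostkey -p 22 -oX scan.xml login.example.org`, read the file into `script_results`, and keep the baseline dictionary in version control next to your inventory; the same `script_results` function also returns the rows of ssl-cert, http-headers or any other script, since it does not depend on the script id.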

Get information about the SSL certificate:

nmap --script=ssl-cert -p 443 www.example.org

Print the HTTP headers:

nmap --script=http-headers -p 80 www.example.org

Get the list of RSS feeds from a website (the -p option takes a port list, so the port must be given before the target):

nmap --script=http-feed -p 80 www.example.org

Find possible subdomains by DNS name brute forcing:

nmap --script=dns-brute --script-args dns-brute.domain=example.com