
Nmap (Network Mapper) is a leading open-source tool used for network discovery, service enumeration, and security auditing. Its capabilities are extended through the Nmap Scripting Engine (NSE), which allows users to write and execute custom scripts for a variety of advanced tasks such as vulnerability detection, web server enumeration, and protocol analysis.
The following commands have been tested in a Kali Linux environment, one of the most popular distributions used by ethical hackers and penetration testers. If you’re getting started with Nmap scripting or want to refine your scanning skills, this guide will help you run powerful NSE scripts efficiently.
Locate NSE Scripts in Kali Linux
To begin using Nmap scripting, you need to locate where the scripts are stored. On Kali Linux, the default path is:
$ cd /usr/share/nmap/scripts
$ ls
This directory contains hundreds of .nse scripts that you can use directly or customize for your scanning needs.
Web Server Enumeration with http-enum
This script helps detect common web directories, applications, and services on a target web server.
Command:
$ nmap -sV --script=http-enum 192.168.148.128
Why Use It:
Quickly identifies web admin panels, login portals, and app paths that could be vulnerable to attack.
Check for Slowloris Vulnerability
The http-slowloris-check script determines if a web server is susceptible to the Slowloris Denial of Service attack.
Command:
$ nmap -T4 --script http-slowloris-check <IP>
Why Use It:
Helps test web servers for DoS resilience by checking for vulnerability to low-and-slow attacks.
SSL Certificate and Cipher Enumeration
Two critical scripts, ssl-cert and ssl-enum-ciphers, are used for evaluating the security of SSL/TLS services.
Command:
$ nmap --script ssl-cert,ssl-enum-ciphers -p 443 Domain/IP
Why Use It:
Audits SSL certificates for expiry, weak ciphers, and configuration issues.
Detect Anonymous FTP Access
The ftp-anon.nse script checks whether anonymous access is enabled on an FTP server.
Command:
$ nmap -p 21 -T4 192.168.148.128 --script /usr/share/nmap/scripts/ftp-anon.nse
Why Use It:
Anonymous FTP access can be a major security hole—this script helps detect it fast.
Run a General Vulnerability Scan
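The vuln selector is an NSE script category rather than a single script: passing it to --script runs several vulnerability detection scripts at once. Some scripts in this category are also classed as intrusive, so expect more traffic and side effects than a plain port scan.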
Command:
$ nmap --script vuln 192.168.148.128
Why Use It:
Provides a quick and comprehensive overview of known vulnerabilities on a host.
Extract and Analyze HTTP Headers
Use the http-headers script to analyze how securely a web server is configured.
Command:
$ nmap --script http-headers 192.168.148.128
Why Use It:
Checks for missing or misconfigured headers like X-Frame-Options, Server, and Content-Security-Policy.
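As an added example (not part of the original article or of Nmap itself), the bash function below post-processes the normal-format output of http-headers and reports, per port, which expected security headers are absent and whether the Server header carries a version number. The function names, the REQUIRED_HEADERS list and the sample scan output are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit the header dump printed by `nmap --script http-headers`.
# REQUIRED_HEADERS is an assumed policy list; edit it to match your own baseline.
REQUIRED_HEADERS="X-Frame-Options Content-Security-Policy"

# Constructed sample of Nmap normal-format output (not taken from a real scan).
sample_output() {
  cat <<'EOF'
Nmap scan report for 192.168.148.128
PORT   STATE SERVICE
80/tcp open  http
| http-headers:
|   Date: Mon, 06 Jan 2025 10:00:00 GMT
|   Server: Apache/2.4.62 (Debian)
|   X-Frame-Options: SAMEORIGIN
|   Content-Type: text/html; charset=UTF-8
|
|_  (Request type: HEAD)
EOF
}

# Reads Nmap output on stdin and prints one finding per line, prefixed by port.
audit_headers() {
  awk -v required="$REQUIRED_HEADERS" '
    function report(   i, n, req) {
      n = split(required, req, " ")
      for (i = 1; i <= n; i++)
        if (!(tolower(req[i]) in seen)) print port " MISSING " req[i]
      # Heuristic: a digit in the Server value is treated as a version leak.
      if (("server" in seen) && seen["server"] ~ /[0-9]/)
        print port " DISCLOSES Server: " seen["server"]
      split("", seen)                       # reset for the next port
    }
    /^[0-9]+\/(tcp|udp) / { port = $1 }     # remember the port being described
    /^[|] http-headers:/  { in_block = 1; next }
    in_block && /^[|]/ {
      line = $0; sub(/^[|]_? */, "", line)  # strip the "|" or "|_" gutter
      idx = index(line, ":")
      if (idx > 1) seen[tolower(substr(line, 1, idx - 1))] = substr(line, idx + 2)
      if (substr($0, 2, 1) == "_") { in_block = 0; report() }  # "|_" ends block
      next
    }
    in_block { in_block = 0; report() }     # block ended without a "|_" line
    END { if (in_block) report() }
  '
}

sample_output | audit_headers
```

To audit a host you are authorised to scan, pipe the scan into the function: `nmap --script http-headers <target> | audit_headers`.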
Scan for Malware-Hosting Domains
The http-malware-host script determines if a domain is hosting malicious content.
Command:
$ nmap -sV --script=http-malware-host 192.168.148.128
Why Use It:
Useful in threat hunting and incident response to identify compromised web servers.
Tips for Using NSE on Kali Linux
- Update Script Database: $ nmap --script-updatedb
- Use Verbose Mode for More Detail: $ nmap -v -sV --script=http-enum IP
- Always Scan with Permission: Ensure you have legal authorization before scanning any network or host.
Conclusion
The Nmap Scripting Engine transforms Nmap from a simple port scanner into a versatile security auditing tool. Whether you’re scanning for vulnerabilities, evaluating SSL settings, or analyzing web servers, the commands above provide a strong foundation. Since these examples are tested on Kali Linux, you can use them confidently in real-world security assessments or penetration tests.