Nmap NSE Scripts for Vulnerability Scanning

Published on January 22, 2025


Nmap’s scripting engine (NSE) goes beyond simple port scanning, letting you detect vulnerabilities and gather more detailed data. This article covers how NSE scripts are categorized, where they live on your system, and how to run them to spot known CVEs on a target.

1. NSE Scripts and Categories

NSE scripts are grouped by categories like vuln, safe, intrusive, and more. You can see these categories in /usr/share/nmap/scripts/script.db on Kali. A single script can belong to multiple categories—scripts labeled “intrusive” might cause a service to crash, so use them with caution.

2. Running Vulnerability Scripts

To use Nmap for lightweight vulnerability scanning, you can run all vuln category scripts with:

sudo nmap -sV -p 443 --script "vuln" <target-IP>

Service detection (-sV) helps Nmap identify software versions. The vulners script, for example, checks its database for matching CVEs and displays details like severity and PoCs.

3. Adding Custom NSE Scripts

If an official script for a specific CVE doesn’t exist, you can often find one online (e.g. GitHub). Place it in /usr/share/nmap/scripts/, then update the local database:

sudo nmap --script-updatedb

You can then reference it by filename:

sudo nmap -sV -p 443 --script "http-vuln-cve2021-41773" <target-IP>

4. Final Thoughts

  • Intrusive vs. Safe: Always check a script’s category. Intrusive scripts might risk system stability.
  • Version Detection: NSE relies on accurate service fingerprinting to provide relevant vulnerability data.
  • Manual Review: Avoid blindly trusting scripts; verify their safety before running them in production.
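As an added example (not code from the original article), the Python below reads script.db in the one-entry-per-line format mentioned in section 1 and answers the two checks the Final Thoughts ask for: which scripts a --script "vuln" selection would actually run, and whether a script you are about to name carries the intrusive (or dos) category. The script.db content embedded here is constructed and its category assignments are illustrative; on a real host, pass the function the contents of /usr/share/nmap/scripts/script.db instead.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample in the one-entry-per-line format of /usr/share/nmap/scripts/script.db.
# Category assignments are illustrative, not copied from a real install.
SAMPLE_SCRIPT_DB = """\
Entry { filename = "vulners.nse", categories = { "vuln", "safe", "external", } }
Entry { filename = "http-vuln-cve2021-41773.nse", categories = { "vuln", "intrusive", } }
Entry { filename = "ssl-heartbleed.nse", categories = { "vuln", "safe", } }
Entry { filename = "http-slowloris.nse", categories = { "dos", "intrusive", } }
Entry { filename = "banner.nse", categories = { "discovery", "safe", } }
"""

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}'
)


def parse_script_db(text: str) -> Dict[str, Set[str]]:
    """Map each script filename to the set of categories script.db assigns it."""
    scripts: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        match = ENTRY_RE.search(line)
        if not match:
            continue  # blank or unrecognised line
        categories = {c.strip().strip('"') for c in match.group(2).split(",") if c.strip()}
        scripts[match.group(1)] = categories
    return scripts


def scripts_selected(db: Dict[str, Set[str]], include: str, exclude: Iterable[str] = ()) -> List[str]:
    """Scripts that a selection such as --script "vuln and not intrusive" would run."""
    excluded = set(exclude)
    return sorted(name for name, cats in db.items() if include in cats and not cats & excluded)


def review_script(db: Dict[str, Set[str]], name: str) -> List[str]:
    """Warnings to read before invoking a script by name (with or without the .nse suffix)."""
    filename = name if name.endswith(".nse") else name + ".nse"
    if filename not in db:
        return [f"{filename} is not in script.db; run 'nmap --script-updatedb' after adding it"]
    return [f"{filename} is in category '{c}'" for c in ("intrusive", "dos") if c in db[filename]]


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    print("vuln:", scripts_selected(db, "vuln"))
    print("vuln and not intrusive:", scripts_selected(db, "vuln", {"intrusive"}))
    for script in ("vulners", "http-vuln-cve2021-41773", "my-custom-check"):  # last name is a placeholder
        print(script, "->", review_script(db, script) or ["no warnings"])
```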