10 Nmap Scripts Every Ethical Hacker Must Know in 2026 (With Examples)

Most people use Nmap to scan ports and move on. Professionals use it to do a third of their enumeration work in a single command. The Nmap Scripting Engine (NSE) ships with over 600 scripts, and you do not need all of them: you need the 10 that appear in every professional assessment, find the vulnerabilities that matter, and save hours of manual checking. These are the scripts I run on every engagement, the ones that consistently find EternalBlue-vulnerable systems, anonymous FTP servers, open mail relays, and HTTP method misconfigurations before I have opened any other tool.

🎯 What You’ll Learn

The 10 NSE scripts that appear in professional penetration test workflows
Real command examples and expected output for each script
When to use -sC vs --script=vuln vs targeted single scripts
How to find scripts for any service and update the script database

⏱️ 40 min read · 3 exercises

✅ Moving from basic port scanning to targeted NSE scripts is one of the biggest workflow improvements available in Kali. The scripts in this guide cover SMB, HTTP, FTP, SSL, SMTP, and more — each one replaces a separate manual check that would otherwise take minutes per host.


1. smb-vuln-ms17-010 — EternalBlue Detection

MS17-010 (EternalBlue) is the SMB vulnerability that powered WannaCry and NotPetya. Although it was patched in 2017, it is still found on unpatched systems during internal network assessments. This script checks for the vulnerability without attempting exploitation, so it is safe to run during a vulnerability assessment.

smb-vuln-ms17-010
nmap -p 445 --script smb-vuln-ms17-010 192.168.56.102
# Expected output on vulnerable host:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1
| State: VULNERABLE
# Scan entire subnet for EternalBlue
nmap -p 445 --script smb-vuln-ms17-010 192.168.56.0/24 -oN eternalblue_scan.txt


2. smb-enum-users — SMB User Enumeration

smb-enum-users + smb-enum-shares
nmap -p 445 --script smb-enum-users 192.168.56.102
# Also enumerate shares:
nmap -p 445 --script smb-enum-shares,smb-enum-users 192.168.56.102
| smb-enum-users:
| METASPLOITABLE\root (RID: 1000)
| METASPLOITABLE\msfadmin (RID: 1002)
| METASPLOITABLE\postgres (RID: 1008)


3. http-enum — Web Directory Discovery

http-enum + http-title
nmap -p 80,443,8080,8443 --script http-enum TARGET
| http-enum:
| /admin/: Possible admin folder
| /phpMyAdmin/: phpMyAdmin
| /robots.txt: Robots file
# Run against all web ports on subnet
nmap -p 80,443,8080 --script http-enum,http-title 192.168.56.0/24 --open


4. http-methods — Dangerous HTTP Method Detection

http-methods
nmap -p 80,443 --script http-methods TARGET
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE OPTIONS TRACE
| Potentially risky methods: PUT DELETE TRACE
# PUT = file upload · DELETE = file deletion · TRACE = XST attack vector


5. ssl-heartbleed — Heartbleed Detection

ssl-heartbleed + ssl-cert
nmap -p 443 --script ssl-heartbleed TARGET
# Also check SSL certificate details
nmap -p 443 --script ssl-cert,ssl-enum-ciphers TARGET
| ssl-cert: Subject: commonName=*.target.com
| Not valid before: 2025-01-01
| Not valid after: 2026-01-01


6. ftp-anon — Anonymous FTP Login

ftp-anon + ftp-syst
nmap -p 21 --script ftp-anon,ftp-syst TARGET
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status: vsftpd 2.3.4
# vsftpd 2.3.4 has a backdoor (CVE-2011-2523) — check with:
nmap -p 21 --script ftp-vsftpd-backdoor TARGET

🛠️ EXERCISE 1 — KALI TERMINAL (15 MIN)
Run All 10 NSE Scripts Against Metasploitable in One Command

⏱️ Time: 15 minutes · Kali terminal · Metasploitable running

COMBINED NSE SCAN — METASPLOITABLE
# Run all 10 scripts in a single Nmap command
nmap -sV -p 21,22,25,80,443,445,3306 \
--script ftp-anon,ftp-vsftpd-backdoor,smb-vuln-ms17-010,smb-enum-users,\
http-enum,http-methods,http-title,ssl-heartbleed,smtp-open-relay,vulners \
192.168.56.102 -oN metasploitable_nse_scan.txt
# Quick vuln scan using category shortcut
nmap -sV --script vuln 192.168.56.102 -oN vuln_scan.txt
# View results (-i because the http-methods line says "risky" in lower case)
grep -i -A 5 "VULNERABLE\|allowed\|risky" metasploitable_nse_scan.txt

✅ What you just learned: Metasploitable is intentionally vulnerable — the combined NSE scan will find vsftpd backdoor on FTP, anonymous FTP login, SMB vulnerabilities, open MySQL without authentication, and several HTTP findings. The -oN flag saves everything to a file for report evidence. The vuln category shortcut (--script vuln) runs all vulnerability detection scripts simultaneously — useful when you want comprehensive coverage rather than specific scripts. Note how much reconnaissance information a single Nmap scan provides when NSE is used properly.

📸 Screenshot your NSE scan output showing VULNERABLE findings and share in #nmap-scripts on Discord.
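
As an added example that is not part of the original guide: a small Python triage script that parses the -oN file the combined scan writes and pulls out the NSE blocks containing the phrases the grep above looks for, so you get one line per host, port and script for the report. The sample report embedded in it is constructed, not real scan output.

```python
import re
from collections import namedtuple
# Constructed sample in the shape Nmap writes with -oN; not real scan output.
SAMPLE_ON = """\
Nmap scan report for 192.168.56.102
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp  open  http        Apache httpd 2.2.8
| http-methods:
|_  Potentially risky methods: PUT DELETE TRACE

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|_    State: VULNERABLE
"""
Finding = namedtuple("Finding", "host port script summary")
FLAGS = ("vulnerable", "login allowed", "risky")  # the phrases the grep above looks for
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\b")
SCRIPT_RE = re.compile(r"^([\w.-]+):\s*(.*)$")    # "name: first output line"

def parse_scripts(text):
    """Return [(host, port, script, [output lines])] for every NSE block in -oN text."""
    blocks, host, port, current = [], None, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, port, current = m.group(1), None, None
        elif m := PORT_RE.match(line):
            port, current = m.group(1), None
        elif line.startswith("Host script results"):
            port, current = "host", None           # hostrule scripts such as smb-vuln-*
        elif not line.startswith("|"):
            current = None                         # any other line closes the block
        elif m := SCRIPT_RE.match(line[2:]):       # "| name:" or "|_name:" opens a block
            current = (host, port, m.group(1), [m.group(2)])
            blocks.append(current)
        elif current:
            current[3].append(line[2:].strip())    # "|   ..." continuation line
    return blocks

def triage(text):
    """Keep blocks containing a flagged phrase; the last matching line becomes the summary."""
    findings = []
    for host, port, script, lines in parse_scripts(text):
        hits = [l for l in lines if any(f in l.lower() for f in FLAGS)
                and "not vulnerable" not in l.lower()]  # vulns.showall also prints NOT VULNERABLE
        if hits:
            findings.append(Finding(host, port, script, hits[-1]))
    return findings
```

Run it on the real file with `triage(open("metasploitable_nse_scan.txt").read())`; the `port` field is the literal string `host` for hostrule scripts that Nmap prints under "Host script results".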


7. smtp-open-relay — Mail Relay Misconfiguration

smtp-open-relay + smtp-commands
nmap -p 25,587,465 --script smtp-open-relay,smtp-commands TARGET
| smtp-commands: TARGET, PIPELINING, SIZE 10240000, VRFY, ENHANCEDSTATUSCODES
| smtp-open-relay: Server is an open relay (14/16 tests)
# Open relay = server forwards email for arbitrary senders = spam/phishing risk
# VRFY command enabled = user enumeration possible
nmap -p 25 --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY} TARGET


8. vulners — CVE Lookup per Service Version

vulners — CVE DATABASE LOOKUP
# vulners queries Vulners.com database for CVEs matching service versions
# Requires -sV for version detection
nmap -sV --script vulners 192.168.56.102
| vulners:
| cpe:/a:vsftpd:vsftpd:2.3.4:
| CVE-2011-2523 10.0 https://vulners.com/cve/CVE-2011-2523
| cpe:/a:apache:http_server:2.2.8:
| CVE-2011-3192 7.8 https://vulners.com/cve/CVE-2011-3192
# Output includes CVSS scores — prioritise 9.0+ findings


9. http-title — Web Server Title Fingerprinting

http-title
# http-title — identify all web servers on subnet by page title
nmap -p 80,443,8080,8443 --script http-title 192.168.56.0/24 --open
192.168.56.102: Metasploitable2 - Linux
192.168.56.103: phpMyAdmin
192.168.56.104: Welcome to nginx!


10. ssh-auth-methods — SSH Authentication Discovery

ssh-auth-methods
# ssh-auth-methods — check if password auth is enabled
nmap -p 22 --script ssh-auth-methods TARGET
| ssh-auth-methods:
| Supported authentication methods:
| publickey
| password ← password auth enabled = brute force viable
| keyboard-interactive

🧠 EXERCISE 2 — THINK LIKE A HACKER (8 MIN)
Build the Optimal NSE Script Stack for Three Different Assessment Scenarios

⏱️ Time: 8 minutes · No tools required

For each scenario, select the exact NSE scripts and flags
you would run. Time and stealth matter.

SCENARIO A: Quick triage of 50 Windows servers.
You have 30 minutes. Primary concern: unpatched SMB.
Write the single Nmap command.

SCENARIO B: Full web application pre-assessment.
30 web servers, multiple ports. Need: directories,
titles, methods, SSL status. No IDS concern.
Write the command.

SCENARIO C: Targeted single-host deep scan.
One Linux server, all services. Maximum finding density.
IDS present — need to keep noise moderate.
Write the command — and explain one flag you add for
stealth.

✅ Answer key: A = nmap -p 445 --script smb-vuln-ms17-010,smb-vuln-ms08-067 192.168.1.0/24 --open (targeted, fast, just SMB vuln check). B = nmap -p 80,443,8080,8443 --script http-enum,http-title,http-methods,ssl-cert,ssl-heartbleed 192.168.1.0/24 --open (all web ports, all HTTP/SSL scripts). C = nmap -sV --script vuln,default -T3 --reason TARGET (comprehensive but -T3 slows timing to reduce IDS detection risk — T4 default generates more noise, T3 is stealthier while still completing in reasonable time).

📸 Share your three NSE commands in #nmap-scripts on Discord.

🛠️ EXERCISE 3 — BROWSER (10 MIN)
Discover NSE Scripts for Services Found in Your Last Port Scan

⏱️ Time: 10 minutes · Browser · nmap.org

Step 1: Go to nmap.org/nsedoc/
Step 2: Pick any 3 services you recently found open in a scan
(e.g. RDP, MySQL, MongoDB, Redis, Elasticsearch)
Step 3: For each service, find its NSE scripts in the NSEDoc
Step 4: Note which category each script is in (safe/intrusive/vuln)
Step 5: Also run on Kali terminal:
ls /usr/share/nmap/scripts/ | grep -i [servicename]
Compare what’s installed vs what NSEDoc lists
Step 6: For one of your three services, run:
nmap --script-help [script-name]
Note what arguments are accepted
✅ What you just learned: NSEDoc at nmap.org is the NSE reference — always check it before running scripts on real targets so you know whether a script is categorised as safe, intrusive, or exploit-level. A script in the ‘dos’ category should never be run without careful consideration; a script in ‘safe’ can be run during any authorised scan. The --script-help command is the fastest way to understand what a specific script does and what arguments it accepts without searching online.

📸 Share your three service script discoveries in #nmap-scripts on Discord. Tag #nmapscripts2026
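
An added example, not from the original page, that automates the category check in Steps 4 to 6: it parses the `categories = {...}` line every .nse file carries and sorts a planned --script list into run, noisy (intrusive), hold (dos/exploit) and unknown before anything touches a target. The embedded script headers are constructed stand-ins with assumed category lists; `load_script_dir()` reads the real files from /usr/share/nmap/scripts/ when you want to check an installed copy.

```python
import re
from pathlib import Path

# Constructed stand-ins for the "categories = {...}" line every .nse file carries.
# The category lists here are assumed; the real files live in /usr/share/nmap/scripts/.
SAMPLE_SCRIPTS = {
    "smb-vuln-ms17-010": 'categories = {"vuln", "safe"}',
    "ftp-anon": 'categories = {"default", "auth", "safe"}',
    "http-enum": 'categories = {"discovery", "intrusive", "vuln"}',
    "ftp-vsftpd-backdoor": 'categories = {"exploit", "intrusive", "malware", "vuln"}',
    "smtp-open-relay": 'categories = {"discovery", "intrusive"}',
}
CAT_RE = re.compile(r"^\s*categories\s*=\s*\{([^}]*)\}", re.MULTILINE)

def categories_of(source):
    """Parse the Lua table on the categories line into a set of category names."""
    m = CAT_RE.search(source)
    return set(re.findall(r'"([^"]+)"', m.group(1))) if m else set()

def load_script_dir(path="/usr/share/nmap/scripts"):
    """Map script name -> source for every .nse file in a local Nmap install."""
    return {p.stem: p.read_text(errors="replace") for p in Path(path).glob("*.nse")}

def review_stack(script_names, sources, forbidden=("dos", "exploit")):
    """Sort a planned --script list into run / noisy / hold / unknown before it runs."""
    verdicts = {}
    for name in script_names:
        if name not in sources:
            verdicts[name] = ("unknown", [])          # typo, or script not installed
            continue
        cats = categories_of(sources[name])
        if cats & set(forbidden):
            verdicts[name] = ("hold", sorted(cats))   # needs explicit authorisation first
        elif "intrusive" in cats:
            verdicts[name] = ("noisy", sorted(cats))  # expect IDS alerts on production
        else:
            verdicts[name] = ("run", sorted(cats))
    return verdicts

def script_arg(verdicts):
    """Comma-joined --script value containing only the scripts cleared to run."""
    return ",".join(n for n, (v, _) in verdicts.items() if v == "run")
```

Swap `SAMPLE_SCRIPTS` for `load_script_dir()` to review against the scripts actually installed on your Kali box, which also catches names that `ls /usr/share/nmap/scripts/` would not find.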

🧠 QUICK CHECK — NSE Scripts

What is the difference between running nmap -sC and nmap --script=vuln against a target?



📋 The 10 Scripts — Quick Reference

  • smb-vuln-ms17-010: EternalBlue — one of the most critical Windows vulnerabilities still found in production
  • smb-enum-users: SMB user enumeration — user list for password spraying
  • http-enum: Web directory discovery — finds admin panels, phpMyAdmin, robots.txt
  • http-methods: Dangerous HTTP methods — PUT, DELETE, TRACE indicate misconfiguration
  • ssl-heartbleed: Heartbleed detection — still present in legacy systems
  • ftp-anon: Anonymous FTP — immediate data access without credentials
  • smtp-open-relay: Open mail relay — spam/phishing infrastructure risk
  • vulners: CVE lookup per service version — requires -sV
  • http-title: Web title fingerprinting — fastest way to triage dozens of web servers
  • ssh-auth-methods: SSH auth check — password auth enabled = brute force viable

❓ Frequently Asked Questions

What is the Nmap Scripting Engine (NSE)?
Lua-based framework extending Nmap with 600+ scripts for automated enumeration, vulnerability detection, and exploitation. Scripts in /usr/share/nmap/scripts/ run with the --script flag. Categories: default, safe, vuln, intrusive, exploit, dos, brute.
What is the difference between -sC and --script=vuln?
-sC = default category (safe enumeration, low noise). --script=vuln = vulnerability category (active CVE probing, higher noise, IDS alerts). Use -sC for standard scans; --script=vuln for authorised vulnerability assessments.
How do I find Nmap scripts for a specific service?
ls /usr/share/nmap/scripts/ | grep SERVICE or browse nmap.org/nsedoc/. Use nmap --script-help SCRIPTNAME for usage details. Update the script database with sudo nmap --script-updatedb.
Which scripts are most useful for penetration testing?
smb-vuln-ms17-010 (EternalBlue), http-enum (web dirs), ftp-anon (anon FTP), vulners (CVE lookup), ssl-heartbleed, smtp-open-relay, ssh-auth-methods, http-methods (PUT/DELETE). These cover the most common high-severity findings on internal assessments.
Are Nmap scripts safe for production servers?
Default scripts (-sC) are generally safe. Vuln scripts are intrusive and trigger IDS. Exploit/dos scripts should never run on production without explicit authorisation and lab testing. Always check --script-help and the script category before running.
📚 Further Reading

  • Nmap Commands Complete Reference 2026 — The complete Nmap command reference with every flag and scan type — the companion guide to NSE that covers port scanning, OS detection, and timing options alongside script usage.
  • Enum4linux Tutorial 2026 — Day 15 covers dedicated SMB enumeration — use Enum4linux after smb-enum-users confirms user accounts exist for deeper RID cycling and share enumeration that Nmap scripts do not perform.
  • 180-Day Kali Linux Mastery Course — The complete course hub — NSE scripts appear throughout the Kali course from Day 1 Nmap foundations through advanced service exploitation in Days 30+.
  • Nmap NSEDoc — Official Script Database — The official NSE script documentation — every script with description, category, arguments, and example output. The definitive reference before running any NSE script on an authorised target.
  • Vulscan — Enhanced NSE Vulnerability Scanner — A community NSE script that extends Nmap’s vulnerability detection by querying multiple CVE databases simultaneously — more comprehensive than vulners alone for version-based vulnerability lookup.
Mr Elite
Owner, SecurityElites.com
Every time I think NSE scripts have become less relevant — that everything is patched, that EternalBlue is ancient history — I run smb-vuln-ms17-010 against an internal subnet on a client assessment and find three unpatched Windows 7 machines in a manufacturing environment that nobody had touched since 2018 because “those systems are air-gapped.” They were not air-gapped. They were on the same flat network as the entire corporate environment. All three were EternalBlue-vulnerable. Patched systems from 2017 still appearing in production in 2026. The NSE scripts that feel like they should be retired are often the ones that find the most embarrassing vulnerabilities. Never skip the vuln scan because you assume everything is patched. Assume nothing is patched until the scan proves otherwise.
