Nmap Cheat Sheet

Nmap Scripting Engine (NSE)

NSE (Nmap Scripting Engine) allows Nmap to run Lua-based scripts to automate:

- Vulnerability detection
- Service enumeration
- Authentication testing
- Exploit validation
- Information gathering

Official docs:
https://nmap.org/nsedoc/scripts/


NSE Script Usage

nmap --script script_name target
nmap --script=script_name target

Multiple scripts:

nmap --script script1,script2 target

Default scripts:

nmap -sC target
nmap --script default target


NSE Script Categories (With Explanations)

auth

Authentication-related checks such as weak credentials and login mechanisms.

Examples:

- SSH password checks
- FTP authentication testing


broadcast

Uses broadcast traffic to discover hosts and services on the local network.

Examples:

- DHCP discovery
- Broadcast-based device discovery


brute

Performs brute-force attacks against network services.

Examples:

- SSH brute force
- FTP brute force
- SMB brute force


default

Safe and commonly useful scripts executed with -sC.

Used for:

- Basic service enumeration
- Safe information gathering


discovery

Discovers network services, hosts, and configurations.

Examples:

- SNMP enumeration
- Network share discovery


dos

Tests for Denial of Service vulnerabilities.

⚠️ May disrupt services — use carefully.


exploit

Attempts to exploit known vulnerabilities to validate exposure.

Examples:

- SMB exploits
- Service-specific exploits


external

Uses external services or APIs.

Examples:

- WHOIS lookups
- Geolocation services


fuzzer

Sends malformed or unexpected input to test service robustness.


intrusive

Scripts that may affect target stability or integrity.

Used in:

- Advanced penetration testing
- Controlled lab environments


malware

Detects malware indicators or backdoors.

Examples:

- Known malware signatures
- Backdoored services


safe

Scripts that are non-intrusive and safe.

Ideal for:

- Reconnaissance
- Production environments


version

Provides enhanced service version detection.

Works alongside -sV.


vuln

Checks for known vulnerabilities.

Most commonly used category for:

- Vulnerability scanning
- Exposure assessment


NSE Category Usage Examples

nmap --script vuln target
nmap --script auth,brute target
nmap --script discovery,safe target
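
A script can belong to several categories at once, so a selection such as vuln can still pull in scripts tagged dos or intrusive. The following is an added example, not part of the original cheat sheet or of Nmap itself: it parses text in the line format of Nmap's script.db index and reports which scripts in a category selection also carry a disruptive category. The sample entries and script names are constructed placeholders, and the grouping of "risky" categories is this example's assumption based on the descriptions above.

```python
import re

# Categories described above as potentially disruptive (grouping is this example's choice).
RISKY = {"brute", "dos", "exploit", "fuzzer", "intrusive"}

# Constructed sample in the line format of Nmap's script.db index;
# the script names are placeholders, not real NSE scripts.
SAMPLE_DB = '''\
Entry { filename = "demo-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "demo-login-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "demo-vuln-check.nse", categories = { "safe", "vuln", } }
Entry { filename = "demo-vuln-crash.nse", categories = { "dos", "intrusive", "vuln", } }
Entry { filename = "demo-whois.nse", categories = { "discovery", "external", "safe", } }
'''

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}'
)

def parse_script_db(text):
    """Return {script filename: set of categories} from script.db-style text."""
    db = {}
    for m in ENTRY_RE.finditer(text):
        db[m.group(1)] = set(re.findall(r'"([^"]+)"', m.group(2)))
    return db

def review_selection(db, selection):
    """Split a comma-separated --script category list into (ok, flagged).

    A script is selected when it carries any requested category. It is flagged
    when it also carries a RISKY category; flagged maps name -> risky categories.
    """
    wanted = {c.strip().lower() for c in selection.split(",") if c.strip()}
    ok, flagged = [], {}
    for name, cats in sorted(db.items()):
        if not cats & wanted:
            continue  # script not pulled in by this selection
        risky = cats & RISKY
        if risky:
            flagged[name] = sorted(risky)
        else:
            ok.append(name)
    return ok, flagged

if __name__ == "__main__":
    db = parse_script_db(SAMPLE_DB)
    for sel in ("vuln", "discovery,safe", "auth,brute"):
        ok, flagged = review_selection(db, sel)
        print(f"--script {sel}: ok={ok} flagged={flagged}")
```

Nmap also accepts boolean expressions in --script, for example --script "vuln and not intrusive", which applies the same kind of filter at scan time.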

Danger

Use Nmap and NSE scripts only on systems you own or have explicit permission to test.