2012-01-13

NMAP Scripts for your entertainment.


::The following info was taken from http://nmap.org/book/nse.html  

WHAT IS IT?
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.

Scripts are written in the embedded Lua programming language. The language itself is well documented in the books Programming in Lua, Second Edition and Lua 5.1 Reference Manual. The reference manual is also freely available online, as is the first edition of Programming in Lua. Given the availability of these excellent general Lua programming references, this document only covers aspects and extensions specific to Nmap's scripting engine.

HOW DO I USE IT?
NSE is activated with the -sC option (or --script if you wish to specify a custom set of scripts) and results are integrated into Nmap normal and XML output. Two types of scripts are supported: service and host scripts. Service scripts relate to a certain open port (service) on the target host, and any results they produce are included next to that port in the Nmap output port table. Host scripts, on the other hand, run no more than once against each target IP and produce results below the port table.

SHOW ME WHAT TO TYPE...
Example 1 shows a typical script scan. Service scripts producing output in this example are ssh-hostkey, which provides the system's RSA and DSA SSH keys, and rpcinfo, which queries portmapper to enumerate available services. The only host script producing output in this example is smb-os-discovery, which collects a variety of information from SMB servers. Nmap discovered all of this information in a third of a second. 

Example 1. Typical NSE output

# nmap -sC -p22,111,139 -T4 localhost
 
Starting Nmap ( http://nmap.org )
Interesting ports on flog (127.0.0.1):
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey: 1024 b1:36:0d:3f:50:dc:13:96:b2:6e:34:39:0d:9b:1a:38 (DSA)
|_ 2048 77:d0:20:1c:44:1f:87:a0:30:aa:85:cf:e8:ca:4c:11 (RSA)
111/tcp open  rpcbind
| rpcinfo:
| 100000  2,3,4  111/udp    rpcbind
| 100024  1      56454/udp  status
|_ 100000 2,3,4  111/tcp    rpcbind
139/tcp open  netbios-ssn
Host script results:
| smb-os-discovery: Unix
| LAN Manager: Samba 3.0.31-0.fc8
|_ Name: WORKGROUP
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
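Because NSE results land in Nmap's XML output (-oX) as well as the normal output shown in Example 1, a defender who runs script scans against their own hosts usually wants to pull the service-script and host-script results out of the XML rather than scrape the text table. The following Python is an added example, not code from the page or from the Nmap project: it embeds a constructed XML rendering of the Example 1 scan (element and attribute names follow Nmap's XML output format, values are the ones in the listing above), separates per-port service-script results from host-script results, and, as one defensive use of the data, flags ssh-hostkey entries shorter than a chosen bit length. The 2048-bit threshold and the helper names are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (-oX) for the scan in Example 1.
# Element/attribute names follow Nmap's XML format; the values are the ones
# from the normal-output listing, re-expressed as XML. Newlines inside the
# multi-line script outputs are written as &#10; character references.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC -p22,111,139 -T4 -oX - localhost">
  <host>
    <status state="up"/>
    <address addr="127.0.0.1" addrtype="ipv4"/>
    <hostnames><hostname name="flog" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh"/>
        <script id="ssh-hostkey"
          output="1024 b1:36:0d:3f:50:dc:13:96:b2:6e:34:39:0d:9b:1a:38 (DSA)&#10;2048 77:d0:20:1c:44:1f:87:a0:30:aa:85:cf:e8:ca:4c:11 (RSA)"/>
      </port>
      <port protocol="tcp" portid="111">
        <state state="open"/>
        <service name="rpcbind"/>
        <script id="rpcinfo"
          output="100000 2,3,4 111/udp rpcbind&#10;100024 1 56454/udp status&#10;100000 2,3,4 111/tcp rpcbind"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open"/>
        <service name="netbios-ssn"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery"
        output="Unix&#10;LAN Manager: Samba 3.0.31-0.fc8&#10;Name: WORKGROUP"/>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_script_results(xml_text):
    """Return one dict per NSE script result found in Nmap XML output.

    Service-script results sit under <ports>/<port>/<script> and are tagged
    with the port they ran against; host-script results sit under
    <hostscript>/<script> and get port=None, mirroring how Nmap prints them
    (beside the port-table row vs. below the table).
    """
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.findall("ports/port"):
            where = "%s/%s" % (port.get("portid"), port.get("protocol"))
            for script in port.findall("script"):
                results.append({"host": addr, "kind": "service", "port": where,
                                "script": script.get("id"),
                                "output": script.get("output", "")})
        for script in host.findall("hostscript/script"):
            results.append({"host": addr, "kind": "host", "port": None,
                            "script": script.get("id"),
                            "output": script.get("output", "")})
    return results


# One ssh-hostkey output line in the format shown in Example 1:
# "<bits> <fingerprint> (<keytype>)"
HOSTKEY_LINE = re.compile(r"^(\d+)\s+([0-9a-f:]+)\s+\((\w+)\)$")


def short_ssh_hostkeys(results, min_bits=2048):
    """Flag SSH host keys shorter than min_bits in ssh-hostkey results.

    Returns (host, port, bits, keytype) tuples. The threshold is this
    example's own policy choice (assumption), not something Nmap prescribes.
    """
    weak = []
    for r in results:
        if r["script"] != "ssh-hostkey":
            continue
        for line in r["output"].splitlines():
            m = HOSTKEY_LINE.match(line.strip())
            if m and int(m.group(1)) < min_bits:
                weak.append((r["host"], r["port"], int(m.group(1)), m.group(3)))
    return weak


if __name__ == "__main__":
    found = parse_script_results(SAMPLE_XML)
    for r in found:
        tag = r["port"] if r["kind"] == "service" else "host"
        print("%s [%s] %s" % (r["host"], tag, r["script"]))
    for host, port, bits, keytype in short_ssh_hostkeys(found):
        print("short host key: %s %s %d-bit %s" % (host, port, bits, keytype))
```

On the sample this yields two service-script results (ssh-hostkey on 22/tcp, rpcinfo on 111/tcp), one host-script result (smb-os-discovery), and one flagged 1024-bit DSA key; to use it on a real scan, read the file produced by -oX into parse_script_results instead of SAMPLE_XML.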


I DO NOT HAVE TIME TO WRITE MY OWN SCRIPTS!!
Listed below are the built-in scripts preloaded on NMAP 5.61TEST4 (released January 2012):

address-info.nse
afp-brute.nse
afp-ls.nse
afp-path-vuln.nse
afp-serverinfo.nse
afp-showmount.nse
amqp-info.nse
asn-query.nse
auth-owners.nse
auth-spoof.nse
backorifice-brute.nse
backorifice-info.nse
banner.nse
bitcoin-getaddr.nse
bitcoin-info.nse
bitcoinrpc-info.nse
bittorrent-discovery.nse
broadcast-avahi-dos.nse
broadcast-db2-discover.nse
broadcast-dhcp-discover.nse
broadcast-dns-service-discovery.nse
broadcast-dropbox-listener.nse
broadcast-listener.nse
broadcast-ms-sql-discover.nse
broadcast-netbios-master-browser.nse
broadcast-novell-locate.nse
broadcast-pc-anywhere.nse
broadcast-pc-duo.nse
broadcast-ping.nse
broadcast-rip-discover.nse
broadcast-sybase-asa-discover.nse
broadcast-upnp-info.nse
broadcast-wake-on-lan.nse
broadcast-wpad-discover.nse
broadcast-wsdd-discover.nse
citrix-brute-xml.nse
citrix-enum-apps-xml.nse
citrix-enum-apps.nse
citrix-enum-servers-xml.nse
citrix-enum-servers.nse
couchdb-databases.nse
couchdb-stats.nse
creds-summary.nse
cvs-brute-repository.nse
cvs-brute.nse
daap-get-library.nse
daytime.nse
db2-das-info.nse
db2-discover.nse
dhcp-discover.nse
dns-blacklist.nse
dns-brute.nse
dns-cache-snoop.nse
dns-fuzz.nse
dns-nsec-enum.nse
dns-random-srcport.nse
dns-random-txid.nse
dns-recursion.nse
dns-service-discovery.nse
dns-update.nse
dns-zeustracker.nse
dns-zone-transfer.nse
domcon-brute.nse
domcon-cmd.nse
domino-enum-users.nse
dpap-brute.nse
drda-brute.nse
drda-info.nse
epmd-info.nse
finger.nse
firewalk.nse
ftp-anon.nse
ftp-bounce.nse
ftp-brute.nse
ftp-libopie.nse
ftp-proftpd-backdoor.nse
ftp-vsftpd-backdoor.nse
ftp-vuln-cve2010-4221.nse
ganglia-info.nse
giop-info.nse
gopher-ls.nse
hadoop-datanode-info.nse
hadoop-jobtracker-info.nse
hadoop-namenode-info.nse
hadoop-secondary-namenode-info.nse
hadoop-tasktracker-info.nse
hbase-master-info.nse
hbase-region-info.nse
hddtemp-info.nse
hostmap.nse
http-affiliate-id.nse
http-apache-negotiation.nse
http-auth.nse
http-awstatstotals-exec.nse
http-axis2-dir-traversal.nse
http-backup-finder.nse
http-barracuda-dir-traversal.nse
http-brute.nse
http-cakephp-version.nse
http-cors.nse
http-date.nse
http-default-accounts.nse
http-domino-enum-passwords.nse
http-email-harvest.nse
http-enum.nse
http-favicon.nse
http-form-brute.nse
http-google-malware.nse
http-grep.nse
http-headers.nse
http-iis-webdav-vuln.nse
http-joomla-brute.nse
http-litespeed-sourcecode-download.nse
http-majordomo2-dir-traversal.nse
http-malware-host.nse
http-method-tamper.nse
http-methods.nse
http-open-proxy.nse
http-open-redirect.nse
http-passwd.nse
http-php-version.nse
http-put.nse
http-robots.txt.nse
http-robtex-reverse-ip.nse
http-title.nse
http-trace.nse
http-unsafe-output-escaping.nse
http-userdir-enum.nse
http-vhosts.nse
http-vmware-path-vuln.nse
http-vuln-cve2011-3192.nse
http-vuln-cve2011-3368.nse
http-waf-detect.nse
http-wordpress-brute.nse
http-wordpress-enum.nse
http-wordpress-plugins.nse
iax2-version.nse
imap-brute.nse
imap-capabilities.nse
informix-brute.nse
informix-query.nse
informix-tables.nse
ip-geolocation-geobytes.nse
ip-geolocation-geoplugin.nse
ip-geolocation-ipinfodb.nse
ip-geolocation-maxmind.nse
ipidseq.nse
ipv6-node-info.nse
irc-botnet-channels.nse
irc-brute.nse
irc-info.nse
irc-unrealircd-backdoor.nse
iscsi-brute.nse
iscsi-info.nse
jdwp-version.nse
krb5-enum-users.nse
ldap-brute.nse
ldap-novell-getpass.nse
ldap-rootdse.nse
ldap-search.nse
lexmark-config.nse
lltd-discovery.nse
maxdb-info.nse
metasploit-xmlrpc-brute.nse
modbus-discover.nse
mongodb-databases.nse
mongodb-info.nse
ms-sql-brute.nse
ms-sql-config.nse
ms-sql-dump-hashes.nse
ms-sql-empty-password.nse
ms-sql-hasdbaccess.nse
ms-sql-info.nse
ms-sql-query.nse
ms-sql-tables.nse
ms-sql-xp-cmdshell.nse
mysql-audit.nse
mysql-brute.nse
mysql-databases.nse
mysql-empty-password.nse
mysql-info.nse
mysql-users.nse
mysql-variables.nse
nat-pmp-info.nse
nbstat.nse
ncp-enum-users.nse
ncp-serverinfo.nse
nessus-brute.nse
netbus-auth-bypass.nse
netbus-brute.nse
netbus-info.nse
netbus-version.nse
nexpose-brute.nse
nfs-ls.nse
nfs-showmount.nse
nfs-statfs.nse
nping-brute.nse
nrpe-enum.nse
ntp-info.nse
ntp-monlist.nse
omp2-brute.nse
omp2-enum-targets.nse
openlookup-info.nse
openvas-otp-brute.nse
oracle-brute.nse
oracle-enum-users.nse
oracle-sid-brute.nse
ovs-agent-version.nse
p2p-conficker.nse
path-mtu.nse
pgsql-brute.nse
pjl-ready-message.nse
pop3-brute.nse
pop3-capabilities.nse
pptp-version.nse
qscan.nse
quake3-info.nse
quake3-master-getservers.nse
realvnc-auth-bypass.nse
resolveall.nse
reverse-index.nse
rexec-brute.nse
rlogin-brute.nse
rmi-dumpregistry.nse
rpcinfo.nse
rtsp-methods.nse
rtsp-url-brute.nse
script.db
servicetags.nse
sip-brute.nse
sip-enum-users.nse
skypev2-version.nse
smb-brute.nse
smb-check-vulns.nse
smb-enum-domains.nse
smb-enum-groups.nse
smb-enum-processes.nse
smb-enum-sessions.nse
smb-enum-shares.nse
smb-enum-users.nse
smb-flood.nse
smb-mbenum.nse
smb-os-discovery.nse
smb-psexec.nse
smb-security-mode.nse
smb-server-stats.nse
smb-system-info.nse
smbv2-enabled.nse
smtp-brute.nse
smtp-commands.nse
smtp-enum-users.nse
smtp-open-relay.nse
smtp-strangeport.nse
smtp-vuln-cve2010-4344.nse
smtp-vuln-cve2011-1720.nse
smtp-vuln-cve2011-1764.nse
sniffer-detect.nse
snmp-brute.nse
snmp-interfaces.nse
snmp-ios-config.nse
snmp-netstat.nse
snmp-processes.nse
snmp-sysdescr.nse
snmp-win32-services.nse
snmp-win32-shares.nse
snmp-win32-software.nse
snmp-win32-users.nse
socks-open-proxy.nse
sql-injection.nse
ssh-hostkey.nse
ssh2-enum-algos.nse
sshv1.nse
ssl-cert.nse
ssl-enum-ciphers.nse
ssl-google-cert-catalog.nse
ssl-known-key.nse
sslv2.nse
stuxnet-detect.nse
svn-brute.nse
targets-ipv6-multicast-echo.nse
targets-ipv6-multicast-invalid-dst.nse
targets-ipv6-multicast-slaac.nse
targets-sniffer.nse
targets-traceroute.nse
telnet-brute.nse
telnet-encryption.nse
tftp-enum.nse
unusual-port.nse
upnp-info.nse
vnc-brute.nse
vnc-info.nse
vuze-dht-info.nse
wdb-version.nse
whois.nse
wsdd-discover.nse
x11-access.nse
xmpp-brute.nse
xmpp-info.nse