Nmap Script Cheat Sheet
By Hideki Ishiguro at
Because it's 2022 now, I know that this post might be useless for many hackers. However, that's for me and some newbies.
Nmap Scripting Engine (NSE) is a useful feature of Nmap that makes it possible to obtain additional information about the target.
You can run scripts by adding the "--script" option (and, for scripts that take arguments, "--script-args") to the nmap command.
Default Common Script
nmap -sC <ip>
Port 21: FTP
nmap --script ftp-anon -p 21 <ip>
Port 22: SSH
nmap --script ssh-auth-methods --script-args="ssh.user=<username>" -p 22 <ip>
nmap --script ssh-brute -p 22 <ip>
nmap --script "ssh*" -p 22 <ip>
Port 53, 5353: DNS
nmap --script dns-nsec-enum --script-args dns-nsec-enum.domains=example.com -p 53 <ip>
nmap --script dns-random-srcport -p 53 <ip>
nmap --script dns-recursion -p 53 <ip>
nmap --script dns-service-discovery -p 53 <ip>
Port 67, 68: DHCP (Server), DHCP (Client)
nmap --script broadcast-dhcp-discover -p 67,68 <ip>
Port 69: TFTP (Trivial File Transfer Protocol)
nmap -sU --script tftp-enum -p 69 <ip>
Port 80: HTTP
nmap --script http-devframework -p 80 <ip>
nmap --script http-enum -p 80 <ip>
nmap --script http-methods -p 80 <ip>
nmap --script http-sql-injection -p 80 <ip>
Port 88: Kerberos
nmap --script krb5-enum-users --script-args krb5-enum-users.realm='example.local' -p 88 <ip>
Port 111: NFS (Network File System)
nmap --script nfs-ls -p 111 <ip>
nmap --script nfs-statfs -p 111 <ip>
nmap --script nfs-showmount -p 111 <ip>
Port 123: NTP (Network Time Protocol)
nmap -sU --script ntp-info -p 123 <ip>
nmap -sU --script ntp-monlist -p 123 <ip>
nmap -sU --script "ntp*" -p 123 <ip>
Port 135: MSRPC
nmap --script msrpc-enum -p 135 <ip>
Port 139, 445: SMB
nmap --script smb-brute -p 445 <ip>
nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <ip>
nmap --script smb-protocols -p 445 <ip>
nmap --script "smb-vuln*" -p 445 <ip>
Port 161: SNMP (Simple Network Management Protocol)
nmap -sU --script snmp-info -p 161 <ip>
nmap -sU --script snmp-interfaces -p 161 <ip>
nmap -sU --script snmp-processes -p 161 <ip>
nmap -sU --script snmp-sysdescr -p 161 <ip>
Port 389, 636: LDAP
nmap --script ldap-brute -p 389 <ip>
nmap --script ldap-search -p 389 <ip>
nmap --script "ldap* and not brute" -p 389 <ip>
Port 1433: MSSQL (Microsoft SQL Server)
nmap --script ms-sql-info -p 1433 <ip>
nmap --script ms-sql-config -p 1433 <ip>
nmap --script ms-sql-empty-password -p 1433 <ip>
nmap --script ms-sql-xp-cmdshell -p 1433 <ip>
Port 3306: MySQL
nmap --script mysql-enum -p 3306 <ip>
nmap --script mysql-info -p 3306 <ip>
nmap --script mysql-brute -p 3306 <ip>
nmap --script mysql-databases -p 3306 <ip>
nmap --script mysql-users -p 3306 <ip>
Port 3389: RDP (Remote Desktop Protocol)
nmap --script rdp-enum-encryption -p 3389 <ip>
nmap --script rdp-ntlm-info -p 3389 <ip>
Port 9100: PJL (Printer Job Language)
nmap --script pjl-ready-message -p 9100 <ip>
Common Vulnerabilities
nmap --script vuln <ip>