Nmap Script Cheat Sheet

Pentesting

Because it's 2022 now, I know that this post might be useless for many hackers. However, it's for me and some newbies.

The Nmap Scripting Engine (NSE) runs Lua scripts against a target to obtain information beyond open ports: service details, configuration, default credentials and known vulnerabilities.
Scripts are selected with the "--script" option, which accepts script names, categories (such as default, vuln or brute), wildcards and boolean expressions; per-script arguments are passed with "--script-args". Quote any expression that contains a wildcard (for example --script "smb-vuln*"), otherwise the shell expands the * against files in the current directory. Scripts for UDP services (DNS, DHCP, TFTP, NTP, SNMP) only fire when the port is scanned with -sU, and the brute and credentialed scripts below use Nmap's built-in username/password lists unless you point them at your own with userdb=/passdb= or a service-specific argument.


Default Scripts (-sC runs every script in the "default" category, the same as --script default)

nmap -sC <ip>

Port 21: FTP

nmap --script ftp-anon -p 21 <ip>

Port 22: SSH

nmap --script ssh-auth-methods --script-args="ssh.user=<username>" -p 22 <ip>
nmap --script ssh-brute --script-args="userdb=<users.txt>,passdb=<passwords.txt>" -p 22 <ip>
nmap --script "ssh*" -p 22 <ip>

Port 53, 5353: DNS (port 53 scripts need -sU; 5353 is mDNS/DNS-SD)

nmap -sU --script dns-nsec-enum --script-args dns-nsec-enum.domains=example.com -p 53 <ip>
nmap -sU --script dns-random-srcport -p 53 <ip>
nmap -sU --script dns-recursion -p 53 <ip>
nmap -sU --script dns-service-discovery -p 5353 <ip>

Port 67, 68: DHCP (Server), DHCP (Client)

nmap --script broadcast-dhcp-discover
nmap -sU --script dhcp-discover -p 67 <ip>

broadcast-dhcp-discover is a prerule script: it sends a DHCPDISCOVER on the local broadcast domain, so it takes no target (use -e <interface> to pick the NIC). dhcp-discover queries one specific server over UDP 67.

Port 69: TFTP (Trivial File Transfer Protocol)

nmap -sU --script tftp-enum -p 69 <ip>

Port 80: HTTP

nmap --script http-devframework -p 80 <ip>
nmap --script http-enum -p 80 <ip>
nmap --script http-methods -p 80 <ip>
nmap --script http-sql-injection -p 80 <ip>

Port 88: Kerberos

nmap --script krb5-enum-users --script-args krb5-enum-users.realm='example.local' -p 88 <ip>

Port 111: RPCbind / portmapper (the nfs-* scripts ask the portmapper for the NFS service)

nmap --script nfs-ls -p 111 <ip>
nmap --script nfs-statfs -p 111 <ip>
nmap --script nfs-showmount -p 111 <ip>

Port 123: NTP (Network Time Protocol)

nmap -sU --script ntp-info -p 123 <ip>
nmap -sU --script ntp-monlist -p 123 <ip>
nmap -sU --script "ntp*" -p 123 <ip>

Port 135: MSRPC

nmap --script msrpc-enum -p 135 <ip>

Port 139, 445: SMB

nmap --script smb-brute -p 445 <ip>
nmap --script smb-enum-shares,smb-enum-users --script-args smbusername=<user>,smbpassword=<pass> -p 445 <ip>
nmap --script smb-protocols -p 445 <ip>
nmap --script "smb-vuln*" -p 445 <ip>

smb-enum-shares and smb-enum-users work anonymously on older or misconfigured hosts; on current Windows builds they usually return nothing without smbusername/smbpassword (or smbdomain/smbhash). The smb-vuln-* checks are unauthenticated but some of them (for example the SMBv1 probes) can crash fragile targets, so get permission before running them on production systems.

Port 161: SNMP (Simple Network Management Protocol)

nmap -sU --script snmp-info -p 161 <ip>
nmap -sU --script snmp-interfaces -p 161 <ip>
nmap -sU --script snmp-processes -p 161 <ip>
nmap -sU --script snmp-sysdescr -p 161 <ip>

Port 389, 636: LDAP

nmap --script ldap-brute -p 389 <ip>
nmap --script ldap-search -p 389 <ip>
nmap --script "ldap* and not brute" -p 389 <ip>

Port 1433: MSSQL (Microsoft SQL Server)

nmap --script ms-sql-info -p 1433 <ip>
nmap --script ms-sql-config -p 1433 <ip>
nmap --script ms-sql-empty-password -p 1433 <ip>
nmap --script ms-sql-xp-cmdshell --script-args mssql.username=<user>,mssql.password=<pass>,ms-sql-xp-cmdshell.cmd="whoami" -p 1433 <ip>

Port 3306: MySQL

nmap --script mysql-enum -p 3306 <ip>
nmap --script mysql-info -p 3306 <ip>
nmap --script mysql-brute -p 3306 <ip>
nmap --script mysql-databases --script-args mysqluser=<user>,mysqlpass=<pass> -p 3306 <ip>
nmap --script mysql-users --script-args mysqluser=<user>,mysqlpass=<pass> -p 3306 <ip>

Port 3389: RDP (Remote Desktop Protocol)

nmap --script rdp-enum-encryption -p 3389 <ip>
nmap --script rdp-ntlm-info -p 3389 <ip>

Port 9100: PJL (Printer Job Language)

nmap --script pjl-ready-message -p 9100 <ip>

Common Vulnerabilities (the whole "vuln" category; add -sV so version-based checks have something to match, and expect a long, noisy run)

nmap -sV --script vuln <ip>
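Tying the sheet together: the usual workflow is one service scan with greppable output, then the per-port scripts above only against ports that are actually open. The script below is an added example and not part of the original post; it turns an -oG file into one targeted nmap command per open port, adds -sU for UDP services and quotes wildcard expressions. The port-to-script table and the sample scan line are constructed for illustration, drawn from the scripts listed on this page.

```shell
#!/bin/sh
# Added example (not from the original post): build per-port NSE follow-up
# commands from a greppable (-oG) nmap service scan.
# The port->script table below is an assumption chosen from the scripts in
# this cheat sheet; extend it to taste.

# Script expression for a "port/proto" pair. Expressions containing a
# wildcard are emitted double-quoted so the shell will not glob them.
nse_scripts() {
    case "$1" in
        21/tcp)   echo 'ftp-anon' ;;
        22/tcp)   echo 'ssh-auth-methods' ;;
        53/udp)   echo 'dns-recursion,dns-random-srcport' ;;
        69/udp)   echo 'tftp-enum' ;;
        80/tcp)   echo 'http-enum,http-methods' ;;
        88/tcp)   echo 'krb5-enum-users' ;;
        111/tcp)  echo 'nfs-showmount,nfs-ls' ;;
        123/udp)  echo 'ntp-info,ntp-monlist' ;;
        161/udp)  echo 'snmp-info,snmp-sysdescr,snmp-interfaces' ;;
        389/tcp)  echo '"ldap* and not brute"' ;;
        445/tcp)  echo '"smb-protocols,smb-enum-shares,smb-vuln*"' ;;
        1433/tcp) echo 'ms-sql-info,ms-sql-empty-password' ;;
        3306/tcp) echo 'mysql-info,mysql-enum' ;;
        3389/tcp) echo 'rdp-enum-encryption,rdp-ntlm-info' ;;
        *) return 1 ;;   # no script mapped for this port/proto
    esac
}

# Read -oG output on stdin; print one nmap command per open, mapped port.
# A greppable port entry looks like: 22/open/tcp//ssh//OpenSSH 8.2/
# (fields: port/state/proto/owner/service/rpcinfo/version/).
nse_plan() {
    grep '^Host: .*Ports: ' | while IFS= read -r line; do
        ip=${line#Host: }
        ip=${ip%% *}                       # first token after "Host: "
        ports=${line#*Ports: }
        ports=$(printf '%s' "$ports" | sed 's/[[:space:]]*Ignored State:.*$//')
        printf '%s\n' "$ports" | tr ',' '\n' | while IFS= read -r entry; do
            entry=${entry# }               # entries after the first have a leading space
            port=${entry%%/*}
            rest=${entry#*/}
            state=${rest%%/*}
            rest=${rest#*/}
            proto=${rest%%/*}
            [ "$state" = "open" ] || continue
            scripts=$(nse_scripts "$port/$proto") || continue
            flag=''
            if [ "$proto" = "udp" ]; then
                flag='-sU '                # UDP scripts only fire under a UDP scan
            fi
            printf 'nmap %s-p %s --script %s %s\n' "$flag" "$port" "$scripts" "$ip"
        done
    done
}

# Constructed sample of -oG output (not a real scan) for a dry run:
# 80/tcp is closed and must be skipped, 53/udp must get -sU.
sample_gnmap() {
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 53/open/udp//domain///, 80/closed/tcp//http///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)\n'
}

sample_gnmap | nse_plan
```

Against a real target the input comes from something like nmap -sS -sU -sV -p T:21,22,80,445,U:53,161 -oG scan.gnmap <ip>, followed by nse_plan < scan.gnmap; pipe the result into sh once you have read it. Everything the script prints is a plain nmap command line, so it is easy to see, before anything runs, which intrusive scripts (brute, smb-vuln-*) are about to touch which host.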