Daniel Miller ✝ @bonsaiviking, 19 tweets, 13 min read
#Nmap comes with 586 #NSE scripts. 148 of them are default (-sC) or version (-sV) scripts. The rest (438) have to be invoked directly or by category, so many folks don't use them. Here are my top 18 NSE scripts you should run in 2018: #DiscoveringNSE
#DiscoveringNSE 1/18: Fingerprint 100s of web apps and embedded devices with http-enum. Got Nikto? http-enum uses that fingerprint file, too. nmap.org/nsedoc/scripts… Found a device with a web interface? Check for default creds with http-default-accounts. nmap.org/nsedoc/scripts…
#DiscoveringNSE 2/18: Import a list of targets to scan directly from the XML output of another scan with targets-xml. Lots of scripts that discover new addresses let you scan them in the same command with --script-args newtargets nmap.org/nsedoc/scripts…
#DiscoveringNSE 3/18: Enumerate subdomains with dns-brute. Brute-force resolve common hostnames and SRV records against discovered DNS servers. nmap.org/nsedoc/scripts…
#DiscoveringNSE 4/18: All 38 scripts in the "broadcast and safe" categories. Find targets & discover services like ATAoE, DB2, DHCP, DNSSD, Dropbox, NetBIOS, OSPF2, UPnP, WPAD, and XDMCP on your local LAN: --script 'broadcast and safe' nmap.org/nsedoc/categor…
#DiscoveringNSE 5/18: Use Hollywood-style byte-by-byte bruteforce to find #IPv6 PTR DNS records with dns-ip6-arpa-scan. nmap.org/nsedoc/scripts…
#DiscoveringNSE 6/18: IPv6 network address ranges are absurdly large. Find and scan #IPv6 targets on your local LAN with targets-ipv6-multicast-* scripts. nmap.org/nsedoc/scripts…
#DiscoveringNSE 7/18: Find internal/private IP addresses leaked in some HTTP services and SSL certificates with http-bigip-cookie, ssl-cert-intaddr, http-internal-ip-disclosure nmap.org/nsedoc/scripts…
#DiscoveringNSE 8/18: Hack the Gibson or other IBM mainframe systems with scripts by @mainframed767: tn3270-screen, tso-enum, tso-brute, vtam-enum, cics-info, cics-enum, cics-user-enum, cics-brute nmap.org/nsedoc/scripts…
#DiscoveringNSE 9/18: Shameless self-promotion: I've done a bunch to improve auth support for #VNC scripts, adding Apple Remote Desktop, VeNCrypt, Tight, and TLS types. Enumerate with vnc-info, brute force with vnc-brute, grab screen info with vnc-title. nmap.org/nsedoc/scripts…
#DiscoveringNSE 10/18: Check general web security with fast scripts & deep spiders like http-security-headers, http-cookie-flags, http-crossdomainxml, http-csrf, http-errors, http-dombased-xss, http-fileupload-exploiter, http-rfi-spider nmap.org/nsedoc/scripts…
#DiscoveringNSE 11/18: Formidable SSH security checks with new libssh2-based scripts: ssh-publickey-acceptance, ssh-run, ssh-auth-methods, ssh-brute nmap.org/nsedoc/scripts…
#DiscoveringNSE 12/18: Enumerate all SMB versions with smb-protocols. nmap.org/nsedoc/scripts… Then take advantage of awesome new SMB2 support by @calderpwn: smb2-vuln-uptime, smb2-capabilities, smb2-security-mode, smb2-time nmap.org/nsedoc/scripts…
#DiscoveringNSE 13/18: The "external" NSE category contains scripts that query third-party services. Use shodan-api to query @shodanhq with Nmap: nmap.org/nsedoc/scripts… (Other fun external scripts: http-xssed, http-google-malware, targets-asn, asn-query)
#DiscoveringNSE 14/18: Geolocate your targets and plot them on @googlemaps, thanks to @mak_kolybabi. Run one of the ip-geolocation scripts along with ip-geolocation-map-kml (or use your API key with -google or -bing). nmap.org/nsedoc/scripts…
#DiscoveringNSE 15/18: NSE has 73 #BruteForce credential testing scripts. Why not check out http-form-brute, which can handle all sorts of complicated CSRF and cookie schemes, and works great against Django, Wordpress, MediaWiki, Joomla, and Drupal. nmap.org/nsedoc/scripts…
#DiscoveringNSE 16/18: Spider a site for emails, IP addresses, #creditcard numbers, SSN, or write your own custom patterns with http-grep nmap.org/nsedoc/scripts…
#DiscoveringNSE 17/18: Check for weak TLS/SSL configurations everywhere, even SMTP, RDP, VNC, etc. with ssl-enum-ciphers (Related scripts include ssl-dh-params, ssl-heartbleed, ssl-poodle, tls-ticketbleed, etc.) nmap.org/nsedoc/scripts…
#DiscoveringNSE 18/18: Keep up with the latest big #vulnerabilities like #Struts RCE (http-vuln-cve2017-5638), Intel #AMT privesc (http-vuln-cve2017-5689), MS17-010 (smb-vuln-ms17-010), and lots more. nmap.org/nsedoc/scripts…
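The targets-xml trick in 2/18 (feeding one scan's XML output back in as the next scan's target list) is easy to reproduce outside NSE. The following is an added example, not code from the thread or from Nmap: it parses Nmap's `-oX` output, keeps only hosts reported as up (optionally only those with at least one open port), and returns their addresses in a form you could write to a file for `-iL`. The XML document is constructed for illustration.

```python
"""Added example: collect live hosts from Nmap XML output as a target list."""
import xml.etree.ElementTree as ET

# Constructed sample of Nmap -oX output (three hosts, one down, one with only
# a closed port). The addresses are from the RFC 5737 documentation range.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan.xml 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/></port></ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports><port protocol="tcp" portid="22"><state state="closed"/></port></ports>
  </host>
</nmaprun>"""


def targets_from_nmap_xml(xml_text, require_open_port=False):
    """Return IPv4/IPv6 addresses of hosts Nmap marked 'up'.

    With require_open_port=True, a host is kept only if at least one
    <port> carries <state state="open"/>, which is what you usually want
    before spending a slower script scan on it. MAC addresses are skipped.
    """
    root = ET.fromstring(xml_text)
    targets = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        if require_open_port:
            open_ports = [
                p for p in host.findall("ports/port")
                if p.find("state") is not None
                and p.find("state").get("state") == "open"
            ]
            if not open_ports:
                continue
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                targets.append(addr.get("addr"))
    return targets


if __name__ == "__main__":
    # One address per line is exactly the format nmap -iL expects.
    print("\n".join(targets_from_nmap_xml(SAMPLE_NMAP_XML, require_open_port=True)))
```

Write the output to a file and pass it with `-iL` to the follow-up scan; inside Nmap, `--script targets-xml --script-args newtargets` does the same in a single command.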