Nmap NSE Scripts for Vulnerability Scanning (2026 Guide)
Updated March 2026
The Nmap Scripting Engine (NSE) is a built-in framework that extends Nmap from a port scanner into a vulnerability detection platform, with over 600 Lua scripts included in the standard distribution (Nmap.org). You point it at discovered services, and it checks for known CVEs, misconfigurations, weak authentication, and backdoors without needing a separate tool.
Having used Nmap across hundreds of security assessments over the years, NSE is the part that separates casual scanning from actual vulnerability work. The port scan tells you what is running. NSE tells you what is broken.
When the Heartbleed vulnerability affected hundreds of thousands of systems in 2014, Nmap's developers shipped a detection script within 48 hours (Nmap.org). That speed of response, combined with community-maintained scripts covering everything from SMB exploits to database enumeration, is why NSE remains the go-to for practitioners who need fast, scriptable vulnerability detection.
Practical security guides delivered weekly. Subscribe to CyberDesserts for no-fluff content from 20+ years in the field.
What Is the Nmap Scripting Engine?
NSE is a scripting framework built into Nmap that runs Lua scripts alongside or after your scans. If you followed our Nmap Network Scanning guide, you already know how to find open ports and identify services. NSE answers the next question: what vulnerabilities exist on those services?
Scripts execute automatically based on what Nmap discovers. Find an open port 443? NSE can check for Heartbleed, weak ciphers, and certificate issues in the same scan pass. Find MySQL on 3306? It can enumerate databases, test default credentials, and match the version against known CVEs.
NSE performs four core security functions:
- Service Enumeration extracts detailed information about running services, including versions, configurations, and user accounts
- Vulnerability Detection checks for known CVEs and security flaws without exploiting them
- Brute Force Testing attempts authentication against common services like SSH, HTTP, and FTP
- Exploitation actively exploits vulnerabilities (authorised testing only)
The power of NSE is integration. Unlike standalone vulnerability scanners, everything happens within your existing Nmap workflow. One tool chain from discovery through to vulnerability assessment.
NSE Script Categories Explained
NSE organises its 600+ scripts into 14 categories based on function and risk level. Understanding these categories is essential because they control what runs and how aggressive it gets.
| Category | Risk Level | Purpose |
|---|---|---|
| default | Safe | Fast, reliable scripts that run with -sC. Banner grabbing, basic service info. |
| safe | Safe | Non-intrusive checks that will not crash services or trigger alerts. |
| vuln | Low-Med | Checks for specific known vulnerabilities. Only reports if a flaw is found. |
| discovery | Low | Advanced network discovery beyond basic scanning. DNS enumeration, subdomain brute forcing. |
| auth | Medium | Authentication bypass, default credentials, weak authentication detection. |
| brute | Medium-High | Brute force password attacks. Triggers account lockouts and generates logs. |
| intrusive | High | High-risk checks that might crash services or consume significant resources. |
| exploit | Critical | Actively exploits vulnerabilities. Only use with explicit written authorisation. |
| malware | Safe | Detects malware, backdoors, and compromised systems on target hosts. |
| dos | Critical | Denial of service attacks. May disrupt services. Use with extreme caution. |
| version | Safe | Enhanced version detection scripts that supplement -sV results. |
| broadcast | Low | Sends broadcast packets to discover hosts and services on the local network. |
| external | Varies | Scripts that query external services (whois, DNS lookups, vulnerability databases). |
| fuzzer | High | Sends unexpected data to services to find crashes and bugs. Can destabilise targets. |
The risk boundary that matters most: default, safe, and vuln are appropriate for production network audits and authorised assessments. Everything above auth requires explicit authorisation, a controlled environment, and documented approval. Running exploit or dos scripts against production systems without written permission is both illegal and irresponsible.
Scripts can belong to multiple categories. The ssl-heartbleed script, for example, sits in vuln, safe, and discovery because it checks for a vulnerability without any risk of crashing the target.
How would you activate all scripts in the vuln category?
nmap --script vuln target.com
That single flag runs every script tagged with the vuln category against your target. Combine it with -sV for version detection and the scripts have more context to work with.
Which categories should you never run on production systems? The dos, exploit, and fuzzer categories can crash services, corrupt data, or cause outages. The brute category generates massive log entries and can lock out legitimate user accounts. Keep these in your lab environments.
What Does --script vuln Do?
The --script vuln flag tells Nmap to run every script in the vuln category against discovered services. This is your primary vulnerability assessment workflow, and understanding exactly what it does matters more than most people realise.
When you run:
nmap -sV --script vuln target.com
Nmap first performs service detection (-sV), then passes those results to every vuln-category script. Each script checks whether the detected service version matches a known vulnerability. If it finds one, the output explicitly marks it as VULNERABLE with the relevant CVE reference.
Here is what it checks for (this is not exhaustive, but covers the scripts practitioners encounter most often):
- SSL/TLS vulnerabilities including Heartbleed (CVE-2014-0160), POODLE, and weak cipher suites
- SMB vulnerabilities including EternalBlue (MS17-010), MS08-067, and SMB signing issues
- HTTP vulnerabilities including Shellshock, Apache Struts RCE (CVE-2017-5638), and slowloris susceptibility
- DNS vulnerabilities including zone transfer misconfiguration
- Authentication weaknesses across multiple protocols
The output is clear when something is found:
PORT STATE SERVICE
443/tcp open https
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in OpenSSL
| State: VULNERABLE
| Risk factor: High
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
When nothing is found, most vuln scripts produce no output at all. No news is good news.
One thing that catches people out: --script vuln does NOT include the popular vulners.nse or vulscan.nse scripts. Those are external scripts that need separate installation. The vuln category only contains scripts bundled with the Nmap distribution. I have seen pentesters assume they are getting CVE database matching from --script vuln when they are actually only getting the built-in checks. If you want CVE matching against service versions, you need vulners.nse (covered in the next section).
The syntax variations --script vuln and --script=vuln are identical. Both work. Use whichever you prefer.
How to Use vulners.nse for CVE Detection
The vulners.nse script queries the vulners.com API to match detected service versions against their CVE database. It is one of the most popular third-party NSE scripts because it automates what practitioners used to do manually: scan a service, note the version, then search for known vulnerabilities against that version.
Important: vulners.nse is not included with Nmap by default. You need to install it separately from the nmap-vulners GitHub repository.
Installation:
cd /usr/share/nmap/scripts/
sudo git clone https://github.com/vulnersCom/nmap-vulners.git
sudo cp nmap-vulners/vulners.nse .
sudo nmap --script-updatedb
Once installed, the basic usage is:
nmap -sV --script vulners target.com
The -sV flag is mandatory here. Without version detection, vulners.nse has nothing to match against. It needs to know the exact service version to query the CVE database.
Filtering Results with mincvss
By default, vulners.nse returns every CVE match regardless of severity. On a server running multiple services, this can produce pages of low-severity results that bury the critical findings. The mincvss argument filters output by CVSS score.
nmap -sV --script vulners --script-args mincvss=7.0 target.com
This only displays CVEs with a CVSS score of 7.0 or higher (High and Critical severity). For a quick triage during a time-pressured assessment, I typically start at mincvss=9.0 to find critical issues first, then widen to 7.0 for the full high-severity picture.
Other useful thresholds:
mincvss=9.0shows Critical only. Start here when time is short.mincvss=7.0shows High and Critical. This is the sweet spot for most assessments.mincvss=5.0includes Medium severity. Useful for compliance audits that require medium findings.
vulners.nse vs vulscan.nse
Both scripts match service versions to CVE databases, but they work differently:
- vulners.nse queries the vulners.com API live, so results are always current. Requires internet access during the scan.
- vulscan.nse uses local offline databases (NVD, Exploit-DB, etc.) that you download and update manually. Works without internet but results depend on when you last updated.
For most assessments, vulners.nse is the better choice. Use vulscan when you are scanning air-gapped networks or environments where outbound API calls are restricted.
Building your security toolkit? Our Cybersecurity Skills Roadmap maps out what to learn and in what order.
NSE Scripts for Specific Vulnerability Detection
Beyond the vuln category and vulners.nse, NSE includes scripts that target individual vulnerabilities and protocols. The queries I see most often from practitioners involve a handful of high-value scripts.
ssl-heartbleed: Detecting CVE-2014-0160
The ssl-heartbleed script tests whether a server is vulnerable to the Heartbleed bug in OpenSSL, which allows attackers to read server memory contents including private keys and session data.
nmap -p 443 --script ssl-heartbleed target.com
The output is binary: VULNERABLE or nothing. The script sits in the vuln, safe, and discovery categories, meaning it is safe to run against production systems. Despite Heartbleed being disclosed in 2014, unpatched instances still exist. It remains one of the most commonly requested NSE checks in CTF environments and real-world audits alike.
SMB Vulnerability Scripts
The smb-vuln-* wildcard runs all SMB vulnerability detection scripts at once:
nmap -p 445 --script smb-vuln-* target-range
This checks for EternalBlue (MS17-010, the exploit behind WannaCry), MS08-067, and other critical Windows SMB flaws. Indispensable when auditing Windows environments.
NSE Script Quick Reference
This table covers the scripts that appear most frequently in workflows and requests. Each entry includes the exact script name, category membership, and a ready-to-use command.
| Script Name | Categories | What It Does | Command |
|---|---|---|---|
| ssl-heartbleed | vuln, safe, discovery | Heartbleed detection (CVE-2014-0160) | nmap -p 443 --script ssl-heartbleed target |
| smb-vuln-ms17-010 | vuln, safe | EternalBlue detection | nmap -p 445 --script smb-vuln-ms17-010 target |
| http-shellshock | vuln, intrusive | Bash Shellshock in CGI scripts | nmap -p 80 --script http-shellshock target |
| vulners | external (install separately) | CVE matching via vulners.com API | nmap -sV --script vulners target |
| vulscan | external (install separately) | Offline CVE matching | nmap -sV --script vulscan target |
| ssh-auth-methods | auth, safe | Lists SSH authentication methods | nmap -p 22 --script ssh-auth-methods target |
| http-enum | discovery, safe | Web directory and file enumeration | nmap -p 80 --script http-enum target |
| http-security-headers | discovery, safe | Checks for missing security headers | nmap -p 80 --script http-security-headers target |
| http-waf-detect | discovery, safe | Detects web application firewalls | nmap -p 80 --script http-waf-detect target |
| mysql-info | default, safe, discovery | MySQL server information disclosure | nmap -p 3306 --script mysql-info target |
| http-config-backup | discovery, safe | Finds exposed config backup files | nmap -p 80 --script http-config-backup target |
| dns-brute | discovery, safe | Brute forces DNS subdomains | nmap --script dns-brute target.com |
| ftp-anon | default, auth, safe | Checks for anonymous FTP access | nmap -p 21 --script ftp-anon target |
| http-vuln-cve2017-5638 | vuln | Apache Struts RCE detection | nmap -p 80 --script http-vuln-cve2017-5638 target |
Use nmap --script-help=script-name to see available arguments for any script. The full NSE script library is browsable at nmap.org/nsedoc.
Essential Vulnerability Scanning Workflows
Individual scripts are useful, but real assessments combine multiple scan techniques. These are the workflows I reach for most often.
Quick Vulnerability Assessment
sudo nmap -sS -sV --script vuln -oA vuln-scan target.com
SYN scan for speed (-sS), version detection for context (-sV), all built-in vulnerability scripts (--script vuln), and output saved in all formats (-oA). This is the standard starting point for any authorised assessment.
Full CVE Matching with Severity Filter
sudo nmap -sS -sV --script vulners --script-args mincvss=7.0 -oA cve-scan target.com
Same foundation, but using vulners.nse instead of the built-in vuln category. The mincvss=7.0 filter cuts noise and surfaces only High and Critical severity CVEs. Run this after the quick assessment to get the CVE-level detail.
Web Application Enumeration
nmap -p 80,443 --script http-enum,http-headers,http-methods,http-security-headers target.com
Targeted web assessment: enumerates directories and files, grabs HTTP headers, lists allowed HTTP methods, and checks for missing security headers. All safe-category scripts, appropriate for production web servers.
SMB Security Audit
nmap -p 445 --script smb-vuln-* internal-network/24
Sweeps an entire subnet for known SMB vulnerabilities. The * wildcard matches all smb-vuln scripts. Essential for Windows environment audits where EternalBlue and related exploits remain a real threat.
Database Exposure Check
nmap -sV -p 1433,3306,5432,27017 --script "*-info,*-enum" target-range
Scans common database ports (MSSQL, MySQL, PostgreSQL, MongoDB) and runs info and enumeration scripts. Identifies exposed databases, default configurations, and information disclosure.
Backdoor and Malware Detection
nmap -sV --script malware target.com
Checks for known backdoors including NSA's DoublePulsar and backdoored versions of UnrealIRCd, vsftpd, and ProFTPd (Nmap.org). Fast to run and safe for production systems.
Advanced NSE Techniques and Script Arguments
Once you are comfortable with the basics, script arguments and advanced techniques give you much finer control.
Customising Scripts with --script-args
Many scripts accept arguments that change their behaviour. The general syntax is:
nmap --script=script-name --script-args arg1=value1,arg2=value2 target
Common examples:
# vulners.nse: only show CVEs with CVSS 7.0+
nmap -sV --script vulners --script-args mincvss=7.0 target
# http scripts: set a custom user agent
nmap -p 80 --script "http-*" --script-args http.useragent="Mozilla/5.0" target
# brute scripts: set thread count (authorised testing only)
nmap -p 22 --script ssh-brute --script-args brute.threads=5 target
Use nmap --script-help=script-name to see what arguments any script accepts.
Combining Multiple Script Categories
nmap -sV --script "vuln,safe" target.com
The comma-separated list runs scripts from both categories. This is more thorough than vuln alone because safe-category scripts add enumeration data that helps you understand the attack surface around any vulnerabilities found.
Forcing Scripts to Run on Non-Standard Ports
nmap -p 8443 --script +ssl-heartbleed target.com
The + prefix forces a script to run even when Nmap did not detect the expected service on that port. Useful when services run on non-standard ports or when initial detection was inconclusive.
Wildcard Script Selection
nmap --script "http-vuln-*" target.com
The * wildcard matches all scripts starting with http-vuln-. This runs every HTTP vulnerability check without needing to list them individually.
Reading NSE Output
NSE results appear inline with your scan output. Here is how to read them:
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /admin/: Possible admin folder
| /backup/: Backup folder detected
|_ /uploads/: Upload directory found
|
| http-vuln-cve2017-5638:
| VULNERABLE:
| Apache Struts Remote Code Execution (CVE-2017-5638)
| State: VULNERABLE
| Risk factor: High
|_ Check results: System likely vulnerable
Script names appear prefixed with a pipe character (|). VULNERABLE findings are explicitly marked with state and risk factor. CVE references link to further research. When a script finds nothing, it typically produces no output.
Always save your results with -oA filename. The XML output (-oX) integrates with Metasploit, Burp Suite, and vulnerability management platforms for downstream analysis.
Integrating NSE with Your Security Stack
NSE is most powerful as part of a larger toolchain:
- NSE + Metasploit: Identify vulnerabilities with NSE, import the XML output into Metasploit's database with
db_import, and use matching exploit modules - NSE + Searchsploit: Take CVE numbers from vulners.nse output and search for local exploit code with
searchsploit - NSE + Burp Suite: Use http-enum findings as targets for deeper web application testing
- NSE + your SIEM: Import scan results via the ELK Stack to track vulnerability trends over time
For enterprise organisations that need to scale automated testing with an easy-to-use interface and reporting, Pentera leads the innovation in continuous security validation, including guided remediation paths and threat intelligence integration.
Legal and Ethical Boundaries
Scripts in the exploit, dos, brute, and intrusive categories can damage systems. Running them without explicit written authorisation is illegal and unethical.
Start with default and safe categories. Use vuln on authorised targets only. Never run exploit or dos on production systems. Test in labs first using platforms like TryHackMe, HackTheBox, or your own VMs.
If you are building a practice environment, our Cybersecurity Practice Lab Setup guide walks through the full process. Apply the same principles from our Linux Basics for Hackers guide: safe, authorised, and documented testing only.
Frequently Asked Questions
What does nmap --script vuln do?
It runs every NSE script in the vuln category against your target, checking for known vulnerabilities like Heartbleed, EternalBlue, and Shellshock. Combine it with -sV for best results: nmap -sV --script vuln target.com. It does not include external scripts like vulners.nse.
How would you activate all scripts in the vuln category?
Use nmap --script vuln target.com or equivalently nmap --script=vuln target.com. Both syntaxes work identically and run every script tagged with the vuln category.
What is the Nmap Scripting Engine (NSE)?
NSE is a built-in Nmap framework that runs Lua scripts for vulnerability detection, service enumeration, brute force testing, and exploitation. Over 600 scripts are included in the standard Nmap distribution, organised into 14 categories by function and risk level.
What does the vulners.nse mincvss argument do?
The mincvss argument filters vulners.nse output by minimum CVSS score. Setting --script-args mincvss=7.0 only displays CVEs rated High or Critical, cutting through low-severity noise. Useful values: 9.0 for critical only, 7.0 for high and critical, 5.0 for medium and above.
Is vulners.nse included with Nmap by default?
No. vulners.nse is a third-party script maintained on GitHub. You need to download it separately from the nmap-vulners repository and copy it to your Nmap scripts directory. Run nmap --script-updatedb after installation.
What are the NSE script categories?
NSE has 14 categories: default, safe, vuln, discovery, auth, brute, intrusive, exploit, malware, dos, version, broadcast, external, and fuzzer. Each category groups scripts by function and risk level. Use default and safe freely. Use vuln on authorised targets. Treat everything else with caution.
Which NSE category should you never run on production systems?
The dos, exploit, and fuzzer categories can crash services, corrupt data, or cause outages. The brute category triggers account lockouts and generates massive log entries. These categories should only be used in controlled lab environments with explicit authorisation.
Summary
NSE turns Nmap from a port scanner into a vulnerability assessment platform. The --script vuln category gives you built-in detection for critical flaws like Heartbleed and EternalBlue. The vulners.nse script adds CVE database matching with severity filtering through the mincvss argument. Combined with the network scanning fundamentals and Linux command proficiency, NSE completes your reconnaissance and vulnerability assessment toolkit.
Start with --script vuln for built-in checks. Add vulners.nse for CVE matching. Use individual scripts like ssl-heartbleed and smb-vuln-* for targeted testing. Save everything with -oA and feed it into the rest of your security stack.
New NSE workflows, vulnerability detection techniques, and hands-on guides published weekly. Subscribers get practical security content from 20+ years in the field. No vendor pitches, no fluff.
Last updated: March 2026
Key Resources
- Official NSE Documentation - Complete NSE reference guide
- NSE Script Library - Browse and search all 600+ scripts
- Vulners NSE Script - Popular CVE matching script (GitHub)
- NSE Script Writing Guide - Learn to write custom Lua scripts
References and Sources
- Nmap.org. "Chapter 9. Nmap Scripting Engine." Official documentation covering NSE capabilities, script categories, and the 48-hour Heartbleed response timeline.
- Nmap.org. "NSE Script Documentation." Complete reference for all bundled scripts including category membership and usage.
- vulnersCom. "nmap-vulners." GitHub repository. Third-party NSE script for CVE matching via the vulners.com API.
- Netlas (2025). "How to Detect CVEs Using Nmap Vulnerability Scan Scripts." NSE vulnerability detection methodology and integration analysis.
Previous in Series:
Member discussion