How to use Nmap for Vulnerability Scan?

Nmap, or network mapper, is a toolkit for functionality and penetration testing throughout a network, including port scanning and vulnerability detection.

The Nmap Scripting Engine (NSE) is one of the most popular and powerful capabilities of Nmap. These Nmap vulnerability scan scripts are used by penetration testers and hackers to examine common known vulnerabilities.

Common Vulnerabilities and Exposures (CVE) is a database of publicly disclosed information security issues. It serves as a reference model for detecting vulnerabilities and threats related to the security of information systems.

In this article, we'll look at how to use Nmap for vulnerability scanning.

Let's get started!

Nmap Installation

Nmap is pre-installed in almost every Linux distribution. In case it's missing, you need to install it manually. It can be easily installed with the following command.

apt-get install nmap

You can also install it by cloning the official git repository.

git clone

Next, navigate to that directory and install the requirements using the commands below.

make install

The most recent version of this software, as well as binary installers for Windows, macOS, and Linux (RPM), are available here.

Vulnerability scan with Nmap

Nmap-vulners, vulscan, and vuln are the common and most popular CVE detection scripts for Nmap. These scripts allow you to discover important information about system security flaws.


One of the most well-known vulnerability scanners is Nmap-vulners. Let's look at how to set up this tool as well as how to run a basic CVE scan. The Nmap script engine searches HTTP responses to identify CPEs for the given script.


To install the Nmap-vulners script, navigate to the Nmap scripts directory using the following command.

cd /usr/share/nmap/scripts/

The next step is to clone the git repository.

git clone

After cloning the git repository, you won't need to do anything else for the configuration. The tool will be installed automatically.

If you want to see the NSE scripts present in the Nmap-vulners database, use the ls command. It will display all the .nse extension scripts on the terminal.


It's easy to use NSE scripts. Simply pass the --script argument to the Nmap command to tell it which NSE script to use.

nmap -sV --script vulners [--script-args mincvss=<arg_val>] <target>

Don't forget to pass the "-sV" argument while using NSE scripts. Nmap-vulners won't be able to access the Vulners exploit database if it does not receive any version information from Nmap. So, the -sV parameter is required all the time.

Example command

The syntax is quite straightforward. Just call the script with the "--script" option and specify the vulners engine and target to begin scanning.

nmap -sV --script nmap-vulners/ <target>

If you wish to scan any specific ports, just add the "-p" option to the end of the command and pass the port number you want to scan.

nmap -sV --script nmap-vulners/ <target> -p80,223

Nmap – vuln

NSE scripts are classified according to a set of predetermined categories to which each script belongs. Authentication, broadcast, brute force, intrusive, malware, safe, version, and vuln are some of the categories. You can find all the category types of NSE scripts and their phases here.

The scripts that come under the "vuln" category look for specific known vulnerabilities and only report back if any are identified in the target system.

nmap -sV --script vuln <target>


Vulscan is an NSE script that assists Nmap in detecting vulnerabilities on targets based on services and version detections. Vulscan is like a module for Nmap that transforms it into a vulnerability scanner. The Nmap option -sV allows for per-service version detection, which is used to identify potential exploits for the detected vulnerabilities in the system.

Currently, the following pre-installed databases are available:

  • exploitdb.csv
  • osvdb.csv
  • securitytracker.csv
  • openvas.csv
  • scipvuldb.csv
  • xforce.csv
  • securityfocus.csv
  • cve.csv


To install Vulscan, first go to the Nmap scripts directory by using the following command.

cd /usr/share/nmap/scripts/

The next step is to clone the git repository and install all the requirements.

git clone

ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan

Vulscan uses pre-configured databases saved locally on our machine. To update the database, go to the updater directory. Type the following command into a terminal to navigate to the updater directory.

cd vulscan/utilities/updater/

Next, change the permissions of the file so that it can be run on the system.

chmod +x

And finally, update the exploit databases with the command below.



Let's use vulscan to do an Nmap vulnerability scan. The vulscan NSE script can be used in the same way as nmap-vulners.

nmap -sV --script vulscan <target>

By default, Vulscan will search all of the databases simultaneously. It takes a lot of time to query information using all the databases. Using the vulscandb parameter, you can pass only one CVE database at a time.

--script-args vulscandb=database_name

Example Command

nmap -sV --script vulscan --script-args vulscandb=exploitdb.csv <target> -p 80,233

Individual vulnerability Scanning

Individual vulnerability scans can also be performed using specific scripts within each category. Here is a list of all 600+ NSE scripts and 139 NSE libraries.


  • http-csrf: Cross-Site Request Forgery (CSRF) vulnerabilities are detected by this script.
nmap -sV --script http-csrf <target>
  • http-shellshock: Intends to exploit the "shellshock" vulnerability in web applications.
nmap -sV --script http-shellshock <target>
  • http-slowloris-check: Without launching a DoS attack, this script checks a web server or a target system for vulnerability to the Slowloris DoS attack.
nmap -sV --script http-slowloris-check <target>
  • http-vmware-path-vuln: VMWare ESX, ESXi, and Server are all tested for a path-traversal vulnerability.
nmap -sV --script http-vmware-path-vuln <target>
  • http-passwd: Attempts to retrieve /etc/passwd or boot.ini to see if a web server is vulnerable to directory traversal.
nmap -sV --script http-passwd <target>
  • http-internal-ip-disclosure: When sending an HTTP/1.0 request without a Host header, this check determines if the web server leaks its internal IP address.
nmap -sV --script http-internal-ip-disclosure <target>
  • http-vuln-cve2013-0156: Detects Ruby on Rails servers that are vulnerable to DoS attacks and command injection.
nmap -sV --script http-vuln-cve2013-0156 <target-address>

And finally, here is a list of all NSE scripts that come under the "vuln" category.

Is your system capable of detecting Nmap scans?

Reconnaissance is the first phase in ethical hacking and penetration testing. Hackers use the reconnaissance phase to locate flaws and loopholes in a system to attack. Therefore, defense systems should be able to detect them.

You will receive alerts if you use SIEM (Security Information and Event Management) tools, firewalls, and other defensive measures. And here is a list of the best SIEM tools to secure your business and organization from cyberattacks. These tools even help in logging Nmap scans. Vulnerability scans are worthwhile since early identification can avert future damage to the systems.
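An added example, not part of the original article: one way to spot NSE HTTP scripts in a web server access log, the kind of rule a SIEM would run. It assumes Combined Log Format; the function names, the thresholds min_paths and min_404_ratio, and the sample log lines (documentation IP ranges) are constructed for illustration.

```python
import re
from collections import defaultdict

# Substring of the default User-Agent sent by NSE HTTP scripts.
NSE_UA = "Nmap Scripting Engine"
# Combined Log Format: ip - - [time] "METHOD path proto" status size "referer" "ua"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def detect_scanners(lines, min_paths=4, min_404_ratio=0.75):
    """Return {source_ip: [reasons]} for clients that look like NSE scanning."""
    stats = defaultdict(lambda: {"paths": set(), "total": 0, "404": 0, "nse": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not combined-format entries
        s = stats[m["ip"]]
        s["paths"].add(m["path"])
        s["total"] += 1
        s["404"] += m["status"] == "404"
        s["nse"] |= NSE_UA in m["ua"]
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["nse"]:
            reasons.append("nse-user-agent")
        # User-Agent is client-controlled, so also flag many distinct paths that mostly 404.
        if len(s["paths"]) >= min_paths and s["404"] / s["total"] >= min_404_ratio:
            reasons.append("path-probing")
        if reasons:
            findings[ip] = reasons
    return findings

def _entry(ip, path, status, ua):
    """Build one constructed access-log line (sample data, not a real capture)."""
    return (f'{ip} - - [10/Jan/2024:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')

NSE = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
BROWSER = "Mozilla/5.0 (X11; Linux x86_64)"
SAMPLE_LOG = [_entry(ip, p, s, ua) for ip, ua, reqs in [
    ("192.0.2.10", NSE, [("/", 200), ("/robots.txt", 404)]),
    ("198.51.100.7", BROWSER, [("/", 200), ("/admin/", 404), ("/backup/", 404),
                               ("/test/", 404), ("/old/", 404)]),
    ("203.0.113.5", BROWSER, [("/", 200), ("/about", 200), ("/contact", 200)]),
] for p, s in reqs]

print(detect_scanners(SAMPLE_LOG))
```

The second rule matters because the User-Agent header alone is not a reliable signal; tune both thresholds against your own baseline traffic before alerting on them.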


I hope you found this article very useful in learning how to use Nmap for vulnerability scanning.

You may also be interested in the list of Open Source Web Security Scanners to find vulnerabilities.
