The Nmap Scripting Engine (NSE) revolutionized the capabilities of Nmap. It was introduced during Google's Summer of Code in 2007, and it has become an arsenal by itself with almost 500 official scripts. Although the first scripts were aimed at improving service and host detection, people quickly started submitting scripts for other tasks. Today, there are 14 categories covering a broad range of tasks, from network discovery to detection and exploitation of security vulnerabilities. You can use NSE scripts to brute-force accounts with weak passwords, find online hosts with different broadcast requests, sniff the network, discover forgotten backup files in web servers, detect the latest SSL 3.0 vulnerability known as Poodle, and even exploit vulnerabilities in popular software.

The script collection grows rapidly, so I recommend staying up-to-date by subscribing to the Nmap Development mailing list, located at http://nmap.org/mailman/listinfo/dev. Nmap's community is very active, so I encourage you to always keep an updated copy among your penetration testing tools.

NSE scripts are great for drafting proof-of-concept code since the modules are written in Lua, a simple yet powerful language. It allows us to quickly program any task we have in mind with the help of the available NSE libraries. Its flexible syntax is easy to learn, and I'm sure you will find yourself loving it after experimenting with it for a day.

This chapter will introduce you to NSE, covering several topics from installation and development environment setup to advanced usage tips. If you are familiar with the following topics, you may skip this chapter:

If you are not familiar with NSE already, this chapter will get you prepared for what is coming in the next chapters. For those with some experience, I still recommend going through this chapter as I'm including advanced tips related to script selection and usage. Fire up your terminals and let's get to work.