Nmap Beyond the Basics
Everyone knows nmap -sV target. But Nmap's scripting engine (NSE) turns a port scanner into a full reconnaissance framework. This post looks at three scripts that changed how I approach engagements: http-enum for directory brute-forcing, ssl-heartbleed for quick Heartbleed checks, and smb-vuln-ms17-010 for EternalBlue (MS17-010) detection. Combining these with --script-args and custom output formats (-oX XML rendered to HTML with xsltproc) creates repeatable, auditable scan reports.
The key upgrade is moving from “one clever command” to a staged workflow. I run discovery, service fingerprinting, and targeted scripts as separate passes with saved outputs. That keeps scans explainable and prevents noisy false conclusions from a single overloaded run.
A practical scan sequence
- Host discovery and top ports for map-building.
- Full TCP scan on confirmed hosts.
- Service/version detection only where it matters.
- Focused NSE scripts based on exposed surface.
- Archive XML and a human-readable report together.
For real operations, reproducibility beats heroics. If results cannot be replayed or audited, they are weak evidence.
NSE discipline
NSE is powerful, but script selection should follow scope and authorization. Many scripts are intrusive (NSE tags these with the intrusive category precisely so they are not run by default). Treat them like controlled tests, not default checkboxes. I keep a small approved script set per engagement type, then expand only with explicit reason.
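The staged sequence above and the "approved script set" idea from this section, written out as one script. This is an added example of mine, not code from the original post. It assumes things the post does not state: targets come from a file with one host or CIDR per line, OUTDIR is the per-engagement archive directory, the APPROVED_SCRIPTS mapping of script to ports is a placeholder allow-list for one engagement type, nmap and xsltproc are on PATH, and NMAP_DRY_RUN=1 prints each command instead of running it. All function names are mine.

```shell
#!/bin/sh
# Staged Nmap workflow: discovery -> full TCP -> -sV -> focused NSE -> archive.
# Added example, not from the original post. Assumptions: targets file with one
# host/CIDR per line; OUTDIR is the archive dir; nmap and xsltproc on PATH;
# NMAP_DRY_RUN=1 prints commands instead of executing them.
set -u
OUTDIR="${OUTDIR:-./scan-archive}"

# Approved script set for this engagement type (placeholder, not the post's
# list), as "script:ports". A script runs only where one of its ports is open.
APPROVED_SCRIPTS="ssl-heartbleed:443,8443 smb-vuln-ms17-010:445 http-enum:80,8080"

# Append every command to commands.log so the scan can be replayed and audited,
# then run it (or only print it in dry-run mode).
run_stage() {
    label=$1; shift
    mkdir -p "$OUTDIR"
    printf '[%s] %s\n' "$label" "$*" >> "$OUTDIR/commands.log"
    if [ "${NMAP_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Emit a .gnmap file's contents; an absent file (e.g. a dry run) yields nothing.
gnmap() { if [ -r "$1" ]; then cat "$1"; else echo "note: $1 not present yet" >&2; fi; }

# Hosts reported Up in greppable output (stdin).
live_hosts_from_gnmap() { awk '/^Host:/ && /Status: Up/ { print $2 }'; }

# Unique open TCP ports across all hosts in greppable output (stdin), as "22,80".
open_ports_from_gnmap() { grep -oE '[0-9]+/open/' | cut -d/ -f1 | sort -un | paste -s -d, -; }

# True if port $1 appears in the comma-separated list $2.
port_listed() { case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac; }

# From "script:p1,p2" and the open-port list, keep only ports actually exposed.
# An empty result means "skip this script": no surface, no probe.
ports_to_script() {
    want=${1#*:}; open=$2; keep=""
    old_ifs=$IFS; IFS=,
    for p in $want; do
        port_listed "$p" "$open" && keep="${keep:+$keep,}$p"
    done
    IFS=$old_ifs
    printf '%s' "$keep"
}

# Pass 1: host discovery plus top ports, just enough to map the estate.
stage_discovery() {
    run_stage discovery nmap --top-ports 100 -iL "$1" -oA "$OUTDIR/01-discovery"
}

# Pass 2: full TCP sweep, only on hosts that answered in pass 1.
stage_full_tcp() {
    gnmap "$OUTDIR/01-discovery.gnmap" | live_hosts_from_gnmap > "$OUTDIR/live-hosts.txt"
    run_stage full-tcp nmap -Pn -p- -iL "$OUTDIR/live-hosts.txt" -oA "$OUTDIR/02-full-tcp"
}

# Pass 3: version detection restricted to ports confirmed open in pass 2.
stage_versions() {
    ports=$(gnmap "$OUTDIR/02-full-tcp.gnmap" | open_ports_from_gnmap)
    run_stage versions nmap -Pn -sV -p "$ports" -iL "$OUTDIR/live-hosts.txt" -oA "$OUTDIR/03-versions"
}

# Pass 4: one run per approved script, and only against its exposed ports.
stage_nse() {
    open=$(gnmap "$OUTDIR/02-full-tcp.gnmap" | open_ports_from_gnmap)
    for entry in $APPROVED_SCRIPTS; do
        script=${entry%%:*}
        ports=$(ports_to_script "$entry" "$open")
        [ -n "$ports" ] || continue
        run_stage "nse-$script" nmap -Pn --script "$script" -p "$ports" \
            -iL "$OUTDIR/live-hosts.txt" -oA "$OUTDIR/04-$script"
    done
}

# Pass 5: render each XML file to HTML for humans; the XML stays as the record.
# Nmap's XML references its own stylesheet (nmap.xsl), so xsltproc needs no more.
stage_archive() {
    for xml in "$OUTDIR"/*.xml; do
        [ -e "$xml" ] || continue
        run_stage archive xsltproc "$xml" -o "${xml%.xml}.html"
    done
}

main() {
    targets=${1:?usage: $0 targets.txt}
    stage_discovery "$targets"; stage_full_tcp; stage_versions; stage_nse; stage_archive
}

# Run the pipeline only when a targets file is given; sourcing just defines functions.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as NMAP_DRY_RUN=1 ./nmap-staged.sh targets.txt first to review the plan and the commands.log it writes; later passes derive their inputs from the earlier .gnmap files, so each stage is explainable on its own and the script allow-list, not the scanner's defaults, decides what NSE touches.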