How to Detect CVEs Using Nmap Vulnerability Scan Scripts

June 10, 2025

11 min read

Nmap is more than a port scanner — it features powerful scripting for vulnerability detection, CVE mapping, and security assessment with custom scripts.
Jump to comments ()
LinkedIn
Telegram
Reddit

When evaluating top solutions for identifying vulnerabilities, Nmap is often not ranked among the best. That’s understandable — its core strength lies in network discovery and reconnaissance rather than serving as a dedicated vulnerability scanner. However, it’s important to recognize that Nmap offers powerful features that can effectively support vulnerability assessments.

With flexible scripting and advanced service detection, Nmap can help uncover misconfigurations and risks across an infrastructure — so calling it merely a “network mapper” or “port scanner” hardly does it justice.

In our recent list of top port scanning tools, we already explored Nmap’s scanning capabilities. In this article, we’ll focus on its extensive features for detecting vulnerabilities.

Who created Nmap?
Nmap was created by Gordon Lyon, widely known in the cybersecurity community by his pseudonym Fyodor. He is the founder and lead developer behind several well-known open security projects, including Nmap.org, Insecure.org, SecLists.org, and SecTools.org. He began developing the Nmap Security Scanner in 1997, turning what started as a personal passion project into one of the most respected tools in network security. Fyodor now works full-time on Nmap and related projects through his company, Nmap Software LLC.

Before You Begin

Before proceeding with installation and usage, it’s important to briefly address the potential risks involved and clarify how Nmap is licensed.

Before running Nmap or its scripting engine against any network, be aware that unauthorized scanning, exploitation, or brute-force attempts may be illegal. Many organizations treat such activity as a violation of policy, and it can trigger legal action or incident response procedures. Even with the best intentions, running intrusive or exploitative scripts against systems you do not own or explicitly have permission to test is considered unethical — and in many regions, a criminal offense.

Unauthorized scanning is illegal
Always obtain explicit written authorization before scanning any system you do not own or control. This is especially important when using intrusive techniques, as such actions can trigger security alerts, disrupt services, or violate organizational policies and legal requirements.

Nmap is a powerful tool designed for security professionals, researchers, and system administrators. Use it only on infrastructure you own or are authorized to assess.

Nmap Custom License

Nmap is an open source project with a dual licensing model1. It’s free for individuals and organizations to use, but its inclusion in proprietary products is restricted. This model helps fund ongoing development through commercial OEM licensing, while still ensuring that the source code remains publicly available.

The result is a sustainable project that values transparency, welcomes community contributions, and maintains user trust in its security and quality.

Installing Nmap

Nmap is often preinstalled on certain operating systems, including Kali Linux and BackBox.

For most users, the easiest way to install Nmap is by downloading it directly from the official Nmap website. This option is especially recommended for Windows users.

On most Linux distributions, you can install Nmap using the system’s package manager. For example, on Debian/Ubuntu, use the following commands:

sudo apt update
sudo apt install nmap

On macOS, the simplest method is using Homebrew:

brew install nmap
Zenmap – Nmap’s Graphical Interface
For users who prefer a graphical interface, Zenmap, the official Nmap GUI, is also available. It can be installed alongside Nmap on most systems using the same package manager or installer, depending on your platform.

Nmap Scripting Engine

In the context of vulnerability assessment, the most powerful Nmap’s feature is the Nmap Scripting Engine (NSE). This system allows Nmap to go far beyond basic scanning by running lightweight scripts written in Lua2 to detect misconfigurations, weak credentials, and known vulnerabilities across a wide range of services and protocols.

Nmap comes with hundreds of ready-to-use scripts, organized into functional categories:

Built-in NSE Script Categories
CategoryDescriptionCount
authScripts related to authentication methods, including bypass or checks.38
broadcastSends broadcast queries to discover hosts or services on a local network.47
brutePerforms brute-force authentication attempts against various services.73
defaultScripts run when the -sC or --script=default option is used.123
discoveryScripts that help identify hosts, services, and network topology.307
dosDenial-of-service checks; may crash or exhaust service resources.11
exploitScripts that attempt limited exploitation to confirm the presence of vulns.45
externalRelies on third-party services or external data sources.33
fuzzerSends malformed input to discover implementation flaws.3
infoProvides informational output not fitting other categories.1
intrusiveScripts that may crash services, be detectable, or affect system behavior.211
malwareDetects known malware infections, backdoors, or suspicious behaviors.10
safeScripts considered non-intrusive and unlikely to affect the target system.348
versionEnhances or supplements version detection results.47
vulnChecks for known vulnerabilities, misconfigurations, and CVEs.104

The “Count” column above shows how many scripts are available in each NSE category, giving you a sense of the breadth and focus of Nmap’s built-in vulnerability detection capabilities.

NSE transforms Nmap into a highly adaptable vulnerability scanner — capable of identifying everything from outdated SSL configurations to exposed admin panels and CVE-specific flaws.

What is an NSE Script?
An NSE (Nmap Scripting Engine) script is a modular extension written in Lua that enhances Nmap’s scanning capabilities. NSE scripts can perform tasks such as vulnerability detection, brute-force attacks, service enumeration, or even protocol fuzzing — enabling Nmap to go far beyond basic port scanning.

Using Vulnerability Detection Scripts in Nmap

Let’s walk through the practical steps for running vulnerability detection scripts against a target system using Nmap.

Running All Vulnerability Scripts (vuln)

To scan a host or network for known CVEs and common misconfigurations:

nmap --script vuln target.com

This command tells Nmap to execute all scripts in the vuln category, checking for a wide range of publicly documented vulnerabilities.

Using Exploitation Scripts (exploit)

Some scripts attempt safe exploitation to verify vulnerabilities. You can run all exploit scripts like this:

nmap --script exploit target.com
Exploit Scripts Are Dangerous
Exploit scripts can actively attempt to exploit vulnerabilities, which may disrupt system stability or compromise security. Use them only with explicit authorization and extreme caution.

Checking Authentication Issues (auth) and Brute-force (brute)

To identify weak authentication mechanisms or perform basic brute-force tests:

nmap --script auth target.com
nmap --script brute target.com

You can also combine multiple categories in a single scan:

nmap --script "vuln,exploit,auth,brute" target.com

Using Intrusive and Default Scripts

Some vulnerability checks and CVE probes are marked as intrusive or included in the default category. To include these in your assessment:

nmap --script intrusive target.com
nmap --script default target.com

Example: Comprehensive Vulnerability Sweep

To maximize coverage, you can run all relevant categories in a single command:

nmap -p- --script "vuln,exploit,auth,brute,intrusive,default" target.com
  • -p- scans all ports (optional, for thoroughness).
  • The --script argument accepts a comma-separated list of categories.

After running these scans, carefully review the output. Nmap will report detected CVEs, vulnerabilities, or weak authentication findings directly in its results.

Using Third-party NSE Scripts

While Nmap includes hundreds of built-in scripts, its functionality can be extended with third-party NSE scripts. These scripts are developed and shared by the community to cover niche protocols, newly discovered vulnerabilities, or specialized scanning tasks.

Some of the most notable third-party NSE script sources will be reviewed later in this article, but in general, widely used sources include:

  • GitHub – Search for repositories with nse or nmap-scripts tags. Many security researchers and organizations publish their own script sets.
  • SecLists NSE Scripts – Part of the larger SecLists project, offering curated NSE scripts for discovery and exploitation.
  • Exploit-DB – Some PoC exploits are published with NSE script implementations.
Use with Caution
Always review and understand third-party scripts before running them — especially if they perform authentication, brute-force, or exploitation tasks. These scripts may introduce unexpected behavior, legal risk, or instability if used blindly or against unauthorized targets.

To use third-party scripts, simply download them into your local Nmap scripts directory (typically located at /usr/share/nmap/scripts/).

You can then run them just like any built-in script using the –script option:

nmap --script custom-script.nse target.com

To improve performance, Nmap uses an indexed database of available scripts. If you add, remove, or update scripts manually, it’s important to refresh this index by running:

nmap --script-updatedb

This ensures that Nmap recognizes all current scripts during scanning.

Passive Detection with Nmap Vulners

When assessing systems for known vulnerabilities, not all scanning methods are created equal. Nmap supports both active and passive approaches to vulnerability detection, each with its own benefits and trade-offs.

What is Passive Scanning?
Passive scanning is a technique that identifies vulnerabilities by analyzing information already exposed by services — such as banners or version numbers — without sending intrusive probes or exploit attempts. This approach minimizes the risk of detection or disruption, but may not always confirm the presence of a vulnerability.

How Nmap Vulners Works

The Vulners NSE script (vulners.nse) enables Nmap to perform passive vulnerability detection by collecting version and software information from open ports and matching it against the extensive Vulners.com vulnerability database. Rather than launching attacks or intrusive probes, it passively fingerprints software and then queries the Vulners API for known issues tied to those versions.

Typical workflow:

  1. Nmap scans the target, identifies service banners and software versions.
  2. The Vulners script sends this information to the Vulners.com API.
  3. The API responds with a list of relevant CVEs, advisories, and known exploits for each detected software version.
  4. Nmap displays these findings in the output — without triggering suspicious activity on the target system.

Example Usage

You can run the Vulners script during a standard service/version scan:

nmap -sV --script vulners target.com

This approach is safe for most environments and can provide valuable insight into exposed vulnerabilities — without the risks of traditional exploitation.

About Vulners.com API

Vulners.com is an open-source vulnerability intelligence platform that aggregates CVEs, security advisories, and exploit data from dozens of sources. Its public API allows tools like Nmap to programmatically search for vulnerabilities based on software versions, making it ideal for integration into passive scanning workflows. The Vulners NSE script leverages this API to map service versions directly to known CVEs, offering up-to-date and detailed vulnerability intelligence as part of your Nmap scan results.

Nmap Vulscan – Offline Alternative

Another popular and flexible solution for enriching Nmap with vulnerability intelligence is Vulscan. Vulscan is an open-source NSE script and auxiliary toolkit maintained by the SCIP AG team that transforms Nmap into a passive vulnerability scanner.

Vulscan operates by collecting software and version information from Nmap’s service/version scan (-sV). Instead of directly probing for vulnerabilities, it passively compares these findings against offline CSV databases containing CVEs, security advisories, and exploit references from multiple sources. These databases are downloaded and maintained separately from the script itself.

Vulscan vs. Vulners

While both Vulscan and Vulners focus on passive detection by matching software versions to known CVEs, they differ in implementation:

  • Vulners queries the Vulners.com cloud API in real time for up-to-date vulnerability data.
  • Vulscan uses locally stored, regularly updated vulnerability databases (CSV files). This makes Vulscan usable even in offline environments and gives you control over the vulnerability sources and update frequency.

Getting Started with Vulscan

  1. Clone the Vulscan repository and copy it to your Nmap scripts directory:

    git clone https://github.com/scipag/vulscan.git
    cp vulscan/vulscan.nse /usr/local/share/nmap/scripts/
    cp -r vulscan /usr/local/share/nmap/scripts/
  2. Update the Vulscan databases:

    Vulscan’s CSV data sources are stored in the vulscan directory. You can update them using the provided scripts or by downloading the latest files from the Vulscan GitHub.

  3. Run Nmap with the Vulscan script:

    nmap -sV --script vulscan/vulscan.nse target.com

    By default, Vulscan will check all supported databases. You can specify a particular database with the vulscandb script argument, for example:

    nmap -sV --script vulscan/vulscan.nse --script-args vulscandb=cve.csv target.com

When Vulscan is run, it matches detected banners to thousands of known vulnerabilities — providing immediate context for each discovered service, often including CVE IDs, vulnerability descriptions, and external references.

Netlas – Web Alternative

For those who prefer a web-based approach to vulnerability intelligence, Netlas offers an extensive search engine for internet-facing assets and their associated exposures. Unlike Nmap, Netlas requires no installation and provides an intuitive web interface to search, analyze, and correlate open ports, banners, SSL certificates, and known vulnerabilities across the global internet.

Netlas aggregates scan data from multiple sources, mapping services and CVEs to millions of hosts. This makes it a convenient solution for passive reconnaissance, large-scale infrastructure reviews, or quickly checking for public exposures — without running any local scans or scripts.

Calendar

Book Your Netlas Demo

Chat with our team to explore how the Netlas platform can support your security research and threat analysis.

Writing Your Own NSE Script

Once you get comfortable with Nmap and see what its scripts can do, you may want to write your own custom script. This is useful if you need to check for something specific that isn’t covered by existing scripts. Nmap makes it straightforward to create and use your own scripts for these cases.

Minimal Example

Each NSE script is a small Lua file with a .nse extension and typically includes:

  • Head section: Metadata, description, author, license, and categories.
  • Action function: The main logic to run during the scan.
  • Rule functions: Define when the script should run (e.g., for certain ports or services).

Below is a simple script that checks if a web server’s root page contains the word “admin”:

-- http-check-admin.nse
description = [[Checks if 'admin' appears in the root HTML page.]]
author = "Your Name"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

portrule = shortport.http

action = function(host, port)
  local http = require "http"
  local response = http.get(host, port, "/")
  if response.body and response.body:match("admin") then
    return "The string 'admin' was found in the root page."
  else
    return nil
  end
end

Save your script to Nmap’s scripts directory. Then update the script database and run your script:

nmap --script-updatedb
nmap -p 80 --script http-check-admin.nse target.com

When you run the custom script, Nmap will include the script’s results in its output. For example:

PORT   STATE SERVICE
80/tcp open  http
| http-check-admin:
|   The string 'admin' was found in the root page.

If the string is not found, the script will not display any output for that port.

Tips and Resources for Developing NSE Scripts

A comprehensive manual for NSE scripting is beyond the scope of this article, but we recommend exploring the resources listed below to deepen your understanding and improve your scripting skills:

  • Explore and Leverage Nmap’s Built-in Libraries: NSE provides a rich set of libraries for working with protocols like HTTP, SMB, DNS, SSL/TLS, and more. These libraries help you handle connections, parse responses, and interact with services at a high level. Start with browsing the NSE library documentation.

  • Study Existing Scripts: One of the best ways to get started is by reviewing existing NSE scripts. Analyze how scripts are structured, how categories are used, and how common tasks (such as parsing responses or reporting results) are handled. This will help you adopt best practices and avoid common mistakes.

  • Choose Script Categories Thoughtfully: Assign your script to categories that reflect its purpose and risk level. Use safe for non-intrusive actions, and intrusive, vuln, or exploit for scripts that might impact target systems or confirm vulnerabilities. Proper categorization helps users understand potential impact before running your script.

  • Test Safely and Thoroughly: Always test new scripts in a controlled, non-production environment. Consider edge cases: unexpected input, unusual protocol behavior, or network errors. Confirm that your script fails gracefully and never disrupts services unless explicitly intended.

  • Follow the Official Documentation: The Nmap Scripting Engine documentation provides a comprehensive overview of script structure, available APIs, and execution flow. For technical Lua details, consult the official Lua 5.4 reference manual, which explains syntax, standard libraries, and advanced language features.

By combining these practices — and using the resources above — you’ll be able to create powerful, reliable, and responsible NSE scripts that extend Nmap’s capabilities for your unique use cases.

Key Takeaways

Nmap is far more than a simple port scanner — it is a flexible, powerful platform for network mapping, service identification, and vulnerability assessment. In this article, we focused on Nmap’s extensive features for detecting vulnerabilities, including both built-in and third-party scripts.

Key points covered:

  • Nmap’s Scripting Engine (NSE) transforms Nmap into a modular vulnerability scanner, allowing active and passive detection of misconfigurations, weak credentials, and known CVEs.
  • Active vulnerability detection can be performed with built-in scripts from categories like vuln, exploit, auth, and intrusive, as well as with regularly updated third-party script packs targeting high-profile and recent CVEs.
  • Passive detection using scripts like vulners.nse and vulscan.nse enables safe mapping of vulnerabilities by version matching, either via cloud APIs or offline databases, with minimal risk to target systems.
  • Third-party NSE script collections greatly expand Nmap’s capabilities, letting you address newly disclosed or specialized vulnerabilities faster than waiting for official script updates.
  • You can develop your own NSE scripts to address custom protocols, newly discovered vulnerabilities, or specific internal requirements — leveraging Lua and Nmap’s rich scripting libraries to tailor your security assessments.

By combining Nmap’s built-in capabilities, active community scripts, and external resources, you can build a robust, customizable, and legally compliant vulnerability assessment workflow. Just remember: always scan only with proper authorization, review any third-party scripts before use, and balance active probing with passive intelligence based on your environment and goals.


  1. The open source version is released under the Nmap Public Source License. For embedding into commercial products, the Nmap OEM license↩︎

  2. Lua is a lightweight, embeddable scripting language with a simple syntax and small runtime footprint. It is used in Nmap to write modular and efficient scripts. See the official Lua reference manual for language details. ↩︎

LinkedIn
Telegram
Reddit