How to Detect CVEs Using Nmap Vulnerability Scan Scripts

When evaluating top solutions for identifying vulnerabilities, Nmap is often not ranked among the best. That’s understandable — its core strength lies in network discovery and reconnaissance rather than serving as a dedicated vulnerability scanner. However, it’s important to recognize that Nmap offers powerful features that can effectively support vulnerability assessments.

With flexible scripting and advanced service detection, Nmap can help uncover misconfigurations and risks across an infrastructure — so calling it merely a “network mapper” or “port scanner” hardly does it justice.

In our recent list of top port scanning tools, we already explored Nmap’s scanning capabilities. In this article, we’ll focus on its extensive features for detecting vulnerabilities.

Before You Begin

Before proceeding with installation and usage, it’s important to briefly address the potential risks involved and clarify how Nmap is licensed.

Legal Warning: Use Nmap Responsibly

Before running Nmap or its scripting engine against any network, be aware that unauthorized scanning, exploitation, or brute-force attempts may be illegal. Many organizations treat such activity as a violation of policy, and it can trigger legal action or incident response procedures. Even with the best intentions, running intrusive or exploitative scripts against systems you do not own or explicitly have permission to test is considered unethical — and in many regions, a criminal offense.

Nmap is a powerful tool designed for security professionals, researchers, and system administrators. Use it only on infrastructure you own or are authorized to assess.

Nmap Custom License

Nmap is an open source project with a dual licensing model¹. It’s free for individuals and organizations to use, but its inclusion in proprietary products is restricted. This model helps fund ongoing development through commercial OEM licensing, while still ensuring that the source code remains publicly available.

The result is a sustainable project that values transparency, welcomes community contributions, and maintains user trust in its security and quality.

Installing Nmap

Nmap is often preinstalled on certain operating systems, including Kali Linux and BackBox.

For most users, the easiest way to install Nmap is by downloading it directly from the official Nmap website. This option is especially recommended for Windows users.

On most Linux distributions, you can install Nmap using the system’s package manager. For example, on Debian/Ubuntu, use the following commands:

sudo apt update
sudo apt install nmap

On macOS, the simplest method is using Homebrew:

brew install nmap

Nmap Scripting Engine

In the context of vulnerability assessment, the most powerful Nmap’s feature is the Nmap Scripting Engine (NSE). This system allows Nmap to go far beyond basic scanning by running lightweight scripts written in Lua² to detect misconfigurations, weak credentials, and known vulnerabilities across a wide range of services and protocols.

Nmap comes with hundreds of ready-to-use scripts, organized into functional categories:

The “Count” column above shows how many scripts are available in each NSE category, giving you a sense of the breadth and focus of Nmap’s built-in vulnerability detection capabilities.

NSE transforms Nmap into a highly adaptable vulnerability scanner — capable of identifying everything from outdated SSL configurations to exposed admin panels and CVE-specific flaws.

Using Vulnerability Detection Scripts in Nmap

Let’s walk through the practical steps for running vulnerability detection scripts against a target system using Nmap.

Running All Vulnerability Scripts (vuln)

To scan a host or network for known CVEs and common misconfigurations:

nmap --script vuln target.com

This command tells Nmap to execute all scripts in the vuln category, checking for a wide range of publicly documented vulnerabilities.

Using Exploitation Scripts (exploit)

Some scripts attempt safe exploitation to verify vulnerabilities. You can run all exploit scripts like this:

nmap --script exploit target.com

Checking Authentication Issues (auth) and Brute-force (brute)

To identify weak authentication mechanisms or perform basic brute-force tests:

nmap --script auth target.com
nmap --script brute target.com

You can also combine multiple categories in a single scan:

nmap --script "vuln,exploit,auth,brute" target.com

Using Intrusive and Default Scripts

Some vulnerability checks and CVE probes are marked as intrusive or included in the default category. To include these in your assessment:

nmap --script intrusive target.com
nmap --script default target.com

Example: Comprehensive Vulnerability Sweep

To maximize coverage, you can run all relevant categories in a single command:

nmap -p- --script "vuln,exploit,auth,brute,intrusive,default" target.com

• -p- scans all ports (optional, for thoroughness).
• The --script argument accepts a comma-separated list of categories.

After running these scans, carefully review the output. Nmap will report detected CVEs, vulnerabilities, or weak authentication findings directly in its results.

Using Third-party NSE Scripts

While Nmap includes hundreds of built-in scripts, its functionality can be extended with third-party NSE scripts. These scripts are developed and shared by the community to cover niche protocols, newly discovered vulnerabilities, or specialized scanning tasks.

Some of the most notable third-party NSE script sources will be reviewed later in this article, but in general, widely used sources include:

• GitHub – Search for repositories with nse or nmap-scripts tags. Many security researchers and organizations publish their own script sets.
• SecLists NSE Scripts – Part of the larger SecLists project, offering curated NSE scripts for discovery and exploitation.
• Exploit-DB – Some PoC exploits are published with NSE script implementations.

To use third-party scripts, simply download them into your local Nmap scripts directory (typically located at /usr/share/nmap/scripts/).

You can then run them just like any built-in script using the –script option:

nmap --script custom-script.nse target.com

To improve performance, Nmap uses an indexed database of available scripts. If you add, remove, or update scripts manually, it’s important to refresh this index by running:

nmap --script-updatedb

This ensures that Nmap recognizes all current scripts during scanning.

Passive Detection with Nmap Vulners

When assessing systems for known vulnerabilities, not all scanning methods are created equal. Nmap supports both active and passive approaches to vulnerability detection, each with its own benefits and trade-offs.

How Nmap Vulners Works

The Vulners NSE script (vulners.nse) enables Nmap to perform passive vulnerability detection by collecting version and software information from open ports and matching it against the extensive Vulners.com vulnerability database. Rather than launching attacks or intrusive probes, it passively fingerprints software and then queries the Vulners API for known issues tied to those versions.

Typical workflow:

1. Nmap scans the target, identifies service banners and software versions.
2. The Vulners script sends this information to the Vulners.com API.
3. The API responds with a list of relevant CVEs, advisories, and known exploits for each detected software version.
4. Nmap displays these findings in the output — without triggering suspicious activity on the target system.

Example Usage

You can run the Vulners script during a standard service/version scan:

nmap -sV --script vulners target.com

This approach is safe for most environments and can provide valuable insight into exposed vulnerabilities — without the risks of traditional exploitation.

About Vulners.com API

Vulners.com is an open-source vulnerability intelligence platform that aggregates CVEs, security advisories, and exploit data from dozens of sources. Its public API allows tools like Nmap to programmatically search for vulnerabilities based on software versions, making it ideal for integration into passive scanning workflows. The Vulners NSE script leverages this API to map service versions directly to known CVEs, offering up-to-date and detailed vulnerability intelligence as part of your Nmap scan results.

Nmap Vulscan – Offline Alternative

Another popular and flexible solution for enriching Nmap with vulnerability intelligence is Vulscan. Vulscan is an open-source NSE script and auxiliary toolkit maintained by the SCIP AG team that transforms Nmap into a passive vulnerability scanner.

Vulscan operates by collecting software and version information from Nmap’s service/version scan (-sV). Instead of directly probing for vulnerabilities, it passively compares these findings against offline CSV databases containing CVEs, security advisories, and exploit references from multiple sources. These databases are downloaded and maintained separately from the script itself.

Vulscan vs. Vulners

While both Vulscan and Vulners focus on passive detection by matching software versions to known CVEs, they differ in implementation:

• Vulners queries the Vulners.com cloud API in real time for up-to-date vulnerability data.
• Vulscan uses locally stored, regularly updated vulnerability databases (CSV files). This makes Vulscan usable even in offline environments and gives you control over the vulnerability sources and update frequency.

Getting Started with Vulscan

1. Clone the Vulscan repository and copy it to your Nmap scripts directory:

   git clone https://github.com/scipag/vulscan.git
   cp vulscan/vulscan.nse /usr/local/share/nmap/scripts/
   cp -r vulscan /usr/local/share/nmap/scripts/

2. Update the Vulscan databases:

   Vulscan’s CSV data sources are stored in the vulscan directory. You can update them using the provided scripts or by downloading the latest files from the Vulscan GitHub.

3. Run Nmap with the Vulscan script:

   nmap -sV --script vulscan/vulscan.nse target.com

   By default, Vulscan will check all supported databases. You can specify a particular database with the vulscandb script argument, for example:

   nmap -sV --script vulscan/vulscan.nse --script-args vulscandb=cve.csv target.com

When Vulscan is run, it matches detected banners to thousands of known vulnerabilities — providing immediate context for each discovered service, often including CVE IDs, vulnerability descriptions, and external references.

Netlas – Web Alternative

For those who prefer a web-based approach to vulnerability intelligence, Netlas offers an extensive search engine for internet-facing assets and their associated exposures. Unlike Nmap, Netlas requires no installation and provides an intuitive web interface to search, analyze, and correlate open ports, banners, SSL certificates, and known vulnerabilities across the global internet.

Netlas aggregates scan data from multiple sources, mapping services and CVEs to millions of hosts. This makes it a convenient solution for passive reconnaissance, large-scale infrastructure reviews, or quickly checking for public exposures — without running any local scans or scripts.

Book Your Netlas Demo

Chat with our team to explore how the Netlas platform can support your security research and threat analysis.

Pick a Time

Writing Your Own NSE Script

Once you get comfortable with Nmap and see what its scripts can do, you may want to write your own custom script. This is useful if you need to check for something specific that isn’t covered by existing scripts. Nmap makes it straightforward to create and use your own scripts for these cases.

Minimal Example

Each NSE script is a small Lua file with a .nse extension and typically includes:

• Head section: Metadata, description, author, license, and categories.
• Action function: The main logic to run during the scan.
• Rule functions: Define when the script should run (e.g., for certain ports or services).

Below is a simple script that checks if a web server’s root page contains the word “admin”:

-- http-check-admin.nse
description = [[Checks if 'admin' appears in the root HTML page.]]
author = "Your Name"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

portrule = shortport.http

action = function(host, port)
  local http = require "http"
  local response = http.get(host, port, "/")
  if response.body and response.body:match("admin") then
    return "The string 'admin' was found in the root page."
  else
    return nil
  end
end

Save your script to Nmap’s scripts directory. Then update the script database and run your script:

nmap --script-updatedb
nmap -p 80 --script http-check-admin.nse target.com

When you run the custom script, Nmap will include the script’s results in its output. For example:

PORT   STATE SERVICE
80/tcp open  http
| http-check-admin:
|   The string 'admin' was found in the root page.

If the string is not found, the script will not display any output for that port.

Tips and Resources for Developing NSE Scripts

A comprehensive manual for NSE scripting is beyond the scope of this article, but we recommend exploring the resources listed below to deepen your understanding and improve your scripting skills:

• Explore and Leverage Nmap’s Built-in Libraries: NSE provides a rich set of libraries for working with protocols like HTTP, SMB, DNS, SSL/TLS, and more. These libraries help you handle connections, parse responses, and interact with services at a high level. Start with browsing the NSE library documentation.

• Study Existing Scripts: One of the best ways to get started is by reviewing existing NSE scripts. Analyze how scripts are structured, how categories are used, and how common tasks (such as parsing responses or reporting results) are handled. This will help you adopt best practices and avoid common mistakes.

• Choose Script Categories Thoughtfully: Assign your script to categories that reflect its purpose and risk level. Use safe for non-intrusive actions, and intrusive, vuln, or exploit for scripts that might impact target systems or confirm vulnerabilities. Proper categorization helps users understand potential impact before running your script.

• Test Safely and Thoroughly: Always test new scripts in a controlled, non-production environment. Consider edge cases: unexpected input, unusual protocol behavior, or network errors. Confirm that your script fails gracefully and never disrupts services unless explicitly intended.

• Follow the Official Documentation: The Nmap Scripting Engine documentation provides a comprehensive overview of script structure, available APIs, and execution flow. For technical Lua details, consult the official Lua 5.4 reference manual, which explains syntax, standard libraries, and advanced language features.

By combining these practices — and using the resources above — you’ll be able to create powerful, reliable, and responsible NSE scripts that extend Nmap’s capabilities for your unique use cases.

Key Takeaways

Nmap is far more than a simple port scanner — it is a flexible, powerful platform for network mapping, service identification, and vulnerability assessment. In this article, we focused on Nmap’s extensive features for detecting vulnerabilities, including both built-in and third-party scripts.

Key points covered:

• Nmap’s Scripting Engine (NSE) transforms Nmap into a modular vulnerability scanner, allowing active and passive detection of misconfigurations, weak credentials, and known CVEs.
• Active vulnerability detection can be performed with built-in scripts from categories like vuln, exploit, auth, and intrusive, as well as with regularly updated third-party script packs targeting high-profile and recent CVEs.
• Passive detection using scripts like vulners.nse and vulscan.nse enables safe mapping of vulnerabilities by version matching, either via cloud APIs or offline databases, with minimal risk to target systems.
• Third-party NSE script collections greatly expand Nmap’s capabilities, letting you address newly disclosed or specialized vulnerabilities faster than waiting for official script updates.
• You can develop your own NSE scripts to address custom protocols, newly discovered vulnerabilities, or specific internal requirements — leveraging Lua and Nmap’s rich scripting libraries to tailor your security assessments.

By combining Nmap’s built-in capabilities, active community scripts, and external resources, you can build a robust, customizable, and legally compliant vulnerability assessment workflow. Just remember: always scan only with proper authorization, review any third-party scripts before use, and balance active probing with passive intelligence based on your environment and goals.