Welcome to Day 12! Today we're going to learn about NSE Discovery Scripts - these are like having a team of detectives working with your Nmap scanner. While basic Nmap finds open ports, discovery scripts find hidden information, network details, and services you might not even know exist!
After today, you'll be able to:
- Understand what discovery scripts are and why they're useful
- Run basic discovery scripts to find network information
- Discover hidden hosts, services, and network details
- Use scripts safely and responsibly
- Save and understand discovery results
You're in a dark room with a flashlight (regular Nmap). You can see:
- Doors that are open (open ports)
- Signs on doors (service names)
- What's written on the signs (banners)
Discovery scripts give you night vision goggles! Now you can also see:
- Hidden doors you didn't know were there
- What's behind each door
- Who lives in the building
- How everything is connected
Without discovery scripts:
You run: nmap 192.168.1.1
You see: Port 80 is open (web server)
That's it.
With discovery scripts:
You run: nmap --script discovery 192.168.1.1
You see: Port 80 is open (Apache 2.4.6)
AND: There's a /admin page hidden
AND: The server is running WordPress
AND: There are 3 other devices on the network
AND: The server shares files via SMB# List all discovery scripts (on Linux/Mac)
ls /usr/share/nmap/scripts/ | grep -i discover
# You'll see scripts like:
broadcast-dhcp-discover.nse
broadcast-ping.nse
dns-brute.nse
http-enum.nse
smb-enum-shares.nse
snmp-info.nse
targets-sniffer.nse
# Count how many discovery scripts
ls /usr/share/nmap/scripts/*discover*.nse | wc -l
ls /usr/share/nmap/scripts/*enum*.nse | wc -lThis script is perfect for beginners - it just reads the title of web pages.
# Basic usage - find webpage titles
nmap --script http-title -p 80,443,8080,8443 192.168.1.1
# What it does:
1. Connects to web ports (80, 443, etc.)
2. Asks for the webpage
3. Reads the <title> tag
4. Shows you what it finds
# Sample output:
PORT STATE SERVICE
80/tcp open http
| http-title: Welcome to Router Administration
443/tcp open ssl/http
| http-title: Secure Login - Router Admin1. http-enum - Find Hidden Web Pages
This is like trying common door handles to see what opens.
# Find common web directories and files
nmap --script http-enum -p 80,443 192.168.1.1
# What it checks:
/admin - Administration pages
/backup - Backup files
/config - Configuration files
/test - Test pages
/phpinfo.php - PHP information page
/robots.txt - Hints about the website
# Sample findings:
| http-enum:
| /admin/: Possible admin folder
| /backup/: Backup directory
| /robots.txt: Robots file
| /test/: Test pageThis finds folders that Windows computers are sharing on the network.
# Find shared folders on Windows computers
nmap --script smb-enum-shares -p 445 192.168.1.100
# Common shares it finds:
ADMIN$ - Administrative share (hidden)
C$ - C drive share (hidden)
IPC$ - Inter-process communication
Shared - Public shared folder
Documents - Documents folder share
# Sample output:
| smb-enum-shares:
| ADMIN$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Remote Admin
| C$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Default share
| Shared:
| Type: STYPE_DISKTREE
| Comment: Public Share
| Anonymous access: READ/WRITE <-- Security issue!This tries common subdomain names to find hidden parts of a website.
# Find subdomains of a website
nmap --script dns-brute example.com
# Common subdomains it tries:
www.example.com - Main website
mail.example.com - Email server
ftp.example.com - FTP server
admin.example.com - Admin panel
dev.example.com - Development site
test.example.com - Testing site
blog.example.com - Blog
api.example.com - API server
# Sample findings:
| dns-brute:
| DNS Brute-force hostnames:
| www.example.com - 192.168.1.100
| mail.example.com - 192.168.1.101
| ftp.example.com - 192.168.1.102This sends broadcast messages to find devices that don't respond to normal scans.
# Find all devices on your local network
sudo nmap --script broadcast-ping
# What it does:
1. Sends "Who's there?" message to entire network
2. Listens for responses
3. Shows all devices that answer
# Sample output:
| broadcast-ping:
| IP: 192.168.1.1 MAC: aa:bb:cc:dd:ee:ff (Router Manufacturer)
| IP: 192.168.1.100 MAC: 11:22:33:44:55:66 (Computer Manufacturer)
| IP: 192.168.1.101 MAC: 77:88:99:aa:bb:cc (Phone Manufacturer)
| IP: 192.168.1.150 MAC: dd:ee:ff:aa:bb:cc (Printer Manufacturer)Let's discover everything on your home network.
# Step 1: Find your network range
# Windows:
ipconfig
# Look for: IPv4 Address and Subnet Mask
# Example: 192.168.1.50 with mask 255.255.255.0
# Means network is: 192.168.1.0/24
# Linux/Mac:
ifconfig
# Or: ip addr show
# Step 2: Find all devices
sudo nmap -sn 192.168.1.0/24
# Step 3: For each device found, run discovery
# Example for router (usually .1):
nmap --script "http-enum and smb-os-discovery" 192.168.1.1
# Step 4: Document findings
# Create a simple network map:
# - Router: 192.168.1.1 (has web admin)
# - Computer: 192.168.1.100 (shares files)
# - Phone: 192.168.1.101
# - Printer: 192.168.1.150Let's discover everything about a web server.
# Target: Your own local web server or a test server
# Step 1: Basic port scan
nmap -p 80,443,8080,8443 webserver
# Step 2: Web discovery
nmap --script "http-*" -p 80,443,8080,8443 webserver
# This runs scripts like:
http-title - Page titles
http-headers - Server headers
http-methods - Allowed methods (GET, POST, etc.)
http-enum - Hidden pages
http-robots.txt - Robots file
# Step 3: Document what you find
# Example documentation:
# Server: Apache 2.4.6
# Technologies: PHP 7.4, WordPress
# Hidden pages: /admin/, /backup/, /config/
# Security: No authentication on /admin/Discover information about Windows computers on your network.
# Step 1: Find Windows computers
# They usually have port 445 open (SMB)
nmap -p 445 192.168.1.0/24
# Step 2: For each Windows computer found
nmap --script "smb-os-discovery and smb-enum-shares" -p 445 [ip-address]
# Step 3: Document findings
# Example:
# Computer: WIN10-PC (192.168.1.100)
# OS: Windows 10 Pro 21H2
# Shares: ADMIN$ (hidden), C$ (hidden), Public (read/write)
# Users: Administrator, User1, GuestDiscovery scripts add extra information to Nmap's normal output. Let's break down what you see:
Sample discovery output:
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /admin/: Admin login page
| /backup/: Directory listing
| /config/: Configuration files
|_ /robots.txt: Contains 5 disallowed entries
443/tcp open https
| ssl-cert: Subject: commonName=router.local
| Issuer: commonName=router.local
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2023-01-01
|_Not valid after: 2024-12-31- PORT: Which port was scanned
- STATE: Open/closed/filtered
- SERVICE: What usually runs on that port
- Script output (after |): What the script found
- Each | shows a different finding
- |_ shows the last finding
- Indented information is detailed data
-
Only Scan What You Own
- Your own computer: 127.0.0.1 (localhost)
- Your home network devices
- Test servers you control
- NEVER scan other people's systems without permission
-
Start Small and Slow
myterminal # Bad: Scan everything at once nmap --script discovery 192.168.1.0/24 # Good: Start with one host nmap --script http-title 127.0.0.1 # Better: Test one script at a time nmap --script http-enum 127.0.0.1 -
Understand What Scripts Do
- Some scripts just look at information (safe)
- Some scripts try to access things (could cause problems)
- Some scripts might crash services (dangerous)
# Safe scripts (good for beginners)
nmap --script safe target
# These scripts just look at public information
# They won't crash services or cause damage
# Common safe discovery scripts:
http-title - Reads webpage titles
ssh-hostkey - Gets SSH key fingerprint
smb-os-discovery - Reads Windows system info (safe version)
dns-brute - Tries DNS names (doesn't attack)
# Advanced scripts (use carefully)
http-enum - Tries to access hidden pages
smb-enum-shares - Tries to access shared folders
snmp-brute - Tries SNMP passwords# Error: NSOCK ERROR [0.1230s] ssl-init: ...
# Or: WARNING: No scripts were found!
# Solution 1: Check script exists
ls /usr/share/nmap/scripts/http-title.nse
# Solution 2: Update Nmap
sudo apt update && sudo apt upgrade nmap
# Solution 3: Check spelling
# Correct: http-title
# Wrong: http_title, httptitle, http title# Script runs but shows no results
# Possible reasons:
1. No services running on scanned ports
Solution: Check if port is actually open
2. Service doesn't respond to script probes
Solution: Try different scripts
3. Firewall blocking script probes
Solution: Check firewall settings
4. Script needs specific version of service
Solution: Check script documentation# Some scripts can be slow
# Especially: dns-brute, http-enum
# Solutions:
# 1. Add timeout
nmap --script dns-brute --script-timeout 2m target
# 2. Use smaller search lists
nmap --script http-enum --script-args http-enum.fingerprintfile=small_list.txt
# 3. Run fewer scripts at once
# Instead of: nmap --script discovery
# Use: nmap --script http-title,http-headers# Step 1: Scan localhost (your own computer)
nmap 127.0.0.1
# Step 2: Run safe discovery scripts
nmap -sC 127.0.0.1
# Step 3: Try specific discovery scripts
nmap --script http-title 127.0.0.1
nmap --script ssh-hostkey 127.0.0.1
# Questions to answer:
1. What services are running on your computer?
2. What did the discovery scripts find?
3. Was anything surprising?# Use a test web server (your own or a practice site)
# Step 1: Basic scan
nmap -p 80,443 test-server
# Step 2: Web discovery
nmap --script http-title,http-headers,http-enum test-server -p 80,443
# Step 3: Document findings
# Create a simple report:
# Server: [what you found]
# Technologies: [what's running]
# Hidden pages: [what was discovered]
# Security notes: [anything concerning]
# Practice site suggestion: scanme.nmap.org
nmap --script http-title scanme.nmap.org -p 80# Discover your home router (usually 192.168.1.1 or 192.168.0.1)
# Step 1: Find router IP
# Windows: ipconfig | findstr "Gateway"
# Linux/Mac: netstat -rn | grep default
# Step 2: Basic scan
nmap router-ip
# Step 3: Discovery scan
nmap --script "http-* and smb-*" router-ip
# Questions:
1. What model router do you have?
2. What admin interface does it use?
3. Are there any shared folders?
4. What other services are running?# Save in normal text format
nmap --script discovery -oN discovery-results.txt target
# Save in XML format (good for tools)
nmap --script discovery -oX discovery-results.xml target
# Save in all formats at once
nmap --script discovery -oA discovery-results target
# Creates: .nmap, .xml, .gnmap files
# View saved results
cat discovery-results.nmapCreate a simple organization system:
# Create folders for different scans
mkdir -p nmap-scans/{daily,weekly,projects}
# Daily quick scans
nmap --script broadcast-ping -oA nmap-scans/daily/$(date +%Y%m%d)
# Project scans
nmap --script discovery -oA nmap-scans/projects/home-network-$(date +%Y%m%d) 192.168.1.0/24
# Keep a log of what you scanned
echo "$(date): Scanned home network with discovery scripts" >> scan-log.txt- Begin with one script at a time
- Use
-sCfirst (safe scripts only) - Test on your own systems first
- Read the script output carefully
- When a script finds something interesting, research it
- Google terms you don't understand
- Try different scripts on the same target
- Compare results from different scripts
Week 1: http-title, http-headers Week 2: http-enum, smb-os-discovery Week 3: dns-brute, broadcast-ping Week 4: Combine multiple scripts
- Finding security holes automatically
- Checking for common vulnerabilities
- Understanding risk levels
- Reporting vulnerabilities responsibly
- Try one new script each day
- Read the script source code (it's in Lua)
- Join online communities
- Practice on safe, legal targets
Q: Are discovery scripts illegal? A: Using them on your own systems is fine. Using them without permission on others' systems is illegal.
Q: Can discovery scripts damage my computer? A: Safe scripts won't. Some advanced scripts might cause issues if services are unstable.
Q: How do I know which scripts are safe?
A: Start with -sC or --script safe. Read script descriptions with --script-help.
Q: Why don't I see any results?
A: Make sure services are running on scanned ports. Check if scripts are actually being run (use -v for verbose output).
- Use
nmap --script-help script-namefor script info - Check Nmap documentation online
- Join beginner cybersecurity forums
- Practice in isolated virtual machines
# Basic discovery commands:
nmap -sC target # Run safe scripts
nmap --script http-title target # One specific script
nmap --script "http-*" target # All http scripts
nmap --script discovery target # All discovery scripts
# Common discovery scripts:
http-title - Webpage titles
http-enum - Hidden web pages
smb-enum-shares - Shared folders
dns-brute - Subdomains
broadcast-ping - Network devices
# Saving results:
-oN filename.txt # Normal text
-oX filename.xml # XML format
-oA filename # All formats# Your mission: Fully discover a test network
# Use: Your home network OR a virtual lab
# Phase 1: Find all devices
sudo nmap --script broadcast-ping
# Phase 2: For each device found
# Scan for open ports
nmap -F [device-ip]
# Phase 3: Run appropriate discovery
# If web ports open (80,443):
nmap --script "http-*" [device-ip]
# If Windows ports open (445):
nmap --script "smb-*" [device-ip]
# Phase 4: Document everything
# Create a network map document
# List all devices and what you found
# Note any security concerns🎉 Congratulations on completing Day 12! You've taken a huge step forward in your cybersecurity journey. You're no longer just scanning ports - you're discovering hidden information and building a complete picture of networks.
"Discovery is not just finding what's there; it's understanding what could be there. Today you learned to look beyond the obvious."
Remember: With great power comes great responsibility. Use your new discovery skills to protect and secure, not to intrude or harm. Happy (ethical) discovering!