Jered Bare

Cool Things You Can Do With NMAP

Disclaimer: This post is only for informational purposes. Use these scripts at your own risk and always ask for permission. Insert spiderman-great-power-great-responsibility-uncle-ben.jpg

I haven't wrote anything in a while, but I want to write a short article on some cool things you can do with NMAP.
NMAP is more than just a port scanner/discovery tool, you have a whole NSE scripting library full of useful scripts that can do hundreds of things. Personally, I love and use NMAP every day and I hope you will do the same.

New to NMAP? Check out a few commands from my Cheat Sheet.

Checkout for a list of scripts and how to use them.

The website used in the examples ( is mine and I've taken it down before publishing this post.

Brute force protocols

Use Case: Telnet in particular. Password auditing within your environment...which I HIGHLY recommended you get permission. This script is more for playing around at home in your own lab environment. Use this script at your own risk.

Enumerate SSL Ciphers and Scan for TLS Certificates

Use Case: Sometimes developers will be snarky and will setup their own self signed certificates and will use insecure ciphers. You can scan your entire environment for self signed certs and weak ciphers such as 3DES which is vulnerable to SWEET32.

Finding VMWare Versions

Use Case: Don't have a very good inventory or can't afford a vulnerability/discovery scanner? Use this script to find version of VMWare across your environment.

Secondary Vulnerability Scanner

Use Case: Tagging from the above post; did you know you can scan your network for vulnerabilities with NMAP? Utilizing the vuln NSE script you can do just that. Please do not replace any security scanners with this script. This is only to supplement your current tools.

The video below takes too long and doesn't show much of anything. This scan takes a bit to complete.

Check for HTTP Security Headers

Use Case: Need a way to check if HTTP Security headers are implemented correctly? NMAP can do that very quickly. This is a good way to check server headers if you've recently implemented secure HTTP headers.

This is just a small preview of the capabilities of this amazing tool. I highly encourage you to check out to check out this amazing tool. I'll will be writing more on the NSE scripting engine in the future.

I'm an Information Security Professional living in the heart of the Midwest. I have a passion for Information Security and a technology junkie. Connect with me on Twitter: @jeredbare