DevDigest

How to Use Nmap Scripting Engine (NSE) in Termux

Master the Nmap Scripting Engine in Termux. Learn how to automate scans, uncover vulnerabilities, and boost your recon game with powerful NSE scripts.

Tags: , , , , , , , , ,
Filipina techie Calista using a laptop with Termux open, seated on a city rooftop at night, lights in the background and terminal glow on her glasses. Pin It!
Calista scans networks from the rooftop using the Nmap Scripting Engine in Termux—urban recon meets open-source power.

The first time I used the Nmap Scripting Engine, I was just poking around—expecting a basic port scan. What I got instead was a goldmine. Default credentials, exposed services, even a misconfigured internal dashboard. All from a single command. That’s when it hit me: Nmap Scripting Engine isn’t just a feature—it’s an entire toolkit hidden in plain sight.

In Termux, using NSE gives your Android device real teeth. It’s the difference between simply scanning and truly knowing what’s running behind that IP address.

Ready to unlock the secrets of NSE and turn your Termux setup into a portable reconnaissance powerhouse? Let’s dive in.

Before proceeding, make sure you have Nmap installed in your Termux environment. You can follow our Nmap installation guide here for step-by-step instructions.

Table of Contents

Pin It!
Pin It!
Pin It!

What is Nmap Scripting Engine (NSE)?

Before we dive into commands, let’s talk about what makes the Nmap Scripting Engine (NSE) such a powerful tool. NSE extends Nmap’s capabilities far beyond simple port scanning. It allows users to automate a wide range of network tasks using small scripts written in Lua—ranging from version detection to brute-force logins, vulnerability scanning, and even backdoor detection.

The real magic? NSE makes deep reconnaissance fast, repeatable, and incredibly accessible—even on mobile devices via Termux.

Learn more about basic Nmap commands in our Basic Network Scans with Nmap in Termux guide.

Pin It!

· · ─ ·𖥸· ─ · ·

Running Your First NSE Script

Let’s say you want to find out the title of a webpage hosted on a specific IP. NSE makes that as simple as this:

nmap --script=http-title -p 80 192.168.1.1

What it does:

  • Scans port 80 (HTTP)
  • Uses the http-title script to retrieve the <title> tag of the hosted webpage

Sample output:

PORT   STATE SERVICE
80/tcp open  http
| http-title: Welcome to nginx!

That’s insight in seconds—no browser required..

· · ─ ·𖥸· ─ · ·

Exploring NSE Script Categories

Nmap includes hundreds of pre-installed scripts, all grouped by category. You can list them using:

nmap --script-help

Here are a few useful categories to get you started:

CategoryPurpose
defaultStandard scripts run with -sC
authAuthentication bypass and checks
bruteLogin brute-force attempts
vulnVulnerability detection
discoveryGeneral information gathering
malwareBackdoor and botnet detection

To run multiple scripts from a category:

nmap --script=auth 192.168.1.1

· · ─ ·𖥸· ─ · ·

Use Cases for NSE

The following examples demonstrate how to use NSE scripts in different scenarios.

Example 1: Enumerating Web Directories

NSE can be used to enumerate directories on a web server using the http-enum script. This is useful for uncovering hidden directories or sensitive files on a target web application.

$ nmap --script http-enum -p 80 <target>

Output:

PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|   /admin/  [Status: 403, Size: 304]
|   /backup/ [Status: 200, Size: 1024]
|   /test/   [Status: 404, Size: 512]

Explanation:
This output shows that Nmap has scanned port 80 of the target and used the http-enum script to find available directories. The /admin/ directory returned a 403 Forbidden status, meaning it exists but is restricted. The /backup/ directory is accessible with a 200 OK status, while /test/ does not exist (404 Not Found). This type of information is essential when performing web application testing to discover sensitive or overlooked files.

Example 2: Brute-forcing DNS Records

Another useful NSE script is dns-brute, which brute-forces DNS subdomains. This is helpful for uncovering subdomains that are not listed in public records.

$ nmap --script dns-brute <target>

Output:

Starting dns-brute scan against target.com
| dns-brute:
|   www.target.com - 93.184.216.34
|   mail.target.com - 93.184.216.34
|   ftp.target.com - 93.184.216.34
|   dev.target.com - No record found

Explanation:
Here, the dns-brute script found the subdomains www.target.com, mail.target.com, and ftp.target.com, all pointing to the IP 93.184.216.34. The script did not find any records for dev.target.com. Subdomain enumeration is vital in a penetration test, as it reveals additional attack surfaces that could be exploited.

Example 3: Vulnerability Detection

One of the most powerful features of NSE is the ability to use scripts for vulnerability detection. The vuln category groups multiple scripts designed to detect known vulnerabilities in services.

$ nmap --script vuln -p 80,443 <target>

Output:

PORT   STATE SERVICE
80/tcp open  http
| http-vuln-cve2017-5638:
|   VULNERABLE:
|   Apache Struts CVE-2017-5638 Remote Code Execution
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       Apache Struts 2 vulnerability allows remote attackers to execute arbitrary code.
|
|_http-vuln-cve2017-9805:
|   VULNERABLE:
|   Apache Struts CVE-2017-9805 Remote Code Execution

Explanation:
In this example, Nmap detected vulnerabilities on port 80. Specifically, it found CVE-2017-5638 and CVE-2017-9805, both associated with Apache Struts. These vulnerabilities allow remote code execution, making them critical issues that should be addressed immediately. The vuln script set is useful for auditing systems and detecting unpatched services.

· · ─ ·𖥸· ─ · ·

Where Are NSE Scripts Stored?

On Termux, or any Linux-based system with Nmap installed, scripts are typically stored in:

/data/data/com.termux/files/usr/share/nmap/scripts/

Here, you’ll find a treasure trove of .nse files, organized by function. You can also drop your own Lua-based scripts here.

To run a custom script:

nmap --script=/full/path/to/myscript.nse 192.168.1.1

And just like that, Nmap becomes whatever tool you need it to be.

· · ─ ·𖥸· ─ · ·

Creating Custom NSE Scripts

In addition to the built-in scripts, you can also write your own NSE scripts for custom tasks. This is particularly useful if you need to perform highly specialized scans. NSE scripts are written in Lua, and Termux allows you to easily manage and execute your own scripts.

Here’s an example of a simple custom NSE script:

description = [[
  A custom script to ping hosts and report status.
]]

categories = {"discovery"}

action = function(host)
  return "Host " .. host.ip .. " is up!"
end

Save the script in your Nmap scripts folder and run it like so:

$ nmap --script my_custom_script.nse <target>

Output:

Host 192.168.1.1 is up!
Host 192.168.1.2 is up!

Explanation:
This basic custom script checks if a host is alive and returns a simple message indicating that it’s reachable. Custom scripts can be tailored to specific needs, making NSE a flexible and powerful tool.

· · ─ ·𖥸· ─ · ·

Nmap Scripting Engine in Termux = Mobile Recon Mastery

You’ve now seen what the Nmap Scripting Engine can do—on your phone, no less. From quick recon to deep enumeration, NSE brings real automation to your scans. Running these scripts in Termux isn’t just convenient—it’s powerful, stealthy, and portable.

Once you experience what NSE can uncover, you’ll wonder how you ever did recon without it.

Keep exploring. Combine NSE with other tools in Termux, build your script library, and level up your skills—because mobile hacking isn’t the future, it’s the now.

How to Perform Advanced Nmap Scanning in Termux

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments (

)