Friday, July 11, 2025

How to Write Custom Nmap NSE Scripts (Real Example: WordPress Website Detection)

Nmap is one of the most widely used open-source tools for network discovery and vulnerability scanning by Pentesters. The Nmap Scripting Engine (NSE), one of the key features of Nmap, enables us to create custom scripts that automate a variety of tasks, from straightforward service checks to intricate vulnerability exploits. In this blog post, I will teach you how to write your own Nmap NSE scripts.



Nmap NSE scripts 

Nmap NSE scripts is a powerful feature of Nmap, which allows you to write custom scripts to automate network and vulnerability tasks. It's useful because it extends Nmap's functionality for advanced network discovery, checking for vulnerabilities, and even exploiting flaws in addition to port scanning. It helps in automating complicated tasks, and it's also highly customizable as per our needs.

Nmap NSE Structure and How it Works 

Nmap Nse scripts use the Lua light weight programming language. Every Nmap NSE script is Lua file with a specific structure. The key parts include 

Metadata and Scripts Discription : The script's description and metadata provide information about its purpose, author, and categories (such as vulnerability, discovery etc).

Execution rules: This determines when the script will execute, for instance, by focusing on particular ports or services. Usually this is done by defining a port rule or a host rule 

Main action Function: This is the main core of the script where logic lives. It receives the information like the host, port, etc, then runs the script tasks and returns results. By default on Kali Nmap scripts are stored in /usr/share/nmap/scripts/ and they are categorized according to their functionality and use such as discovery, vulnerability, and brute force.





It's best to use the help feature in Nmap to understand more about the particular script using the help option as below.

nmap --script-help <script-name>

The main objective of this blog post is to help you write your custom Nmap NSE script. To achieve this, I will highly advise you to first look at the default built-in Nmap NSE scripts to understand their structure and functionality. Nmap NSE Script has three main components the Head, the Rule, the Action. For more details, please have a look at the official Nmap NSE guide. Understanding them will make it easier for you to write your own scripts 


Custom Nmap NSE Script to Detect Wordpress

The Custom NSE Script finds whether the target website is running on WordPress or not by checking common paths found on WordPress website like /wp-login.php /readme.html and wp-admin to achieve this we first import Lua modules such as http for sending web requests, shortport for selecting which ports to scan and stdnse for handling strings and helper functions. The NSE script is placed in safe and discovery categories. The portrule makes sure that Nmap runs on http ports. portrule uses shortport.http to run the script only on HTTP ports The action which forms the core of the NSE script  gets an optional base path "/" then loops through the urls whcih we mentioned above like wp-login.php etc which are found commonly on WordPress websites by sending a HTTP GET request, if any of these URLs return 200 successful it records them and finally at end of the scan  says WordPress detected as shown in the image below.



 





0 comments : Post Yours! Read Comment Policy ▼
PLEASE NOTE:
We have Zero Tolerance to Spam. Chessy Comments and Comments with Links will be deleted immediately upon our review.

 
Google+