Pentest

Advanced Nmap: NSE Scripts for Internal Recon in a Simulated Corporate Lab

By Equipe Basilisk

How to get real value out of NSE for authorized enumeration on simulated internal networks, with script examples, output parsing, and pentest pipeline integration.

Nmap is not dead, and anyone who thinks otherwise has never opened /usr/share/nmap/scripts. The NSE collection ships more than 600 Lua scripts covering everything from legacy service fingerprinting like JD Edwards to Active Directory enumeration via unauthenticated LDAP. Inside a simulated corporate lab built with GOAD or Ludus, NSE replaces dozens of one-off tools and returns structured XML, which makes the whole tooling chain reproducible. Before any exotic flag, the non-negotiable point is written scope: with no formal authorization, scanning is as wrong as opening someone else's mailbox. We assume an owned, isolated, documented lab here.

Start with the basics done right. An initial sweep with nmap -sS -p- --min-rate 5000 -oA full_tcp 10.10.0.0/24 gives you a complete TCP inventory in minutes over a /24 with low latency. A focused second pass, nmap -sV -sC -p$(cat ports.txt) -oA versioned -iL hosts.txt, runs the default scripts (safe and discovery categories) against the actual open ports. This two-stage flow avoids the classic sin of launching -A across a full /16, which floods probes, lights up the SIEM, and still leaves you without reliable data. If you do not have a lab yet, Web Pentesting From Scratch: Building a Safe Lab with DVWA, Juice Shop and Burp Suite is a tight, reproducible reference.

Where NSE truly shines is in service-specific enumeration. For SMB, scripts like smb-os-discovery, smb2-security-mode, smb-enum-shares, and smb-vuln-ms17-010 reconstruct Windows topology without valid credentials in many cases. For LDAP, ldap-search with (objectClass=user) filters surfaces service accounts, descriptions with passwords pasted in them (more common than anyone admits), and weak password policies. In a GOAD-style AD environment this recon feeds straight into the attack laid out in Active Directory Pentest: Step-by-Step Kerberoasting in a GOAD Lab, where Kerberoasting depends on SPNs identified during recon.

Useful output is parseable output. Always use -oA basename, which produces nmap, gnmap, and XML at once. The XML feeds nmap-parse-output, dnmap, or a custom Python script using python-libnmap. In larger teams, ingesting XML into Elasticsearch and correlating with Sigma rules turns offensive recon into blue team input, closing the loop described in Purple Team in Practice: Building a Red vs Blue Feedback Loop. Avoid dumping raw output into an LLM prompt for a summary: beyond the leakage risk, you lose fields like reason_ttl that are gold for spotting an inline IPS.
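The three pipeline steps above (the stage-one sweep feeding hosts.txt and ports.txt into the -sV pass, the service-specific NSE scripts, and the XML fields such as reason_ttl) can be wired together in a few dozen lines. The script below is an added example, not code from the original post: it parses Nmap XML with the standard-library xml.etree instead of python-libnmap so it runs without extra packages, builds the stage-two inputs, flags hosts whose open ports answered with more than one reason_ttl (a heuristic, assumed here, for a different device such as an inline IPS answering some probes), and emits one service-specific NSE command per host. The XML is a constructed sample in the shape -oA produces, and the service-to-script mapping is this example's own choice using only the scripts the article names.

```python
"""Turn Nmap XML into the next pipeline stage: host/port lists for the -sV pass,
a reason_ttl consistency check, and service-specific NSE commands for validation."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample (not real scan output): trimmed Nmap XML in the shape -oA writes,
# with two live hosts, one down host and one closed port.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -sC -iL hosts.txt -oA versioned" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.10.0.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="389"><state state="open" reason="syn-ack" reason_ttl="128"/><service name="ldap"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="128"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http-proxy"/></port>
<port protocol="tcp" portid="3389"><state state="closed" reason="reset" reason_ttl="128"/></port>
</ports></host>
<host><status state="up" reason="arp-response"/>
<address addr="10.10.0.20" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http"/></port>
</ports></host>
<host><status state="down" reason="no-response"/><address addr="10.10.0.30" addrtype="ipv4"/></host>
</nmaprun>"""

# This example's own mapping (an assumption): Nmap service names -> the scripts the article names.
SMB_SCRIPTS = ["smb-os-discovery", "smb2-security-mode", "smb-enum-shares", "smb-vuln-ms17-010"]
HTTP_SCRIPTS = ["http-enum", "http-title", "http-shellshock"]
SERVICE_SCRIPTS = {
    "microsoft-ds": SMB_SCRIPTS, "netbios-ssn": SMB_SCRIPTS,
    "ldap": ["ldap-search"],
    "http": HTTP_SCRIPTS, "http-proxy": HTTP_SCRIPTS, "http-alt": HTTP_SCRIPTS,
}


def parse_nmap_xml(xml_text):
    """Return one record per open port on each live host (IPv4 address only, MAC ignored)."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            ttl = state.get("reason_ttl")
            records.append({
                "host": addr.get("addr"),
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else "",
                "reason": state.get("reason"),
                "reason_ttl": int(ttl) if ttl else None,
            })
    return records


def stage_two_inputs(records):
    """hosts.txt lines and the -p list the article feeds to the -sV/-sC pass."""
    hosts = sorted({r["host"] for r in records}, key=lambda h: tuple(int(o) for o in h.split(".")))
    ports = ",".join(str(p) for p in sorted({r["port"] for r in records}))
    return hosts, ports


def ttl_anomalies(records):
    """Hosts whose open ports answered with more than one reason_ttl: {host: {port: ttl}}.
    Heuristic (assumption): mixed TTLs from one address suggest another device answered some probes."""
    per_host = defaultdict(dict)
    for r in records:
        if r["reason_ttl"] is not None:
            per_host[r["host"]][r["port"]] = r["reason_ttl"]
    return {h: ttls for h, ttls in per_host.items() if len(set(ttls.values())) > 1}


def stage_three_commands(records, basename="validated"):
    """One service-specific NSE command per host, covering only ports with a mapped service."""
    per_host = defaultdict(lambda: (set(), set()))  # host -> (ports, script names)
    for r in records:
        scripts = SERVICE_SCRIPTS.get(r["service"])
        if scripts:
            ports, names = per_host[r["host"]]
            ports.add(r["port"])
            names.update(scripts)
    cmds = []
    for host, (ports, names) in sorted(per_host.items(), key=lambda kv: tuple(int(o) for o in kv[0].split("."))):
        plist = ",".join(str(p) for p in sorted(ports))
        cmds.append(f"nmap -sV -p{plist} --script {','.join(sorted(names))} -oA {basename}_{host.replace('.', '_')} {host}")
    return cmds


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_XML)
    hosts, ports = stage_two_inputs(recs)
    print("hosts.txt:", "\n".join(hosts))
    print("ports.txt:", ports)
    for h, ttls in ttl_anomalies(recs).items():
        print(f"reason_ttl mismatch on {h}: {ttls} (review for an inline device)")
    print("\n".join(stage_three_commands(recs)))
```

Run it against a real file by replacing SAMPLE_XML with the contents of full_tcp.xml or versioned.xml; the closed RDP port and the down host are dropped by the state checks, and the 8080 reply with TTL 64 on a host whose other ports answer with TTL 128 is what the reason_ttl check surfaces.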

Custom scripts are the real power move. Writing NSE in Lua is simpler than people fear: a single file under ~/.nmap/scripts/ with portrule, action, and categories already runs. In an authorized red team engagement it pays to build checks for internal-specific CVEs, such as unsafe Jenkins configurations or exposed Spring Boot Actuator endpoints. Combine with http-enum, http-title, and http-shellshock to sweep entire application farms in seconds. For the next phase, once you have a foothold and want to pivot into other VLANs, Pivoting with Chisel and Ligolo-ng: Segmented Networks in a Pentest Lab picks up assuming recon is already done.

Mind timing and stateful firewalls. -T4 breaks plenty of old IDS sensors, but today it raises easy alerts in modern XDR. For a realistic lab, tune --max-retries 2, --host-timeout 30m, and --scan-delay 100ms against Suricata NIDS. Use --source-port 53 or --data-length 24 to test sloppy rules that trust the source port, a pattern unfortunately still alive. On long engagements, segment targets per maintenance window and log everything, including failed scans, because they often hint at interesting ACLs worth manual review later.

In the end, NSE does not replace thinking. Nmap finds ports and guesses versions; correlating findings, prioritizing exploit paths, and respecting scope limits is still human work. Practical takeaway: build a three-layer pipeline, broad sweep with -sS -p-, enumeration with -sV --script "safe,discovery", and validation with service-specific NSE, always exporting XML for downstream parsing. In two hours you will map a corporate /24 better than many paid automated scanners do. And remember, without written authorization, none of this is a pentest, it is a crime.
