by Nmap is not only a port scanner that could be used for scanning ports on a machine but also contains a script engine that offers the ability to execute scripts that could be used for more in-depth discovery of a target.
Nmap includes a variety of ready-made scripts that could be used for that reason.You can run scripts one at a time or you can execute scripts by category.Of course Nmap offers the option to execute multiple scripts at a time.
Currently the Nmap has the following Script Categories:
Execute Scripts Related to Authentication
As you can see from the image below we have selected to execute the Auth scripts against a target in our network.From the results we can see that Nmap has successfully discover the users accounts on the remote machine and the Domain name.
Run Default Scripts
The default scripts category will expose information about the operating system,the workgroup name, the netbios names etc.You can see the image below for more details:
Running Scripts that contacting external sources
There is a category of scripts called external that performs an automatic Web Whois to the target and discovers additional information like the geographical location,the name of the organization and the net range.
Executing the Discovery Scripts
This category of scripts is ideal when we need to have as much information as possible for a specific target.The next two images are a sample of what kind of information could be delivered to us when we run the Discovery Scripts.
Scanning with Safe Scripts
This category could be used when we want to run scripts that are less intrusive to the target so it will be less likely to cause any disruption to the remote system.As we can see in the next two images the scripts have discovered the router IP address,the domain name of the network and the master browser.
Check targets for common vulnerabilities
Another category of scripts is the vuln.These kind of scripts will check your target host for common vulnerabilities.In the example below the target is running Windows XP.
As we can see the Nmap scripts have successfully discovered the vulnerability that affects Windows XP operating systems.With those kind of scripts we can have an early indication of vulnerable targets and what exploits we should use as a start.
Update the Script Database
You can use the command nmap –script-updatedb in order to update the scripts database.
Have in mind that you can browse the database scripts in order to find the ones you need.The default storage location of the scripts in Windows is at:
C:\Program Files\Nmap\scripts
and in Unix Versions
/usr/share/nmap/scripts or
/usr/local/share/nmap/scripts
Conclusion
The drawback of executing scripts by category is that the scan will take longer because the Nmap Scripting Engine will run all the scripts in the category.From the other hand this is the easiest way and you will not tangle with hundreds of scripts.
However the best option is to know what kind of information you want to retrieve in order to select the appropriate scripts from each category.Also it is always good to know how to produce your own scripts that will cover exactly your needs.
Penetration Testing Lab 
Excellent article
Pretty useful article, this one goes to my favs for sure, thanks!
awesome post mate, keep up the good work
Hi, useful article this one…..I am currently using nmap 6.25 for testing some features on IPv6 networks…It seems I cannot get the discovery script to run for an ipv4 and ipv6 address which is on another subnet… For example say my host is 2001:3::21( Ipv4 address 10.0.3.21) and I need to scan 2001:1::28 (Ipv4 address 10.0.1.28 ). when i run the script it returns all the ipv6 hosts of 2001:3 but not for 2001:1 which is the intended target. I need to find available Ipv6 hosts of another subnet from my machine.Is there some way to do that? Can someone help please?
It’s actually a nice and helpful piece of info.
I am happy that you simply shared this useful info with us.
Please keep us informed like this. Thanks for sharing.