nmap skip port scan but execute --script?

Tags:

nmap

I'm trying to use nmap with a script which works with a normal scan. But when executing nmap -sn --script=... it just finds the host (target) and stops.

What would the command be to scan the target with the script but not do a port scan?

Anagio asked Sep 12 '14 04:09


1 Answer

NSE (Nmap Scripting Engine) scripts are designed to run based on the return value of at least one of four functions (called rules) defined in the script:

  • prerule() - This function is run once at the beginning of the entire scan. If it returns true, then the action function is called with no arguments.
  • portrule(host, port) - This function is run once for every open port on every host. If it returns true, then the action(host, port) function is run for that host and port combination.
  • hostrule(host) - This function is run once for every host that is found to be up. If it returns true, then the action(host) function is run for that host.
  • postrule() - This function works the same as the prerule but is run after all hosts have been scanned.

So when you scan with -sn ("skip port scan"), the portrule scripts will not run at all, since there are "no open ports." The best way to do a targeted script scan is to determine what the relevant ports are and specify them with -p. For instance, if I wanted to run ssh-hostkey without doing a full port scan, I would do this: nmap -p 22 --script ssh-hostkey <targets>

bonsaiviking answered Oct 03 '22 06:10
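The rule selection described in this answer, as an added example that is not part of the original post: a minimal NSE script (Lua) that defines both a hostrule and a portrule, so you can see for yourself that -sn --script reaches the hostrule but never the portrule. The file name, author string and the choice of port 22 are assumptions for the illustration.

```lua
-- rule-demo.nse (assumed file name). Added example, not an Nmap-shipped script.
-- Save it and run:
--   nmap -sn --script ./rule-demo.nse <target>    -> only "hostrule fired"
--   nmap -p 22 --script ./rule-demo.nse <target>  -> hostrule AND, if 22 is open, portrule
local shortport = require "shortport"

description = [[
Shows which NSE rule Nmap evaluates: hostrule runs for every host that is
up (so it still runs under -sn), while portrule runs only for an open port
that a port scan actually discovered.
]]

author = "example (assumed)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Evaluated once per host that is up. Host discovery alone (-sn) is enough
-- to reach this, which is why hostrule scripts still produce output there.
hostrule = function(host)
  return true
end

-- Evaluated once per scanned open port matching the filter. Under -sn no
-- ports are scanned, so this rule is never consulted at all.
portrule = shortport.port_or_service(22, "ssh")

-- Nmap calls action(host) for a hostrule match and action(host, port) for a
-- portrule match, so one action function can report which rule fired.
action = function(host, port)
  if port then
    return ("portrule fired for %s:%d/%s"):format(host.ip, port.number, port.protocol)
  end
  return ("hostrule fired for %s"):format(host.ip)
end
```

Running the two commands against the same host makes the answer's point concrete: the -p 22 run prints both lines when SSH is open, while the -sn run prints only the hostrule line because the port scan that would feed portrule never happens.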