Nmap scripting engine categories:
- auth — Probes for information about service authentication and bypasses. Does not conduct brute-force attacks.
- broadcast — Host/network probes using broadcast packets.
- brute — Attempt to brute-force service credentials.
- default — A curated list of fast, reliable scripts. Can also be called using -sC.
- discovery — Gather additional information about scanned machines/ports.
- dos — Scripts that may crash machines/services.
- exploit — Attempt to actually exploit identified services.
- external — Scripts that send data to third-party services.
- fuzzer — Fuzz identified services.
- intrusive — Scripts that may crash a service, generate lots of log messages, or are otherwise noise / may be considered malicious.
- malware — Test for the possible presence of malware on the target.
- safe — The opposite of “intrusive”: scripts that are unlikely to be noisy or perceived as malicious (no guarantees though).
- version — Scripts called by -sV. Unlike “default”, this category cannot be called directly.
- vuln — Check for potential vulnerabilities. I’ve found that scripts in this category generate a lot of false positives.
You can also run your own scripts.