Custom scan for web servers

I want to find every web applications which exist inside our network, as I know a lot of stuff is deployed internally without the knowledge of our team (infosec).
The goal is to find all internal web applications, so they can be added to a queue of security testing.
So I thought about creating a custom scan for that purpose. What I can see that might fit is the HTTP Server Type/Version. Would that be enough, or any other ideas of possible scans that would help me to reach the goal?

Yes, the most basic scan configuration that will detect web-application services would be to clone the “Basic” scan configuration which only includes 2 items in the “Port scanners” family and 1 item in the “Service detection” family, and simply add the “Services” VT (

To make sure that all devices are included in the scan you would want to make sure the alive-test includes more than just ICMP ping, such as TCP-ACK/TCP-SYN and if you are worried about web-servers on non-standard ports, you should use the “All TCP and Nmap top 100 UDP” port list.

However, for more complete results, you may want to include other VTs from the Service detection family such as:
* Embedded Web Server Detection (HTTP)
* Directory Scanner
* Detect HTTP Traffic sent to SSL/TLS enabled Web Server
* Hidden WWW server name
* HTTP Everything
* Secure HyperText Transfer Protocol (S-HTTP) Detection
* Service Detection with ‘GET’ Request
* Services (
* Thin Webserver Detection

For web security scanning include families such as:
* Web Application Abuses
* Web Servers
* Product Detection

1 Like


I’m making some configurations to test the best options.

Thanks for the guidance.