I know that the -sC and -A options run the "default" category of scripts (--script=default):
https://nmap.org/book/nse-usage.html
I've searched the nmap script folder for a default sub-folder, but cannot seem to find any.
How can I see what scripts are included in the different categories of nmap scripts?
The scripts included in the default category (and every other category) can be found here in the NSE documentation.
Edit: additionally, you can look into each script in your scripts directory to find a line like this:
categories = {"default", "safe"}
This will tell you every category that the script is a member of, and allows you to change the membership of any script, as well as create custom categories if you wish.
The --script-help option accepts the same boolean-and-wildcard syntax as the --script option and can be used to get information about all the scripts that would be selected. If you need to extract just the names of the scripts, you can use the XML output format:
nmap --script-help default -oX - | awk -F\" '/^<script /{print $2}' | xargs basename -s .nse
This lists all the scripts in the "default" category. The awk command extracts the file path, and the basename command removes the ".nse" file extension. You can use other combinations like "safe and not default" to see what those would select (in this case, scripts that are considered "safe" but not in the default category because they may require extra script arguments to run or may take a long time.)
