As every coin has two side as a same way we know only the single side of Nmap which is port scanning. While researching I found that a lot more other than port scanning and banner grabbing can be done with the use of Nmap. We can use Nmap for web application pen-testing and exploitation too. Yeah it won't work as efficiently as of MSF. This can replace the use of acunetix and other paid version scanner.

10. Host script results:
| dns-brute:
| DNS Brute-force hostnames:
| admin.vulnweb.com - 176.28.50.165
| firewall.vulnweb.com - 176.28.50.165
|_ dev.vulnweb.com - 176.28.50.165

12. Host script results:
| hostmap-bfk:
| hosts:
| www.nmap.org
| 173.255.243.189
| seclists.org
| sectools.org
| svn.nmap.org
| nmap.org
| hb.insecure.org
| insecure.org
| images.insecure.org
| 189.243.255.173.in-addr.arpa
|_ www.insecure.org

15. Script Output
PORT STATE SERVICE REASON
80/tcp open http syn-ack
| http-email-harvest:
| Spidering limited to: maxdepth=3; maxpagecount=20
| root@examplec.com
|_ postmaster@example.com

17. Script Output
| ms-sql-info:
| Windows server name: WINXP
| 192.168.100.128PROD:
| Instance name: PROD
| Version:
| Named pipe: 192.168.100.128pipeMSSQL$PRODsqlquery
| Clustered: No | 192.168.100.128SQLFIREWALLED:
| Instance name: SQLFIREWALLED
| Version:
| name: Microsoft SQL Server 2008 RTM
| Product: Microsoft SQL Server 2008
| Service pack level: RTM
| TCP port: 4343
| Clustered: No

19. Script Output
Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: regsvc DoS: NOT VULNERABLE
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
| MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)

23. Script Output
PORT STATE SERVICE REASON
80/tcp open http syn-ack
|http-stored-xss:
|Found the following stored XSS vulnerabilities:
|
| Payload: ghz>hzx
|Uploaded on: /guestbook.php
|Description: Unfiltered '>' (greater than sign). An indication of potential XSS
vulnerability.
| Payload: zxc'xcv
| Uploaded on: /guestbook.php

25. Script Output
PORT STATE SERVICE REASON
80/tcp open http syn-ack
| http-dombased-xss:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=some-very-
random-page.com
| Found the following indications of potential DOM based XSS:
|
| Source: document.write("<OPTION
value=1>"+document.location.href.substring(document.location.href.indexOf("defaul
t=")
| Pages: http://some-very-random-page.com:80/, http://some-very- random-
page.com/foo.html

27. PORT STATE SERVICE REASON
80/tcp open http syn-ack
| http-csrf:
|Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=some-very-
random-page.com
| Found the following CSRF vulnerabilities :
|
| Path: http://www.example.com/c/334/watches.html
| Form id: custom_price_filters
|_ Form action: /c/334/rologia-xeiros-watches.html

30. Script Output
PORT STATE SERVICE REASON
80/tcp open http syn-ack
| Testing page /post.html
|
| Successfully uploaded and executed payloads:
| Filename: 1.php, MIME: text/plain
|_ Filename: 1.php3, MIME: text/plain

32. Script Output
PORT STATE SERVICE REASON
443/tcp open https syn-ack
| http-open-redirect:
|_
https://foobar.target.se:443/redirect.php?url=http%3A%2f%2fscanme.nmap.org
%2f

35. Script Output
| [192.168.100.128PROD]
| Credentials found:
| webshop_reader:secret => Login Success
| testuser:secret1234 => PasswordMustChange
|_ lordvader:secret1234 => Login Success