Scanning gRPC over TLS with the Nmap GRPCS Prefix
The terminal cursor blinks. You type nmap grpcs://target --script yourscript, and the scan begins.
Nmap does not natively support grpcs:// URLs like it does HTTP or HTTPS. But scanning gRPC over TLS is possible if you know how to set up the right prefixes and scripts. The “Nmap GRPCS prefix” method is about feeding the scanner the correct transport and port details so your scan works across encrypted service definitions.
gRPC uses HTTP/2 as its transport. For gRPC over TLS, this means Nmap must negotiate TLS with ALPN set to h2. Without this, probes fail or return incomplete results. You can handle the Nmap GRPCS prefix by mapping grpcs to ssl in your NSE script options, or by specifying the TLS handshake explicitly in your arguments.
Example command:
nmap -p 443 --script grpc-info --script-args grpc-info.target=/helloworld.Greeter,grpc-server=ssl:example.com example.com
Here, the ssl: acts as the functional Nmap GRPCS prefix, even though Nmap itself calls it SSL. The NSE script then uses this channel to send gRPC reflection or specific method calls. By chaining with scripts like grpc-dump or your own custom NSE, you enumerate available services, methods, and descriptors securely.
For scanning internal microservices, run Nmap against your service endpoints with the prefix and the gRPC-aware NSE scripts. Always match port numbers to your deployment. --script-args grpc-info.use_tls=true ensures proper encryption handling. To test reflection or schema exposure, point the script directly at the host:
nmap -p 50051 --script grpc-reflect --script-args grpc-reflect.use_tls=true,grpc-reflect.host=ssl:grpc.internal.local grpc.internal.local
Understanding the Nmap GRPCS prefix is about mapping the right transport layer in your commands so your TLS gRPC scans behave consistently. Pair it with service-specific NSE scripts, and you can baseline, test, and audit gRPC endpoints without guesswork.
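Because gRPC over TLS depends on ALPN negotiating h2, a baseline audit can start from Nmap's stock tls-alpn script (for example, nmap -p 443,50051 --script tls-alpn -oX scan.xml against your own hosts) and check which ports actually offer h2. The following is an added example, not code from the original article: the XML sample is constructed, and the expected gRPC port set is an assumption you replace with your deployment's ports.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output from the tls-alpn script (not real scan data).
SAMPLE_XML = """<nmaprun>
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/>
        <script id="tls-alpn" output="&#10;  h2&#10;  http/1.1">
          <elem>h2</elem><elem>http/1.1</elem>
        </script>
      </port>
      <port protocol="tcp" portid="50051"><state state="open"/>
        <script id="tls-alpn" output="&#10;  http/1.1"><elem>http/1.1</elem></script>
      </port>
      <port protocol="tcp" portid="8443"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>"""

def alpn_by_port(xml_text):
    """Map (address, port) -> ALPN protocols reported by tls-alpn, open ports only."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no ALPN result
            script = port.find("script[@id='tls-alpn']")
            protos = []
            if script is not None:
                protos = [e.text.strip() for e in script.iter("elem") if e.text]
                if not protos:  # fall back to the human-readable output attribute
                    protos = script.get("output", "").split()
            result[(addr, int(port.get("portid")))] = protos
    return result

def audit(xml_text, expected_grpc_ports):
    """Return (ports offering h2, expected gRPC ports that do not offer h2)."""
    seen = alpn_by_port(xml_text)
    h2_ready = sorted(k for k, v in seen.items() if "h2" in v)
    missing = sorted(k for k in seen if k[1] in expected_grpc_ports and k not in h2_ready)
    return h2_ready, missing

if __name__ == "__main__":
    print(audit(SAMPLE_XML, {50051}))
```

A port in the second list is one where a TLS gRPC client would fail to negotiate HTTP/2, which usually points at a TLS terminator or proxy that is not configured to advertise h2.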