Scanning gRPC Services with Nmap

Nmap has powerful NSE (Nmap Scripting Engine) scripts for identifying and probing gRPC services. A gRPC endpoint won’t speak plain HTTP, so basic banner grabbing fails. When Nmap detects one, you can use specialized scripts to map methods, enumerate services, and validate targets—without guessing.

A standard Nmap scan with -sV might report a port as HTTP/2 without any further detail. Adding --script "grpc*" (quoted so the shell does not expand the wildcard) unlocks deeper inspection for gRPC endpoints. These scripts use protocol-specific handshakes to pull service definitions and method names. If the gRPC server reflection service is enabled, Nmap can list RPC methods directly, speeding reconnaissance and service mapping.

Example:

nmap -p 50051 --script grpc-info <target>

This will attempt to communicate with the gRPC reflection service on the target port. The output can reveal:

  • Service names
  • Available RPC methods
  • Parameter and return types
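
What a reflection listing looks like on the wire, as an added example (not part of the original page and not code from any Nmap script): the Python below builds the framed list_services request, decodes a constructed ServerReflectionResponse, and reports advertised services that are missing from an intended allowlist. Field numbers follow the published grpc.reflection proto; the helper names, the allowlist and the service names payments.v1.Ledger and debug.v1.Profiler are assumptions.

```python
import struct

def read_varint(buf, pos):  # decode one protobuf varint; return (value, next_pos)
    value = shift = 0
    while True:
        value |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not buf[pos - 1] & 0x80:
            return value, pos

def ld_fields(buf):
    """Yield (field_number, payload) for each length-delimited field in buf."""
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        size, pos = read_varint(buf, pos)
        if key & 7 != 2 or pos + size > len(buf):
            raise ValueError("non length-delimited or truncated field")
        yield key >> 3, buf[pos:pos + size]
        pos += size

def ld(num, payload):  # encode one length-delimited field (payload under 128 bytes)
    assert len(payload) < 128
    return bytes([(num << 3) | 2, len(payload)]) + payload

def frame(body):  # gRPC framing: 1-byte compressed flag + 4-byte big-endian length
    return struct.pack(">BI", 0, len(body)) + body

def list_services_request():
    """ServerReflectionRequest with list_services (field 7); the content is not checked."""
    return frame(ld(7, b"*"))

def listed_services(framed):
    """Return the service names carried in a framed ServerReflectionResponse."""
    compressed, size = struct.unpack(">BI", framed[:5])
    if compressed or size != len(framed) - 5:
        raise ValueError("compressed or truncated gRPC message")
    return [name.decode()
            for num, lsr in ld_fields(framed[5:]) if num == 6  # list_services_response
            for n2, svc in ld_fields(lsr) if n2 == 1           # repeated ServiceResponse
            for n3, name in ld_fields(svc) if n3 == 1]         # ServiceResponse.name

def unexpected(names, allowlist):  # advertised services not on the intended list
    return sorted(set(names) - set(allowlist))

# Constructed sample response; the two non-reflection service names are hypothetical.
NAMES = (b"grpc.reflection.v1alpha.ServerReflection", b"payments.v1.Ledger", b"debug.v1.Profiler")
SAMPLE = frame(ld(6, b"".join(ld(1, ld(1, n)) for n in NAMES)))
```

Anything returned by unexpected() for your own service is surface that reflection advertises to any client able to reach the port, which is the same information a scan would collect.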

You can also chain gRPC NSE scripts with vulnerability scans to detect misconfigurations, exposed debug endpoints, and weak authentication in microservice backends. This is critical when scanning Kubernetes clusters, internal APIs, or cloud workloads.

When scanning gRPC with Nmap, keep scope and permissions in mind. Because gRPC uses HTTP/2, it often runs over TLS on ports like 443, 50051, or custom service ports. Use --script-args in Nmap to set custom headers, metadata, or authentication tokens if the service requires them.

Nmap gRPC scanning is part of a fast, targeted workflow for identifying and mapping API attack surfaces. With the right script set, you can go from a raw port number to a detailed service map in minutes—no fuzzing, no blind guessing.

Run it. See what your gRPC services are really exposing. Then plug the results straight into hoop.dev and watch them come alive in a secure, interactive session—up and running in minutes.