I did not find any protocol documentation but I assume it is a relatively simple protocol and could be easily reverse-engineered by looking at the network traffic with Wireshark.
Setting up a suitable test server or emulating it may of course be a problem unless the implementer is a C64 wizard.
Checking whether DANE is configured properly would be a great use of NSE, combining our DNS and SSL NSE libraries into a useful script that could help security researchers and domain administrators alike.
In progress as dnssec-check-config: https://github.com/nmap/nmap/pull/497
DNS names have all sorts of special rules and things that we would like to handle better. Public suffix handling could replace the (outdated) whitelist of TLDs in
They can be discussed here and will also be moved to another section (and potentially discussed further) by the NSE team when they do periodic reviews.
Extend smbv2-enabled to enumerate the SMB versions available.
The "high-priority" section is for ideas that are definitely wanted.
Only Nmap developers should move things into these latter two categories.
Note: edit/comment on this security.stackexchange answer if/when this is done: https://security.stackexchange.com/a/155773/9209
This script can DoS an Oracle MySQL server from version 5.6.13 till 5.7.17. The script is here: https://github.com/nmap/nmap/pull/877.
This script would attempt to extract a list of files, versions, and other high-level information from a server that implements Language Server Protocol.
Script args should be supported that would cause additional information -- chunks of source code, ideally -- to be exported.
Of course there might also be popular protocols that are unregistered. I assume the script could try connecting to the root resource by default but in that case it won't be able to connect to Web Sockets under other resource names.