Overview

scan4all integrates with Nmap to provide powerful port scanning capabilities. When available, Nmap is automatically detected and used for fast, comprehensive port scanning with optimized parameters that can outperform masscan in many scenarios.

Enabling Nmap Integration

Prerequisites

Nmap must be installed on your system:
# Ubuntu/Debian
sudo apt-get install nmap

# macOS
brew install nmap

# CentOS/RHEL
sudo yum install nmap

Root Password Configuration

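Nmap integration requires root privileges for SYN scanning. You must set the PPSSWWDD environment variable with your root password; scan4all pipes this value to sudo -S when it launches Nmap. The password is held in plain text in the environment of the shell and of every process started from it, and typing the export on the command line stores it in shell history, so set it only in the session that runs the scan and unset it afterwards.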
export PPSSWWDD=yourRootPassword

Configuration

Enable Priority Nmap

By default, Nmap scanning is enabled when available. Control this behavior with the priorityNmap flag:
# Enable Nmap (default)
priorityNmap=true ./scan4all -l targets.txt

# Disable Nmap, use naabu instead
priorityNmap=false ./scan4all -l targets.txt

In config/config.json:
{
  "priorityNmap": true,
  "nmapScan": "echo $PPSSWWDD|sudo -S nmap ",
  "nmap": "nmap -n --unique --resolve-all -Pn --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m -oX {filename} --version-intensity 9 --min-rate 10000 -T4 "
}

Optimized Nmap Parameters

scan4all uses carefully tuned Nmap parameters for maximum performance:
nmap -F --top-ports=65535 \
  -n --unique --resolve-all \
  -Pn \
  -sU -sS \
  --min-hostgroup 64 \
  --max-retries 0 \
  --host-timeout 10m \
  --script-timeout 3m \
  --version-intensity 9 \
  --min-rate 2000 \
  -T4

Parameter Breakdown

| Parameter | Purpose |
| --- | --- |
| -F --top-ports=65535 | Fast scan of common ports |
| -n --unique --resolve-all | No DNS resolution, unique results |
| -Pn | Skip host discovery (treat all hosts as online) |
| -sU -sS | UDP and TCP SYN scanning |
| --min-hostgroup 64 | Scan groups of 64 hosts in parallel |
| --max-retries 0 | No retries for speed |
| --host-timeout 10m | Maximum time per host |
| --version-intensity 9 | Aggressive version detection |
| --min-rate 2000 | Send at least 2000 packets/second |
| -T4 | Aggressive timing template |

The XRate variable in config/doNmapScan.sh controls the minimum packet rate. Default is 2000 packets/second.

Using Nmap Scan Results

Direct Import

You can import existing Nmap XML results directly, skipping the port scanning phase:
# Import Nmap XML results
./scan4all -l nmapResult.xml -v

# Importing an XML file automatically sets noScan=true; it can also be set explicitly
noScan=true ./scan4all -l nmapResult.xml -v

Custom Nmap Scans

Run your own Nmap scan and import results:
# Run custom Nmap scan
sudo nmap -sS -sV -oX custom_scan.xml -iL targets.txt

# Import into scan4all
./scan4all -l custom_scan.xml -v

Skip Port Scanning

When you already have scan results or want to test specific URLs:
# Skip all port scanning
noScan=true ./scan4all -l urls.txt -v

# Useful for:
# - Testing known URLs
# - Re-scanning previous results
# - Vulnerability-only scans

Advantages and Limitations

Advantages

Speed

Optimized parameters provide faster scanning than default configurations

Accuracy

Nmap’s mature service detection provides reliable fingerprinting

Protocol Support

Supports 146 protocols with 90,000+ port scanning rules

Limitations

Network Traffic Considerations

Nmap generates significant network traffic. In poor network conditions, this may lead to:
  • Incomplete results due to packet loss
  • Network congestion
  • Potential detection by security systems
For unreliable networks, consider using naabu instead with priorityNmap=false.

Scan Progress

Monitor scanning progress with statistics:
./scan4all -l targets.txt -stats=true

Alternative: Naabu

When Nmap is not available or priorityNmap=false, scan4all falls back to naabu:
# Use naabu for port scanning
priorityNmap=false ./scan4all -l targets.txt -v

Naabu configuration in config/config.json:
{
  "naabu": {
    "TopPorts": "http",
    "ScanAllIPS": true,
    "Threads": 50,
    "EnableProgressBar": false
  }
}

Script Integration

The Nmap integration is handled by config/doNmapScan.sh. You can customize this script for your needs:
config/doNmapScan.sh
#!/bin/bash
# Minimum packet rate passed to --min-rate
XRate=2000
# $1: a single target, or a file of targets (passed with -iL); $2: XML output file
function doMasScan {
    if [[ -f "$1" ]] ; then
        # Quoting keeps passwords and paths containing spaces or glob characters intact
        printf '%s\n' "$PPSSWWDD" | sudo -S nmap -F --top-ports=65535 -n --unique --resolve-all -Pn -sU -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate "${XRate}" -T4 -iL "$1" -oX "$2"
    else
        printf '%s\n' "$PPSSWWDD" | sudo -S nmap -F --top-ports=65535 -n --unique --resolve-all -Pn -sU -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate "${XRate}" -T4 "$1" -oX "$2"
    fi
}
doMasScan "$1" "$2"

Best Practices

  1. Set Environment Variable: Always export PPSSWWDD before scanning
  2. Test Network: Verify network stability before large scans
  3. Adjust Rate: Modify XRate if experiencing packet loss
  4. Monitor Progress: Use -stats=true for long-running scans
  5. Save Results: Import Nmap XML for repeat analysis without rescanning

Troubleshooting

Nmap Not Found

# Check if Nmap is installed
which nmap

# Install if missing
sudo apt-get install nmap

Permission Denied

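# Ensure PPSSWWDD is set (without printing the password to the terminal)
[ -n "$PPSSWWDD" ] && echo "PPSSWWDD is set" || echo "PPSSWWDD is not set"

# Re-export if needed
export PPSSWWDD=yourPassword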

Incomplete Results

# Reduce scan rate for unstable networks
# Edit config/doNmapScan.sh and lower XRate
XRate=500  # Slower but more reliable

# Or disable Nmap entirely
priorityNmap=false ./scan4all -l targets.txt
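
To judge whether an Nmap XML file is complete before importing it, the following added example (not part of scan4all; the function name audit_nmap_xml and the sample XML are constructed for illustration) lists open ports, hosts that hit --host-timeout, and probes that got no response. With --max-retries 0 a single dropped packet is reported the same way as a filtered port, so a high no-response count on a lossy network is a reason to lower XRate and rescan.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output (not from a real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sU -sS --max-retries 0 --min-rate 2000 -oX out.xml">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="95"><extrareasons reason="no-responses" count="95"/></extraports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
      <port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/></port>
    </ports>
  </host>
  <host timedout="true"><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
  <runstats><finished exit="success"/><hosts up="2" down="0" total="2"/></runstats>
</nmaprun>"""


def audit_nmap_xml(xml_text):
    """Summarise open ports and signs of an incomplete scan in Nmap XML output."""
    root = ET.fromstring(xml_text)
    # <runstats><finished/> is only written when Nmap ends the run normally.
    report = {"open": [], "timed_out": [], "no_response": 0,
              "complete": root.find("runstats/finished") is not None}
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        if host.get("timedout") == "true":  # host exceeded --host-timeout
            report["timed_out"].append(addr)
        for port in host.iter("port"):
            state = port.find("state")
            if state is None:
                continue
            if state.get("state") == "open":
                report["open"].append((addr, port.get("protocol"), int(port.get("portid"))))
            elif state.get("reason") == "no-response":  # filtered or lost probe
                report["no_response"] += 1
        for extra in host.iter("extrareasons"):  # ports Nmap grouped together
            if extra.get("reason") in ("no-response", "no-responses"):
                report["no_response"] += int(extra.get("count", "0"))
    return report


if __name__ == "__main__":
    print(audit_nmap_xml(SAMPLE_XML))
```

A file from an interrupted scan is usually not well-formed XML, so ET.fromstring raises ParseError on it; treat that as an incomplete result as well.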
