Overview
Optimizing scan4all performance is crucial for large-scale security assessments. This guide covers configuration options, hardware considerations, and best practices for maximum efficiency.
Port Scanning Optimization
nmap Configuration
scan4all uses optimized nmap parameters by default:
nmap -n --unique --resolve-all -Pn --min-hostgroup 64 --max-retries 0 \
--host-timeout 10m --script-timeout 3m -oX {filename} \
--version-intensity 9 --min-rate 10000 -T4
--min-hostgroup 64: Scans 64 hosts in parallel--min-rate 10000: Minimum packet rate of 10,000 per second--max-retries 0: No retries for faster completion-T4: Aggressive timing template
You can customize nmap parameters in config/config.json under the "nmap" key.
naabu Configuration
Configure naabu settings in config/config.json:
{
"naabu": {
"TopPorts": "1000",
"ScanAllIPS": true
}
}
TopPorts: Number of most common ports to scan (default: 1000)ScanAllIPS: Scan all IPs when a domain resolves to multiple addresses
Choosing the Right Scanner
| Scanner | Best For | Speed | Accuracy |
|---|
| nmap | Good networks, detailed fingerprinting | Fast | High |
| naabu | Poor networks, basic port detection | Very Fast | Medium |
export PPSSWWDD=yourRootPassword
export priorityNmap=true
./scan4all -l targets.txt
priorityNmap=false ./scan4all -l targets.txt
DNS Configuration
Optimize DNS resolution for faster scanning:
{
"naabu_dns": {
"resolver": ["8.8.8.8", "1.1.1.1"],
"rate-limit": 150
}
}
Thread Configuration
nuclei Threads
Configure POC scanning parallelism:
{
"nuclei": {
"threads": 50,
"bulk-size": 25,
"rate-limit": 150
}
}
Higher thread counts increase speed but may trigger rate limiting or WAF detection. Start conservative and increase gradually.
httpx Configuration
Optimize HTTP probing:
{
"httpx": {
"threads": 50,
"rate-limit": 150,
"timeout": 10
}
}
Elasticsearch Threads
For result storage performance:
Increase this value when writing large volumes of results to Elasticsearch.
Cache Management
Enable Caching
Caching dramatically improves performance on repeated scans:
{
"CacheName": ".DbCache",
"autoRmCache": "false"
}
- Avoids rescanning known targets
- Speeds up incremental assessments
- Reduces network traffic
Cache behavior:
autoRmCache: true - Automatically deletes cache after scanautoRmCache: false - Preserves cache for next scan
Disable auto-removal when scanning similar targets repeatedly (e.g., continuous monitoring).
System Optimization
File Descriptor Limits
For large-scale scanning, increase system limits:
Check current limits:
ulimit -a
awk '{print $1}' /proc/sys/fs/file-nr
/etc/security/limits.conf:
* soft nofile 819200
* hard nofile 819200
Docker Elasticsearch Optimization
When using Elasticsearch for results:
docker run --restart=always --ulimit nofile=65536:65536 \
-p 9200:9200 -p 9300:9300 -d --name es \
-v $PWD/logs:/usr/share/elasticsearch/logs \
-v $PWD/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml \
-v $PWD/config/jvm.options:/usr/share/elasticsearch/config/jvm.options \
-v $PWD/data:/usr/share/elasticsearch/data \
hktalent/elasticsearch:7.16.2
config/jvm.options):
Set to 50% of available RAM, but not exceeding 31GB.
Network Optimization
Bandwidth Considerations
Optimal scanning rates by connection:
| Connection | Recommended Rate | Max Threads |
|---|
| 1 Gbps LAN | 10,000 pps | 100 |
| 100 Mbps | 5,000 pps | 50 |
| Poor/Remote | 1,000 pps | 25 |
Network Quality Detection
If experiencing packet loss or incomplete results:
-
Reduce scan rate:
# Edit config/config.json
"nmap": "nmap ... --min-rate 5000 ..."
-
Switch to naabu:
priorityNmap=false ./scan4all -l targets.txt
-
Enable retries:
Modify nmap command to include
--max-retries 1
Target List Preparation
Deduplicate and sort:
sort -u targets.txt -o targets_clean.txt
# Group by resolved IP
for domain in $(cat domains.txt); do
echo "$domain,$(dig +short $domain)" >> domain_ip.csv
done
Precision Scanning
For URL lists with specific paths:
export UrlPrecise=true
./scan4all -l urls.txt
Disable Expensive Features
When speed is critical:
# Disable subdomain enumeration (very slow)
export EnableSubfinder=false
# Disable SSL deep parsing
export ParseSSl=false
# Disable honeypot detection
export EnableHoneyportDetection=false
./scan4all -l targets.txt
Skip Specific Scan Types
Port scanning only:
./scan4all -l targets.txt -verify=false -np
noScan=true ./scan4all -l nmap_results.xml
Password Brute Force Optimization
Custom Dictionaries
Use targeted dictionaries instead of default wordlists:
{
"ssh_username": "custom/ssh_users.txt",
"ssh_pswd": "custom/top100_passwords.txt",
"HydraUser": "custom/common_users.txt",
"HydraPass": "custom/common_passwords.txt"
}
Smaller, targeted dictionaries are faster and often more effective than large generic wordlists.
Disable Password Brute Force
If not needed:
priorityNmap=false ./scan4all -l targets.txt
config/config.json by setting empty dictionary paths.
Enable Statistics
Track scanning progress:
./scan4all -l targets.txt -stats=true
Verbose Logging
For debugging performance issues:
./scan4all -l targets.txt -v -debug
Verbose logging significantly slows down scanning. Use only for troubleshooting small batches.
Index Optimization
Initialize indices before large scans:
Bulk Insert Configuration
{
"enableEsSv": true,
"esthread": 16,
"esUrl": "http://127.0.0.1:9200/%s_index/_doc/%s"
}
Query Optimization
Use specific queries instead of scanning all results:
# Query specific host
http://127.0.0.1:9200/nmap_index/_doc/_search?q=_id:192.168.0.111
# Query with field filter
http://127.0.0.1:9200/nuclei_index/_doc/_search?q=host:"1.2.3.4:8080"
Parallel Execution
For very large assessments, split targets and run multiple instances:
# Split target list
split -l 1000 targets.txt batch_
# Run parallel instances
for batch in batch_*; do
./scan4all -l $batch -o results_$batch.csv &
done
wait
Ensure your system has sufficient resources (CPU, memory, network) for parallel execution.