Overview

scan4all is a powerful security scanning tool that can be adapted to various environments. Choosing the right scanning strategy is crucial for effective vulnerability detection while minimizing disruption and detection.

External Network Scanning

Asset Collection

Before scanning external targets, collect comprehensive asset information:
  • Domain names
  • IP ranges (C-class segments)
  • Related IP addresses
  • Subdomains
Basic external scan:
scan4all -l input.txt -ceyeapi <your-api-key> -ceyedomain <your-domain>.ceye.io -csv -o output.csv
The input file supports multiple formats: URLs, domain names, C-class segments, and IP addresses. Note that URL addresses skip port scanning.
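As an added example (not code from the scan4all project): a Python check that classifies each line of an input list into the four formats described above and reports which entries will skip port scanning. The sample list, its hostnames and its addresses are constructed placeholders.

```python
# Added example, not part of scan4all: validate a `scan4all -l` input list
# against the four formats the docs describe (URL, domain, C-class/CIDR
# segment, IP) and report which entries skip port scanning (URLs do).
import ipaddress
import re
from urllib.parse import urlparse

# Hostname: dot-separated labels of letters/digits/hyphens, alphabetic TLD.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)

def classify(entry: str) -> tuple[str, int, bool]:
    """Return (kind, host_count, port_scanned) for one input line."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return ("comment", 0, False)
    if "://" in entry:                      # URL: no port scan, per the docs
        parsed = urlparse(entry)
        ok = parsed.scheme in ("http", "https") and bool(parsed.hostname)
        return ("url", 1, False) if ok else ("invalid", 0, False)
    try:                                    # single IP or C-class/CIDR segment
        net = ipaddress.ip_network(entry, strict=False)
        return ("cidr" if "/" in entry else "ip", net.num_addresses, True)
    except ValueError:
        pass
    if _DOMAIN_RE.match(entry):
        return ("domain", 1, True)
    return ("invalid", 0, False)

def summarize(lines):
    """Totals: hosts that will be port-scanned, URL-only entries, rejects."""
    out = {"port_scanned_hosts": 0, "url_only": 0, "invalid": []}
    for line in lines:
        kind, hosts, scanned = classify(line)
        if kind == "invalid":
            out["invalid"].append(line.strip())
        elif kind == "url":
            out["url_only"] += 1
        else:
            out["port_scanned_hosts"] += hosts
    return out

# Constructed sample input.txt (documentation/placeholder addresses only).
SAMPLE_INPUT = """# scan4all input.txt
https://app.example.com/login
example.com
192.0.2.0/24
198.51.100.7
not a target""".splitlines()
```

Running `summarize(SAMPLE_INPUT)` on the constructed list reports 258 hosts headed for port scanning, one URL-only entry, and one rejected line.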

Subdomain Discovery

For internet bug bounty targets, enable subdomain enumeration:
export EnableSubfinder=true
./scan4all -host target.com
Subdomain enumeration is slow. Only enable it for comprehensive reconnaissance on authorized targets.

SSL Certificate Analysis

Enable deep SSL analysis to discover additional domains:
export ParseSSl=true
./scan4all -host target.com
This automatically:
  • Extracts domain names from SSL certificates
  • Scans discovered subdomains (e.g., *.example.com)
  • Adds targets to the scanning queue automatically

Internal Network Scanning

Efficient Network Sweeps

Direct B-class segment scanning with scan4all is slow due to extensive port scanning. Use a two-phase approach:
  1. Quick host discovery with fscan
  2. Detailed vulnerability scanning with scan4all on live hosts:
scan4all -l ips.txt -ceyeapi <your-api-key> -ceyedomain <your-domain>.ceye.io -csv -o output.csv

Smart Processing Features

scan4all automatically optimizes internal network scans:
  • IP consolidation: Merges port scans when multiple domains resolve to the same IP
  • Multi-IP handling: Scans all IPs associated with a domain name automatically

WAF and Rate Limiting

Two-Phase Approach

When facing WAF protection or IP blocking, split the work into two phases.
Phase 1 - Fingerprinting only:
scan4all -l input.txt -np -csv -o output.csv
The -np flag skips port scanning, allowing you to gather fingerprints before triggering WAF alerts.
Phase 2 - POC detection:
scan4all -l urls.txt -ceyeapi <your-api-key> -ceyedomain <your-domain>.ceye.io -csv -o poc_output.csv
This approach ensures you at least obtain an asset fingerprint list, even if full scanning is blocked.

URL Precision Scanning

For targeted scanning of specific URLs with context:
export UrlPrecise=true
./scan4all -l urls.txt
This mode is ideal when you have exact URLs with paths and want focused scanning without port discovery.

Port Scanning Strategies

Using nmap (Default)

By default, scan4all detects and uses nmap for faster scanning:
export PPSSWWDD=yourRootPassword
export priorityNmap=true
./scan4all -l targets.txt
Advantages:
  • Faster than masscan with optimized parameters
  • Better service detection
Disadvantages:
  • May produce incomplete results on poor networks due to large traffic packets

Using naabu

Disable nmap to use naabu (built-in port scanner):
priorityNmap=false ./scan4all -tp http -list targets.txt -v
View scanning progress:
./scan4all -l targets.txt -stats=true

Skip Port Scanning

When working with existing port scan results:
noScan=true ./scan4all -l list.txt -v
# Works with nmap XML output
./scan4all -l nmapResult.xml -v
For authenticated scanning of web applications:
Cookie='PHPSession=xxxx' ./scan4all -host example.com
This parameter is compatible with:
  • nuclei POC checks
  • httpx fingerprinting
  • go-poc execution
  • X-ray POC scanning
  • File fuzzing
  • HTTP Request Smuggling detection

Honeypot Detection

Enable honeypot detection to avoid wasting time on decoys:
export EnableHoneyportDetection=true
./scan4all -l targets.txt
This feature is disabled by default. Enable only when you suspect honeypot deployments.

Smart Scanning Features

Automatic Supply Chain Analysis

scan4all automatically:
  • Identifies supply chain components
  • Analyzes dependencies
  • Scans related infrastructure

HTTP Anomaly Detection

The tool intelligently handles:
  • Abnormal HTTP response pages
  • Fingerprint calculation and learning
  • 404 page similarity detection

Result Deduplication

Automatic caching prevents redundant scanning:
  • Stores results in .DbCache directory
  • Speeds up subsequent scans of the same targets
  • Configure in config/config.json
{
  "CacheName": ".DbCache",
  "autoRmCache": "true"
}
Set autoRmCache to false to preserve cache between scans for better performance.

Best Practices Summary

  1. Start broad, then narrow: Begin with fingerprinting, then focus on vulnerable services
  2. Adapt to environment: Use appropriate strategies for external vs. internal networks
  3. Respect rate limits: Use two-phase scanning when WAF is detected
  4. Leverage intelligence: Enable SSL parsing and subdomain enumeration for comprehensive coverage
  5. Optimize scanning: Choose the right port scanner for your network conditions
  6. Use authentication: Provide cookies for authenticated application scanning
  7. Cache wisely: Preserve cache for repeat scans of similar targets