scan4all provides flexible port scanning capabilities through dual-engine support: nmap for comprehensive protocol detection and naabu for high-speed scanning. The scanner supports 146 protocols and 90000+ rules inherited from nmap’s extensive fingerprint database.
Scanning Engines
Nmap Integration
By default, scan4all uses nmap when available for fast and accurate scanning. Nmap is automatically detected on your system and used when priorityNmap=true (default).
Root Password Requirement: Using nmap requires setting the root password as an environment variable:
export PPSSWWDD=yourRootPassword
Advantages of nmap:
Comprehensive protocol detection (146+ protocols)
Extensive service version detection
OS fingerprinting capabilities
Optimized parameters for faster scanning than masscan
Considerations:
High network traffic due to packet size
May produce incomplete results on poor network connections
Requires root/administrator privileges
Naabu Engine
When nmap is unavailable or priorityNmap=false, scan4all falls back to the integrated naabu engine for pure Go-based port scanning.
Benefits:
No external dependencies
Fast SYN scanning with customizable rate limits
Built-in connection retry logic
Cross-platform compatibility
Port Selection Methods
Specific Ports
Scan specific ports using the -p or -port flag:
# Scan single port
scan4all -host 192.168.1.1 -p 80
# Scan multiple ports (comma-separated)
scan4all -host 192.168.1.1 -p 80,443,8080,8443
# Scan port ranges
scan4all -host 192.168.1.1 -p 1-1000
# Combine ports and ranges
scan4all -host 192.168.1.1 -p 22,80,443,8000-9000
Top Ports
Use preset port lists with the -top-Ports or -tp flag:
# Scan top 1000 ports from nmap database
scan4all -host 192.168.1.1 -top-Ports 1000
# Scan HTTP-related ports (default behavior)
scan4all -host 192.168.1.1 -top-Ports http
# Scan top 100 ports
scan4all -host 192.168.1.1 -tp 100
When no port specification is provided, scan4all defaults to scanning HTTP-related common ports for web application security testing.
Port Exclusion
Exclude specific ports from scanning:
# Exclude single port
scan4all -host 192.168.1.1 -exclude-Ports 22
# Exclude multiple ports
scan4all -host 192.168.1.1 -ep 22,23,3389
# Exclude from file
scan4all -host 192.168.1.1 -Ports-file excluded_ports.txt
Scan Types
SYN Scan (Default)
SYN scanning is the default and fastest method, requiring root privileges:
# Explicit SYN scan
scan4all -host 192.168.1.1 -scan-type s
# Short form
scan4all -host 192.168.1.1 -s s
How SYN Scanning Works:
Sends SYN packet to target port
Receives SYN-ACK if port is open
Sends RST to close connection (stealth)
No full TCP handshake = faster and stealthier
TCP Connect Scan
Use full TCP connection when root access is unavailable:
scan4all -host 192.168.1.1 -scan-type CONNECT
TCP Connect scans are slower and more detectable than SYN scans as they complete the full three-way handshake.
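From the defender's side, the half-open pattern described above shows up in connection records as a SYN answered by SYN-ACK and then reset without a completing ACK. The following added example (not part of scan4all or its documentation) flags sources that leave incomplete handshakes on many distinct ports of one host within a time window; the record layout, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict

DST = "192.168.1.1"
HALF_OPEN, REFUSED = ["SYN", "SYN-ACK", "RST"], ["SYN", "RST"]
# Constructed sample records (assumed layout): (time_s, src, dst, dst_port, flags),
# where flags is the ordered TCP flag sequence seen for one connection attempt.
SAMPLE_FLOWS = [
    (0.000, "10.0.0.5", DST, 22, HALF_OPEN),
    (0.001, "10.0.0.5", DST, 80, HALF_OPEN),
    (0.002, "10.0.0.5", DST, 443, HALF_OPEN),
    (0.003, "10.0.0.5", DST, 8080, REFUSED),
    (0.004, "10.0.0.5", DST, 3389, REFUSED),
    (0.005, "10.0.0.5", DST, 25, ["SYN"]),
    (1.0, "10.0.0.9", DST, 443, ["SYN", "SYN-ACK", "ACK"]),  # ordinary client
    (2.0, "10.0.0.9", DST, 8443, REFUSED),
] + [(30.0 * i, "10.0.0.7", DST, port, REFUSED)  # one probe every 30 s
     for i, port in enumerate([21, 23, 110, 143, 445])]


def classify(flags):
    """Label one connection attempt by how far the handshake got."""
    if flags[:3] == ["SYN", "SYN-ACK", "ACK"]:
        return "full-handshake"  # connect scan or normal client
    if flags[:3] == HALF_OPEN:
        return "half-open"       # open port, handshake abandoned with RST
    if flags[:2] == REFUSED:
        return "refused"         # closed port answered with RST
    return "no-reply" if flags == ["SYN"] else "other"


def detect_port_sweeps(flows, window_s=10.0, min_ports=5):
    """Map (src, dst) -> ports for sources that left incomplete handshakes on
    at least min_ports distinct ports of one destination within window_s."""
    attempts = defaultdict(list)
    for ts, src, dst, port, flags in flows:
        if classify(flags) != "full-handshake":
            attempts[(src, dst)].append((ts, port))
    alerts = {}
    for key, events in attempts.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window_s:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(alerts.get(key, ())):
                alerts[key] = ports
    return alerts
```

With the default 10-second window only 10.0.0.5 is flagged; the source probing every 30 seconds appears only when window_s is widened, so sweep detection windows need to be long enough to cover slow scans.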
Rate Limiting
Control scanning speed with the -rate parameter (packets per second):
# Default rate: 1000 packets/second
scan4all -host 192.168.1.1 -rate 1000
# Faster scan (may trigger IDS/IPS)
scan4all -host 192.168.1.1 -rate 5000
# Slower, stealthier scan
scan4all -host 192.168.1.1 -rate 100
Thread Control
Adjust concurrent workers with the -c flag:
# Default: 25 worker threads
scan4all -host 192.168.1.1 -c 25
# More threads for faster scanning
scan4all -host 192.168.1.1 -c 100
# Fewer threads for resource-constrained systems
scan4all -host 192.168.1.1 -c 10
Timeout and Retries
# Set connection timeout (milliseconds)
scan4all -host 192.168.1.1 -timeout 1000
# Longer timeout for slow networks
scan4all -host 192.168.1.1 -timeout 5000
Warm-up Time
Add delay between scan phases:
# Default: 2 seconds between phases
scan4all -host 192.168.1.1 -warm-up-time 2
# No delay for maximum speed
scan4all -host 192.168.1.1 -warm-up-time 0
Advanced Features
CDN Detection and Exclusion
Automatically skip full port scans for CDN IPs, only checking ports 80 and 443:
scan4all -host www.example.com -exclude-cdn
# or
scan4all -host www.example.com -ec
Host Verification
Ping Probes:
# Verify host is alive before scanning
scan4all -host 192.168.1.1 -ping
TCP Verification:
# Re-validate discovered ports with TCP handshake
scan4all -host 192.168.1.1 -verify
Network Interface Selection
List Available Interfaces
scan4all -interface-list
# or
scan4all -il
Select Interface
scan4all -host 192.168.1.1 -interface eth0
# or
scan4all -host 192.168.1.1 -i eth0
Specify Source IP
scan4all -host 192.168.1.1 -source-ip 192.168.1.100
Skipping Port Scans
For URL Targets
When providing complete URLs, port scanning is automatically skipped:
# Direct URL scan - no port discovery
scan4all -host http://example.com:8080
Manual Skip with noScan
Force skip port scanning:
noScan=true ./scan4all -l urls.txt -v
Using Nmap Results
Import and process existing nmap scan results:
# nmap XML results automatically skip port scanning
scan4all -l nmap_results.xml -v
When using nmap result files, noScan=true is automatically enabled.
Monitoring Scan Progress
Enable real-time statistics display:
# Show scan statistics
scan4all -host 192.168.1.0/24 -stats
# Adjust statistics update interval (seconds)
scan4all -host 192.168.1.0/24 -stats -stats-interval 10
# or
scan4all -host 192.168.1.0/24 -stats -si 10
Statistics Display:
Scanning: 192.168.1.0/24
Ports scanned: 45000/65535
Hosts alive: 12/254
Open ports found: 156
Elapsed: 00:02:34
Custom Resolvers
Use custom DNS resolvers for domain resolution:
# Single resolver
scan4all -host example.com -r 8.8.8.8
# Multiple resolvers (comma-separated)
scan4all -host example.com -r 8.8.8.8,1.1.1.1,208.67.222.222
# Resolvers from file
scan4all -host example.com -r resolvers.txt
resolvers.txt example:
8.8.8.8
1.1.1.1
208.67.222.222
Scan Modes
Stream Mode
Optimized for continuous scanning with reduced features:
scan4all -host 192.168.1.1 -stream
Stream mode disables:
Resume capability
Nmap integration
Port verification
Retry logic
Result shuffling
Use only for real-time streaming scenarios.
Resume Mode
Resume interrupted scans:
scan4all -host 192.168.1.0/24 -resume
Resume data is stored in resume.cfg and automatically updated during scans.
Multi-IP Domain Scanning
scan4all automatically detects and scans all IPs associated with a domain:
# Automatically scans all DNS A records
scan4all -host example.com
# Force scan all IPs
scan4all -host example.com -scan-all-ips
# or
scan4all -host example.com -sa
When multiple domains in a target list resolve to the same IP, scan4all intelligently merges port scans to improve efficiency.
JSON Output
scan4all -host 192.168.1.1 -json -o results.json
Output structure:
{
  "host": "192.168.1.1",
  "port": 80,
  "protocol": "tcp",
  "service": "http",
  "version": "Apache/2.4.41"
}
Port scan results are saved to port.results.json.
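One defensive use of this output is comparing each scan against a baseline of services that are expected to be exposed. The following is an added example, not part of scan4all; it assumes the results file holds one JSON object per line with the fields shown above, and the baseline and sample records are constructed.

```python
import json

# Constructed sample in the record shape shown above (one object per line assumed).
SAMPLE_RESULTS = """\
{"host": "192.168.1.1", "port": 80, "protocol": "tcp", "service": "http", "version": "Apache/2.4.41"}
{"host": "192.168.1.1", "port": 3306, "protocol": "tcp", "service": "mysql", "version": ""}
{"host": "192.168.1.1", "port": 22, "protocol": "tcp", "service": "ssh", "version": "OpenSSH 8.2"}
not-json garbage line
{"host": "192.168.1.2", "port": 8080, "protocol": "tcp", "service": "http"}
"""

# Hypothetical baseline: (host, port, protocol) -> service expected to be exposed.
BASELINE = {
    ("192.168.1.1", 80, "tcp"): "http",
    ("192.168.1.1", 22, "tcp"): "ssh",
    ("192.168.1.1", 443, "tcp"): "https",
    ("192.168.1.2", 8080, "tcp"): "http-proxy",
}


def load_results(text):
    """Parse result lines; return (records, number of lines skipped as malformed)."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            key = (rec["host"], int(rec["port"]), rec.get("protocol", "tcp"))
            records.append((key, rec.get("service", "")))
        except (ValueError, KeyError, TypeError):
            skipped += 1  # keep going, but report how much was unreadable
    return records, skipped


def diff_against_baseline(records, baseline):
    """Classify scan findings relative to the expected exposure baseline."""
    seen = dict(records)
    return {
        "unexpected": sorted(k for k in seen if k not in baseline),
        "changed": sorted(k for k in seen if k in baseline and seen[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in seen),
    }
```

To use it on a real scan, pass the contents of port.results.json to load_results() and review the "unexpected" and "changed" entries first.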
CSV Output
scan4all -host 192.168.1.1 -csv -o results.csv
Port scan results are saved to port.results.csv.
Standard Output
# Verbose output to console
scan4all -host 192.168.1.1 -v
# Silent mode (results only)
scan4all -host 192.168.1.1 -silent
# Disable colors
scan4all -host 192.168.1.1 -no-color
# or
scan4all -host 192.168.1.1 -nc
Example Workflows
Quick Web Scan
# Fast HTTP port scan for web applications
scan4all -host example.com -top-Ports http -v
Integration with Other Features
Port scanning feeds into scan4all’s complete workflow. After port discovery, scan4all automatically:
Detects services running on open ports
Performs web fingerprinting on HTTP/HTTPS services
Initiates password brute forcing on authentication services
Runs POC checks for detected technologies
Fuzzes for sensitive files on web servers
Best Practices
Start with Default Settings
Use default configuration for initial scans: scan4all -host target.com -v
Adjust Based on Network
Tune rate and threads based on network stability:
Good network: -rate 3000 -c 50
Poor network: -rate 500 -c 10
Enable Verification for Accuracy
Use -verify flag for critical scans to confirm results: scan4all -host target.com -verify
Monitor Progress
Enable statistics for long-running scans: scan4all -host 192.168.0.0/16 -stats -si 5