Overview

scan4all integrates with nmap to provide comprehensive port scanning and service detection across 146 protocols. This extensive protocol coverage enables thorough network reconnaissance and service fingerprinting.
Network service scanning is enabled by default when priorityNmap=true. The tool uses optimized nmap parameters for faster scanning than masscan in most scenarios.

Integration Architecture

Primary Scanner

nmap - When priorityNmap=true (default). Comprehensive service detection with optimized parameters for speed.

Alternative Scanner

naabu - When priorityNmap=false. Fast port scanning without service detection.

Port Scanning Engine

Nmap Integration

Default Mode (priorityNmap=true):
# Uses nmap with optimized parameters
./scan4all -host target.com

# View scanning progress
./scan4all -host target.com -stats=true
Key Features:
  • 146 protocol detection via nmap service fingerprints
  • 90,000+ port scanning rules
  • Service version detection
  • OS fingerprinting
  • Script scanning capabilities
Network Traffic: Nmap scanning generates significant network traffic. In poor network conditions, this may lead to incomplete results. Consider using naabu for faster, lighter scanning.

Naabu Alternative

Fast Mode (priorityNmap=false):
# Use naabu for fast port scanning
priorityNmap=false ./scan4all -host target.com

# Scan specific protocol ports
priorityNmap=false ./scan4all -tp http -list targets.txt
Features:
  • Faster scanning in poor network conditions
  • Lower network traffic
  • HTTP-related ports when -tp http specified
  • SYN scan support

Skip Port Scanning

Import Existing Results:
# Skip port scanning, use existing results
noScan=true ./scan4all -list targets.txt

# Import nmap XML results
noScan=true ./scan4all -list nmap_results.xml
When noScan=true, the supplied nmap results are processed without any additional port scanning, so existing reconnaissance data can be reused directly.

Protocol Categories

The 146 supported protocols span multiple categories:

Common Network Services

Web Services:
  • HTTP (80, 8080, 8000, 8008, 8888)
  • HTTPS (443, 8443)
  • HTTP-Proxy (3128, 8080)
  • HTTP-Alt (591, 8008, 8080, 8081)
  • HTTPS-Alt (832, 981, 1311, 7002, 7021, 7023, 7025, 7777, 8333, 8531, 8888)
  • WebDAV (WebDAV over HTTP/HTTPS)
  • SOAP (Simple Object Access Protocol)
  • REST APIs

Email:
  • SMTP (25, 587, 465)
  • POP3 (110)
  • POP3S (995)
  • IMAP (143)
  • IMAPS (993)
  • Submission (587)

File Transfer and Sharing:
  • FTP (21)
  • FTPS (990)
  • SFTP (22, via SSH)
  • TFTP (69, UDP)
  • NFS (2049)
  • SMB/CIFS (139, 445)
  • AFP (Apple Filing Protocol)
  • WebDAV

Databases:
  • MySQL (3306)
  • PostgreSQL (5432)
  • Microsoft SQL Server (1433)
  • Oracle (1521)
  • MongoDB (27017)
  • Redis (6379)
  • Cassandra (9042)
  • CouchDB (5984)
  • Elasticsearch (9200, 9300)
  • InfluxDB (8086)
  • MemcacheD (11211)

Remote Access:
  • SSH (22)
  • Telnet (23)
  • RDP (3389)
  • VNC (5900-5903)
  • X11 (6000-6063)
  • rlogin (513)
  • rexec (512)
  • rsh (514)

Directory Services:
  • LDAP (389)
  • LDAPS (636)
  • Kerberos (88)
  • Active Directory (Multiple ports)

Network Management:
  • DNS (53, TCP/UDP)
  • SNMP (161, 162, UDP)
  • SNMP-Trap (162, UDP)
  • NetBIOS (137-139)
  • WMI (Windows Management Instrumentation)
  • WinRM (5985, 5986)
  • SSH (Management access)

Messaging:
  • AMQP (5672)
  • MQTT (1883, 8883)
  • Kafka (9092)
  • RabbitMQ (5672, 15672)
  • ActiveMQ (61616)
  • ZeroMQ
  • WebSocket (80, 443)

Application Servers:
  • Tomcat (8080, 8005, 8009)
  • Weblogic (7001, 7002)
  • JBoss (8080, 4444, 8083)
  • WebSphere (9060, 9043)
  • GlassFish (4848, 8080, 8181)
  • Jetty

VoIP:
  • SIP (5060, 5061)
  • H.323 (1720)
  • RTP (Real-time Transport Protocol)
  • RTSP (554)
  • IAX (4569)

Proxy and VPN:
  • SOCKS4 (1080)
  • SOCKS5 (1080)
  • HTTP-Proxy (3128, 8080)
  • OpenVPN (1194)
  • IPSec (500, 4500, UDP)
  • PPTP (1723)
  • L2TP (1701)

IoT:
  • MQTT (1883)
  • CoAP (5683, UDP)
  • Modbus (502)
  • BACnet (47808, UDP)
  • UPnP (1900, UDP)
  • RTSP (554)

Industrial Control Systems:
  • Modbus TCP (502)
  • DNP3 (20000)
  • BACnet (47808)
  • Ethernet/IP (44818)
  • Profinet (34962-34964)
  • S7 (102)
  • OPC (135, 4840)

Streaming Media:
  • RTSP (554)
  • RTMP (1935)
  • HLS (HTTP-based)
  • MPEG-DASH
  • ICY (SHOUTcast)

Version Control:
  • Git (9418)
  • SVN (3690, HTTP/HTTPS)
  • CVS (2401)
  • Perforce (1666)
  • Mercurial (HTTP-based)

Printing:
  • IPP (631)
  • LPD (515)
  • JetDirect (9100)

Time Services:
  • NTP (123, UDP)
  • Time (37)
  • Daytime (13)

Logging and Monitoring:
  • Syslog (514, UDP)
  • SNMP (161, UDP)
  • Graphite (2003, 2004)
  • StatsD (8125, UDP)
  • Prometheus (9090)

Authentication:
  • RADIUS (1812, 1813, UDP)
  • TACACS+ (49)
  • Kerberos (88)
  • OAuth (HTTP-based)
  • SAML (HTTP-based)

Legacy Services:
  • Echo (7, TCP/UDP)
  • Discard (9, TCP/UDP)
  • Chargen (19, TCP/UDP)
  • Finger (79)
  • Gopher (70)
  • Whois (43)
  • IRC (6667, 6697)
  • XMPP (5222, 5223)

Service Detection

Version Detection

scan4all leverages nmap’s service version detection to identify:
  • Service name and version
  • Operating system fingerprinting
  • Device type identification
  • Service configuration details
Example Output:
22/tcp    open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5
80/tcp    open  http        nginx 1.18.0
443/tcp   open  ssl/http    nginx 1.18.0
3306/tcp  open  mysql       MySQL 8.0.32

Fingerprinting

HTTP Fingerprinting

  • 7000+ web fingerprints
  • httpx integration
  • vscan fingerprints (eHoleFinger, localFinger)
  • Custom scan4all fingerprints

Service Fingerprinting

  • Nmap service probes
  • Banner grabbing
  • Protocol-specific detection
  • Custom fingerprint extensions

Port Range Configuration

Default Scanning

# Scan default ports
./scan4all -host target.com

# Scan all ports
./scan4all -host target.com -p-

# Scan specific ports
./scan4all -host target.com -p 80,443,8080

# Scan port range
./scan4all -host target.com -p 1-10000

Protocol-Specific Ports

# HTTP-related ports only
./scan4all -tp http -host target.com

# Common service ports
./scan4all -top-ports 1000 -host target.com

Nmap Configuration

Environment Setup

Root Password Required: Nmap requires root privileges for SYN scanning. Set your root password as an environment variable:
export PPSSWWDD=yourRootPassword
Note that a variable exported this way is readable by every process running under the same user account and may be recorded in shell history.
Configuration Script: config/doNmapScan.sh

Optimized Parameters

scan4all uses optimized nmap parameters that provide:
  • Faster scanning than masscan in good network conditions
  • More comprehensive service detection
  • Better fingerprinting accuracy
The tool automatically selects optimal nmap parameters based on the target and scan type. No manual parameter tuning is required for most scenarios.

Multi-Target Scanning

Input Formats

# Single host, IP address, or CIDR range
./scan4all -host example.com
./scan4all -host 192.168.1.100
./scan4all -host 192.168.1.0/24
./scan4all -host 10.0.0.0/16

# Text file with hosts/IPs/CIDRs
./scan4all -list targets.txt

# Nmap XML results
./scan4all -list nmap_results.xml

# Pipe from other tools
cat hosts.txt | ./scan4all

# From subdomain enumeration
subfinder -d example.com | ./scan4all

# Direct URL scanning
./scan4all -u https://example.com

# Precise URL scanning
UrlPrecise=true ./scan4all -l urls.txt

Intelligence Features

Smart Processing

IP Consolidation

Multiple Domains, Same IP: When multiple domains resolve to the same IP, scan4all automatically merges port scans to improve efficiency.

DNS Analysis

Multiple IPs per Domain: Automatically identifies and scans all IPs associated with a domain (DNS round-robin, CDN, etc.).
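The merging described above (one port scan per IP, however many names point at it, and one target per IP when a name has several A records), as an added Python example that is not scan4all's own code. The resolver answers are a constructed table so the script runs offline; a real run would query DNS instead. The example also keeps the name list per IP, because HTTP-level checks still have to be sent once per virtual host even though the port scan is shared.

```python
"""Consolidate scan targets: several names that resolve to one IP are port-
scanned once, and a name with several A records yields a target per IP.
Added example, not scan4all's own implementation; DNS answers are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed DNS answers: name -> IPv4 addresses (documentation ranges).
RESOLVED: Dict[str, List[str]] = {
    "www.example.com": ["192.0.2.10", "192.0.2.11"],   # round-robin, two A records
    "api.example.com": ["192.0.2.10"],                 # shares an IP with www
    "cdn.example.com": ["198.51.100.5", "198.51.100.6"],
    "198.51.100.7": ["198.51.100.7"],                  # bare IP resolves to itself
}


def resolve(name: str, table: Dict[str, List[str]] = RESOLVED) -> List[str]:
    """Stand-in for a DNS lookup; unknown names return no addresses."""
    return table.get(name, [])


def consolidate(targets: Iterable[str]) -> Dict[str, List[str]]:
    """Group every requested name under each IP it resolves to.

    Keys are the IPs to port-scan (each exactly once); values are the virtual
    hosts that still need their own HTTP-level checks against that IP."""
    by_ip: Dict[str, set] = defaultdict(set)
    for name in targets:
        for ip in resolve(name):
            by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in sorted(by_ip.items())}


def scan_savings(targets: List[str]) -> Tuple[int, int]:
    """(naive scans, merged scans): naive means one port scan per name/IP pair."""
    naive = sum(len(resolve(n)) for n in targets)
    merged = len(consolidate(targets))
    return naive, merged


if __name__ == "__main__":
    names = ["www.example.com", "api.example.com", "cdn.example.com", "198.51.100.7"]
    for ip, vhosts in consolidate(names).items():
        print(f"{ip:15} port-scan once; HTTP checks for: {', '.join(vhosts)}")
    print("port scans: %d naive -> %d merged" % scan_savings(names))
```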

SSL Certificate Intelligence

Smart SSL Analysis: Automatically correlates and scans domain names discovered in SSL certificates (e.g., *.example.com).
Enable Subdomain Traversal:
# Enable subdomain enumeration from SSL certs
export EnableSubfinder=true
./scan4all -host example.com
Performance Impact: Subdomain traversal via SSL analysis can significantly slow scanning. Enable only when comprehensive subdomain discovery is required.

Subdomain Integration

scan4all integrates with subfinder for comprehensive subdomain enumeration:
# Enable subfinder integration
export EnableSubfinder=true
./scan4all -host example.com
Discovered Subdomains:
  • From SSL certificates
  • From subfinder database
  • From DNS records
  • Automatically added to scan targets

Service-Specific Detection

Web Services

HTTP/HTTPS Detection:
  • Landing page identification
  • Sensitive file detection with custom dictionaries
  • HTTP smuggling detection (CL-TE, TE-CL, TE-TE, CL-CL, BaseErr)
  • HTTP Request Smuggling
  • Web cache vulnerability scanning
Fingerprinting:
  • httpx fingerprints
  • vscan fingerprints (eHoleFinger, localFinger)
  • Custom scan4all fingerprints
  • Framework detection
  • CMS identification

Database Services

Automatic Detection & Testing:
  • Port scanning detects database services
  • Automatic password testing when priorityNmap=true
  • Version fingerprinting
  • Configuration detection

Application Servers

Detection Capabilities:
  • Weblogic (with nuclei integration for T3/IIOP)
  • Tomcat (version and manager detection)
  • JBoss (version and exposed interfaces)

Output & Reporting

Output Formats

# Console output
./scan4all -host target.com

# JSON format
./scan4all -host target.com -json output.json

# CSV format
./scan4all -host target.com -csv output.csv

# Plain text
./scan4all -host target.com -output results.txt

Elasticsearch Integration

Strongly Recommended: Store results in Elasticsearch for centralized analysis and correlation.
Setup:
# Start Elasticsearch
mkdir -p logs data
docker run --restart=always --ulimit nofile=65536:65536 \
  -p 9200:9200 -p 9300:9300 -d --name es \
  -v $PWD/logs:/usr/share/elasticsearch/logs \
  -v $PWD/data:/usr/share/elasticsearch/data \
  hktalent/elasticsearch:7.16.2

# Initialize indices
./config/initEs.sh
Query Results:
# Search by target
curl "http://127.0.0.1:9200/nmap_index/_doc/_search?q=_id:192.168.0.111"

# Search by service
curl "http://127.0.0.1:9200/nmap_index/_search?q=service:http"
Result Indexing:
  • Each tool’s results stored separately
  • Nmap results: nmap_index
  • Hydra results: hydra_index
  • Nuclei results: nuclei_index
  • Custom indices configurable

Advanced Features

Scanning Progress

# View real-time scanning progress
./scan4all -host target.com -stats=true

Honeypot Detection

Intelligent Honeypot Detection: Automatically identifies and skips honeypots to avoid wasting time and resources.
Enable Honeypot Detection:
EnableHoneyportDetection=true ./scan4all -host target.com
Disabled by Default: Honeypot detection is disabled by default for performance.

HTTP Abnormal Page Detection

Smart Processing:
  • Fingerprint calculation and learning
  • 404 detection using similarity algorithms
  • Automatic baseline establishment
  • False positive reduction
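A worked version of the baseline-and-similarity approach listed above, added here as a Python example that is not scan4all's own implementation. It requests a path that cannot exist, keeps that response as the site's not-found baseline, and then treats any later response whose body is near-identical to the baseline as a soft 404 even when the status code is 200. The site responses are constructed inline (no network); the fetch function, the normalization regexes and the 0.9 threshold are assumptions chosen for the example.

```python
"""Soft-404 detection: learn the not-found baseline from a random path, then
compare every candidate body against it with a similarity ratio.
Added example, not scan4all's own code; responses below are constructed."""
import difflib
import hashlib
import re
import secrets
from typing import Dict, List, Tuple

# Constructed site: the server answers 200 for everything, including a custom
# "not found" page whose reference number changes per request.
FAKE_SITE: Dict[str, Tuple[int, str]] = {
    "/": (200, "<html><title>Shop</title><body>Welcome to our shop</body></html>"),
    "/admin/": (200, "<html><title>Admin</title><body>Login required</body></html>"),
}
NOT_FOUND_TEMPLATE = "<html><title>Not found</title><body>Sorry, page not found (ref {ref})</body></html>"


def fetch(path: str) -> Tuple[int, str]:
    """Stand-in for an HTTP GET: unknown paths get the site's 200 'not found' page."""
    if path in FAKE_SITE:
        return FAKE_SITE[path]
    ref = hashlib.sha1(path.encode()).hexdigest()[:4]  # volatile per-request token
    return 200, NOT_FOUND_TEMPLATE.format(ref=ref)


def normalize(body: str) -> str:
    """Collapse digit runs so request-specific counters do not break the comparison."""
    return re.sub(r"\d+", "0", body)


def build_baseline(fetch_fn=fetch) -> Tuple[int, str]:
    """Request a random path that cannot exist; keep its status and normalized body."""
    status, body = fetch_fn("/" + secrets.token_hex(8))
    return status, normalize(body)


def is_soft_404(status: int, body: str, baseline: Tuple[int, str], threshold: float = 0.9) -> bool:
    """True when the response is a real 404 or is effectively the not-found baseline."""
    if status == 404:
        return True
    base_status, base_body = baseline
    ratio = difflib.SequenceMatcher(None, normalize(body), base_body).ratio()
    return status == base_status and ratio >= threshold


def classify(paths: List[str], fetch_fn=fetch) -> List[str]:
    """Return only the paths whose responses differ from the baseline (real findings)."""
    baseline = build_baseline(fetch_fn)
    return [p for p in paths if not is_soft_404(*fetch_fn(p), baseline)]


if __name__ == "__main__":
    probes = ["/", "/admin/", "/backup.zip", "/.env"]
    print("real pages:", classify(probes))  # the two 200 'not found' bodies are dropped
```

Normalizing before comparing matters: without it, a not-found page that embeds a request id or timestamp scores slightly lower against the baseline on every request, and a threshold tuned on one site silently misclassifies on the next.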

Supply Chain Analysis

Automated Detection:
  • Supply chain identification
  • Dependency analysis
  • Vulnerability correlation
  • Risk assessment

Integration with Other Tools

Nuclei Integration

# Enable nuclei for vulnerability scanning
enableNuclei=true ./scan4all -host target.com
Nuclei Capabilities:
  • 15,000+ POC detection
  • CVE detection
  • Misconfiguration detection
  • Exposed panel detection
  • Technology-specific vulnerabilities

VScan Integration

POC Coverage:
  • X-ray 2.0 300+ POCs
  • Go POCs
  • Custom scan4all POCs

Log4j-Scan Integration

# Setup log4j-scan
mkdir ~/MyWork/
cd ~/MyWork/
git clone https://github.com/hktalent/log4j-scan
Features:
  • Blocks target info from DNS Log Server (privacy protection)
  • Elasticsearch integration
  • Batch processing

Performance Optimization

Network Considerations

Good Network

Use nmap (priorityNmap=true)
  • Comprehensive detection
  • Service fingerprinting
  • Version detection

Poor Network

Use naabu (priorityNmap=false)
  • Faster scanning
  • Lower traffic
  • Basic port detection

Scanning Speed

# Fast scan (top 100 ports)
./scan4all -top-ports 100 -host target.com

# Balanced scan (default)
./scan4all -host target.com

# Comprehensive scan (all ports)
./scan4all -p- -host target.com

Thread Configuration

# Increase concurrent scanning
./scan4all -host target.com -threads 100

# Reduce for stability
./scan4all -host target.com -threads 10

Configuration Files

Main Configuration

File: config/config.json
Configurable Options:
  • Port ranges
  • Protocol lists
  • Fingerprint databases
  • Dictionary locations
  • Timeout values
  • Thread limits
  • Output formats
  • Integration settings

Custom Dictionaries

HTTP File Fuzzing:
  • Custom sensitive file dictionaries
  • Path traversal wordlists
  • Backup file patterns
Service Fingerprints:
  • Custom protocol fingerprints
  • Service version signatures
  • Banner patterns

Troubleshooting

Problem: nmap not found
Solution: Install nmap before using scan4all:
# Ubuntu/Debian
sudo apt-get install nmap

# macOS
brew install nmap

# Or use naabu instead
priorityNmap=false ./scan4all -host target.com
Problem: Incomplete scan results
Causes:
  • High network latency
  • Packet loss
  • Firewall interference
  • Target overload
Solutions:
  • Switch to naabu: priorityNmap=false
  • Reduce thread count
  • Increase timeout values
  • Scan in smaller batches
Problem: Nmap requires root for SYN scans
Solution:
export PPSSWWDD=yourRootPassword
./scan4all -host target.com
Alternative: Run with sudo (not recommended)
Problem: Slow scanning
Optimizations:
  • Use top ports: -top-ports 1000
  • Disable honeypot detection (default)
  • Disable subdomain enumeration
  • Use naabu instead of nmap
  • Increase thread count
  • Skip unnecessary protocols
Problem: Firewall blocking the scan
Indicators:
  • All ports show closed
  • No service detection
  • Timeout errors
Solutions:
  • Verify firewall rules
  • Try different source ports
  • Use timing templates
  • Consider alternative scanning methods

Security Considerations

Legal Authorization: Only scan networks and systems you own or have explicit permission to test. Unauthorized port scanning may be illegal in your jurisdiction.

Stealth Considerations

  • Nmap scanning is detectable by IDS/IPS systems
  • Adjust timing to avoid detection
  • Consider scan frequency
  • Monitor for defensive responses
  • Use appropriate scanning windows
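The detectability mentioned above comes from a simple pattern: one source touching many distinct ports on a host in a short time. The following Python example, added here and not part of scan4all, shows the check a network IDS or a SIEM rule applies to connection logs: a sliding time window per (source, destination) pair and an alert when the number of distinct destination ports inside it reaches a threshold. The log format, the 60-second window and the threshold of 15 ports are assumptions; the log lines are constructed.

```python
"""Flag port-scan behaviour in connection logs: alert when one source reaches
THRESHOLD distinct destination ports on a host inside a sliding window.
Added example of an IDS-style check, not part of scan4all; logs are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=\w+$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW_SECONDS = 60
THRESHOLD = 15  # distinct ports per (src, dst) pair inside one window


def make_sample_log() -> List[str]:
    """Constructed traffic: a 40-port sequential probe, a normal HTTPS client,
    a slow three-port touch, and one unparsable line."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines: List[str] = []
    for i in range(40):  # probe: a new port every second
        t = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{t} src=203.0.113.5 dst=192.0.2.10 dport={1000 + i} action=deny")
    for i in range(10):  # legitimate client: the same port, repeatedly
        t = (base + timedelta(seconds=5 * i)).strftime(TS_FMT)
        lines.append(f"{t} src=198.51.100.20 dst=192.0.2.10 dport=443 action=allow")
    for i, port in enumerate((22, 80, 443)):  # three ports spread over 14 minutes
        t = (base + timedelta(minutes=7 * i)).strftime(TS_FMT)
        lines.append(f"{t} src=198.51.100.30 dst=192.0.2.10 dport={port} action=allow")
    lines.append("garbage line that does not parse")
    return lines


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["dport"])


def detect_port_scans(lines: List[str], window: int = WINDOW_SECONDS,
                      threshold: int = THRESHOLD) -> Dict[Tuple[str, str], int]:
    """Return {(src, dst): peak distinct-port count} for pairs that crossed the threshold."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[0])  # logs are not always in time order
    recent: Dict[Tuple[str, str], Deque[Tuple[datetime, int]]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], int] = {}
    for ts, src, dst, port in events:
        q = recent[(src, dst)]
        q.append((ts, port))
        while (ts - q[0][0]).total_seconds() > window:  # expire events outside the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold:
            alerts[(src, dst)] = max(distinct, alerts.get((src, dst), 0))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(make_sample_log()).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports within {WINDOW_SECONDS}s")
```

The repeated HTTPS client never alerts because it reuses one port, and the slow three-port source stays under the threshold because its connections fall in separate windows; that second case is exactly the trade-off between window length and detection that the timing bullets above refer to, from the defender's side.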

Best Practices

  1. Authorization: Always obtain written permission
  2. Scope Definition: Clearly define target scope
  3. Timing: Scan during approved windows
  4. Rate Limiting: Avoid overwhelming targets
  5. Documentation: Log all scanning activities
  6. Notification: Inform stakeholders before scanning

Integration Workflows

Reconnaissance Pipeline

# 1. Subdomain enumeration
subfinder -d example.com -o subdomains.txt

# 2. Port scanning with scan4all
./scan4all -list subdomains.txt -o scan_results.txt

# 3. Vulnerability detection
enableNuclei=true ./scan4all -list subdomains.txt

# 4. Results to Elasticsearch
# (automatic when ES configured)

Manual Workflow

# 1. External nmap scan
nmap -p- -sV -oX nmap_results.xml target.com

# 2. Import to scan4all
noScan=true ./scan4all -list nmap_results.xml

# 3. Automated testing
priorityNmap=true ./scan4all -list nmap_results.xml
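Both the noScan=true import under Skip Port Scanning and step 2 of the Manual Workflow above consume nmap's -oX XML. The following Python script, added here and not scan4all's own importer, parses such a file into the host/port/service records a downstream tool works from, skips hosts that were down and ports that were not open, and selects the targets for one service so a focused follow-up can be run. The XML is a constructed sample that follows nmap's output schema.

```python
"""Parse nmap -oX output into (host, port, service) records and pick out the
targets for one service. Added example, not scan4all's own importer; the XML
below is a constructed sample in nmap's XML format."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed nmap XML (documentation addresses; follows the nmaprun schema).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- -sV -oX nmap_results.xml target.example">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="target.example" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str, open_only: bool = True) -> List[Dict[str, str]]:
    """Return one record per (host, port); hosts that were down are skipped."""
    records: List[Dict[str, str]] = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        if addr_el is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name", "") if hn is not None else ""
        for port in host.findall("ports/port"):
            state_el = port.find("state")
            state = state_el.get("state", "unknown") if state_el is not None else "unknown"
            if open_only and state != "open":
                continue
            svc = port.find("service")
            records.append({
                "ip": addr_el.get("addr", ""),
                "hostname": hostname,
                "proto": port.get("protocol", ""),
                "port": port.get("portid", ""),
                "state": state,
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return records


def targets_by_service(records: List[Dict[str, str]], service: str) -> List[str]:
    """ip:port list for one service name, e.g. to feed a focused follow-up scan."""
    return sorted(f"{r['ip']}:{r['port']}" for r in records if r["service"] == service)


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_NMAP_XML)
    for r in recs:
        line = f"{r['ip']:15} {r['port']:>5}/{r['proto']} {r['service']:10} {r['product']} {r['version']}"
        print(line.rstrip())
    print("http targets:", targets_by_service(recs, "http"))
```

Note that `find("address[@addrtype='ipv4']") or find("address")` relies on the fact that an Element with no children is falsy, which is why the fallback is written as an expression; a host with only an IPv6 address still yields its address through the fallback.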
