
Overview

Scan options control the fundamental behavior of scan4all, including scan type, network configuration, external tool integration, and operational modes.

Scan Type

-s, -scan-type
string
default:"s"
Type of port scan technique to use.
Values:
  • s - SYN scan (half-open scan, requires root/admin privileges)
  • c - CONNECT scan (full TCP connection, no special privileges required)
SYN scans are faster and more stealthy but require elevated permissions. CONNECT scans work without privileges but are slower and more detectable.
Examples:
# SYN scan (default, requires root)
sudo scan4all -host example.com -s s

# CONNECT scan (no privileges needed)
scan4all -host example.com -s c
SYN scans require root/administrator privileges. The tool will automatically fall back to CONNECT scan if privileges are insufficient.

Network Configuration

-source-ip
string
Source IP address to use in outgoing TCP packets.
Useful when the scanning machine has multiple network interfaces and you want to specify which IP to use for scanning.
Example:
scan4all -host example.com -source-ip 192.168.1.100
-i, -interface
string
Network interface to use for port scanning.
Specify which network adapter to use for sending packets. Useful on systems with multiple network interfaces.
Examples:
# Use specific interface
scan4all -host example.com -i eth0

# Use wireless interface
scan4all -host example.com -interface wlan0
-il, -interface-list
boolean
List all available network interfaces and public IP address, then exit.
Useful for determining which interface to use with the -i flag.
Example:
scan4all -il
Output includes:
  • Interface names
  • MAC addresses
  • IP addresses
  • MTU values
  • Interface flags
  • External/public IP

DNS Resolution

-sa, -scan-all-ips
boolean
default:"false"
Scan all IP addresses associated with a DNS record.
When a domain has multiple A records (DNS round-robin), this option scans all resolved IPs instead of just the first one.
Example:
# Scan only first resolved IP (default)
scan4all -host example.com

# Scan all IPs for the domain
scan4all -host example.com -sa
Enable this for comprehensive coverage of load-balanced or geo-distributed services.
-r
string
Custom DNS resolvers for domain name resolution.
Provide comma-separated DNS server addresses or a file containing resolver addresses. Useful for using specific DNS servers or bypassing local DNS.
Examples:
# Use Google and Cloudflare DNS
scan4all -host example.com -r 8.8.8.8,1.1.1.1

# Use resolvers from file
scan4all -host example.com -r resolvers.txt
Resolver file format:
8.8.8.8
8.8.4.4
1.1.1.1

Proxy Support

-proxy
string
SOCKS5 proxy address for routing scan traffic.
Route scan traffic through a SOCKS5 proxy server. Useful for scanning from different geographic locations or through authorized access points.
Format: host:port or socks5://host:port
Examples:
# Use SOCKS5 proxy
scan4all -host example.com -proxy 127.0.0.1:1080

# With socks5:// prefix
scan4all -host example.com -proxy socks5://proxy.example.com:1080
Only SOCKS5 protocol is supported. HTTP/HTTPS proxies are not supported.

Nmap Integration

-nmap
boolean
default:"false"
Invoke nmap scan on discovered open ports.
Status: Deprecated - Use -nmap-cli instead.
Automatically runs basic nmap scans on hosts with open ports for detailed service detection.
Example:
scan4all -host example.com -nmap
This flag is deprecated. Use -nmap-cli for better control over nmap execution.
-nmap-cli
string
Custom nmap command to execute on scan results.
Specify the exact nmap command line to run on targets with discovered open ports. Provides full control over nmap options.
Examples:
# Service version detection
scan4all -host example.com -nmap-cli 'nmap -sV'

# OS detection and service versions
scan4all -host example.com -nmap-cli 'nmap -sV -O'

# NSE scripts
scan4all -host example.com -nmap-cli 'nmap -sV --script=default'

# Aggressive scan
scan4all -host example.com -nmap-cli 'nmap -A'
The nmap command should be the full command without the target - scan4all automatically appends discovered targets.

Vulnerability Scanning

-ceyeapi
string
Ceye.io API key for out-of-band vulnerability detection.
Ceye.io is a service for detecting blind vulnerabilities through DNS and HTTP callbacks.
Example:
scan4all -host example.com -ceyeapi "your-api-key"
-ceyedomain
string
Ceye.io subdomain for receiving callbacks.
Your unique Ceye.io identifier for DNS/HTTP monitoring.
Example:
scan4all -host example.com -ceyeapi "key" -ceyedomain "subdomain.ceye.io"
-np
boolean
default:"false"
Skip POC (Proof of Concept) vulnerability checks.
Disables the vulnerability scanning phase, performing only port scanning and service detection.
Example:
# Port scan only, no vulnerability checks
scan4all -host example.com -np
Use this flag for faster scans when you only need port enumeration or when vulnerability scanning is not authorized.

Operational Modes

-resume
boolean
default:"false"
Resume a previously interrupted scan.
scan4all saves scan state to resume.cfg. Use this flag to continue from where the scan stopped.
Example:
# Start scan (might be interrupted)
scan4all -l large_targets.txt -o results.txt

# Resume if interrupted
scan4all -resume
Resume functionality requires that the previous scan was not using -stream mode.
-stream
boolean
default:"false"
Enable stream mode for real-time results.
Stream mode outputs results immediately as they’re discovered. This mode disables:
  • Resume capability
  • Nmap integration
  • Port verification
  • Retry logic
  • Host shuffling
Example:
# Stream results in real-time
scan4all -l targets.txt -stream

# Stream to file
scan4all -l targets.txt -stream -o results.txt
Stream mode is ideal for:
  • Very large scans
  • CI/CD integration
  • Real-time monitoring
  • Immediate result processing
-passive
boolean
default:"false"
Display passive port information using Shodan InternetDB API.
Query Shodan’s InternetDB for known open ports without performing active scanning. Requires internet connectivity.
Example:
# Passive reconnaissance
scan4all -host example.com -passive
Passive mode does not send any packets to the target. It only queries public databases.

Version Management

-update
boolean
default:"false"
Update scan4all to the latest version from GitHub releases.
Automatically downloads and installs the newest version of scan4all.
Example:
scan4all -update

Configuration Examples

Stealth Scan with Custom DNS

scan4all -host example.com -s s -rate 200 -r 1.1.1.1 -source-ip 192.168.1.100

Comprehensive Scan with Nmap

scan4all -host example.com -p 1-65535 -verify -nmap-cli 'nmap -sV -O'

Fast Reconnaissance

scan4all -host example.com -tp 100 -np -stream

Proxy-Based Scan

scan4all -l targets.txt -proxy 127.0.0.1:1080 -r 8.8.8.8

Multi-IP Domain Scan

scan4all -host cdn-service.com -sa -p 80,443 -ec

Best Practices

  1. Use appropriate scan type: SYN for speed, CONNECT for compatibility
  2. Configure DNS carefully: Custom resolvers for reliability
  3. Enable stream mode: For large scans or real-time processing
  4. Use resume capability: For long-running scans that might be interrupted
  5. Integrate nmap wisely: Only when detailed service detection is needed
  6. Disable POC checks: When only port enumeration is required
  7. Check all IPs: Use -sa for load-balanced services
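
Pre-flight check of flag combinations

The constraints stated on this page (valid -s values, SOCKS5-only -proxy, -stream disabling resume and nmap integration, -nmap being deprecated) can be checked before a long scan is launched. The function below is an added example, not part of scan4all or its documentation; the name scan4all_lint is hypothetical, and treating -stream together with -resume as an error is this example's own policy.

```shell
#!/bin/sh
# Added example (not scan4all code): lint an argument list against the
# constraints documented on this page. scan4all_lint is a hypothetical name.
# Prints one finding per line; returns 1 if any finding is an ERROR.
scan4all_lint() {
    stream=0 resume=0 nmap=0 nmapcli=0 rc=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -stream)   stream=1 ;;
            -resume)   resume=1 ;;
            -nmap)     nmap=1 ;;
            -nmap-cli) nmapcli=1 ;;
            -s|-scan-type)
                # Peek at the flag's value; only s (SYN) and c (CONNECT) are documented.
                case "${2-}" in
                    s|c) ;;
                    *) echo "ERROR: scan type must be s or c, got '${2-}'"; rc=1 ;;
                esac ;;
            -proxy)
                p=${2-}; p=${p#socks5://}   # socks5:// is the only accepted scheme
                case "$p" in
                    *://*) echo "ERROR: only SOCKS5 proxies are supported, got '${2-}'"; rc=1 ;;
                    ?*:?*) ;;               # host:port
                    *) echo "ERROR: -proxy takes host:port or socks5://host:port"; rc=1 ;;
                esac ;;
        esac
        shift
    done
    if [ "$stream" -eq 1 ] && [ "$resume" -eq 1 ]; then
        echo "ERROR: -stream disables resume; use one or the other"; rc=1
    fi
    if [ "$stream" -eq 1 ] && [ "$nmap$nmapcli" != 00 ]; then
        echo "WARN: -stream disables nmap integration (-nmap / -nmap-cli)"
    fi
    if [ "$nmap" -eq 1 ]; then
        echo "WARN: -nmap is deprecated; use -nmap-cli"
    fi
    return "$rc"
}

# Constructed command line: stream mode combined with resume is flagged.
scan4all_lint -l targets.txt -stream -resume || true
```

Pass the same arguments you intend to give scan4all; a non-zero return means at least one ERROR finding was printed.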
