
Overview

This guide covers advanced scan4all features including DNSLOG integration, nmap integration, network interface configuration, and optimization settings.

DNSLOG Integration

DNSLOG functionality enables detection of blind vulnerabilities that require out-of-band verification:
scan4all -host target.com -ceyeapi <your-api-key> -ceyedomain <your-subdomain>.ceye.io
You need a Ceye.io account to get your API key and subdomain.

How DNSLOG Works

1. Register with Ceye.io

Create an account and obtain your unique subdomain and API key.

2. Configure scan4all

scan4all -host 192.168.1.1 \
  -ceyeapi xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \
  -ceyedomain abc123.ceye.io

3. Detect Blind Vulnerabilities

scan4all will automatically:
  • Inject payloads with your ceye domain
  • Monitor for DNS/HTTP callbacks
  • Confirm vulnerabilities via out-of-band channels

Vulnerabilities Detected with DNSLOG

  • Blind SQL Injection
  • Blind XXE (XML External Entity)
  • SSRF (Server-Side Request Forgery)
  • Remote Code Execution
  • Log4Shell and similar vulnerabilities
Some POCs require DNSLOG to function properly. Without DNSLOG configuration, certain vulnerabilities may not be detected.
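
The callbacks that confirm a finding are ordinary DNS lookups, so they also show up in the resolver logs of the network being tested. The following is an added example, not part of scan4all: it scans dnsmasq-style query logs for names under the callback zone and reports which internal hosts made them. The log lines and the chk01/chk02 labels are constructed; abc123.ceye.io is the placeholder subdomain used above.

```python
import re
from collections import defaultdict

# Constructed dnsmasq-style query log lines (not real traffic).
SAMPLE_LOG = """\
Mar 03 10:15:01 dnsmasq[812]: query[A] updates.example.org from 192.168.1.20
Mar 03 10:15:07 dnsmasq[812]: query[A] chk01.abc123.ceye.io from 192.168.1.37
Mar 03 10:15:09 dnsmasq[812]: query[AAAA] CHK01.ABC123.CEYE.IO. from 192.168.1.37
Mar 03 10:16:44 dnsmasq[812]: query[A] chk02.abc123.ceye.io from 192.168.1.52
Mar 03 10:17:02 dnsmasq[812]: query[A] notceye.io from 192.168.1.20
Mar 03 10:17:30 dnsmasq[812]: query[TXT] abc123.ceye.io.other.example from 192.168.1.20
"""

# Captures the queried name and the client address of a dnsmasq query line.
QUERY_RE = re.compile(r"query\[[A-Z0-9]+\]\s+(\S+)\s+from\s+(\S+)")


def is_under(name, zone):
    """True if name is the zone itself or a subdomain of it (label-aligned)."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def find_oob_callbacks(log_text, zones=("ceye.io",)):
    """Return {client_ip: sorted unique names queried under any callback zone}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if not match:
            continue
        name, client = match.group(1).rstrip(".").lower(), match.group(2)
        if any(is_under(name, zone) for zone in zones):
            hits[client].add(name)
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in find_oob_callbacks(SAMPLE_LOG).items():
        print(client, ", ".join(names))
```

A client that appears in the result resolved a callback name itself, which identifies the host that processed the injected payload. The label-aligned match keeps look-alike names such as notceye.io out of the result.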

Nmap Integration

Import Nmap Results

Skip internal port scanning and use existing nmap XML results:
scan4all -l nmap-results.xml -v
This is useful when:
  • You’ve already performed comprehensive port scans
  • You want to add vulnerability checks to nmap results
  • You’re integrating scan4all into existing workflows

Custom Nmap Commands

Execute custom nmap scans on discovered targets:
scan4all -host 192.168.1.0/24 -nmap-cli 'nmap -sV -sC -T4'
scan4all -host target -nmap-cli 'nmap -sV'
The nmap binary must be installed and accessible in your system PATH.

Network Configuration

Source IP Specification

Specify the source IP address for packets:
scan4all -host target -source-ip 192.168.1.50
Useful for:
  • Multi-homed systems
  • Source IP restrictions
  • Bypassing simple IP-based filters

Network Interface Selection

Choose a specific network interface for scanning:
scan4all -host target -i eth0

List Available Interfaces

Display all network interfaces and your public IP:
scan4all -il
Example Output:
$ scan4all -il

Interface eth0:
MAC: 00:0c:29:12:34:56
Addresses: 192.168.1.100/24 fe80::20c:29ff:fe12:3456/64
MTU: 1500
Flags: up|broadcast|multicast

Interface lo:
MAC:
Addresses: 127.0.0.1/8 ::1/128
MTU: 65536
Flags: up|loopback|running

External IP: 203.0.113.45

Combined Network Configuration

scan4all -host target -source-ip 192.168.1.50 -i eth0

DNS Resolution

Custom DNS Resolvers

Specify custom DNS servers for resolution:
scan4all -host target.com -r 8.8.8.8,1.1.1.1

DNS Resolvers from File

Use a file containing DNS servers:
scan4all -host target.com -r resolvers.txt
resolvers.txt:
8.8.8.8
1.1.1.1
9.9.9.9
208.67.222.222

Optimization Settings

Retry Configuration

Control the number of retry attempts for port scanning:
scan4all -host target -retries 5
Default is 3 retries. Higher values increase accuracy but slow down scans.

Timeout Settings

Adjust port connection timeout in milliseconds:
scan4all -host target -timeout 2000
Default is 1000ms (1 second). Adjust based on:
  • Network latency
  • Target responsiveness
  • Scan speed requirements

Warm-up Time

Delay between scan phases in seconds:
scan4all -host target -warm-up-time 5
Default is 2 seconds. Useful for:
  • Avoiding rate limiting
  • Allowing network buffers to clear
  • Reducing IDS/IPS detection

Ping Probes

Enable ping verification to identify active hosts:
scan4all -host 192.168.1.0/24 -ping
Benefits:
  • Faster scans by skipping offline hosts
  • Reduced network traffic
  • Improved accuracy

TCP Verification

Validate discovered ports with additional TCP connection attempts:
scan4all -host target -verify
Reduces false positives by double-checking open ports.

Resume Functionality

Resume Interrupted Scans

Scan4all can resume interrupted scans:
scan4all -resume
Resume data is automatically saved to resume.cfg. This is useful for:
  • Long-running scans that get interrupted
  • Network connectivity issues
  • System crashes or reboots
Stream mode (-stream) disables resume functionality.

Stream Mode

Enable stream mode for continuous, real-time scanning:
scan4all -host target -stream
Stream mode characteristics:
  • Results displayed as soon as discovered
  • No result buffering
  • Disables resume, nmap integration, verify, and retries
  • Lower memory usage
  • Ideal for integration with other tools

Stream Mode Pipeline

subfinder -d example.com -silent | scan4all -stream -silent | grep "443" > https-hosts.txt

Passive Scanning

Query Shodan InternetDB for port information without active scanning:
scan4all -host 1.1.1.1 -passive
Passive mode uses the free Shodan InternetDB API. No API key required.
Benefits:
  • Completely passive (no packets sent to target)
  • Fast results
  • No IDS/IPS triggering
  • Historical port data
Limitations:
  • Only works for public IPs
  • Data may be outdated
  • Limited to Shodan’s coverage
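
The public-IP limitation can be checked before running a passive lookup. The following is an added example, not scan4all code: it splits a target list into addresses a public index could know about and those it cannot, and flattens one InternetDB-style response into ip:port pairs. The response body is constructed and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed body in the shape served by https://internetdb.shodan.io/<ip>;
# the values are illustrative, not the result of a real lookup.
SAMPLE_RESPONSE = json.dumps({
    "ip": "1.1.1.1", "ports": [443, 53, 80], "hostnames": ["one.one.one.one"],
    "cpes": [], "tags": [], "vulns": [],
})


def split_passive_targets(targets):
    """Expand IPs/CIDRs into (queryable, skipped) address lists for passive lookup."""
    queryable, skipped = [], []
    for target in targets:
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            skipped.append(target)  # hostname or malformed entry: resolve it first
            continue
        ips = [net.network_address] if net.num_addresses == 1 else net.hosts()
        for ip in ips:
            # is_global, not "not is_private": 100.64.0.0/10 (carrier-grade NAT)
            # is not private, yet it is not publicly routable either.
            (queryable if ip.is_global else skipped).append(str(ip))
    return queryable, skipped


def host_ports(response_text):
    """Flatten one InternetDB-style response into sorted 'ip:port' strings."""
    data = json.loads(response_text)
    return ["%s:%d" % (data["ip"], port) for port in sorted(data.get("ports", []))]


if __name__ == "__main__":
    ok, skipped = split_passive_targets(["1.1.1.1", "192.168.1.0/30", "100.64.0.1"])
    print("queryable:", ok)
    print("skipped:", skipped)
    print(host_ports(SAMPLE_RESPONSE))
```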

Update Scan4all

Update to the latest version:
scan4all -update
This will:
  • Check for the latest release
  • Download and install updates
  • Preserve your configuration

Practical Advanced Examples

1. Comprehensive Scan with DNSLOG

scan4all -host target.com \
  -tp 1000 \
  -ceyeapi <your-key> \
  -ceyedomain <your-domain>.ceye.io \
  -json -o results.json

2. Optimized Fast Scan

scan4all -host 192.168.1.0/24 \
  -ping \
  -c 50 \
  -rate 2000 \
  -timeout 500 \
  -tp 100

3. Stealthy Slow Scan

scan4all -host target.com \
  -c 5 \
  -rate 50 \
  -timeout 3000 \
  -warm-up-time 10 \
  -retries 5

4. Nmap Integration Workflow

# Step 1: Fast port discovery
scan4all -host 192.168.1.0/24 -tp 1000 -np -o ports.txt

# Step 2: Detailed nmap scan on discovered ports
scan4all -host 192.168.1.0/24 -nmap-cli 'nmap -sV -sC -A'

Configuration Best Practices

Balance Speed and Accuracy

Adjust rate, timeout, and retries based on network conditions

Use DNSLOG for Blind Vulns

Configure Ceye.io for comprehensive vulnerability detection

Leverage Nmap Integration

Combine scan4all’s speed with nmap’s detailed service detection

Passive Recon First

Use passive mode to gather initial intelligence without alerting targets

Advanced Options Reference

| Option | Description | Default |
| --- | --- | --- |
| -ceyeapi | Ceye.io API key | None |
| -ceyedomain | Ceye.io subdomain | None |
| -nmap-cli | Custom nmap command | None |
| -source-ip | Source IP address | Auto |
| -i | Network interface | Auto |
| -r | DNS resolvers | System |
| -retries | Retry attempts | 3 |
| -timeout | Connection timeout (ms) | 1000 |
| -warm-up-time | Phase delay (seconds) | 2 |
| -ping | Enable ping probes | false |
| -verify | TCP verification | false |
| -resume | Resume from resume.cfg | false |
| -stream | Stream mode | false |
| -passive | Passive Shodan lookup | false |
| -update | Update scan4all | false |
