Skip to main content

Overview

scan4all supports multiple methods for specifying scan targets, making it flexible for various workflows.

Single Host

Scan a single IP address or hostname: 
scan4all -host 127.0.0.1

scan4all -host example.com

Multiple Hosts

Provide multiple targets separated by commas: 
scan4all -host 192.168.1.1,192.168.1.2,192.168.1.3
Mix IP addresses and hostnames: 
scan4all -host 10.0.0.1,example.com,192.168.1.100

CIDR Notation

Scan entire network ranges using CIDR notation: 
scan4all -host 192.168.1.0/24
Scanning large CIDR ranges can take significant time and generate substantial network traffic. Always ensure you have authorization.

File Input

Provide targets from a file, one per line: 
scan4all -l targets.txt

File Format

The input file can contain mixed target types:
targets.txt
192.168.1.1
192.168.1.0/24
example.com
http://10.0.0.1:8080
https://example.com
192.168.2.100
  • IP addresses will be port scanned
  • CIDR ranges will be expanded and scanned
  • Domain names will be resolved and scanned
  • Full URLs will skip port scanning and be tested directly

Standard Input (Pipe)

scan4all can read targets from stdin, enabling integration with other tools: 
echo "192.168.1.1" | scan4all

Pipeline Examples

Pipe subdomain enumeration results directly to scan4all:
subfinder -d example.com -silent | scan4all

URL Input

When providing full URLs, scan4all skips port scanning and tests the endpoint directly: 
scan4all -host http://127.0.0.1:7001

scan4all -host https://example.com/admin
URL input is useful when:
  • You already know the service port
  • You want to test specific web applications
  • You want to skip the port scanning phase

Excluding Targets

Exclude Specific Hosts

Exclude specific IP addresses or hosts from the scan: 
scan4all -host 192.168.1.0/24 -eh 192.168.1.1,192.168.1.254

Exclude from File

Exclude targets listed in a file: 
scan4all -host 192.168.1.0/24 -ef exclude.txt
exclude.txt: 
192.168.1.1
192.168.1.254
192.168.1.100

CDN Detection and Exclusion

scan4all can detect and skip CDN IP addresses to avoid scanning edge servers: 
scan4all -host example.com -ec
When -ec (exclude CDN) is enabled:
  • CDN IPs are detected automatically
  • Only ports 80 and 443 are scanned on CDN hosts
  • Full port scans are skipped for CDN ranges

Scan All Associated IPs

By default, scan4all resolves hostnames to a single IP. To scan all IPs associated with a DNS record: 
scan4all -host example.com -sa
This is useful for:
  • Load-balanced services
  • Round-robin DNS
  • Hosts with multiple A records

Practical Examples

1

Single Target Quick Scan

scan4all -host 192.168.1.100
2

Multiple Networks from File

Create networks.txt:
192.168.1.0/24
10.0.0.0/24
172.16.0.0/24
Run scan:
scan4all -l networks.txt
3

Scan with Exclusions

scan4all -host 192.168.1.0/24 -eh 192.168.1.1,192.168.1.254
4

Pipeline Integration

nmap -sL 192.168.1.0/24 -n | grep "Nmap scan" | awk '{print $5}' | scan4all

Input Best Practices

Use Files for Large Scans

Store targets in files for better organization and repeatability

Leverage Pipelines

Combine with other reconnaissance tools for automated workflows

Exclude Known Assets

Use exclusion lists to avoid scanning critical infrastructure

Test Before Full Scan

Start with a small range to verify settings before large scans

Next Steps

Port Selection

Learn how to control which ports are scanned

Build docs developers (and LLMs) love

Get started for freeTalk to us