Tooling

Network Scanning — Nmap & Friends

Port scans, service / version detection, and "what's listening on this /16."

Before you exploit anything you need a target list. Network scanning maps live hosts, open ports, and running services. For DAST / template-based vuln checks see Vulnerability Scanners (Nuclei). For subdomain / asset surface see Subdomain & Asset Discovery. On the defensive side, scanning logs feed Network IDS (Suricata / Zeek) and SIEM (Wazuh).

The universal scanner

  • ★ ★ Nmap — universal; TCP / UDP / SYN / connect / version / OS / NSE scripts. The reference tool every pentester knows by heart. Free, GPL.
    • NSE scripts — 600+ scripts (--script vuln, --script ssl-enum-ciphers, --script smb-vuln-*). Don't sleep on these — many add-on scanners are just NSE wrappers.
    • Zenmap — the official Nmap GUI; useful for results review and topology graphs.
    • Nmap output formats-oA writes .nmap, .gnmap, .xml simultaneously; pipe .gnmap into grep for fast triage.

Speed-first scanners

  • Masscan (Robert Graham) — asynchronous TCP scanner; scans the entire IPv4 internet in minutes. Use this then hand the live ports to Nmap for service detection. Free.
  • RustScan — modern Rust scanner; 65k ports in seconds; shells out to Nmap for service detection. The current "fast first pass" default for many bug-bounty hunters. Free.
  • Zmap (University of Michigan) — internet-wide research scanner; sister to Masscan, slightly more academic. Free.
  • Naabu (ProjectDiscovery) — Go-based fast TCP/UDP port scanner; integrates cleanly with the rest of the ProjectDiscovery toolkit. Free.
  • Unicornscan — older async scanner; less maintained.

Lighter / interactive

  • Angry IP Scanner — cross-platform GUI; quick LAN sweeps; great for non-CLI users.
  • netdiscover — ARP-based local-net host enumeration.
  • arp-scan — fast layer-2 discovery on a subnet.
  • fping / hping3 — ping sweep / crafted packet probing.

Target list management

  • CIDR math: prips, nmap -sL -n <cidr>, mapcidr (ProjectDiscovery).
  • dnsx / massdns — resolve a 1M-host wordlist to IPs in seconds; see Subdomain Discovery.
  • shodan / censys CLI — pull pre-scanned port data without touching the target; see OSINT & Recon.

Service-specific deep scanners

  • enum4linux-ng — SMB / NetBIOS enumeration.
  • smbmap — SMB share discovery + listing.
  • rpcclient — Samba RPC enumeration.
  • snmpwalk / onesixtyone — SNMP enumeration.
  • showmount / nfs-ls — NFS exports.
  • smtp-user-enum / kerbrute — user enumeration over SMTP / Kerberos.

Practical pipelines

  • Masscan-then-Nmap: masscan -p1-65535 --rate 10000 10.0.0.0/8 -oG live.txt → feed live IP:port pairs to nmap -sV -sC -p<ports> -iL targets.txt.
  • RustScan one-liner: rustscan -a 10.0.0.0/24 -- -sV -sC -oA scan (RustScan handles fast discovery, hands tail to Nmap).
  • Stay quiet: -T2 or -T1 plus randomized order; don't blast SYNs through a CrowdSec'd box.

Detection (blue team flip side)

  • Scan-style traffic shows up loud in Suricata / Zeek.
  • CrowdSec blocks scanning IPs at the edge.
  • Honeypots (T-Pot) are designed to soak scanner traffic and report it.

Pick this if…

  • Default port + service scanner: Nmap (with NSE).
  • Fastest first sweep of a /16 or larger: Masscan or RustScan, then Nmap for versions.
  • Bug-bounty asset → port pipeline: Naabu + httpx + Nuclei (ProjectDiscovery suite).
  • GUI / non-CLI: Zenmap or Angry IP Scanner.
  • No-touch reconnaissance: Shodan / Censys queries.

On this page