Network Scanning — Nmap & Friends
Port scans, service / version detection, and "what's listening on this /16."
Before you exploit anything you need a target list. Network scanning maps live hosts, open ports, and running services. For DAST / template-based vuln checks see Vulnerability Scanners (Nuclei). For subdomain / asset surface see Subdomain & Asset Discovery. On the defensive side, scanning logs feed Network IDS (Suricata / Zeek) and SIEM (Wazuh).
The universal scanner
- ★ ★ Nmap — universal; TCP / UDP / SYN / connect / version / OS / NSE scripts. The reference tool every pentester knows by heart. Free, GPL.
- NSE scripts — 600+ scripts (
--script vuln,--script ssl-enum-ciphers,--script smb-vuln-*). Don't sleep on these — many add-on scanners are just NSE wrappers. - Zenmap — the official Nmap GUI; useful for results review and topology graphs.
- Nmap output formats —
-oAwrites.nmap,.gnmap,.xmlsimultaneously; pipe.gnmapinto grep for fast triage.
- NSE scripts — 600+ scripts (
Speed-first scanners
- ★ Masscan (Robert Graham) — asynchronous TCP scanner; scans the entire IPv4 internet in minutes. Use this then hand the live ports to Nmap for service detection. Free.
- ★ RustScan — modern Rust scanner; 65k ports in seconds; shells out to Nmap for service detection. The current "fast first pass" default for many bug-bounty hunters. Free.
- Zmap (University of Michigan) — internet-wide research scanner; sister to Masscan, slightly more academic. Free.
- Naabu (ProjectDiscovery) — Go-based fast TCP/UDP port scanner; integrates cleanly with the rest of the ProjectDiscovery toolkit. Free.
- Unicornscan — older async scanner; less maintained.
Lighter / interactive
- Angry IP Scanner — cross-platform GUI; quick LAN sweeps; great for non-CLI users.
- netdiscover — ARP-based local-net host enumeration.
- arp-scan — fast layer-2 discovery on a subnet.
- fping / hping3 — ping sweep / crafted packet probing.
Target list management
- CIDR math:
prips,nmap -sL -n <cidr>,mapcidr(ProjectDiscovery). - dnsx / massdns — resolve a 1M-host wordlist to IPs in seconds; see Subdomain Discovery.
- shodan / censys CLI — pull pre-scanned port data without touching the target; see OSINT & Recon.
Service-specific deep scanners
- enum4linux-ng — SMB / NetBIOS enumeration.
- smbmap — SMB share discovery + listing.
- rpcclient — Samba RPC enumeration.
- snmpwalk / onesixtyone — SNMP enumeration.
- showmount / nfs-ls — NFS exports.
- smtp-user-enum / kerbrute — user enumeration over SMTP / Kerberos.
Practical pipelines
- ★ Masscan-then-Nmap:
masscan -p1-65535 --rate 10000 10.0.0.0/8 -oG live.txt→ feed live IP:port pairs tonmap -sV -sC -p<ports> -iL targets.txt. - RustScan one-liner:
rustscan -a 10.0.0.0/24 -- -sV -sC -oA scan(RustScan handles fast discovery, hands tail to Nmap). - Stay quiet:
-T2or-T1plus randomized order; don't blast SYNs through a CrowdSec'd box.
Detection (blue team flip side)
- Scan-style traffic shows up loud in Suricata / Zeek.
- CrowdSec blocks scanning IPs at the edge.
- Honeypots (T-Pot) are designed to soak scanner traffic and report it.
Pick this if…
- Default port + service scanner: Nmap (with NSE).
- Fastest first sweep of a /16 or larger: Masscan or RustScan, then Nmap for versions.
- Bug-bounty asset → port pipeline: Naabu + httpx + Nuclei (ProjectDiscovery suite).
- GUI / non-CLI: Zenmap or Angry IP Scanner.
- No-touch reconnaissance: Shodan / Censys queries.