Port Scanner Shootout Part 2: The Contenders
Tool testing is quite a bit of fun, but there are so many tools available today that choosing which ones to include in the test was a bit daunting. The best way to start is to define what we need out of our tools in order for them to be considered for the running. This can be tricky, as there are so many tasks that can be accomplished with port scanning.
One way around the need for so many features is to have integrations with a well-known tool that already contains those features. When reviewing our contenders, we found that most of them focus on simple TCP SYN scanning and then integrate with NMAP for all other tasks. We will detail why they do that later in this write-up, but this was not a bad choice.
So what qualifications do we need? Here are the must haves for consideration.
Ability to perform TCP SYN and Connect scanning - These basic types are the core functions of a port scanner. These are required for any security auditing task.
Ability to target both single and multiple hosts - Depending on whether it is broad range scanning or a full port audit, the ability to select your target is crucial.
Ability to scan single, multiple, and full ranges of ports - Some tasks only need one port scanned, others need a full audit. Flexibility is key to functionality.
Ability to perform detailed scans such as service versions or banner checks, OR easily integrate with a tool that can perform these tasks accurately and efficiently - With the utility of the command line, it is not hard to chain or "pipe" tool outputs together to accomplish multiple tasks with the same entry. That being said, doing so can be difficult if the subsequent tool accepts input in a form that the first tool's output does not provide. If functionality is not available in a tool, it should provide an easy way to send its output into a second tool without much headache.
Currently maintained - As operating systems develop and technologies progress, tools must be maintained to fix bugs and ensure compatibility.
Now, let's get to our contenders!
The Reigning Champion: NMAP
One of the oldest port scanning tools, but the one that has become the de facto standard for all port scanning. Originally released back in 1997, it has grown to incorporate different utilities requested by its user base, including its own scripting engine, operating system detection, and tons of supporting functions like GUIs and distributed scanning add-ons.
Scanning with NMAP goes far beyond TCP scans. One of its larger benefits is its ability to connect to an open port and read the service banner available on the port. This information often includes details such as the running service and its version, which is important for tasks like vulnerability scanning. It can take this one step further and make an educated guess at the operating system based on the running services and their versions.
The final cherry on top of NMAP is its scripting engine. There is a huge collection of scripts from both the creator and the community that can perform a slew of different tasks, including fuzzing, vulnerability testing, and enumeration.
For more information on this tool, check out the links below or the tool entry in my guide here: https://s0cm0nkey.gitbook.io/s0cm0nkeys-security-reference-guide/red-offensive/testing-methodology/scanning-active-recon/nmap
Documentation and Reference
Operator Handbook: NMAP - pg. 222
Penetration Testing: Port Scanning with NMAP - pg.125
The Challengers
Masscan
A popular contender in the space, Masscan claims to be an "Internet scale" port scanner that can scan a large range at incredibly fast paces. The key to its success is the concept of asynchronous scanning. As opposed to the synchronous scanning of NMAP, asynchronous scanning allows multiple network connection attempts (probes) to be sent and processed at the same time. This is largely due to its "ad hoc TCP/IP stack".
With a face-melting theoretical maximum of 10 million packets per second, the limitation will be on the TCP/IP stack processing such a large volume of packets, and on the host system that is running the scan. Since no one needs a packet scanner that works at 100% efficiency at 10 million packets per second, it has adjustable settings including packet rate and timeouts. Masscan is also the only one of our contenders that boasts its own banner detection utility. Even if it did not have this functionality, it has a flexible and grep-able output that can be piped directly into other tools such as NMAP for more detailed scanning. Combined with a tool syntax similar to NMAP, these utilities make Masscan a solid contender that should be both familiar and adjustable to your device and network's performance.
Pros
Has a theoretical maximum of 10 million packets per second.
Unique probe randomization function
Cons
Cannot scan with DNS names
Naabu
Naabu is a newer scanner from https://projectdiscovery.io/, an open-source software company that makes some of the most popular security tools focusing on Web-Application Security and Bug-Bounty Hunting. Naabu is the first of our contenders to be written in Go. While most security tools have traditionally been written in C or Python, Go tools tend to boast very fast operating times as well as great stability.
The notable feature of this tool is its design with interoperability in mind. It is intended to be used in conjunction with some of the other tools in Project Discovery's arsenal, as well as other common tools like NMAP. Its output is quite flexible and defaults to a format that can be fed directly into other tools without manipulation. They took this one step further and incorporated a function that pipes the output of Naabu directly into NMAP for more detailed scanning. As it is intended for web-application testing, it supports DNS resolution, so you can target a domain instead of an IP address. This is handy when you are given the target of a domain that may be hosted across multiple hosts. It even has a function that de-duplicates resolved IP addresses to reduce wasted scanning. Naabu is a fast and lightweight contender that is built with compatibility in mind.
Pros
Fast and stable coding in Go.
Supports DNS resolution with de-duplication of found IP addresses.
Easily pipe output into NMAP or other Project Discovery tools.
Passive scanning mode that pulls in Shodan API information.
Cons
Can only perform TCP SYN and Connect Scanning.
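Naabu's DNS resolution with de-duplication (the same idea Unimap applies to NMAP) is worth seeing in code: several names resolving to one address should become a single scan target, while a name spread across several addresses should become several. The block below is an added example, not Naabu's own code; it resolves each in-scope name, maps every unique IP back to the names that produced it, and uses a constructed sample zone (203.0.113.0/24 documentation addresses) in place of live DNS so it runs offline.

```python
import socket
from collections import OrderedDict
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]


def is_ip_literal(value: str) -> bool:
    """True if value is already an IPv4 or IPv6 address (no lookup needed)."""
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            socket.inet_pton(family, value)
            return True
        except (OSError, ValueError):
            pass
    return False


def system_resolver(name: str) -> List[str]:
    """Resolve a hostname to all of its addresses via the OS resolver."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []  # unresolvable names contribute no targets
    # getaddrinfo repeats an address once per socket type; keep each once, in order
    return list(OrderedDict.fromkeys(info[4][0] for info in infos))


def dedup_targets(names: Iterable[str], resolve: Resolver = system_resolver) -> Dict[str, List[str]]:
    """Map every unique IP to the hostnames that resolved to it, so each address is scanned once."""
    targets: Dict[str, List[str]] = OrderedDict()
    for raw in names:
        name = raw.strip().lower().rstrip(".")  # normalise case and trailing dot
        if not name:
            continue
        for addr in ([name] if is_ip_literal(name) else resolve(name)):
            owners = targets.setdefault(addr, [])
            if name not in owners:
                owners.append(name)
    return targets


# Constructed sample zone (assumed, not real infrastructure) so the block runs offline.
SAMPLE_ZONE = {
    "www.example.test": ["203.0.113.10", "203.0.113.11"],
    "example.test": ["203.0.113.10"],
    "cdn.example.test": ["203.0.113.11"],
}


def sample_resolver(name: str) -> List[str]:
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    scope = ["www.example.test", "Example.test.", "cdn.example.test", "198.51.100.5", "www.example.test"]
    for ip, hosts in dedup_targets(scope, sample_resolver).items():
        print(f"{ip:<16} {', '.join(hosts)}")  # 5 inputs collapse to 3 scan targets
```

Swap `sample_resolver` for the default `system_resolver` to run it against a real scope list; the keys of the returned mapping are the addresses to hand to the scanner, and the values tell you which names each result applies to.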
Rustscan
The final contender in our tests, Rustscan is often referred to as "The Modern Port Scanner". Taking our port scanning into the incredibly fast language of Rust, Rustscan boasts incredibly fast speeds and the capability to scan all 65k ports of a target in under three seconds. While still a simple SYN and CONNECT scanner, it boasts full scripting engine support and automatic export of results into NMAP for detailed scanning (this can be disabled for simple scanning). One other interesting feature is its adaptive performance. Without adjusting specific scanning parameters, Rustscan will analyze the performance of previous output and adjust itself for best performance.
The key to Rustscan's speed is its management of internal threads. In order to provide its asynchronous scanning capabilities, it creates a thread for each scanned port in its scanning batch. Due to this, you can have thousands of threads running per scan, all dependent on the maximum number of open files your operating system allows. Luckily, in the documentation, the creators of Rustscan provide some details on how to maximize the tool and how to determine how many open files your system can handle.
Pros
Scans all 65k ports in 3 seconds.
Full scripting engine support. Automatically pipe results into Nmap, or use our scripts (or write your own) to do whatever you want.
Adaptive learning. RustScan improves the more you use it.
Cons
Cannot run scans on IPs in parallel
The Honorable Mentions
There were many other port scanners that we considered in this test, but most did not satisfy the testing requirements we laid out in Part 1. Still, researching these does provide some insight into the needs of different port scanners and the solutions that some developers are trying to provide. Let's take a look at a few of them.
Older tools that inspired us
Scanrand - Written by the legendary Dan Kaminsky, it is one of the first tools to introduce asynchronous scanning. Scanrand was developed to use two separate processes, one for sending and one for receiving probes. It also has some interesting utilities such as a built-in traceroute function. Sadly, much like the rest of the tools in his Paketto suite, it has not seen development in a long time.
Knocker - Written way back in 2002, Knocker was a new twist in port scanners, introducing processing by multiple threads. This allowed scanning at a much faster rate than previous synchronous scanning tools. Sadly, beyond a bug fix, there hasn't been much development of the tool in a long time.
PNScan - A tool in the same vein as Knocker, PNscan is a port scanner that was built to use multiple threads to increase scanning speed. An interesting feature of this tool is its ability to dynamically adjust the number of operating threads to have the best performance with the given task.
Unicornscan - Unicornscan is a comparatively newer port scanner that brings an interesting design change to the table. It is built as an attempt at a userland distributed TCP/IP stack. Theoretically, by moving the processing of the network connections associated with port scanning from the kernel to user-allocated processing resources, you can achieve better performance. The tool also boasted a ton of features that rivaled NMAP's abilities. Sadly, the tool is no longer maintained.
Special Use Scanners
Zmap - A tool specifically designed for "large-scale studies of the hosts and services that compose the public Internet", Zmap is part of a larger suite of utilities under the Zmap banner. The Zmap tool itself can be used for scanning specific ports across a large array of addresses in a short amount of time. This tool is used in combination with the other utilities like Zgrab2, which gathers detailed application information on the discovered ports. Sadly, Zmap only supports scanning for specific ports and is not intended to be used to scan all open ports for a target like you would in a security audit.
AngryIP Scanner - One of the more popular port scanning utilities, it is often flagged as malware by many anti-virus engines. AngryIP Scanner is an auditing-focused port scanner with a few interesting features, specifically its ability to be executed on its own without installation. Sadly, it is this functionality that makes it so popular with threat actors and has caused it to appear on many blacklists. Still, it is one of the few tools with a GUI and great reporting. As it is designed for network auditing, it does a great job of tracking hosts and services. However, without the ability to perform multiple types of scanning, and with its forced use of ICMP ping packets, it just doesn't suffice for our test purposes.
Scantron - A scanning utility that uses a network of SSH tunnels in a server-client model to perform distributed NMAP and Masscan scans.
Scanless - An interesting utility that runs port scans using third party port scanning web services to perform the scan for the user indirectly.
Unimap - An NMAP supporting tool that de-duplicates resolved IP addresses when performing large scale NMAP scans on a single domain.
Advanced Port Scanner - A free network scanner packed with tons of features and an awesome GUI. Sadly it is Windows only.
To Be Continued...
Now that we have the premise and the players, we will set up the environments for our tests and determine the optimal settings for our tools.