Port Scanner Shootout Part 4: The Results
The Disclaimer
Before getting into the results, I want to put a disclaimer here. These tests are simply exploratory and I have no promotion of one tool over another outside of the results of the tests and the analysis of the tools capabilities.
The Scoreboard - Utility
Each tool that we are testing has a variety of options in their scanning utility. Not just different types of scanning, but different output formats, levels of detail, and other individual utility. Below is a chart showing the different capabilities of the tools.
As far as the volume of different scanning types and utility options, our reigning champion NMAP is far beyond the competition. That being said we see two of our challengers have taken a interesting but sneaky approach by focusing on scanning speed of simple TCP scans, and accommodating direct input into NMAP. When scanning for open TCP ports a target, the most effective methodology is actually performing two separate scans: The first one, a light TCP SYN scan, will perform a fast scan simply to determine whitch ports are open. The second scan, which takes much longer, is a detailed scan often pulling banner information containing the service version information . The trick is the second scan will only be on the ports that were returned as open from the first scan. If it was a simple piping of commands, I would say that this does not constitute functionality of the tool, but for Naabu and Rustscan they are built directly into the tool.
It would seem that simply including NMAP functionality is the easy way to get the most utility out of a tool you create, but our contenders have a few other tricks up their sleeves that make quite an interesting tool. Which one is our champion of utility? Lets see!
Utility Winner: Naabu
Naabu takes the cake for the shear volume of functions and ease of use. Not only does it incorporate all the utility of NMAP, but its functionality focused around web application testing and design to be easily incorporated with other tools, make it our top contender. Of all of its capabilities there are a few that are what put it over the top. First is its deduplication of IP addresses when resolving domains in the scanning process. There are entirely separate tools that many use to tackle this task alone, but having the functionality included is great. The other amazing feature is its ability to perform passive scanning on a target by querying the Shodan Internetdb API. These combined with its ease of install, and ability to seamlessly integrate with Project Discovery's other tools, make it a single solution for all of your port scanning needs. Oh yeah, its also pretty dang fast.
The Scoreboard - Speed
Now for the main event! Which tool will perform our array of scanning tasks the fastest.
Lets take a look at how our contenders performed in each set of tests.
Test 1 - Metsploitable3 Local Host
Test 2 - hackerone.com Remote Host
Test 3 - 103.48.139.0/24 Remote Subnet
Speed Winner: Rustscan
Across all three scenarios, Rustscan showed its dominance. Performing a full port scan of a single local target in 6.7 is nothing short of incredible, especially while maintaining scanning accuracy. Even more so when scanning single ports across a subnet. The design of Rustscan's manipulation of the open file limit is its key to success. During this test, we didn't even test its true capabilities as the creators intend it to be run within a Docker container for even greater performance. Even without the container, the stand alone install version of Rustscan performed incredibly.
Conclusions
As part of the shootout, I thought it would be interesting to test more than just the simple max speed, but test the speeds of different settings and scans to determine how much impact each of them had on our tests. While most of our tools were focused on simple TCP SYN scans, NMAP was also tested with its different timing templates and scanning types. Against a single local target, a full port scan from NMAP can come in at a reasonable time with great accuracy. As we slowed it down it became unreasonably slow. Now these slower templates are specifically for IDS/IPS evasion which wasn't tested here, but it is interesting to see the impact on time. I actually had to lower the scope when using T2 and lower due to the estimated time being well over 2 days!
We can see that our optimization of each tool had a significant impact on its performance, but the tests revealed a few interesting conclusions:
Banner grabbing and service version scanning has varying impact on scanning speed. We can see with Masscan it added only a couple seconds to an already short scan.
Adding the detection evasion options of fragmentation and appending a garbage string had little to no effect on speed or accuracy. It would be safe to say that you could add these to all of your scans with out any negative side effects.
Asynchronous scanning performs significantly faster than Synchronous scanning.
Multi-threading allows for faster scanning as well as scanning of multiple targets in parallel.
This whole experiment has been incredibly fun for for learning about port scanners, and for learning about setting up testing environments. All of the tools that were tested are fantastic and have their own uses, but congratulations to the makers of Naabu and Rustscan for making the fastest and most useful port scanners in our arsenal.
Thanks for reading. If you liked this, check out my other content:
Last updated
