Nscan: Fast internet-wide scanner
   Nscan is a fast Network scanner optimized for internet-wide scanning purposes and inspired by Masscan and Zmap. It has itâs own tiny TCP/IP stack and uses Raw sockets to send TCP SYN probes. It doesnât need to set SYN Cookies so it doesnât wastes time checking if a received packet is a result of itâs own scan, that makes Nscan faster than other similar scanners.
Nscan has a cool feature that allows you to extend your scan by chaining found ip:port to another scripts where they might check for vulnerabilities, exploit targets, look for Proxies/VPNsâŠ
Install Nscan
Installing Nscan on Debian/Ubuntu boxes:$ git clone https://github.com/OffensivePython/Nscan$ cd Nscan/nscan$ chmod +x nscan.py$ ./nscan.pyUsage: nscan.py x.x.x.x/x [options]nscan.py iface load/unload : Load/Unload Nscan alias interfacenscan.py resume filename.conf: resume previous scanOptions: -h, --help show this help message and exit -p PORTS, --port=PORTS Port(s) number (e.g. -p21-25,80) -t THREADS, --threads=THREADS Threads used to send packets (default=1) --import=IMPORTS Nscan scripts to import (e.g. --import=ssh_key:22+check_proxy:80-85,8080) -b, --banner Fetch banners -n COUNT Number of results to get -o FILE, --output=FILE Output file -c N,T, --cooldown=N,T Every N (int) packets sent sleep P (float) (Default=1000,1)Usage
Nscan is simple to use, it works just the way you expect.If this your first run, you need to load nscan alias interface before launching a Scan
$ ./nscan.py iface loadPress enter key to load nscan alias interface[....] Running /etc/init.d/networking restart is deprecated because it may not [warnable some interfaces ... (warning).[ ok ] Reconfiguring network interfaces...done.Nscan alias interface loaded: 10.0.2.16Simple Scan:
To scan your local network for port 22,80:$ ./nscan.py 192.168.0.0/16 -p22,80 _ __ / | / /_____________ _____ / |/ / ___/ ___/ __ `/ __ \ / /| (__ ) /__/ /_/ / / / //_/ |_/____/\___/\__,_/_/ /_/ @OffensivePython 1.0URL: https://github.com/OffensivePython/NscanScanning [192.168.0.0 -> 192.169.0.0] (65536 hosts/2 ports)[MAIN] Starting the scan (Fri Jan 30 07:11:02 2015)...Scanning the Entire Internet:
Scan the entire IPv4 address space for port 80$ ./nscan.py 0.0.0.0/0 -p80Multi-threading the scan:
use â-tâ to specify how many sending thread you want to use, it decreases the elapsed time of the scan by n times:$ ./nscan.py 192.168.0.0/16 -p3389,5900-5910 -t3 Grabbing banners and saving logs in a file:
use â-bâ to grab banners and â-oâ to save logs in a file$ ./nscan.py 192.168.0.0/16 -p3389,5900-5910 -t3 -b -o nscan.logScanning to find N results:
In order to stop the scan after receiving 10 results:$ ./nscan.py 192.168.0.0/16 -p443 -b -n10Importing Nscripts:
To import Nscripts, use ââimportâ with filename (without extension â.pyâ) and specify the port and/or range of ports$ ./nscan.py xxx.xxx.161.152/24 -p1080 --import=proxy:1080 _ __ / | / /_____________ _____ / |/ / ___/ ___/ __ `/ __ \ / /| (__ ) /__/ /_/ / / / //_/ |_/____/\___/\__,_/_/ /_/ @OffensivePython 1.0URL: https://github.com/OffensivePython/NscanScanning [xxx.xxx.161.152 -> xxx.xxx.162.0] (104 hosts/1 ports)[MAIN] Starting the scan (Fri Jan 30 09:14:14 2015)[SEND] Sent: 104 packets[RECV] Received: 7 packets[MAIN] xxx.xxx.161.152:1080[MAIN] xxx.xxx.161.173:1080[MAIN] xxx.xxx.161.195:1080[MAIN] xxx.xxx.161.196:1080[MAIN] xxx.xxx.161.194:1080[MAIN] xxx.xxx.161.239:1080[MAIN] xxx.xxx.161.193:1080[PROXY] xxx.xxx.161.152:1080 | SOCKS4[PROXY] xxx.xxx.161.195:1080 | SOCKS4[PROXY] xxx.xxx.161.196:1080 | SOCKS4[PROXY] xxx.xxx.161.194:1080 | SOCKS4[PROXY] xxx.xxx.161.193:1080 | SOCKS4[MAIN] Packets sent in 0.0 minutes[MAIN] Total elapsed time: 0.7 minutes[MAIN] Done (Fri Jan 30 09:14:58 2015)This will chain every ip:port that has the port 1080,3127,3128,3129 open:
$ ./nscan.py xxx.xxx.xxx.xxx/xx -p8080,1080,3127-3129 --import=proxy:1080,3127-3129Suspending/Resuming a Scan:
If you have a large range of hosts to scan, and your bandwidth canât finish the scan really quick, You can suspend a scan and resume it later where itâs stopped.To suspend a running scan, hit [CTRL]+C, Nscan will save where itâs paused in âresume.confâ. The resume configuration file looks something like this:
$ cat resume.conf[NSCAN]hosts = [167772160, 184549376L]ports = [[80, 81]]threads = 1imports = Nonebanner = Truecount = Noneoutput = Noneindexes = [(16777216L, 4194304L, -249, 16776967L, 249)]cooldown = (1000, 1.0)$ ./nscan.py resume resume.confCooling Down the Transfer rate:
This is a very important option to regulate Nscan with your bandwidth, If you donât choose this properly, Nscan will probably knock off your router and force it to restart since it sends more traffic than your router could handle. You can specify the number of packets that needs to be sent before Nscan should cool down and sleep for a while$ ./nscan.py 10.0.0.0./16 -p21-25,8080 --cooldown=100,0.1If you have a gigabit Ethernet connection, you probably want to disable this:
$ ./nscan.py 0.0.0.0./0 -p21-25,8080 --cooldown=[ANY],0Write your Own Nscripts
Every nscan script should have a run() function, that takes two arguments:queue: queue where your script receives ip:port
event: This tells your script that Nscan is completed the scan, and waiting for your script to finsish before it exits
Make sure that your script is under â~/nscan/nscriptsâ folder.
Every Nscript has this simple skeleton:
import Queueimport logging# Import any module you need heredefrun(queue, event): whileTrue: if queue.empty() and event.isSet(): # If the Scan is completed and the queue is empty (no more results)breakelse: try: ip, port = queue.get(False, TIMEOUT) # Should be non-blocking# Do something useful with IP:PORTexceptKeyboardInterrupt: # Scan suspended, should exitbreakexcept Queue.Empty: # No resultspassSCRIPT = 'MYSCRIPT'logging.info('[{}] {}:{} | {}'.format(SCRIPT, IP, PORT, 'MY RESULTS'))