بنقرة واحدة
port-mass-scan
Port scan /8-/24 with Masscan+RustScan and nmap banners.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Port scan /8-/24 with Masscan+RustScan and nmap banners.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
Attack SAML SSO via XSW, signature strip, metadata extract.
Chain multiple vulns into critical impact attack paths.
Execute optimal kill chains for WordPress full compromise.
Escape Docker containers to host root via 5 techniques.
Catalog: 25 attacks, 18 WP, 8 CORS to match findings.
7-phase pentest pipeline from passive recon to exploitation.
| name | port-mass-scan |
| description | Port scan /8-/24 with Masscan+RustScan and nmap banners. |
| version | 1.0.0 |
| author | uphiago |
| license | MIT |
| platforms | ["linux"] |
| compatibility | Requires curl, nmap, python3, masscan, subfinder, httpx, nuclei |
| metadata | {"tags":["recon","port-scan","masscan","rustscan","nmap","infrastructure"],"category":"recon","related_skills":["port-service-discovery","iot-camera-recon","exchange-owa-attack"]} |
High-speed port scanning methodology using RustScan for single hosts and Masscan for large IP ranges. RustScan provides 400x speedup over Nmap for 1000-port scans (3-10s vs 5-10min). Masscan handles /8 and /16 ranges that Nmap cannot. Battle-tested on 5000+ scans across Brazilian ISPs, PRODERJ government networks, and OVH cloud infrastructure.
subdomain-enumeration — scan resolved IPs for non-HTTP services.deep-invade — expand attack surface beyond web ports.terminal tool with masscan, rustscan, and nmap installed.# Single host — RustScan (3-10 seconds for 1000 ports)
rustscan -a TARGET -r 1-65535 -- -sV
# /24 range — Masscan (2-5 minutes)
masscan -p1-65535 --rate=10000 -iL targets.txt -oJ scan.json
# /8 range — Masscan with banner grab (hours)
masscan -p80,443,8080,8443,22,3306,6379 --rate=50000 --banners -iL /8_range.txt -oJ scan.json
| Scenario | Tool | Command | Time |
|---|---|---|---|
| Single host, all ports | RustScan | rustscan -a IP -r 1-65535 | 3-10s |
| /24 range, common ports | Masscan | masscan -p1-1000 --rate=10000 -iL /24.txt | 2-5 min |
| /16 range, web ports | Masscan | masscan -p80,443,8080,8443 --rate=50000 -iL /16.txt | 10-30 min |
| /8 camera hunt | Masscan | masscan -p554,80,8010 --rate=100000 -iL /8.txt | Hours |
| Banner grab (1 IP) | Masscan | masscan -p1-65535 --banners --source-ip ETH0_IP IP | 1-5 min |
| Tool | 1000 ports (1 host) | /24 (1000 ports each) | /8 (web ports) | Accuracy |
|---|---|---|---|---|
| Nmap | 5-10 min | ~30 min | Impossible (days) | 99% |
| RustScan | 3-10s | 15-30s | ~2 min | 98% (then Nmap -sV) |
| Masscan | 15-20s | 2-5 min | 30-60 min | 99% (TCP) |
TARGET="$1"
OUTDIR="/root/output/ports"
mkdir -p "$OUTDIR"
echo "[*] RustScan: all 65535 ports on $TARGET"
# Fast scan + auto Nmap service detection
rustscan -a "$TARGET" -r 1-65535 -b 500 --accessible -- -sV -oN "$OUTDIR/${TARGET}_rustscan.nmap"
echo "[*] Open ports:"
grep 'open' "$OUTDIR/${TARGET}_rustscan.nmap" || echo " None"
# For WAF/IDS evasion: slower batch size
rustscan -a "$TARGET" -r 1-65535 -b 100 -t 1500 -- -sV
RANGE_FILE="$1" # One IP or CIDR per line
OUTDIR="/root/output/ports"
mkdir -p "$OUTDIR"
# Step 1: Fast common ports scan
echo "[*] Masscan: common ports on $(wc -l < "$RANGE_FILE") targets"
masscan -p80,443,22,3306,6379,27017,8080,8443,554,21,25,5432,3389 \
--rate=10000 -iL "$RANGE_FILE" -oJ "$OUTDIR/masscan_common.json" --wait=10
# Step 2: Full port scan on targets with hits
grep -oP '"ip":"[^"]+"' "$OUTDIR/masscan_common.json" | sort -u | \
sed 's/"ip":"//;s/"//' > "$OUTDIR/hits.txt"
echo "[*] Full scan on $(wc -l < "$OUTDIR/hits.txt") targets with open ports"
masscan -p1-65535 --rate=5000 -iL "$OUTDIR/hits.txt" \
-oJ "$OUTDIR/masscan_full.json" --wait=30
TARGET="$1"
OUTDIR="/root/output/ports"
# Banner grabbing requires a separate IP for the TCP handshake
SOURCE_IP=$(hostname -I | awk '{print $1}')
echo "[*] Masscan banner grab from source IP: $SOURCE_IP"
masscan -p1-10000 --rate=5000 --banners --source-ip "$SOURCE_IP" \
"$TARGET" -oJ "$OUTDIR/${TARGET}_banners.json"
# Alternative: two-phase (Masscan ports → Nmap services)
masscan -p1-65535 --rate=10000 "$TARGET" -oG "$OUTDIR/${TARGET}_grepable.txt" --wait=10
OPEN_PORTS=$(grep -oP 'Host: \S+ \(\)\s+Ports:\s+\K[^#]+' "$OUTDIR/${TARGET}_grepable.txt" | \
grep -oP '\d+/open' | cut -d/ -f1 | tr '\n' ',' | sed 's/,$//')
if [[ -n "$OPEN_PORTS" ]]; then
echo "[*] Nmap service detection on ports: $OPEN_PORTS"
nmap -sV -p "$OPEN_PORTS" "$TARGET" -oN "$OUTDIR/${TARGET}_services.nmap"
fi
# Scan Brazilian ISP ranges for cameras (from Vivo, Claro, Oi)
echo "[*] Camera hunt on Claro 3G/4G ranges"
masscan -p554,80,8010,8011 --rate=50000 \
--range 177.0.0.0-177.255.255.255 -oJ cameras_claro.json
echo "[*] Camera hunt on Vivo ranges"
masscan -p554,80,8010,8011 --rate=50000 \
--range 187.0.0.0-187.255.255.255 -oJ cameras_vivo.json
# Post-process: probe discovered cameras for snapshots
grep -oP '"ip":"[^"]+"' cameras_*.json | sed 's/"ip":"//;s/"//' | sort -u | \
while read ip; do
# Axis camera snapshot
code=$(curl -sk -o /dev/null -w "%{http_code}" --max-time 3 "http://$ip:8010/axis-cgi/jpg/image.cgi")
[[ "$code" == "200" ]] && echo "[CAMERA] Axis: $ip:8010"
# Generic RTSP
code=$(curl -sk -o /dev/null -w "%{http_code}" --max-time 3 "http://$ip:554/")
[[ "$code" != "000" ]] && echo "[RTSP] $ip:554"
done
# On machine 1 (shard 1/4):
masscan -p1-65535 --rate=50000 --shard 1/4 -iL /8_range.txt -oJ shard1.json
# On machine 2 (shard 2/4):
masscan -p1-65535 --rate=50000 --shard 2/4 -iL /8_range.txt -oJ shard2.json
# On machine 3 (shard 3/4):
masscan -p1-65535 --rate=50000 --shard 3/4 -iL /8_range.txt -oJ shard3.json
# On machine 4 (shard 4/4):
masscan -p1-65535 --rate=50000 --shard 4/4 -iL /8_range.txt -oJ shard4.json
# Merge results
cat shard*.json | jq -s '.[]' > merged.json
sudo.--rate=50000 or lower for stealth. Use -T4 equivalent by setting appropriate --rate.--source-ip, Masscan must complete a full TCP handshake which tears down the connection. Use the two-phase approach (Masscan ports → Nmap services) for reliable service detection.-sU for UDP.--resume paused.conf.--excludefile is critical. Always exclude your own IPs and RFC 1918 ranges to avoid scanning yourself.-sV for service version.