NSCAN: FAST INTERNET WIDE SCANNER
Nscan is a fast Network scanner optimized for internet-wide scanning purposes and inspired by Masscan and Zmap. It has it's own tiny TCP/IP stack and uses Raw sockets to send TCP SYN probes. It doesn't need to set SYN Cookies so it doesn't wastes time checking if a received packet is a result of it's own scan, that makes Nscan faster than other similar scanners.
Nscan has a cool feature that allows you to extend your scan by chaining found ip:port to another scripts where they might check for vulnerabilities, exploit targets, look for Proxies/VPNs...
Nscan is a free tool, but consider donating here: 1Gi5Rpz5RBEUpGknSwyRgqzk7b5bQ7Abp2
Getting Nscan to Work
Installing Nscan on Debian/Ubuntu boxes:| 
1 
2 
3 | $ git clone https://github.com/OffensivePython/Nscan$ cdNscan/nscan$ chmod+x nscan.py | 
| 
1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 
22 | $ ./nscan.pyUsage: nscan.py x.x.x.x/x[options]nscan.py iface load/unload: Load/UnloadNscan aliasinterfacenscan.py resume filename.conf: resume previous scanOptions:  -h, --help            show this help message and exit  -p PORTS, --port=PORTS                        Port(s) number (e.g. -p21-25,80)  -t THREADS, --threads=THREADS                        Threads used to send packets (default=1)  --import=IMPORTS      Nscan scripts to import(e.g.                        --import=ssh_key:22+check_proxy:80-85,8080)  -b, --banner          Fetch banners  -n COUNT              Number of results to get  -o FILE, --output=FILE                        Output file  -c N,T, --cooldown=N,T                        Every N (int) packets sent sleepP (float)                        (Default=1000,1) | 
Usage
Nscan is simple to use, it works just the way you expect.If this your first run, you need to load nscan alias interface before launching a Scan
| 
1 
2 
3 
4 
5 
6 | $ ./nscan.py iface loadPress enter key to load nscan aliasinterface[....] Running /etc/init.d/networkingrestart is deprecated because it may not [warnable some interfaces ... (warning).[ ok ] Reconfiguring network interfaces...done.Nscan aliasinterface loaded: 10.0.2.16 | 
Simple Scan
To scan your local network for port 22,80:| 
1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 | $ ./nscan.py 192.168.0.0/16-p22,80    _   __                       / | / /__________________   /  |/ / ___/ ___/ __ `/ __ \ / /|  (__  ) /__//_// / / //_/|_/____/\___/\__,_/_//_/@OffensivePython             1.0URL: https://github.com/OffensivePython/NscanScanning [192.168.0.0 -> 192.169.0.0] (65536 hosts/2ports)[MAIN] Starting the scan (Fri Jan 30 07:11:02 2015)... | 
Scanning the Entire Internet
Scan the entire IPv4 address space for port 80| 
1 | $ ./nscan.py 0.0.0.0/0-p80 | 
Multithreading the Scan
use '-t' to specify how many sending thread you want to use, it decreases the elapsed time of the scan by n times:| 
1 | $ ./nscan.py 192.168.0.0/16-p3389,5900-5910 -t3  | 
Grabbing banners and Saving logs in a file
use '-b' to grab banners and '-o' to save logs in a file| 
1 | $ ./nscan.py 192.168.0.0/16-p3389,5900-5910 -t3 -b -o nscan.log | 
Scanning to find N results
In order to stop the scan after receiving 10 results:| 
1 | $ ./nscan.py 192.168.0.0/16-p443 -b -n10 | 
Importing Nscripts
To import Nscripts, use '--import' with filename (without extension '.py') and specify the port and/or range of ports| 
1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 
22 
23 
24 
25 
26 
27 
28 
29 | $ ./nscan.py xxx.xxx.161.152/24-p1080 --import=proxy:1080    _   __                       / | / /__________________   /  |/ / ___/ ___/ __ `/ __ \ / /|  (__  ) /__//_// / / //_/|_/____/\___/\__,_/_//_/@OffensivePython             1.0URL: https://github.com/OffensivePython/NscanScanning [xxx.xxx.161.152 -> xxx.xxx.162.0] (104 hosts/1ports)[MAIN] Starting the scan (Fri Jan 30 09:14:14 2015)[SEND] Sent: 104 packets[RECV] Received: 7 packets[MAIN] xxx.xxx.161.152:1080[MAIN] xxx.xxx.161.173:1080[MAIN] xxx.xxx.161.195:1080[MAIN] xxx.xxx.161.196:1080[MAIN] xxx.xxx.161.194:1080[MAIN] xxx.xxx.161.239:1080[MAIN] xxx.xxx.161.193:1080[PROXY] xxx.xxx.161.152:1080 | SOCKS4[PROXY] xxx.xxx.161.195:1080 | SOCKS4[PROXY] xxx.xxx.161.196:1080 | SOCKS4[PROXY] xxx.xxx.161.194:1080 | SOCKS4[PROXY] xxx.xxx.161.193:1080 | SOCKS4[MAIN] Packets sent in0.0 minutes[MAIN] Total elapsed time: 0.7 minutes[MAIN] Done (Fri Jan 30 09:14:58 2015) | 
This will chain every ip:port that has the port 1080,3127,3128,3129 open:
| 
1 | $ ./nscan.py xxx.xxx.xxx.xxx/xx-p8080,1080,3127-3129 --import=proxy:1080,3127-3129 | 
Suspending/Resuming a Scan
If you have a large range of hosts to scan, and your bandwidth can't finish the scan really quick, You can suspend a scan and resume it later where it's stopped.To suspend a running scan, hit [CTRL]+C, Nscan will save where it's paused in 'resume.conf'. The resume configuration file looks something like this:
| 
1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 | $ catresume.conf[NSCAN]hosts = [167772160, 184549376L]ports = [[80, 81]]threads = 1imports = Nonebanner = Truecount = Noneoutput = Noneindexes = [(16777216L, 4194304L, -249, 16776967L, 249)]cooldown = (1000, 1.0) | 
| 
1 | $ ./nscan.py resume resume.conf | 
Cooling Down the Transfer rate
This is a very important option to regulate Nscan with your bandwidth, If you don't choose this properly, Nscan will probably knock off your router and force it to restart since it sends more traffic than your router could handle. You can specify the number of packets that needs to be sent before Nscan should cool down and sleep for a while| 
1 | $ ./nscan.py 10.0.0.0./16-p21-25,8080 --cooldown=100,0.1 | 
If you have a gigabit Ethernet connection, you probably want to disable this:
| 
1 | $ ./nscan.py 0.0.0.0./0-p21-25,8080 --cooldown=[ANY],0 | 
Write Your Own Nscripts
Every nscan script should have a run() function, that takes two arguments:- queue: queue where your script receives ip:port
- event: This tells your script that Nscan is completed the scan, and waiting for your script to finsish before it exits
Every Nscript has this simple skeleton:
| 
1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 | importQueueimportlogging# Import any module you need heredefrun(queue, event):    whileTrue:        ifqueue.empty() andevent.isSet():            # If the Scan is completed and the queue is empty (no more results)            break        else:            try:                ip, port =queue.get(False, TIMEOUT) # Should be non-blocking                # Do something useful with IP:PORT            exceptKeyboardInterrupt: # Scan suspended, should exit                break            exceptQueue.Empty: # No results                pass | 
| 
1 
2 | SCRIPT ='MYSCRIPT'logging.info('[{}] {}:{} | {}'.format(SCRIPT, IP, PORT, 'MY RESULTS')) | 
 


