Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/GhostTroops/scan4all/llms.txt

Use this file to discover all available pages before exploring further.

Overview

Optimizing scan4all performance is crucial for large-scale security assessments. This guide covers configuration options, hardware considerations, and best practices for maximum efficiency.

Port Scanning Optimization

nmap Configuration

scan4all uses optimized nmap parameters by default: 
nmap -n --unique --resolve-all -Pn --min-hostgroup 64 --max-retries 0 \
  --host-timeout 10m --script-timeout 3m -oX {filename} \
  --version-intensity 9 --min-rate 10000 -T4
Key optimizations:
  • --min-hostgroup 64: Scans 64 hosts in parallel
  • --min-rate 10000: Minimum packet rate of 10,000 per second
  • --max-retries 0: No retries for faster completion
  • -T4: Aggressive timing template
You can customize nmap parameters in config/config.json under the "nmap" key.

naabu Configuration

Configure naabu settings in config/config.json: 
{
  "naabu": {
    "TopPorts": "1000",
    "ScanAllIPS": true
  }
}
Options:
  • TopPorts: Number of most common ports to scan (default: 1000)
  • ScanAllIPS: Scan all IPs when a domain resolves to multiple addresses

Choosing the Right Scanner

ScannerBest ForSpeedAccuracy
nmapGood networks, detailed fingerprintingFastHigh
naabuPoor networks, basic port detectionVery FastMedium
Enable nmap (recommended): 
export PPSSWWDD=yourRootPassword
export priorityNmap=true
./scan4all -l targets.txt
Use naabu only: 
priorityNmap=false ./scan4all -l targets.txt

DNS Configuration

Optimize DNS resolution for faster scanning: 
{
  "naabu_dns": {
    "resolver": ["8.8.8.8", "1.1.1.1"],
    "rate-limit": 150
  }
}

Thread Configuration

nuclei Threads

Configure POC scanning parallelism: 
{
  "nuclei": {
    "threads": 50,
    "bulk-size": 25,
    "rate-limit": 150
  }
}
Higher thread counts increase speed but may trigger rate limiting or WAF detection. Start conservative and increase gradually.

httpx Configuration

Optimize HTTP probing: 
{
  "httpx": {
    "threads": 50,
    "rate-limit": 150,
    "timeout": 10
  }
}

Elasticsearch Threads

For result storage performance: 
{
  "esthread": 8
}
Increase this value when writing large volumes of results to Elasticsearch.

Cache Management

Enable Caching

Caching dramatically improves performance on repeated scans: 
{
  "CacheName": ".DbCache",
  "autoRmCache": "false"
}
Benefits:
  • Avoids rescanning known targets
  • Speeds up incremental assessments
  • Reduces network traffic
Cache behavior:
  • autoRmCache: true - Automatically deletes cache after scan
  • autoRmCache: false - Preserves cache for next scan
Disable auto-removal when scanning similar targets repeatedly (e.g., continuous monitoring).

System Optimization

File Descriptor Limits

For large-scale scanning, increase system limits: Check current limits: 
ulimit -a
awk '{print $1}' /proc/sys/fs/file-nr
Increase open file limit: 
ulimit -n 819200
Make permanent (Linux): Edit /etc/security/limits.conf: 
* soft nofile 819200
* hard nofile 819200

Docker Elasticsearch Optimization

When using Elasticsearch for results: 
docker run --restart=always --ulimit nofile=65536:65536 \
  -p 9200:9200 -p 9300:9300 -d --name es \
  -v $PWD/logs:/usr/share/elasticsearch/logs \
  -v $PWD/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml \
  -v $PWD/config/jvm.options:/usr/share/elasticsearch/config/jvm.options \
  -v $PWD/data:/usr/share/elasticsearch/data \
  hktalent/elasticsearch:7.16.2
JVM heap size (config/jvm.options): 
-Xms4g
-Xmx4g
Set to 50% of available RAM, but not exceeding 31GB.

Network Optimization

Bandwidth Considerations

Optimal scanning rates by connection:
ConnectionRecommended RateMax Threads
1 Gbps LAN10,000 pps100
100 Mbps5,000 pps50
Poor/Remote1,000 pps25

Network Quality Detection

If experiencing packet loss or incomplete results:
  1. Reduce scan rate: 
    # Edit config/config.json
"nmap": "nmap ... --min-rate 5000 ..."
  2. Switch to naabu: 
    priorityNmap=false ./scan4all -l targets.txt
  3. Enable retries: Modify nmap command to include --max-retries 1

Input Optimization

Target List Preparation

Deduplicate and sort: 
sort -u targets.txt -o targets_clean.txt
Consolidate IPs: When multiple domains resolve to the same IP, scan4all automatically merges port scans. Pre-consolidating can speed up planning: 
# Group by resolved IP
for domain in $(cat domains.txt); do
  echo "$domain,$(dig +short $domain)" >> domain_ip.csv
done

Precision Scanning

For URL lists with specific paths: 
export UrlPrecise=true
./scan4all -l urls.txt
This skips port discovery when full URLs are provided, focusing only on the specified endpoints.

Feature Toggles for Performance

Disable Expensive Features

When speed is critical: 
# Disable subdomain enumeration (very slow)
export EnableSubfinder=false

# Disable SSL deep parsing
export ParseSSl=false

# Disable honeypot detection
export EnableHoneyportDetection=false

./scan4all -l targets.txt

Skip Specific Scan Types

Port scanning only: 
./scan4all -l targets.txt -verify=false -np
Vulnerability detection only (requires existing scan results): 
noScan=true ./scan4all -l nmap_results.xml

Password Brute Force Optimization

Custom Dictionaries

Use targeted dictionaries instead of default wordlists: 
{
  "ssh_username": "custom/ssh_users.txt",
  "ssh_pswd": "custom/top100_passwords.txt",
  "HydraUser": "custom/common_users.txt",
  "HydraPass": "custom/common_passwords.txt"
}
Smaller, targeted dictionaries are faster and often more effective than large generic wordlists.

Disable Password Brute Force

If not needed: 
priorityNmap=false ./scan4all -l targets.txt
Or configure in config/config.json by setting empty dictionary paths.

Monitoring Performance

Enable Statistics

Track scanning progress: 
./scan4all -l targets.txt -stats=true

Verbose Logging

For debugging performance issues: 
./scan4all -l targets.txt -v -debug
Verbose logging significantly slows down scanning. Use only for troubleshooting small batches.

Elasticsearch Performance

Index Optimization

Initialize indices before large scans: 
./config/initEs.sh

Bulk Insert Configuration

{
  "enableEsSv": true,
  "esthread": 16,
  "esUrl": "http://127.0.0.1:9200/%s_index/_doc/%s"
}

Query Optimization

Use specific queries instead of scanning all results: 
# Query specific host
http://127.0.0.1:9200/nmap_index/_doc/_search?q=_id:192.168.0.111

# Query with field filter
http://127.0.0.1:9200/nuclei_index/_doc/_search?q=host:"1.2.3.4:8080"

Parallel Execution

For very large assessments, split targets and run multiple instances: 
# Split target list
split -l 1000 targets.txt batch_

# Run parallel instances
for batch in batch_*; do
  ./scan4all -l $batch -o results_$batch.csv &
done

wait
Ensure your system has sufficient resources (CPU, memory, network) for parallel execution.

Performance Checklist

  • Set appropriate file descriptor limits (ulimit -n 819200)
  • Choose optimal port scanner for your network (nmap vs. naabu)
  • Configure thread counts based on target count and resources
  • Enable caching for repeated scans (autoRmCache: false)
  • Use targeted dictionaries for password brute forcing
  • Disable unnecessary features (subdomain enum, SSL parsing)
  • Deduplicate and clean target lists before scanning
  • Monitor with -stats=true for large scans
  • Configure Elasticsearch with adequate heap size
  • Consider parallel execution for massive target sets