loading
loading
Network
A simple Node.js network scanner.
overview
evilscan sweeps an IP address or a subnet for open ports using a full TCP connect scan. Written in Node.js, it covers the everyday port-sweep needs: choose the ports or ranges to test with --port, set how many sockets run at once with --concurrency, and bound each connection with --timeout so a slow host does not stall the run.
It adds context to a plain open-port list. Banner grabbing reads what a service announces, reverse DNS resolution attaches hostnames, optional GeoIP tags each result with a location, and a status filter keeps only the port states you want. Results come out as JSON, XML, or console text via --display so they slot into the next stage.
On Trickest, evilscan is a Network node that takes an IP address or subnet and writes a folder and a file. Run it to find open ports across a range, emit JSON, and pass the live services to a probing or scanning stage downstream.
source github.com/eviltik/evilscan
use cases
Point evilscan at a single IP or a CIDR range with --port to find which TCP ports answer across a whole segment in one pass.
Turn on --banner, --reverse, and --geo so every open port arrives with the service banner, a reverse-DNS hostname, and a GeoIP location, not a bare port number.
Set --display=json so open ports feed cleanly into an httpx or nuclei stage instead of staying as console text.
Adjust --concurrency and --timeout to balance speed against accuracy on flaky hosts, and use --status to keep only the port states you care about.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| ip-address-or-subnet | STRING | · | IP address or subnet to scan (positional target). |
| ports | STRING | --port | Port(s) or ranges to scan, e.g. --port=21,22,23,5900-5902. |
| scan-method | STRING | --scan | Scan method: tcpconnect (full connect, default). |
| status | STRING | --status | Port states to include: T timeout, R refused, O open (default), U unreachable. |
| concurrency | STRING | --concurrency | Maximum number of simultaneous sockets open (default 500). |
| timeout | STRING | --timeout | Maximum milliseconds before closing a connection (default 2000). |
| banner | BOOLEAN | --banner | Grab and display the service banner for each open port. |
| result-format | STRING | --display | Result output format: json, xml, or console. |
Showing key inputs. evilscan exposes 14 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| geoip | BOOLEAN | --geo | Display a GeoIP location for each result (free MaxMind data). |
| ports | STRING | --port | Port(s) or ranges to scan, e.g. --port=21,22,23,5900-5902. |
| banner | BOOLEAN | --banner | Grab and display the service banner for each open port. |
| status | STRING | --status | Port states to include in results: T timeout, R refused, O open (default), U unreachable. |
| timeout | STRING | --timeout | Maximum milliseconds before closing a connection (default 2000). |
| hugescan | BOOLEAN | --hugescan | Allow an IP/port combination count greater than 16,580,355. |
| progress | BOOLEAN | --progress | Display a progress indicator every second. |
| valid-dns | BOOLEAN | --reversevalid | Only display results with a valid reverse DNS, unless ports are specified. |
| concurrency | STRING | --concurrency | Maximum number of simultaneous sockets open (default 500). |
| scan-method | STRING | --scan | Scan method: tcpconnect (full connect, default). tcpsyn and udp are listed but not yet implemented. |
| banner-length | STRING | --bannerlen | Number of banner bytes to grab (default 512). |
| result-format | STRING | --display | Result output format: json, xml, or console. |
| display-dns-lookup | BOOLEAN | --reverse | Display the reverse DNS lookup for each host. |
| ip-address-or-subnet | STRING | · | IP address or subnet to scan (positional target). |
example
# TCP connect sweep of a subnet, grab banners, emit JSONevilscan 198.51.100.0/24 --port=22,80,443,8080 --banner --reverse --display=json{"ip":"198.51.100.10","port":22,"status":"open","banner":"SSH-2.0-OpenSSH_8.9p1 Ubuntu"}{"ip":"198.51.100.10","port":80,"status":"open","banner":"nginx/1.24.0"}{"ip":"198.51.100.10","port":443,"status":"open","banner":"nginx/1.24.0"}{"ip":"198.51.100.23","port":22,"status":"open","banner":"SSH-2.0-OpenSSH_9.6"}{"ip":"198.51.100.23","port":8080,"status":"open","banner":"gunicorn/21.2.0"}{"ip":"198.51.100.42","port":443,"status":"open","banner":"Apache/2.4.57"}{"ip":"198.51.100.77","port":22,"status":"open","banner":""}guidance
Use evilscan for a straightforward TCP connect port sweep of an IP or subnet with banner and reverse-DNS context. For very large, high-speed internet-scale scanning, a tool like masscan is faster. evilscan is the simple, scriptable Node.js option for bounded ranges.
Asynchronous internet-scale port scanner. Far faster for huge ranges; evilscan is simpler with banner and reverse-DNS extras.
Fast Go port scanner built for recon pipelines. A sibling for the same port-sweep role.
faq
related
Quickly map an organization's network ranges using ASN information.
Maximize your resolver count by combining the target's DNS servers with public resolvers.
Expand CIDR ranges into a list of IP addresses easily.
Expand CIDR ranges into a list of IP addresses easily, from a file.
Maintain a list of IPv4 DNS servers verified against baseline servers for accurate responses.
Patched dnsvalidator that keeps only IPv4 resolvers verified against baseline servers.
A subnet feeds evilscan, which sweeps it for open ports and passes the results to httpx so live services land as a queryable output.
Facts on this page come from the live Trickest tool library.