loading
loading
Network
A fast network scanner optimized for internet-wide scanning, inspired by Masscan and Zmap.
overview
nscan scans for open ports with its own tiny TCP/IP stack and raw sockets, sending TCP SYN probes the way Masscan and Zmap do. It skips SYN cookies, so it does not spend time checking whether a received packet came from its own scan, which keeps it fast across wide ranges of hosts and ports.
Beyond raw port state, nscan can grab service banners and run imported scripts against matched ports, so a scan can both find what is open and pull a first signal about what is listening. A cooldown control paces packet sending to stay within the limits of the host and the network.
On Trickest, nscan takes a target IP and a port set and writes a file and a folder of results. Use it as the port-discovery stage feeding a prober or a service scanner, with banners captured inline when you want service hints in the same pass.
use cases
Point nscan at a target IP or CIDR range with a broad port set and let its raw-socket SYN engine cover the range fast, the way an internet-wide scan needs.
Enable --banner so each open port returns a first service hint in the same pass, without a separate probing run.
Use --import to check specific services, such as an SSH key check on port 22 or a proxy check across a web port range, as ports are found.
Tune --cooldown to sleep between batches of packets so a wide scan does not overrun the host or the upstream network.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| ip | STRING | · | Target IP address or CIDR range to scan. |
| port | STRING | --port | Ports to scan (single, list, or range). |
| style | STRING | -s | Scan type, S for SYN or U for UDP (default S). |
| cooldown | STRING | --cooldown | After every N packets sent, sleep P seconds (default 1000,1). |
| fetch-banners | BOOLEAN | --banner | Fetch service banners for open ports. |
| import-script | STRING | --import | nscan scripts to import (e.g. ssh_key:22+check_proxy:80-85,8080). |
| results-count | STRING | -n | Number of results to return. |
Showing key inputs. nscan exposes 7 inputs in total.
example
# SYN scan a /24 for common ports and grab bannersnscan 198.51.100.0/24 --port 22,80,443,8080 -s S --banner --cooldown 1000,1198.51.100.12 22 open198.51.100.12 80 open198.51.100.45 443 open198.51.100.77 8080 open203.0.113.9 22 open SSH-2.0-OpenSSH_9.6203.0.113.9 80 open Server: nginx/1.24.0203.0.113.21 443 openguidance
Reach for nscan when you need fast port discovery across wide IP ranges with its own packet stack. It finds open ports and can grab banners, but it is not a vulnerability scanner, so feed its output to a prober or nuclei. For mature Go-based scanning, masscan and naabu are close siblings.
The internet-wide SYN scanner nscan is modeled on. Larger ecosystem, nscan adds inline banner and script support.
Go port scanner that integrates cleanly with httpx and nuclei. nscan leans toward raw-socket speed.
Single-port internet-wide research scanner. nscan handles multi-port scans with banners in one tool.
faq
related
Quickly map an organization's network ranges using ASN information.
Maximize your resolver count by combining the target's DNS servers with public resolvers.
Expand CIDR ranges into a list of IP addresses easily.
Expand CIDR ranges into a list of IP addresses easily, from a file.
Maintain a list of IPv4 DNS servers verified against baseline servers for accurate responses.
Patched dnsvalidator that keeps only IPv4 resolvers verified against baseline servers.
A target IP feeds nscan, which finds open ports and passes them to httpx for probing before the live ports land as a queryable output.
Facts on this page come from the live Trickest tool library.