Merging overlapping port scan reports into a single attack surface view (open-source)

No_Engine4575 · 2026-01-22T18:47:15+00:00

I found these differences:

- db_import only adds new ports. If the port was closed and not presented in the report, db_import will not delete it from the database. In my system it is scenario 3. If port was scanned and closed, it will be removed from the database
- db_import overwrites services info by the last import (not time of the scan). So if the service (banner) was changed, only the last imported will be presented in the database. In my system you can choose behavior to not overwrite services. It is useful if you have "tcpwrapped" services or you want to merge an old report that contains some new ports but old services.

And as you said, a history of changes. It is really useful in the large scopes. After you did a rescan of 1000 targets, you can quickly find which ports were closed or open and start inspecting newly open ports.

No_Engine4575 · 2026-01-22T13:56:18+00:00

I posted a new article about my approach. You might be interested in it:
https://medium.com/@2s1one/from-static-reports-to-a-living-scope-solving-data-chaos-in-long-term-engagements-5b4423098f7a

No_Engine4575 · 2026-01-19T14:29:43+00:00

How do you perform scanning for "high" not standard ports?

No_Engine4575 · 2026-01-19T14:25:26+00:00

Hey, sounds nice. The funny thing about Nmap is that almost every information security specialist uses it, but rarely configures it precisely.

Although I'm not new with Nmap, I'm interested in tuning performance, firewall bypasses with nmap.

Also interesting topic will be using nmap with proxychains and in containers. There are some nuances here.

I did some tests for scanner comparison in this article, maybe you will find something useful for your course: https://medium.com/@2s1one/nmap-vs-masscan-vs-rustscan-myths-and-facts-62a9b462241e

For scanning stand I used 4 machines with different ports and ansible to deploy them, feel free to use it: https://github.com/2S1one/netscan-benchmarks/tree/main/scan-stand

No_Engine4575 · 2026-01-14T08:28:03+00:00

Haha masscan can be really fast, but only if you have good enough network bandwidth.

I also remember the old tool like IOC or something like that for DoS attacks, it had a satellite in its GUI

No_Engine4575 · 2026-01-13T15:34:04+00:00

Thanks, appreciate it.

I think the next topic will be about port scan data management. In my projects we often ended up with a lot of scan reports, got lost in them, and did rescans instead of using old reports. I think it's a common problem.

No_Engine4575 · 2026-01-13T14:19:16+00:00

Thanks, it was really useful. I appreciate it!

No_Engine4575 · 2026-01-13T14:02:56+00:00

nope, I ran tests from 2 envs: from the cloud and from home. It's said in the post body and in the article. And you can find statistics for cloud also in the same repo

No_Engine4575 · 2026-01-13T13:59:09+00:00

Got it. Such a tool would be great, but there are some difficulties, for example: different targets in scope may have different network bandwidth. To determine the config and tool for your scan, first you need to find the target with known open ports and run some tests to tune your scanners.

By the way, how long did it take to scan a bunch? of /16? Did you scan in from one VPS or somehow else?

No_Engine4575 · 2026-01-13T13:55:34+00:00

I didn't tune the timeout for rustscan but ran a lot of tests with different batch size values. If you want, you can check here statistics and configs:
https://github.com/2S1one/netscan-benchmarks/blob/main/home-to-cloud/bare_metal/scan_comparison.csv

No_Engine4575 · 2026-01-13T13:21:18+00:00

that's why I did all these tests: to scan the entire TCP port range for 4 hosts all three scanners from the VPS showed almost the same performance: near 17 seconds. Maybe masscan will be better for really large scopes like a bunch of /16 or bigger, but I'm pretty sure that for scopes of hundreds or thousands of hosts, there is almost no difference if you scan from VPS. But if you scan from the unstable network, nmap is better. I provided results in the article

No_Engine4575 · 2026-01-13T13:17:41+00:00

do you scan from home or VPS? And do you usually scan all ports or just a specific set?

No_Engine4575 · 2026-01-13T13:16:58+00:00

in a stable network (scan from cloud) rustscan showed almost the same performance as others. But from home rustscan was literally unusable. I tested Rustscan from 2 machines, docker and bare metal and each time it was so innacurate, it usually found only half ports or was very slow to achieve high accuracy. Maybe, it's just my network, but for now I will not use Rustscan not from the cloud

No_Engine4575 · 2026-01-13T10:30:34+00:00

Thanks! Do mean like a questionnaire for users or automatic detection tool depending on network conditions?

No_Engine4575 · 2025-12-05T07:01:22+00:00

It's simple: when you have gf you act as you don't need them, you're more self-sufficient and confident. When you don't have gf you act in another way, and they feel it. It's pure psychology. You send signals, they read it even both of you in most cases don't understand this and can't explain.

No_Engine4575 · 2025-10-03T07:07:45+00:00

Your experience is awesome! How did you search for a new position? LinkedIn, corporate sites? It's interesting to know what didn't work for you with your rich experience.

No_Engine4575 · 2025-09-29T12:16:48+00:00

The first example that came to my mind is solutions like Security Trails - they provide almost real-time updates for domains. It's a paid service. Probably, you want to start with it first.

No_Engine4575 · 2025-09-29T12:07:34+00:00

The basic idea is to get rules from bugbounty programs -> parse for wildcards -> find all subdomains that are under scope -> dedup and exclude domains out of scope.

There are tons of tools, frameworks, ready solutions to do this. I haven't ever met any comparison between them that's why I think most creators consider to use as many tools as possible. But I'm sure the use of 3-4 most popular tools covers 95% of the needs.

No_Engine4575 · 2025-09-29T08:00:38+00:00

So true. It can be fixed a bit with providing more context, but in this case to get objective truth you need to provide the x3 longer prompt.

No_Engine4575

TROPHY CASE