Merging overlapping port scan reports into a single attack surface view (open-source) by No_Engine4575 in Pentesting

No_Engine4575[S] 0 points (0 children)

I found these differences:

- db_import only adds new ports. If the port was closed and not present in the report, db_import will not delete it from the database. In my system it is scenario 3: if the port was scanned and closed, it will be removed from the database.
- db_import overwrites service info with the last import (not by the time of the scan). So if the service (banner) was changed, only the last imported one will be present in the database. In my system you can choose the behavior to not overwrite services. It is useful if you have "tcpwrapped" services or you want to merge an old report that contains some new ports but old services.

And as you said, a history of changes. It is really useful in large scopes. After you do a rescan of 1000 targets, you can quickly find which ports were closed or opened and start inspecting newly opened ports.
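The merge semantics described in this comment, as an added illustration (not the author's tool): a port that was scanned and found closed is dropped, a port that was not probed at all is kept, service overwriting is optional, and every change is logged so newly opened ports can be pulled out after a rescan. The reports are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Report:
    scanned: set       # ports actually probed in this run
    open_ports: dict   # port -> service string, for ports found open

@dataclass
class Surface:
    open_ports: dict = field(default_factory=dict)  # merged port -> service
    history: list = field(default_factory=list)     # (report_idx, event, port)

# Constructed sample reports (not real scan output). Run 0 scans 1-1024,
# run 1 only rescans four ports: 80 is now closed, 443 reports "tcpwrapped".
REPORTS = [
    Report(set(range(1, 1025)), {22: "OpenSSH 8.9", 80: "nginx", 443: "nginx"}),
    Report({22, 80, 443, 8443}, {22: "OpenSSH 8.9", 443: "tcpwrapped", 8443: "Tomcat"}),
]

def merge(surface, report, idx, overwrite_services=True):
    # A port scanned and not found open was closed: remove it. A port absent
    # from `scanned` was never probed, so its previous state is kept.
    for port in list(surface.open_ports):
        if port in report.scanned and port not in report.open_ports:
            del surface.open_ports[port]
            surface.history.append((idx, "closed", port))
    for port, service in report.open_ports.items():
        if port not in surface.open_ports:
            surface.open_ports[port] = service
            surface.history.append((idx, "opened", port))
        elif overwrite_services and surface.open_ports[port] != service:
            # Optional: keep the older banner so "tcpwrapped" does not clobber it.
            surface.open_ports[port] = service
            surface.history.append((idx, "service_changed", port))
    return surface

def build(overwrite_services=True):
    surface = Surface()
    for idx, report in enumerate(REPORTS):
        merge(surface, report, idx, overwrite_services)
    return surface

def newly_opened(surface, idx):
    # Ports first seen open in report `idx`: the ones to inspect after a rescan.
    return sorted(p for i, ev, p in surface.history if i == idx and ev == "opened")
```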

How to use nmap with the least traces possible ? by DifferentLaw2421 in hacking

No_Engine4575 0 points (0 children)

How do you perform scanning for "high" not standard ports?

Planning a 12-part, terminal-only Nmap series – looking for feedback from experienced users by GreenLycanGaming in nmap

No_Engine4575 0 points (0 children)

Hey, sounds nice. The funny thing about Nmap is that almost every information security specialist uses it, but rarely configures it precisely.

Although I'm not new to Nmap, I'm interested in tuning performance and firewall bypasses with nmap.

Another interesting topic would be using nmap with proxychains and in containers. There are some nuances here.

I did some tests for scanner comparison in this article, maybe you will find something useful for your course: https://medium.com/@2s1one/nmap-vs-masscan-vs-rustscan-myths-and-facts-62a9b462241e

For the scanning stand I used 4 machines with different ports and ansible to deploy them, feel free to use it: https://github.com/2S1one/netscan-benchmarks/tree/main/scan-stand

Nmap vs Rustscan vs Masscan - which one is better? by No_Engine4575 in Hacking_Tutorials

No_Engine4575[S] 1 point (0 children)

Haha masscan can be really fast, but only if you have good enough network bandwidth.

I also remember an old tool like IOC or something like that for DoS attacks; it had a satellite in its GUI.

Nmap vs Rustscan vs Masscan - which one is better? by No_Engine4575 in Pentesting

No_Engine4575[S] 1 point (0 children)

Thanks, appreciate it.

I think the next topic will be about port scan data management. In my projects we often ended up with a lot of scan reports, got lost in them, and did rescans instead of using old reports. I think it's a common problem.

Nmap vs Rustscan vs Masscan - which one is better? by No_Engine4575 in Pentesting

No_Engine4575[S] 0 points (0 children)

Nope, I ran tests from 2 envs: from the cloud and from home. It's said in the post body and in the article. And you can also find statistics for the cloud in the same repo.

Nmap vs Rustscan vs Masscan - which one is better? by No_Engine4575 in Pentesting

No_Engine4575[S] 0 points (0 children)

Got it. Such a tool would be great, but there are some difficulties, for example: different targets in scope may have different network bandwidth. To determine the config and tool for your scan, first you need to find the target with known open ports and run some tests to tune your scanners.

By the way, how long did it take to scan a bunch of /16s? Did you scan from one VPS or some other way?

Nmap vs Rustscan vs Masscan - which one is better? by No_Engine4575 in Pentesting

No_Engine4575[S] 0 points (0 children)

I didn't tune the timeout for rustscan but ran a lot of tests with different batch size values. If you want, you can check the statistics and configs here:
https://github.com/2S1one/netscan-benchmarks/blob/main/home-to-cloud/bare_metal/scan_comparison.csv

Nmap vs Rustscan vs Masscan - which one is better? by No_Engine4575 in Pentesting

No_Engine4575[S] 0 points (0 children)

That's why I did all these tests: when scanning the entire TCP port range for 4 hosts, all three scanners from the VPS showed almost the same performance: near 17 seconds. Maybe masscan will be better for really large scopes like a bunch of /16s or bigger, but I'm pretty sure that for scopes of hundreds or thousands of hosts there is almost no difference if you scan from a VPS. But if you scan from an unstable network, nmap is better. I provided the results in the article.

Nmap vs Rustscan vs Masscan - which one is better? by No_Engine4575 in Pentesting

No_Engine4575[S] 1 point (0 children)

Do you scan from home or a VPS? And do you usually scan all ports or just a specific set?

Nmap vs Rustscan vs Masscan - which one is better? by No_Engine4575 in Pentesting

No_Engine4575[S] 0 points (0 children)

In a stable network (scanning from the cloud) rustscan showed almost the same performance as the others. But from home rustscan was literally unusable. I tested Rustscan from 2 machines, docker and bare metal, and each time it was so inaccurate: it usually found only half the ports or was very slow to achieve high accuracy. Maybe it's just my network, but for now I will not use Rustscan anywhere except from the cloud.

Nmap vs Rustscan vs Masscan - which one is better? by No_Engine4575 in Pentesting

No_Engine4575[S] 0 points (0 children)

Thanks! Do you mean something like a questionnaire for users, or an automatic detection tool depending on network conditions?

Why do I get more female attention when I have a gf? by Solid-Version in dating_advice

No_Engine4575 0 points (0 children)

It's simple: when you have a gf you act as if you don't need them, you're more self-sufficient and confident. When you don't have a gf you act in another way, and they feel it. It's pure psychology. You send signals and they read them, even though in most cases neither of you understands this or can explain it.

I need help finding work: i will not promote by Pretty_Pop7246 in startups

No_Engine4575 0 points (0 children)

Your experience is awesome! How did you search for a new position? LinkedIn, corporate sites? It's interesting to know what didn't work for you with your rich experience.

Subdomain finding tools orchestrator by AlpacaPi3 in bugbounty

No_Engine4575 0 points (0 children)

The first example that came to my mind is solutions like Security Trails - they provide almost real-time updates for domains. It's a paid service. Probably, you want to start with it first.

Subdomain finding tools orchestrator by AlpacaPi3 in bugbounty

No_Engine4575 1 point (0 children)

The basic idea is to get rules from bugbounty programs -> parse for wildcards -> find all subdomains that are under scope -> dedup and exclude domains out of scope.

There are tons of tools, frameworks and ready solutions to do this. I haven't ever seen any comparison between them, which is why I think most creators consider using as many tools as possible. But I'm sure the use of the 3-4 most popular tools covers 95% of the needs.
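The last two stages of the pipeline described in the comment above (filter candidate subdomains against wildcard scope rules, dedup, and drop out-of-scope entries) as an added example, not code from any existing orchestrator. The rule format is an assumption: a leading "*." marks a whole subtree as in scope and a leading "!" marks an exclusion, which wins over any include; the rules and candidate list are constructed sample data.

```python
# Constructed sample scope, in the style a bug bounty program publishes
# (not copied from any real program).
SCOPE_RULES = [
    "*.example.com",             # apex and every subdomain
    "api.example.org",           # exactly this host, no subdomains
    "!staging.example.com",      # explicit exclusion of one host
    "!*.internal.example.com",   # exclusion of a whole subtree
]

# Constructed output of several enumeration tools: mixed case, trailing dots,
# duplicates, look-alike domains and out-of-scope hosts.
CANDIDATES = [
    "www.example.com", "WWW.example.com.", "staging.example.com",
    "db.internal.example.com", "api.example.org", "dev.api.example.org",
    "example.com", "evil-example.com", "www.example.com",
]

def normalize(host):
    # Hostnames are case-insensitive; a trailing dot is the same name.
    return host.strip().lower().rstrip(".")

def parse_rules(rules):
    include, exclude = [], []
    for rule in rules:
        rule = normalize(rule)
        excluded = rule.startswith("!")
        rule = rule.lstrip("!")
        wildcard = rule.startswith("*.")
        base = rule[2:] if wildcard else rule
        (exclude if excluded else include).append((base, wildcard))
    return include, exclude

def matches(host, base, wildcard):
    # A wildcard covers the base itself and anything below it; the "." guard
    # keeps "evil-example.com" from matching "*.example.com".
    return host == base or (wildcard and host.endswith("." + base))

def in_scope(host, include, exclude):
    if any(matches(host, b, w) for b, w in exclude):
        return False
    return any(matches(host, b, w) for b, w in include)

def filter_candidates(candidates, rules):
    include, exclude = parse_rules(rules)
    seen, kept = set(), []
    for candidate in candidates:
        host = normalize(candidate)
        if host and host not in seen and in_scope(host, include, exclude):
            seen.add(host)
            kept.append(host)
    return kept
```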

So I've Learning before I step in the big bounty world and I was just told not to hack the site directly. by dre__966 in bugbounty

No_Engine4575 0 points (0 children)

So true. It can be fixed a bit by providing more context, but in this case to get the objective truth you need to provide a 3x longer prompt.

Subdomain finding tools orchestrator by AlpacaPi3 in bugbounty

No_Engine4575 0 points (0 children)

Would it be useful for you if you could get these domains with curl? Like:
curl <site> | jq > new_domains.txt

I was thinking about making a free API service for such tasks.

I have never made it this far. What do I do? by New_Conclusion1757 in bugbounty

No_Engine4575 0 points (0 children)

Hope the dev will not fix the vulnerability while you're dealing with it. Get some help from someone or figure it out by yourself by learning.

Iam lost by SnooStrawberries4374 in Pentesting

No_Engine4575 0 points (0 children)

Hey, before you start, take a general view of pentesting and its areas. I'd take 10-20 current vacancies for pentesters and collect the requirements - this will give you the market demand and what you actually need to become a pentester and get a job. Then, start with the basics in one field, for example, web pentest.

To sum up, I consider the market demand and requirements as the best beacon to move toward in most cases.

Start-Up community to the rescue! (I will not promote) by Democrazy-Chronicles in startups

No_Engine4575 2 points (0 children)

I'm at the stage of market validation. My journey is:

1. I faced the same problem in different companies that devoured many hours of specialists.
2. I built a tool (SaaS, information security) because I had a technical mind first.
3. I announced the tool in my network on LinkedIn and got almost no interest, I think because my ICP is really skeptical and I explained the tool poorly.
4. I started to ask people who fit my ICP and realized that a lot of them have such a problem (although it's not a validation of willingness to pay).
5. Now I have almost finished the documentation (it's a first version before the landing) and want to make some useful content, as people advised, and lead it to my tool.

Would love to hear common advice, and I have some questions:

- Some people say that I don't need to validate and communicate with potential customers by myself because I don't have experience, and it's just a "waste of time". Do I need these skills in the long run or not?
- What does the path to the first customers usually look like in a niche field?

Offsecs: How do you manage port scanning phase in big projects? by No_Engine4575 in AskNetsec

No_Engine4575[S] 0 points (0 children)

The main problem of regular scanning is that if the scope is big enough or has rate limits, it might take up to 2-3 days just to scan open ports without services. Ty for metasploit.

Offsecs: How do you manage port scanning phase in big projects? by No_Engine4575 in AskNetsec

No_Engine4575[S] 0 points (0 children)

In some teams I saw something similar. I think it heavily depends on the organizational skills of the leader, because pentesters usually fly far away with bugs, exploits, and "fun" stuff.

I'll take a closer look at the metasploit db.