6. Low_Footprint_Alternatives
Scenario 6: Low-Footprint Alternatives — When Nmap Says "Filtered"
Position: Scanning through SOCKS proxy or in low-noise environments
Goal: Discover open ports and services when Nmap returns "filtered" — using tools that work through proxies or generate less noise
Visual Overview
graph TD
A[Need to scan ports?] --> B{Through SOCKS proxy?}
B -->|Yes| C[Naabu -proxy OR proxychains+nmap -sT]
B -->|No| D{Need stealth / low noise?}
D -->|Yes| E[Naabu rate 100-300 OR curl]
D -->|No| F{Fast subnet sweep?}
F -->|Yes| G[Masscan rate 500]
F -->|No| H{CTF / lab speed?}
H -->|Yes| I[RustScan]
H -->|No| J[Standard nmap]
style A fill:#ff6600
style C fill:#00aa00
style E fill:#00aa00
style G fill:#ffaa00
style I fill:#ff4444Why Nmap Shows 'Filtered' Through Proxies
This is the most common confusion when scanning through SOCKS proxies. The short answer: you're using the wrong scan type.
The Core Problem: SYN Scan vs SOCKS Proxy
When you run proxychains nmap -sS <target>, here's what actually happens:
-sS(SYN scan) sends raw IP-layer SYN packets directly from your machine- SOCKS5 proxies operate at the application layer — they expect a full TCP
connect()call - Raw SYN packets never enter the TCP stream the proxy mediates
- The packets either bypass the proxy entirely or get dropped by the proxy's firewall
- Result: nmap reports "filtered" because it never gets a response through the proxy
The Solution: TCP Connect Scan
-sT (TCP CONNECT scan) works because:
- Calls the OS
connect()syscall - libc intercepts it
- proxychains LD_PRELOAD hooks
connect()→ routes through SOCKS5 - Full 3-way handshake completes at the target through the proxy
- nmap gets a real open/closed/filtered determination
Scan Type Compatibility
| Scan Type | Flag | Works Through SOCKS? | Why |
|---|---|---|---|
| TCP SYN | -sS |
❌ No | Raw packet, bypasses proxy |
| TCP Connect | -sT |
✅ Yes | Uses connect() syscall |
| UDP | -sU |
❌ No | Raw packet |
| ACK | -sA |
❌ No | Raw packet |
| ICMP Ping | -PE |
❌ No | ICMP, not TCP |
Mandatory Flags for Proxy Scanning
Always use these together when scanning through a SOCKS proxy:
| Flag | Why It's Required |
|---|---|
-sT |
Only scan type that traverses SOCKS proxy |
-Pn |
Skip ICMP ping — ICMP won't traverse SOCKS, shows all hosts as "down" |
-n |
No DNS resolution — DNS queries leak to local resolver, bypassing proxy |
-T2 |
Slow timing — proxies add 50-200ms latency; default T3 causes false "filtered" timeouts |
The T2 timing trap: The most common mistake after fixing the scan type. Default -T3 has a 1-second timeout per probe. Proxies add 50-200ms per hop. On a multi-hop chain, this pushes you over the timeout threshold, causing nmap to report "filtered" even for open ports. Always use -T2 through proxies.
Tool Selection Guide
| Tool | Speed | Stealth | Proxy Support | Root Required | Best For |
|---|---|---|---|---|---|
| Naabu | 🟡 Fast | 🟢 Low noise | ✅ Native (-proxy) |
No (CONNECT) / Yes (SYN) | Proxy scanning, pipelines |
| RustScan | 🔴 Very fast | 🔴 Very loud | ❌ None (issue #407) | No | CTF/lab speed |
| Masscan | 🔴 Extreme | 🔴 Very loud | ❌ None | Yes | Subnet sweeps |
| curl | 🟢 Slow | 🟢 Minimal | ✅ Native (--socks5) |
No | HTTP checks, banners |
| proxychains+nmap | 🟡 Medium | 🟡 Medium | ✅ Via proxychains | No | Full nmap through proxy |
Risk indicators: 🟢 Low · 🟡 Medium · 🟠 Elevated · 🔴 High
Naabu
Naabu is a fast port scanner from ProjectDiscovery with native SOCKS5 proxy support, rate control, and direct nmap handoff. It's the go-to replacement when nmap returns "filtered" through a proxy.
Installation
# Binary download (recommended — no Go toolchain needed)
NAABU_VER=$(curl -s https://api.github.com/repos/projectdiscovery/naabu/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | tr -d 'v')
curl -sL "https://github.com/projectdiscovery/naabu/releases/download/v${NAABU_VER}/naabu_${NAABU_VER}_linux_amd64.zip" -o /tmp/naabu.zip
unzip -q /tmp/naabu.zip naabu -d /usr/local/bin/ && chmod +x /usr/local/bin/naabu
# Go install (requires Go toolchain)
go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
Commands
# Quiet targeted scan — top 20 ports, rate-limited
naabu -host 172.30.0.100 -top-ports 20 -rate 200 -silent
# TCP CONNECT scan (no root required)
naabu -host 172.30.0.100 -s c -top-ports 100 -rate 300 -silent
# SYN scan (requires root/NET_ADMIN — faster, lower noise)
sudo naabu -host 172.30.0.100 -s s -top-ports 100 -rate 200 -silent
# Through SOCKS proxy — native support, no proxychains needed
naabu -host 172.30.0.100 -proxy 172.30.0.60:1080 -top-ports 20 -silent
# JSON output for pipeline processing
naabu -host 172.30.0.100 -top-ports 100 -json -silent
# Nmap handoff — discover ports fast, then deep-scan only open ones
echo 172.30.0.100 | naabu -silent -nmap-cli 'nmap -sV -sC -oA nmap-output'
# All ports scan
naabu -host 172.30.0.100 -p - -rate 500 -silent
# Passive mode (Shodan lookup — zero packets sent)
naabu -host example.com -passive -silent
OPSEC Risk
| Mode | Noise Level | Packets | Notes |
|---|---|---|---|
SYN scan (-s s) |
🟢 Low | ~1 per port | Requires root. Fastest, cleanest. |
CONNECT scan (-s c) |
🟡 Medium | ~3 per port (full handshake) | No root needed. Slightly louder. |
| Default rate (1000 pps) | 🔴 High | Burst | Designed for VPS. Reduce to 100-300 from local. |
| Rate 100-300 pps | 🟢 Low | Controlled | Recommended for stealth. |
Via proxy (-proxy) |
🟡 Medium | Proxy overhead | Source IP hidden, but proxy traffic visible. |
Passive (-passive) |
🟢 Zero | 0 | Shodan lookup only. No active scanning. |
Key Flags
| Flag | Description | Example |
|---|---|---|
-host |
Target IP or hostname | -host 172.30.0.100 |
-p |
Port list or range | -p 80,443,8080 or -p - (all) |
-top-ports N |
Scan top N common ports | -top-ports 100 |
-rate N |
Packets per second | -rate 200 |
-s c|s |
Scan type: connect or SYN | -s c |
-proxy ip:port |
SOCKS5 proxy (native) | -proxy 172.30.0.60:1080 |
-silent |
Output open ports only | -silent |
-json |
JSON output for pipelines | -json |
-nmap-cli 'cmd' |
Hand off to nmap | -nmap-cli 'nmap -sV' |
-passive |
Shodan lookup, no scanning | -passive |
-ip-version 4 |
IPv4 only (skip IPv6) | -ip-version 4 |
Pitfalls
Default rate is too high from local: Naabu defaults to 1000 pps — tuned for VPS with good connectivity. From a local machine or through a proxy, reduce to -rate 100-300 to avoid dropped packets and false negatives.
SYN scan requires root/NET_ADMIN: Without it, naabu silently falls back to CONNECT scan. Add cap_add: NET_ADMIN to your Docker container or run with sudo.
-nmap flag is deprecated: Use -nmap-cli 'nmap ...' instead. The old -nmap flag was removed in recent versions.
libpcap required for SYN mode: Install libpcap-dev (Ubuntu) or libpcap (Alpine) before using -s s.
IPv6 enabled by default: Naabu scans both IPv4 and IPv6 by default. Use -ip-version 4 to restrict to IPv4 only.
Pipeline Integration
# Naabu → nmap (discover fast, enumerate deep)
naabu -host 172.30.0.100 -p - -rate 1000 -silent -o ports.txt
ports=$(cat ports.txt | cut -d: -f2 | tr '\n' ',' | sed 's/,$//')
nmap -p "$ports" -sV -sC 172.30.0.100
# Naabu → httpx (find web services)
echo 172.30.0.100 | naabu -silent | httpx -silent
# Subfinder → Naabu → httpx (full external recon pipeline)
subfinder -d example.com -silent | naabu -silent | httpx -silent
RustScan
RustScan is an ultra-fast port scanner designed for speed — it finds open ports in seconds then hands off to nmap for service detection. It has NO native SOCKS proxy support (GitHub issue #407). Use it for CTF/lab environments where speed matters more than stealth.
Installation
# .deb package (Ubuntu/Debian)
RUSTSCAN_VER=$(curl -s https://api.github.com/repos/RustScan/RustScan/releases/latest | grep '"tag_name"' | cut -d'"' -f4)
curl -sL "https://github.com/RustScan/RustScan/releases/download/${RUSTSCAN_VER}/rustscan_${RUSTSCAN_VER#v}_amd64.deb" -o /tmp/rustscan.deb
dpkg -i /tmp/rustscan.deb
# Docker (no install needed)
docker run -it --rm --ulimit nofile=5000 rustscan/rustscan -a 172.30.0.100
Commands
# Basic scan — top 1000 ports
rustscan -a 172.30.0.100
# With ulimit (CRITICAL — prevents "too many open files" error)
sudo rustscan --ulimit 5000 -a 172.30.0.100
# Stealth mode — slow batch, long timeout
rustscan -a 172.30.0.100 -b 10 -T 5000 # 10 ports/batch, 5s timeout
# Port range
rustscan --ulimit 5000 -a 172.30.0.100 --range 1-1000
# Nmap handoff — full service detection
sudo rustscan --ulimit 5000 -a 172.30.0.100 -- -sV -sC
# Full enum with scripts
sudo rustscan --ulimit 5000 -a 172.30.0.100 -- -n -Pn -sV --script "default,safe,vuln"
OPSEC Risk
| Mode | Noise Level | Notes |
|---|---|---|
| Default | 🔴 Very loud | Thousands of SYN packets per second |
-b 10 -T 5000 |
🟠 Elevated | Slower but still detectable |
| Any mode | 🔴 No proxy | Cannot route through SOCKS — source IP exposed |
Key Flags
| Flag | Description | Example |
|---|---|---|
-a |
Target address | -a 172.30.0.100 |
--ulimit N |
Open file limit (CRITICAL) | --ulimit 5000 |
-b N |
Batch size (ports per batch) | -b 10 |
-T N |
Timeout in ms | -T 5000 |
--range |
Port range | --range 1-1000 |
-- |
Pass remaining flags to nmap | -- -sV -sC |
Pitfalls
--ulimit is mandatory: Without it, RustScan hits the OS open file limit and crashes with "too many open files". Always set --ulimit 5000 or higher.
No UDP scanning: RustScan only does TCP. Use nmap for UDP.
No native proxy support: Cannot use SOCKS5 proxy. Use Naabu -proxy instead.
Nmap required for service detection: RustScan only finds open ports. Pass -- -sV -sC to get service versions and scripts.
Masscan
Masscan uses its own TCP/IP stack for extreme speed — it can scan the entire internet in under 6 minutes. In lab environments, use low rates (100-500 pps) to avoid overwhelming targets and missing ports.
Installation
# Ubuntu/Debian
apt-get install -y masscan
# macOS
brew install masscan
# Build from source
git clone https://github.com/robertdavidgraham/masscan && cd masscan && make
Commands
# Targeted scan — common ports, controlled rate
sudo masscan -p80,443,8080,22,21,25 172.30.0.100 --rate=500
# Port range scan
sudo masscan -p1-1000 172.30.0.100 --rate=100
# Full port scan (all 65535)
sudo masscan -p1-65535 172.30.0.100 --rate=1000
# Specify interface (required on VPN/tun0)
sudo masscan -p1-1000 172.30.0.100 --rate=500 -e eth0
# Banner grabbing
sudo masscan -p80 172.30.0.100 --banners --source-port 61000
# Output formats
sudo masscan -p1-1000 172.30.0.100 --rate=500 -oL masscan.txt # list format
sudo masscan -p1-1000 172.30.0.100 --rate=500 -oX masscan.xml # XML
sudo masscan -p1-1000 172.30.0.100 --rate=500 -oJ masscan.json # JSON
Port Extraction Pipeline
# Extract open ports from masscan list output → feed to nmap
sudo masscan -p1-65535 172.30.0.100 --rate=1000 -oL mscan.txt
ports=$(awk '/open/ {print $3}' mscan.txt | sort -un | tr '\n' ',' | sed 's/,$//')
nmap -p "$ports" -sV -sC 172.30.0.100
OPSEC Risk
| Mode | Noise Level | Notes |
|---|---|---|
| Default rate | 🔴 Extreme | 100 pps default is still very loud |
--rate=100 |
🔴 High | Detectable by any IDS |
--rate=500 |
🔴 Very loud | Fast but obvious |
| Any mode | 🔴 No proxy | Own TCP stack, cannot use SOCKS |
Own TCP stack conflicts with OS: Masscan bypasses the OS TCP stack. On some systems, the OS sends RST packets in response to masscan's SYN-ACK, disrupting banner grabbing. Use --source-port 61000 to work around this.
Key Flags
| Flag | Description | Example |
|---|---|---|
-p |
Port list or range | -p80,443 or -p1-65535 |
--rate |
Packets per second | --rate=500 |
-e |
Network interface | -e tun0 |
--banners |
Grab service banners | --banners |
--source-port |
Source port (avoids RST) | --source-port 61000 |
-oL/-oX/-oJ |
Output format | -oL out.txt |
Pitfalls
Root required: Masscan always requires root (raw socket access).
No proxy support: Masscan's own TCP stack cannot route through SOCKS proxies.
Rate too high = missed ports: Paradoxically, scanning too fast causes packet loss and missed open ports. Start at --rate=500 and tune down if results seem incomplete.
Interface required on VPN: When using tun0/VPN, always specify -e tun0. Without it, masscan may use the wrong interface.
curl
curl is not a port scanner, but it's the lowest-footprint tool for HTTP service verification. It blends with normal web traffic, supports SOCKS5 natively, and provides timing metrics for latency analysis.
Commands
# HTTP status code check
curl -s -o /dev/null -w "%{http_code}" --connect-timeout 3 http://172.30.0.100/
# Response headers (service fingerprinting)
curl -sI --connect-timeout 3 http://172.30.0.100/
# Page title grab
curl -sL http://172.30.0.100/ | grep -i '<title>'
# Multi-port HTTP check loop
for port in 80 443 8080 8443 8888; do
code=$(curl -sk -o /dev/null -w "%{http_code}" --connect-timeout 2 http://172.30.0.100:$port/ 2>/dev/null)
echo "port $port: $code"
done
# Banner grab via telnet:// scheme (raw TCP)
curl -s --connect-timeout 2 telnet://172.30.0.100:22
# Timing metrics (latency analysis)
curl -s -o /dev/null -w "Connect: %{time_connect}s Total: %{time_total}s Code: %{http_code}\n" \
--connect-timeout 5 http://172.30.0.100/
# Through SOCKS proxy (native support)
curl -s --socks5 172.30.0.60:1080 http://172.30.0.100/
# HTTPS through proxy (ignore cert)
curl -sk --socks5 172.30.0.60:1080 https://172.30.0.100/
# Parallel checks with xargs
echo -e "80\n443\n8080\n8443" | xargs -P4 -I{} curl -sk -o /dev/null \
-w "port {}: %{http_code}\n" --connect-timeout 2 http://172.30.0.100:{}/
OPSEC Risk
| Mode | Noise Level | Notes |
|---|---|---|
| Single HTTP GET | 🟢 Minimal | Indistinguishable from browser traffic |
| Multi-port loop | 🟢 Low | Sequential, slow — looks like normal browsing |
| Via SOCKS proxy | 🟢 Low | Source IP hidden, traffic looks normal |
Parallel (xargs -P) |
🟡 Medium | Multiple simultaneous connections |
Key Flags
| Flag | Description | Example |
|---|---|---|
-s |
Silent (no progress bar) | -s |
-I |
HEAD request (headers only) | -sI |
-o /dev/null |
Discard body | -o /dev/null |
-w "format" |
Write-out format string | -w "%{http_code}" |
--connect-timeout N |
Connection timeout (seconds) | --connect-timeout 3 |
-k |
Ignore SSL cert errors | -sk |
-L |
Follow redirects | -sL |
--socks5 ip:port |
SOCKS5 proxy | --socks5 172.30.0.60:1080 |
-A "agent" |
Custom User-Agent | -A "Mozilla/5.0" |
telnet://ip:port |
Raw TCP connection | telnet://172.30.0.100:22 |
Pitfalls
HTTP only, not a port scanner: curl can only check application-layer services. It cannot determine if a port is open/closed/filtered at the TCP level — use naabu or nmap for that.
No parallel scanning natively: curl is single-threaded. Use xargs -P N for parallel checks, but be aware this increases noise.
HTTPS cert errors: Use -k to ignore self-signed certificates in lab environments.
Proxy Scanning
Scanning through a SOCKS proxy requires specific tool choices and flags. See Why Nmap Shows 'Filtered' Through Proxies for the technical explanation. This section covers the practical commands.
For C2 SOCKS tunnel setup (SSH -D, chisel, ligolo), see 4. C2_SOCKS.md. This section assumes a SOCKS5 proxy is already running at 172.30.0.60:1080.
Mandatory Flags Reference
When scanning through any SOCKS proxy, these flags are non-negotiable:
| Flag | Why Required | Without It |
|---|---|---|
-sT |
Only scan type that traverses SOCKS | Raw packets bypass proxy, "filtered" result |
-Pn |
Skip ICMP ping | ICMP won't traverse SOCKS, all hosts show "down" |
-n |
No DNS resolution | DNS leaks to local resolver, bypasses proxy |
-T2 |
Slow timing | Proxy latency causes false "filtered" timeouts |
proxychains + nmap
The standard approach for tools without native proxy support. Uses a runtime config to avoid modifying the system-wide /etc/proxychains4.conf.
# Create runtime proxychains config (do NOT modify /etc/proxychains4.conf)
docker exec noise-attacker bash -c \
'printf "strict_chain\nproxy_dns\n[ProxyList]\nsocks5 172.30.0.60 1080\n" > /tmp/proxychains-socks.conf'
# Basic proxy scan — top 20 ports
proxychains4 -f /tmp/proxychains-socks.conf -q nmap -sT -Pn -n --top-ports 20 -T2 172.30.0.100
# Quick recon with reason codes
proxychains4 -f /tmp/proxychains-socks.conf -q nmap -sT -Pn -n --top-ports 100 -T2 --reason 172.30.0.100
# Service detection through proxy
proxychains4 -f /tmp/proxychains-socks.conf -q nmap -sT -Pn -n -sV -T2 \
--script=banner,http-title --data-length 50 -f 172.30.0.100
# Full port scan through proxy (slow — use only when needed)
proxychains4 -f /tmp/proxychains-socks.conf -q nmap -sT -Pn -n -p- -T2 \
--reason --data-length 40 -f 172.30.0.100
-q flag on proxychains4: Suppresses the "[proxychains] ... TCP connection" debug output that clutters results. Always use it.
Why runtime config? Modifying /etc/proxychains4.conf system-wide breaks other tools that rely on it (e.g., SSH tunnel-based proxychains tests). Use -f /tmp/proxychains-socks.conf to keep configs isolated.
Naabu Native Proxy (Recommended)
Naabu has built-in SOCKS5 support — no proxychains needed:
# Port scan through SOCKS proxy
naabu -host 172.30.0.100 -top-ports 20 -proxy 172.30.0.60:1080 -silent
# Full port scan through proxy
naabu -host 172.30.0.100 -p - -proxy 172.30.0.60:1080 -rate 200 -silent
# Reach internal-only target via proxy
naabu -host 172.30.1.100 -top-ports 20 -proxy 172.30.0.60:1080 -silent
curl Through SOCKS
For HTTP service verification through proxy:
# HTTP check through SOCKS
curl -s --socks5 172.30.0.60:1080 http://172.30.0.100/
# HTTPS (ignore cert)
curl -sk --socks5 172.30.0.60:1080 https://172.30.0.100/
# Status code only
curl -s --socks5 172.30.0.60:1080 -o /dev/null -w "%{http_code}" http://172.30.0.100/
# Reach internal-only target (not directly accessible from attacker)
curl -s --socks5 172.30.0.60:1080 http://172.30.1.100/ --connect-timeout 5
OPSEC Risk
| Method | Noise Level | Notes |
|---|---|---|
| proxychains+nmap -T2 | 🟡 Medium | Source IP hidden, but scan pattern visible at proxy |
| Naabu -proxy | 🟢 Low | Native proxy, rate-controlled, less overhead |
| curl --socks5 | 🟢 Minimal | Single HTTP request, blends with normal traffic |
| proxychains+nmap -T3 | 🔴 High | Default timing causes false "filtered" AND is loud |
proxychains4 Configuration Reference
# Minimal config for SOCKS5 proxy
strict_chain
proxy_dns
[ProxyList]
socks5 172.30.0.60 1080
# Dynamic chain (skip unavailable proxies)
dynamic_chain
proxy_dns
[ProxyList]
socks5 172.30.0.60 1080
# Multi-hop chain
strict_chain
proxy_dns
[ProxyList]
socks5 172.30.0.60 1080
socks5 172.30.1.50 1080
proxy_dns is mandatory: Without it, DNS queries go to your local resolver, leaking your real IP and bypassing the proxy for hostname resolution.
Multi-Stage Pipelines
The real power of these tools comes from chaining them together: fast discovery → deep enumeration → service fingerprinting.
The 4-Stage Workflow
Stage 1: Fast port discovery → Naabu or Masscan (seconds)
Stage 2: Deep nmap enumeration → nmap -sV -sC on discovered ports only (minutes)
Stage 3: HTTP service enum → httpx on web ports (seconds)
Stage 4: Targeted scripts → nmap NSE or manual checks
Naabu → nmap (Recommended)
# Discover all open ports fast, then deep-scan only those
naabu -host 172.30.0.100 -p - -rate 1000 -silent -o /tmp/ports.txt
ports=$(cat /tmp/ports.txt | cut -d: -f2 | tr '\n' ',' | sed 's/,$//')
nmap -p "$ports" -sV -sC 172.30.0.100
# One-liner using naabu's built-in nmap handoff
echo 172.30.0.100 | naabu -silent -nmap-cli 'nmap -sV -sC -oA /tmp/nmap-output'
Masscan → nmap
# Masscan for fast discovery, nmap for deep enumeration
sudo masscan -p1-65535 172.30.0.100 --rate=1000 -oL /tmp/mscan.txt
ports=$(awk '/open/ {print $3}' /tmp/mscan.txt | sort -un | tr '\n' ',' | sed 's/,$//')
nmap -p "$ports" -sV -sC 172.30.0.100
Naabu → httpx (Web Service Discovery)
# Find all web services across a subnet
echo 172.30.0.100 | naabu -silent | httpx -silent
# With status codes and titles
echo 172.30.0.100 | naabu -silent | httpx -status-code -title -silent
Proxy Pipeline (Through SOCKS)
# Discover ports through proxy, then enumerate via proxy
naabu -host 172.30.0.100 -p - -proxy 172.30.0.60:1080 -silent -o /tmp/proxy-ports.txt
ports=$(cat /tmp/proxy-ports.txt | cut -d: -f2 | tr '\n' ',' | sed 's/,$//')
proxychains4 -f /tmp/proxychains-socks.conf -q nmap -sT -Pn -n -p "$ports" -sV -T2 172.30.0.100
Port Extraction One-Liners
# From naabu output (format: ip:port)
cat naabu-output.txt | cut -d: -f2 | tr '\n' ',' | sed 's/,$//'
# From masscan list output (format: open tcp PORT IP DATE)
awk '/open/ {print $3}' masscan.txt | sort -un | tr '\n' ',' | sed 's/,$//'
# From nmap greppable output (-oG)
grep "Ports:" nmap.gnmap | grep -oP '\d+/open' | cut -d/ -f1 | tr '\n' ',' | sed 's/,$//'
Quick Reference
One Command Per Tool
| Tool | Best Single Command | Notes |
|---|---|---|
| Naabu | naabu -host <IP> -top-ports 100 -rate 200 -silent |
Low noise, no root |
| Naabu (proxy) | naabu -host <IP> -proxy 172.30.0.60:1080 -silent |
Native SOCKS5 |
| RustScan | sudo rustscan --ulimit 5000 -a <IP> -- -sV |
Fast + nmap handoff |
| Masscan | sudo masscan -p1-1000 <IP> --rate=500 |
Subnet sweeps |
| curl | curl -sI --connect-timeout 3 http://<IP>/ |
HTTP fingerprint |
| proxychains+nmap | proxychains4 -f /tmp/proxychains-socks.conf -q nmap -sT -Pn -n --top-ports 20 -T2 <IP> |
Full nmap through proxy |
Decision Matrix
| Situation | Use This |
|---|---|
| Nmap shows "filtered" through proxy | naabu -proxy or proxychains4 -f ... nmap -sT -Pn -n -T2 |
| Need stealth, no proxy | naabu -rate 100-200 -s s (SYN, low rate) |
| Fast subnet sweep | masscan -p1-1000 <subnet>/24 --rate=500 |
| HTTP service check only | curl -sI http://<IP>/ |
| CTF/lab, speed > stealth | rustscan --ulimit 5000 -a <IP> |
| Reach internal-only target | curl --socks5 172.30.0.60:1080 http://<internal-IP>/ |
| Discover then enumerate | naabu -p - -silent | nmap handoff |
Lab Testing
The noise-lab/ directory contains Docker-based test infrastructure to empirically measure the noise (packet counts) of each tool.
Setup
# Start all containers (including new socks-proxy, filtered-target, internal-web)
cd noise-lab
docker compose up -d --build
# Verify all containers running
docker compose ps
Run Alternative Scanner Tests (Scenario 5)
# Measures packet counts for naabu, rustscan, masscan, curl vs nmap baselines
bash noise-lab/tests/scenario5.sh
# Results in JSON format
ls noise-lab/results/scenario5/
cat noise-lab/results/scenario5/naabu_syn_top20.json
Run Proxy Scanning Tests (Scenario 6)
# Tests proxychains+nmap, naabu -proxy, curl --socks5, internal-only targets, filtered target
bash noise-lab/tests/scenario6.sh
# Results
ls noise-lab/results/scenario6/
Lab Network Layout
| Container | IP | Role |
|---|---|---|
| noise-attacker | 172.30.0.20 | Scanner (your machine) |
| noise-target | 172.30.0.100 | Multi-service target |
| noise-socks-proxy | 172.30.0.60 / 172.30.1.50 | SOCKS5 proxy (dual-homed) |
| noise-filtered-target | 172.30.0.70 | Port 80 filtered (iptables DROP) |
| noise-internal-web | 172.30.1.100 | Internal-only web (corpnet) |
Sniffer limitation: The noise-sniffer container shares the target's (172.30.0.100) network namespace. It can only measure traffic that reaches the target's NIC. Tests targeting 172.30.1.100 (internal-web) or 172.30.0.70 via proxy are functional-only — packet counts will be 0 or near-0.