PickYourTechPickYourTech home
scan4all logo

scan4all

Unified, fast, multi-protocol vulnerability scanner for red teams

Vulnerability Scanners

scan4all combines port scanning, service enumeration, and over 15,000 POCs into a single, cross‑platform Go binary for automated red‑team assessments.

Overview

Overview

scan4all is a Go‑based, cross‑platform scanner that unifies port discovery, service fingerprinting, and vulnerability exploitation. It bundles popular tools such as vscan, nuclei, subfinder, and ksubdomain, delivering more than 15,000 proof‑of‑concept checks in one executable.

Capabilities & Deployment

The tool supports 146 protocols, intelligent password blasting with custom dictionaries, and smart SSL analysis that auto‑generates sub‑domain targets. Results can be exported as JSON, CSV, TXT, or streamed directly to Elasticsearch for real‑time dashboards. Installation is straightforward via go install or pre‑built releases, and it runs on Linux, Windows, and macOS. Optional nmap integration provides faster scans when available, though it requires a root password environment variable.

Who Benefits

Security teams, penetration testers, and researchers looking for a single, highly configurable binary to automate reconnaissance, credential spraying, and large‑scale vulnerability assessment will find scan4all especially valuable.

Highlights

Integrated vscan, nuclei, subfinder, and ksubdomain in one binary
Supports 146 protocols and over 90,000 port‑scanning rules
Intelligent password blasting with custom dictionaries
Smart SSL analysis with automatic sub‑domain enumeration

Pros

  • Highly customizable via config.json
  • Cross‑platform Go binary works on Linux, Windows, macOS
  • Large POC library (>15k) enables fast vulnerability detection
  • Built‑in Elasticsearch integration for centralized result storage

Considerations

  • Relies on external tools like nmap for some scans
  • High network traffic may cause incomplete results on poor connections
  • Root password must be set in an environment variable for nmap usage
  • Complex configuration can be overwhelming for beginners

Managed products teams compare with

When teams consider scan4all, these hosted platforms usually appear on the same shortlist.

Qualys VMDR logo

Qualys VMDR

Risk-based vulnerability management with automated prioritization and patching.

Rapid7 InsightVM logo

Rapid7 InsightVM

Vulnerability management with live dashboards, unified agent, and risk-based prioritization

Tenable Vulnerability Management logo

Tenable Vulnerability Management

Risk-based vulnerability management for continuous discovery, prioritization, and remediation

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • Security teams needing automated multi‑protocol scanning
  • Penetration testers who prefer a single binary for reconnaissance
  • Organizations integrating scan results into SIEM or Elasticsearch
  • Researchers evaluating large POC datasets

Not ideal when

  • Environments with strict outbound traffic limits
  • Users seeking a lightweight single‑protocol scanner
  • Teams without Go or Docker setup for installation
  • Scenarios requiring minimal false‑positive tuning out of the box

How teams use it

Comprehensive external network assessment

Identify open ports, services, and applicable exploits across thousands of IPs in a single run.

Web application fingerprinting and vulnerability detection

Automatically generate fingerprints and run 15k+ POCs to surface web‑specific flaws.

Credential spraying across multiple services

Perform password blasting on RDP, SSH, MySQL, etc., using custom dictionaries and prioritize high‑value targets.

Continuous monitoring with Elasticsearch

Stream scan results into Elasticsearch for real‑time dashboards and alerting.

Tech snapshot

Go94%
Python4%
Shell1%
Ruby1%
JavaScript1%
Batchfile1%

Tags

bugbountypentest-toolattacknmapvulnerability-detection0daytoolsnucleihackersecurity-scannersshvulnerabilities-scansecurity-toolshacktoolsautovulnerability-scannersgolangreconbrute-forcebugbounty-tools

Frequently asked questions

How do I install scan4all?

Use `go install github.com/GhostTroops/scan4all@<version>` or download a release binary; it runs on Linux, Windows, and macOS.

Do I need nmap for scanning?

scan4all uses naabu by default; nmap is optional and automatically enabled if present, offering faster scans but requiring a root password environment variable.

Can I customize password dictionaries?

Yes, custom dictionaries can be defined in `config/config.json` for password blasting and POC loading.

What output formats are supported?

Results can be saved as JSON, TXT, CSV, printed to STDOUT, or bulk‑uploaded to Elasticsearch.

Is HTTP request smuggling detection included?

Yes, scan4all detects CL‑TE, TE‑CL, TE‑TE, CL_CL, and BaseErr smuggling techniques.

Project at a glance

Dormant
Visit siteView repo
Stars
5,943
Watchers
5,943
Forks
711
LicenseBSD-3-Clause
Repo age3 years old
Last commit2 years ago
Primary languageGo

Last synced yesterday