Network scanning in an OSINT context is passive-first: before using active scanners, check passive intelligence platforms such as Shodan, Censys, and Nmap-online to avoid leaving traces on target systems.
Active port scanning without authorization may be illegal in your jurisdiction. Use passive sources first, and only run active scans against systems you own or have explicit written permission to test.

Tools

| Tool | Speed | URL | Ideal Use |
| --- | --- | --- | --- |
| Nmap | Medium | https://nmap.org | Complete scan with OS and service detection |
| Masscan | Very fast | https://github.com/robertdavidgraham/masscan | Internet-scale port sweeps |
| RustScan | Very fast | https://github.com/RustScan/RustScan | Fast initial discovery, then hand off to Nmap |
| Nuclei | Template-based | https://github.com/projectdiscovery/nuclei | Automated vulnerability detection via templates |

Speed comparison

# Scan 65k ports on 1 IP
nmap: ~5 minutes
rustscan: ~10 seconds then nmap
masscan: ~5 seconds (less detail)

1. Passive recon first

Check Shodan and Censys for already-indexed results on the target IP range before running active scans.

2. Fast port discovery with RustScan

Use RustScan to identify open ports in seconds, then pass the discovered port list to Nmap for deeper analysis.

3. Service and version detection with Nmap

Run Nmap with -sV and -sC flags against the ports identified by RustScan for OS fingerprinting and service banner grabbing.

4. Vulnerability scan with Nuclei

Run Nuclei against confirmed services using community templates to identify known vulnerabilities and misconfigurations.
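
The hand-off from Nmap to Nuclei in the last two steps, as an added example that is not part of the original page: it parses Nmap XML output (`-oX`), drops every host outside the authorized scope, and builds the URL list of confirmed HTTP(S) services for Nuclei. The sample XML, the scope list and the function names are constructed for illustration, and only IPv4 host addresses are handled.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (RFC 5737 documentation addresses).
SAMPLE_XML = """<nmaprun>
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="8443"><state state="open"/><service name="http" tunnel="ssl"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
</ports></host>
<host><status state="up"/><address addr="198.51.100.7" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port></ports>
</host>
</nmaprun>"""

# Assumption: the ranges named in your written authorization.
AUTHORIZED_SCOPE = ["192.0.2.0/24"]

def in_scope(addr, scope):
    """True if addr falls inside one of the authorized networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in scope)

def open_services(xml_text, scope):
    """Return (open services on in-scope hosts, out-of-scope hosts seen)."""
    services, skipped = [], []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        if not in_scope(addr, scope):
            skipped.append(addr)  # never forwarded to the next tool
            continue
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            tls = svc is not None and svc.get("tunnel") == "ssl"
            services.append((addr, int(port.get("portid")), name, tls))
    return services, skipped

def web_targets(services):
    """URL list for Nuclei, built from HTTP(S) services only."""
    return [f"{'https' if tls or name == 'https' else 'http'}://{addr}:{port}"
            for addr, port, name, tls in services if name in ("http", "https")]
```

The parser is meant for XML written by your own Nmap run; for files received from elsewhere, use a hardened XML parser.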
