4
resdac
5y

Does anyone know a fast way to do a port scan? I'm trying to probe 65535 ports in under 30 seconds.

Comments
  • 1
    Maybe by distributing the task (not an expert, just the first thought that comes to mind).
  • 3
    @possum parallel scans?
  • 2
    @netikras I tried it using Python, but with threads I get random issues where threads just get stuck because of a slow port.
  • 0
    @netikras Yes, but as @resdac said, a slow port in one thread (or however parallel polling is achieved) could be a problem.
  • 1
    @possum That's what timeouts are for.
  • 5
    Are you trying to do a full TCP connection?
    It might be faster if you just send 65535 SYN packets via raw sockets and listen for any ACK or RST ones coming back.
  • 0
    @sbiewald IMO that is a very good idea if the target is likely to have hundreds or thousands of ports open. Ports that are not open are acknowledged by RST anyway, effectively causing a fail-fast IOException.

    Correct me if I'm wrong, but your solution reduces time only for successful port tests, which is usually ~10/65535 cases?
  • 3
    Maybe you'd like to take a look into nmap, Unicornscan, Angry IP Scanner, Netcat or Zenmap.

    I prefer nmap every time.
  • 3
    Check out nmap.
    It's fast and has APIs too.
  • 0
    Might have found a solution with zmap and pfring, but the installation is going rough.
  • 0
    This is a problem I've run into frequently, because of other hosts on the network, bandwidth limitations, crosstalk, long cable runs or other things that cause signal degradation, fragmentation errors, the need to try closed ports multiple times in case a packet was simply dropped, etc.

    There are just too many factors. Even if you are trying ports in parallel, there's a point where it's too fast to trust the results. Ports that you know for a fact are open report closed or filtered, because the network is failing to deliver responses before the timeout.

    My best suggestions are:
    1) limit the ports you want scanned
    2) scan at night or when it taking forever isn't a big deal
    3) scan always, on a loop. Slowly. If a port was open 2 hrs ago, it's probably open now if it's a legitimate service. Is 2 hours too old for that specific port? Do that one again as needed in real time.

    I prefer 3 because, let's be honest, if it takes 2 hrs to run, then the first port tested is 2 hrs old anyway.
  • 0
    I've sort of completed my research. In general, nmap is the slowest of them all. Masscan is reasonable. But custom python is like 4h for roughly 250 hosts (65535 ports).
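Putting together the two suggestions from the thread (scan in parallel, and bound every probe with a timeout so one slow port cannot stall the run the way the OP's threads did), here is an added example that is not code from any commenter: an asyncio connect scan in Python where a silent port can only hold its slot for `timeout` seconds. The target is a listener on 127.0.0.1 that the example creates itself, and the host, port range, timeout and concurrency values are assumptions.

```python
import asyncio
import socket
from typing import Dict, Iterable


async def probe(host: str, port: int, timeout: float, sem: asyncio.Semaphore) -> str:
    """Full TCP connect to one port. The timeout is the fix for the stuck-thread problem:
    a port that never answers can only occupy a slot for `timeout` seconds."""
    async with sem:  # cap the number of simultaneous half-open/open connections
        try:
            _, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
            writer.close()           # SYN/ACK arrived, handshake completed
            return "open"
        except asyncio.TimeoutError:
            return "filtered"        # neither SYN/ACK nor RST before the deadline (or just slow)
        except ConnectionRefusedError:
            return "closed"          # RST came back, the fast path for most ports
        except OSError:
            return "error"           # e.g. fd exhaustion; lower `concurrency` if you see this


async def scan_async(host: str, ports: Iterable[int], timeout: float, concurrency: int) -> Dict[int, str]:
    sem = asyncio.Semaphore(concurrency)
    ports = list(ports)
    results = await asyncio.gather(*(probe(host, p, timeout, sem) for p in ports))
    return dict(zip(ports, results))


def scan(host: str, ports: Iterable[int], timeout: float = 1.0, concurrency: int = 500) -> Dict[int, str]:
    """Synchronous entry point: returns {port: "open" | "closed" | "filtered" | "error"}."""
    return asyncio.run(scan_async(host, ports, timeout, concurrency))


def listen_on_localhost():
    """Constructed sample target: a listener on an ephemeral 127.0.0.1 port. Returns (socket, port)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s, s.getsockname()[1]


def free_port_without_listener() -> int:
    """Constructed sample: grab an ephemeral port and release it, so nothing listens there."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = listen_on_localhost()
    results = scan("127.0.0.1", list(range(1, 1025)) + [open_port], timeout=0.5)
    print({p: s for p, s in results.items() if s != "closed"})
    srv.close()
```

On a real network the "filtered" bucket is where the later comment's warning applies: with an aggressive timeout, dropped responses show up as filtered, so retry that bucket slowly rather than trusting a single pass.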