Nmap
Nmap is the Swiss Army knife of network mappers, scripting port scans, OS fingerprinting, and service versions across subnets with NSE plugins for vuln detection. Fire up its CLI for SYN sweeps or full connects, piping outputs to grep for targeted recon in your toolkit. Open-source legend from Gordon Lyon, it's the network navigator for pentesters charting topologies with surgical precision.
Masscan
Masscan is the internet-scale scanner that blasts through ports at gigabit speeds, mimicking Nmap's banner grabbing for massive subnets without the wait. Tune rates via CLI for controlled floods, exporting open hosts for follow-up probes in recon chains. Open-source from robertdavidgraham, it's the velocity vanguard for analysts scanning the web's underbelly.
ZMap
ZMap is the single-packet IPv4 scanner for rapid host discovery, probing the entire internet for open ports with modular output for blackhole detection or census data. Compile its C code, run on ranges with -p flags, and pipe to ZGrab for service details. Open-source from zmap-io, it's the global gazer for researchers mapping exposed surfaces at scale.
RustScan
RustScan is the ultra-fast port scanner that pipes open ports straight to Nmap for service enum, blending speed with depth for efficient recon without manual chaining. Install via cargo, target IPs with -- -sV for version scans, and customize scripts for tailored outputs. Open-source from RustScan, it's the turbo tuner for pentesters accelerating discovery pipelines.
Naabu
Naabu is the Go-based port scanner with host discovery and service probing, outputting JSON for easy integration into recon tools like Nuclei for vuln chaining. Run on CIDRs with -top-ports for quick hits, tuning exclusions for focused sweeps. Open-source from projectdiscovery, it's the port pioneer for OSINT pros templating network baselines.
Unicornscan
Unicornscan is the asynchronous TCP/UDP scanner with statistical analysis for banner grabbing and port states, ideal for stealthy sweeps on large nets. Compile its C code, target ranges with /tcp flags, and parse stats for anomaly spotting. Open-source from unicornscan, it's the stat sleuth for network explorers crunching data from distant scans.
ZGrab2
ZGrab2 is the banner grabber that follows ZMap's discoveries, fetching service details like HTTP headers or SSH versions for enriched recon datasets. Run its Go binary on host lists with -field options, exporting JSON for SIEM feeds. Open-source from zmap-io, it's the detail digger for researchers enriching port maps with protocol intel.
fping
fping is the parallel ping sweeper for alive host discovery, wordlisting IPs with ICMP for quick subnet baselines without sequential waits. Compile from C, run on ranges with -a for alive lists, scripting for alive-dead diffs. Open-source from tmat, it's the heartbeat hunter for network nomads templating host viability checks.
netdiscover
netdiscover is the passive ARP scanner for LAN host mapping, sniffing broadcasts to list MACs, vendors, and IPs without active probes for stealthy recon. Run its C binary on interfaces with -P for passive mode, exporting for ARP spoofing setups. Open-source from Netdiscover, it's the silent surveyor for internal pentesters charting local nets.
Angry IP Scanner

