ScanCannon
A script for credentials-based attack surface enumeration and general reconnaissance of massive networks
ScanCannon v1.5

A Bash script for efficient credentials-based attack surface enumeration and general reconnaissance of massive external network ranges.
ScanCannon handles the enumeration of extremely large networks (such as the Internet) at speeds as high as the infrastructure can handle, specifically looking for credentials-based attack surfaces and APIs. It uses masscan to quickly identify open ports, then calls nmap to gain detailed information on the systems and services listening on those ports, compensating for masscan's lack of accuracy. The final artifact is an array of flat text files full of IPs, hostnames, and interesting services that you can easily load into the next tool in your kill chain.
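The masscan-to-nmap hand-off described above, as an added example that is not ScanCannon's own code: it assumes masscan_output.txt is in masscan's list (-oL) format and that the hosts_and_ports.txt shape is one "ip:port,port" line per host; the sample scan lines are constructed.

```shell
#!/bin/sh
# Added example, not ScanCannon's own code: the masscan -> nmap hand-off the
# README describes. Assumes masscan_output.txt is masscan's list (-oL) format,
# whose data lines look like:  open tcp 22 203.0.113.5 1700000000
set -eu

# Collapse masscan list output into one "ip:port,port" line per host, the
# shape of hosts_and_ports.txt. UDP lines are ignored: ScanCannon leaves UDP
# to nmap (the -u flag), so only TCP hits feed the nmap phase.
masscan_to_hosts_and_ports() {
    awk '
        $1 == "open" && $2 == "tcp" {
            if ($4 in ports) ports[$4] = ports[$4] "," $3
            else ports[$4] = $3
        }
        END { for (ip in ports) print ip ":" ports[ip] }
    ' "$1" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# Per-host nmap command: no host discovery (masscan already saw the port
# open), version detection only on those ports, and the three output files
# the results tree keeps (nmap / gnmap / xml). $2 is the output directory.
nmap_cmd_for() {
    ip="${1%%:*}"; ports="${1#*:}"
    base="$2/$(printf '%s' "$ip" | tr . _)"
    printf 'nmap -Pn -sV -p %s -oN %s.nmap -oG %s.gnmap -oX %s.xml %s\n' \
        "$ports" "$base" "$base" "$base" "$ip"
}

# Constructed sample of masscan -oL output (not real scan data).
SAMPLE_MASSCAN='#masscan
open tcp 22 203.0.113.5 1700000000
open tcp 443 203.0.113.5 1700000001
open udp 161 203.0.113.9 1700000002
open tcp 21 203.0.113.9 1700000003
# end'

# Print the nmap command line for every host in the sample.
demo() {
    f="$(mktemp)"
    printf '%s\n' "$SAMPLE_MASSCAN" > "$f"
    masscan_to_hosts_and_ports "$f" | while IFS= read -r hp; do
        nmap_cmd_for "$hp" results/203_0_113_0_24/nmap_files
    done
    rm -f "$f"
}
demo
```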
Table of Contents
- What is ScanCannon?
- Prerequisites
- Installation
- Quick Start
- Configuration
- Usage Examples
- Progress Tracking
- Understanding Output
- Safety & Legal Considerations
- Troubleshooting
- FAQ
- Known Issues
- License
What is ScanCannon?
Features
- High-speed network enumeration using masscan for initial discovery
- Detailed service detection using nmap for discovered hosts
- API endpoint detection using nmap NSE scripts and targeted curl probing (with -a flag)
- Full ASN-based network discovery: resolves all A records, queries whois for CIDR + ASN, then discovers ALL prefixes announced by the ASN via RADB. Works for both -d (domain) and -c (CIDR) inputs with interactive range selection.
- Comprehensive output formats including flat files for easy import into other tools
- Automatic domain/subdomain discovery from scan results
- Service categorization for common credential attack vectors (SSH, FTP, HTTP, SMB, etc.)
- Advanced progress tracking with real-time visual feedback, ETA calculations, and phase monitoring
- Automatic cleanup and file organization
- Cross-platform support (Linux, MacOS, WSL2)
Target Services
ScanCannon focuses on these high-value services for security assessment:
TCP Services:
- 21 - FTP (File Transfer Protocol)
- 22 - SSH (Secure Shell)
- 23 - Telnet
- 53 - DNS (Domain Name System)
- 80 - HTTP (Web servers)
- 135 - MSRPC (Microsoft RPC)
- 139 - NetBIOS Session Service
- 443 - HTTPS (Secure web servers)
- 445 - Microsoft-DS (SMB/CIFS)
- 990 - SFTP (Secure FTP)
- 1701 - L2F (Layer 2 Forwarding)
- 1723 - PPTP (Point-to-Point Tunneling Protocol)
UDP Services (with -u flag):
- 53 - DNS (Domain Name System)
- 161 - SNMP (Simple Network Management Protocol)
- 500 - ISAKMP (Internet Security Association and Key Management Protocol)
This focused approach dramatically reduces scan time while ensuring all high-value attack surface services are discovered.
Prerequisites
- Root/Administrator privileges (required for raw packet manipulation)
- Masscan v1.0.3+ - High-speed port scanner
- Nmap v7.0.1+ - Network discovery and security auditing
- Standard Unix tools: dig, whois, wget, awk, sed
- curl (optional, required for API endpoint detection with -a flag)
Quick Start
Command Syntax
sudo ./scancannon.sh [-u] [-a] <-d domain | -c CIDR> [...]
At least one -d or -c flag is required. Both flags are repeatable and can be combined.
Options:
- -d domain: Discover all networks for a domain (resolves all A records → whois → ASN → RADB prefix lookup; repeatable; accepts URLs too)
- -c CIDR: Discover all networks related to a CIDR (whois → ASN → RADB prefix lookup; repeatable)
- -u: Perform UDP scan on common ports (53, 161, 500) using nmap (significantly slower)
- -a: Perform API endpoint detection on HTTP/HTTPS services (requires curl)
Both -d and -c run full ASN-based network discovery and present an interactive selection menu where you choose which discovered ranges to scan.
Examples
# Scan a network by CIDR (includes ASN discovery of related networks)
sudo ./scancannon.sh -c 203.0.113.0/24
# Discover all networks for a domain (resolves all IPs → ASN → all announced prefixes)
sudo ./scancannon.sh -d example.com
# Combine domain + CIDR (both are scanned)
sudo ./scancannon.sh -d example.com -c 10.0.0.0/24
# Include UDP scanning (slower but more comprehensive)
sudo ./scancannon.sh -u -d example.com
# Include API endpoint detection
sudo ./scancannon.sh -a -c 203.0.113.0/24
# Combine all flags
sudo ./scancannon.sh -ua -d example.com -c 10.0.0.0/24
Configuration
Basic Configuration
The main configuration is handled through scancannon.conf:
# Key settings you may want to adjust:
rate = 5000.00 # Packets per second (start low!)
excludefile = exclude.txt # Networks to exclude from scanning
# Only scan ports that ScanCannon actually uses - much more efficient!
ports = 21,22,23,53,80,135,139,443,445,990,1701,1723
Exclusion List
Edit exclude.txt to add networks you want to skip:
# Add networks to exclude (one per line)
192.168.0.0/16 # Private networks
10.0.0.0/8 # Private networks
172.16.0.0/12 # Private networks
127.0.0.0/8 # Loopback
Automatic Network Configuration
ScanCannon automatically prompts for network adapter configuration every time you run it. This ensures optimal performance by helping masscan achieve maximum scanning speed. The script will:
- Detect network interfaces and let you choose which one to use
- Automatically configure adapter-ip and adapter-mac settings
- Find your default gateway and configure router-mac settings
- Update scancannon.conf with the detected settings
# Every time you run ScanCannon:
sudo ./scancannon.sh -c 192.168.1.0/24
# You'll always see:
=== Network Adapter Configuration ===
For optimal performance, ScanCannon can automatically configure your network adapter settings.
This helps masscan achieve maximum scanning speed by bypassing the kernel network stack.
Would you like to automatically configure network adapter settings? [y/N]: y
# If multiple interfaces exist:
Multiple network interfaces found:
[1] eth0 - IP: 192.168.1.100, MAC: aa:bb:cc:dd:ee:ff
[2] wlan0 - IP: 10.0.0.50, MAC: 11:22:33:44:55:66
Select interface [1-2]: 1
# Configuration is automatically applied to scancannon.conf
# Answer 'N' if you want to keep existing settings or configure manually
Manual Network Configuration (Advanced)
If you prefer manual configuration or need to customize settings, you can edit scancannon.conf directly:
# Network adapter settings for maximum performance:
adapter-ip = 192.168.1.100 # Your machine's IP address
adapter-mac = aa:bb:cc:dd:ee:ff # Your network card's MAC address
router-mac = 11:22:33:44:55:66 # Your router's MAC address
Why These Settings Matter:
- adapter-ip: Your machine's IP address on the scanning interface
  - Masscan uses this to craft packets with the correct source IP
  - Must match the IP of the interface you're scanning from
- adapter-mac: Your network card's MAC address
  - Used for raw packet transmission to bypass kernel networking
  - Improves performance by avoiding OS network stack overhead
- router-mac: Your default gateway's MAC address
  - Required for masscan to send packets directly to the router
  - Enables maximum scanning speed by bypassing ARP lookups
When These Settings Help:
- High-speed scans (>10,000 pps) - significantly improves performance
- Large network ranges - reduces packet loss and improves accuracy
- Dedicated scanning systems - maximizes hardware utilization
- Virtual machines - may be required for proper packet transmission
Manual Detection Commands:
# Linux - Get IP, MAC, and gateway:
ip addr show # Your IP and MAC
ip route show # Default gateway IP
arp -a | grep $(ip route | grep default | awk '{print $3}') # Gateway MAC
# macOS - Get IP, MAC, and gateway:
ifconfig # Your IP and MAC
netstat -rn # Default gateway IP
arp -a | grep $(netstat -rn | grep default | awk '{print $2}') # Gateway MAC
Important: Masscan requires MAC addresses in dash format (aa-bb-cc-dd-ee-ff), not colon format (aa:bb:cc:dd:ee:ff). The automatic configuration handles this conversion, but if configuring manually, ensure you use dashes.
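The scancannon.conf update that the automatic adapter configuration performs, as an added example that is not ScanCannon's own code: it converts the detected MACs to the dash format masscan needs, refuses malformed ones, and rewrites or appends the three keys. It assumes masscan's "key = value" conf syntax; the interface and gateway values in the test are constructed rather than detected.

```shell
#!/bin/sh
# Added example, not ScanCannon's own code: the scancannon.conf update that the
# automatic adapter configuration performs, including the colon-to-dash MAC
# conversion the README warns about. Assumes masscan's "key = value" conf
# syntax; any interface/gateway values used with it are constructed, not detected.
set -eu

# ip/ifconfig/arp print aa:bb:cc:dd:ee:ff; masscan wants aa-bb-cc-dd-ee-ff.
mac_to_dash() {
    printf '%s\n' "$1" | tr ':' '-' | tr 'A-F' 'a-f'
}

# Accept only six dash-separated hex octets so a typo never reaches masscan.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-f]{2}-){5}[0-9a-f]{2}$'
}

# Set "key = value" in a conf file: rewrite the existing line or append one.
set_conf_key() {
    if grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"; then
        t="$(mktemp)"
        awk -v k="$2" -v v="$3" \
            '$0 ~ ("^[ \t]*" k "[ \t]*=") { print k " = " v; next } { print }' \
            "$1" > "$t" && mv "$t" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# Read a key back, dropping any trailing "# comment" like those in the README.
get_conf_key() {
    awk -v k="$2" -F'=' '$1 ~ ("^[ \t]*" k "[ \t]*$") {
        sub(/#.*/, "", $2); gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }' "$1"
}

# Apply adapter-ip / adapter-mac / router-mac. Args: conf, ip, host MAC, gateway MAC.
apply_adapter_settings() {
    m="$(mac_to_dash "$3")"; r="$(mac_to_dash "$4")"
    valid_mac "$m" && valid_mac "$r" || return 1
    set_conf_key "$1" adapter-ip "$2"
    set_conf_key "$1" adapter-mac "$m"
    set_conf_key "$1" router-mac "$r"
}
```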
Understanding Output
ScanCannon creates organized output in the results/ directory:
results/
├── 203_0_113_0_24/                  # Per-network results
│   ├── masscan_output.bin           # Binary masscan results
│   ├── masscan_output.txt           # Text masscan results
│   ├── hosts_and_ports.txt          # Discovered hosts:ports
│   ├── nmap_files/                  # Individual nmap scans
│   ├── gnmap_files/                 # Greppable nmap output
│   ├── nmap_xml_files/              # XML nmap output
│   ├── interesting_servers/         # Categorized services
│   │   ├── ssh_servers.txt          # SSH servers found
│   │   ├── http_servers.txt         # Web servers found
│   │   ├── ftp_servers.txt          # FTP servers found
│   │   ├── api_servers.txt          # API endpoints found (with -a)
│   │   ├── api_details.txt          # API detection details (with -a)
│   │   └── ...                      # Other services
│   ├── resolved_subdomains.txt      # Discovered domains
│   └── resolved_root_domains.csv    # Domain details with WHOIS
├── all_int