- Scan with nmap fast! Allows you to scan targets with Masscan and run Nmap on discovered ports, with the possibility of custom options. Nmap on steroids. *
- Accepts targets in multiple formats.
- Can output results in domain:port format.
- Works in stdin/stdout mode, so you can pipe results to other tools.
The JFScan (Just Fu*king Scan) is a wrapper around a super-fast
JFScan's logic of input & output processing:
Please follow the installation instructions before running. Do not run JFScan as root; it is not needed, since we set special permissions on the masscan binary.
usage: jfscan [-h] -t TARGETS [--resolvers RESOLVERS] [-m MODULES] (-p PORTS | -tp TOP_PORTS) [-r MAX_RATE] [-oi] [-od] [-q] [--nmap] [--nmap-options NMAP_OPTIONS] [--nmap-threads NMAP_THREADS] [--nmap-output NMAP_OUTPUT]
JFScan - Just Fu*king Scan
-h, --help show this help message and exit
-t TARGETS, --targets TARGETS
list of targets, accepted form is: domain name, IPv4, IPv6, URL
custom resolvers separated by a comma, e. g., 188.8.131.52,184.108.40.206
-m MODULES, --modules MODULES
modules separated by a comma, available modules: enum_amass, enum_crtsh
-p PORTS, --ports PORTS
ports, can be a range or port list: 0-65535 or 22,80,100-500,...
-tp TOP_PORTS, --top-ports TOP_PORTS
scan only N of the top ports, e. g., --top-ports 1000
-r MAX_RATE, --max-rate MAX_RATE
max kpps rate
-i INTERFACE, --interface INTERFACE
interface for masscan and nmap to use
-oi, --only-ips output only IP adresses, default: all resources
-od, --only-domains output only domains, default: all resources
-q, --quite output only results
--nmap run nmap on discovered ports
nmap arguments, e. g., --nmap-options='-sV' or --nmap-options='-sV --script ssh-auth-methods'
number of nmaps to run concurrently, default 8
path to save output file in XML format (same as nmap option -oX)
Scan targets only for ports 80 and 443 at a rate of 10 kpps:
$ jfscan -p 80,443 -t targets.txt -r 10000
Scan targets only for ports 80 and 443 and utilize the crt.sh subdomain enumeration module:
$ jfscan -p 80,443 -t targets.txt -m enum_crtsh
Scan targets for top 1000 ports and utilize crt.sh module:
$ jfscan --top-ports 1000 -t targets.txt -m enum_crtsh
You can also specify targets on stdin and pipe it to nuclei:
$ cat targets.txt | jfscan --top-ports 1000 -m enum_crtsh | httpx -silent | nuclei
Utilize nmap to gather more info about discovered services:
$ cat targets.txt | jfscan -p 0-65535 --nmap --nmap-options="-sV --script ssh-auth-methods"
The targets.txt can contain targets in the following forms:
- Before installation, make sure you have the latest version of Masscan installed (tested version is 1.3.2).
First, install libpcap-dev (Debian-based distro) or libpcap-devel (CentOS-based distro):
sudo apt install libpcap-dev
Next, clone the official repository and install:
sudo apt-get --assume-yes install git make gcc
git clone https://github.com/robertdavidgraham/masscan
cd masscan
make
sudo make install
- Masscan requires root permissions to run. Since running binaries as root is not a good idea, we will set the CAP_NET_RAW capability on the binary:
sudo setcap CAP_NET_RAW+ep /usr/bin/masscan
- Installing JFScan requires python3 and pip3.
sudo apt install python3 python3-pip
- Install JFScan:
$ git clone https://github.com/nullt3r/jfscan.git
$ cd jfscan
$ pip3 install .
If you can’t run jfscan directly from the command line, check whether $HOME/.local/bin is in your PATH.
Add the following line to your
- Additional steps: For enum_amass module to work, install Amass:
snap install amass
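A check for the Masscan capability step above, as an added example that is not part of the JFScan repository: it confirms the binary carries only CAP_NET_RAW and flags risky file modes. The function names are hypothetical, `/usr/bin/masscan` is the path used above, and GNU `stat` and `getcap` are assumed.

```shell
#!/bin/sh
# Added example, not JFScan code: audit the file-capability grant on masscan.

# classify_caps GETCAP_LINE PATH -> none | net_raw_only | excessive
# Handles "PATH cap_net_raw=ep" and the older "PATH = cap_net_raw+ep" format.
classify_caps() (
    rest=${1#"$2"}   # drop the leading path so "cap_" inside a path is ignored
    names=$(printf '%s\n' "$rest" | grep -oE 'cap_[a-z_]+' | sort -u | tr '\n' ' ' || true)
    case "$names" in
        '')             echo none ;;
        'cap_net_raw ') echo net_raw_only ;;
        *)              echo excessive ;;
    esac
)

# mode_issues OCTAL_MODE -> findings for a mode string as printed by `stat -c %a`
mode_issues() (
    m=$1; out=""
    case "$m" in ????) special=${m%???} ;; *) special=0 ;; esac
    other=${m#"${m%?}"}   # last octal digit: permissions for "other"
    case "$special" in 4|5|6|7) out="$out setuid" ;; esac
    case "$other" in 2|3|6|7) out="$out world-writable" ;; esac
    # With +ep on the file, every local user who can execute it gets raw sockets.
    case "$other" in 1|3|5|7) out="$out world-executable" ;; esac
    echo "${out# }"
)

# audit_masscan [PATH] -> prints findings; non-zero status if the grant is not
# exactly cap_net_raw, or the file is setuid or world-writable.
audit_masscan() (
    bin=${1:-/usr/bin/masscan}
    if [ "$(id -u)" -eq 0 ]; then
        echo "WARN: running as root; the capability grant makes this unnecessary"
    fi
    caps=$(classify_caps "$(getcap "$bin" 2>/dev/null)" "$bin")
    issues=$(mode_issues "$(stat -c %a "$bin")")
    echo "capabilities: $caps"
    echo "mode findings: ${issues:-none}"
    [ "$caps" = net_raw_only ] || exit 1
    case " $issues " in *" setuid "*|*" world-writable "*) exit 1 ;; esac
)

# Run the audit only when a path is given, e.g.: sh audit.sh /usr/bin/masscan
if [ $# -gt 0 ]; then audit_masscan "$1"; fi
```

A `world-executable` finding is informational: it is the default after `make install`, and it means the raw-socket privilege is available to all local accounts on the scanning host.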
Read file LICENSE.
I am not responsible for any damages. You are responsible for your own actions. Attacking targets without prior mutual consent is illegal.
- Running enum_amass will take forever if there are more than 10 domains on the input. Amass takes forever and sometimes fails… help me to resolve it 🙂
* When scanning smaller network ranges, you can just use nmap directly, there is no need to use JFScan. You can reach up to 70% of the speed of JFScan using the following options:
nmap -Pn -n -v yourTargetNetwork/26 -p- --min-parallelism 64 --min-rate 20000 --min-hostgroup 64 --randomize-hosts -sS -sV
As always, expect some false positives/negatives.