KiloClawPowered by OpenClaw
Back to Cookbook
OpenClaw recipe

Rate-Limited Network Port Scanner Pipeline

aka “Safe Fast Scan Pipeline (MASSCAN → Verified Nmap)

High-speed discovery with guardrails and verification

Repeatable workflow for large-scope internal scanning. Rate-limited MASSCAN discovers open ports, then targeted Nmap verifies and enriches results. Reduces false positives, avoids accidental network disruption, and keeps scope tight with exclude files.

House RecipeWork8 min
Try in KiloClawFree 7-day trial

PROMPT

Create a skill called "Safe Fast Scan Pipeline". Inputs I will provide: - Target CIDR(s) and an explicit out-of-scope exclude list - Allowed scan windows (time) and whether I may use raw-socket scanners - Ports of interest for the engagement Task: 1) Generate a masscan discovery command with conservative defaults (rate-limited + excludefile). 2) Generate a verification plan with Nmap (service detection + safe output formats). 3) Provide a minimal parsing step to produce: hosts.txt, ip_port.txt, and final nmap.xml. 4) Include troubleshooting for packet loss, false positives, and scope guard failures.

What this fixes

Fast scanners are easy to misuse:

  • Too-fast rates can overwhelm your own network links or trip defenses.
  • Wide ranges without exclusions can hit out-of-scope addresses.
  • "Discovery" results often need verification before they are report-ready.

This recipe standardizes the pipeline: discover → dedupe → verify → export.

Prerequisites

  • Approved target CIDRs and an explicit exclusion list (out-of-scope ranges)
  • A scanning host with stable network connectivity
  • `masscan` and `nmap` installed (or available via containers)
  • Permission to store scan artifacts securely

Steps and commands

  1. Build an exclude file (one CIDR or IP per line):

`cat > exclude.txt << 'EOF'

10.0.0.0/8

192.168.0.0/16

EOF`

  1. MASSCAN discovery (rate-limited; output JSON or XML):
  • Conservative example (internal):

`sudo masscan -p80,443,445,3389 --rate 1000 --excludefile exclude.txt -oJ masscan.json`

  • Full port range (slower, safer rate):

`sudo masscan -p0-65535 --rate 500 --excludefile exclude.txt -oX masscan.xml`

  1. Parse ports per host and generate a verification target list:
  • Quick JSON extract (jq):

`jq -r '.[] | select(.ports) | "\(.ip):\(.ports[].port)"' masscan.json | sort -u > ip_port.txt`

  • Extract unique hosts:

`jq -r '.[] | select(.ports) | .ip' masscan.json | sort -u > hosts.txt`

  1. Verify with Nmap (service/version detection):
  • Single host:

`nmap -sV -Pn -n -p -oX nmap-.xml`

  • Many hosts with reasonable timing:

`nmap -sV -Pn -n -iL hosts.txt --top-ports 1000 -T3 -oX nmap.xml`

  1. Export report-friendly output:
  • HTML from Nmap XML:

`xsltproc nmap.xml -o nmap.html`

Expected outputs

  • `masscan.json` / `masscan.xml`: discovery results (host:port)
  • `hosts.txt` / `ip_port.txt`: parsed target lists for verification
  • `nmap.xml` (and optional `nmap.html`): verified ports + service fingerprints
  • A short audit note: scope + rate + exclusions + timestamps

Common errors and troubleshooting

  • Network "melting"/packet loss
  • Lower `--rate` and limit ports.
  • Scan fewer targets at once; prefer change windows.
  • Too many false positives
  • Always verify a sample with Nmap before declaring findings.
  • Check whether you are hitting load balancers or tarpits.
  • Out-of-scope risk
  • Use `--excludefile` and store scope files with the engagement artifacts.
  • If scope is hostname-based, resolve first and scan only resolved IPs.

References

  • https://github.com/robertdavidgraham/masscan
  • https://github.com/robertdavidgraham/masscan#how-to-scan-the-entire-internet
  • https://news.ycombinator.com/item?id=24728123
  • https://nmap.org/book/man-misc-options.html

Example inputs

  • ``: 172.16.0.0/16
  • Target ports: 80,443,445,3389
  • Rate: 500–2000 pps (start low; increase only if safe)
Tags:#pentesting#network#reconnaissance#masscan#nmap#scope#safety

Related Recipes

Rootless (or Almost) Network Scans in Containers

Fix raw-socket "Operation not permitted" without --privileged

Least-privilege setup for running Nmap, MASSCAN, or ZMap inside Docker/Podman/Kubernetes. Solves "requires root privileges" and "Operation not permitted" failures without reaching for --privileged. Includes fallbacks when raw sockets are unavailable.

Work10 min

Web Discovery Noise Filter (ffuf & gobuster)

Eliminate wildcard 200s and handle 429 rate limiting

Content discovery explodes with false positives when targets return soft-404 pages (200 for everything) or wildcard DNS responses. This recipe calibrates baselines, applies response filters (-fs/-fw/--exclude-length), and tunes request rates to avoid WAF throttling.

Work5 min

Travel With Kids Safety Planner

Reduce travel stress with checklists and realistic routines

Builds a travel plan that covers safety basics, sleep/meal routines, and packing checklists for car or air travel — so you're not improvising under pressure.

Home5 min

Fat-Finger Guard

Catches wrong quantity or off-market limit prices

Traders frequently report costly order entry mistakes (wrong limit price, wrong size), especially while rushed. This recipe blocks orders that look like outliers relative to current price and usual size.

Personal6 min setup