Discovering Port Scanner Threader3000 by Dievus
So... I was looking for a fast port scanner, and came across many different port scanners such as rustscan, masscan and zenmap, but ultimately most port scanners use almost the same functions as nmap.
Then I came across Threader3000 by Dievus. In the repo he states that "A full port scan can take as little as 15 seconds, but at max should take less than 1 minute 30 seconds depending on your internet connection."
Is this black magic? Reading the Python 3 source code, these are the core pieces:
- Multi-Threading:

```python
def threader():
    while True:
        worker = q.get()      # blocks until a port number is available in the shared queue
        portscan(worker)
        q.task_done()         # marks this port finished so q.join() can tell when the range is done
```
Here, the threader function is the loop that every worker thread runs; it does not itself create threads. The main script starts a fixed pool of threading.Thread objects with threader as their target, and each one repeatedly takes a task from the shared queue (q.get()), where each task is a port number, hands it to portscan, and then marks the task finished (q.task_done()) so that a q.join() in the main thread can block until every queued port has been handled. Because almost all of the per-port work is waiting on the network, running many of these workers concurrently is what makes the scan fast.

- Socket Connection Handling:
```python
def portscan(port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((t_ip, port))          # full TCP handshake; raises on RST or after the default timeout
        with print_lock:                 # serialise output and the shared list across worker threads
            print("Port {} is open".format(port))
            discovered_ports.append(str(port))
    except (ConnectionRefusedError, AttributeError, OSError):
        pass                             # closed (RST), filtered (timeout) or unreachable: move on
    finally:
        s.close()                        # connect() returns None, so the original portx.close() never closed anything
```
The portscan function attempts a full TCP connect to the target IP address (t_ip) on the given port. This is a connect scan, not a SYN scan, so it needs no raw-socket privileges but does complete a handshake that the target will log. If the attempt fails it moves straight on to the next port: a closed port answers with RST and raises ConnectionRefusedError, while a filtered port that never answers runs into the socket timeout, which surfaces as socket.timeout (an OSError subclass). The AttributeError in the except list is there because socket.connect() returns None, so the original code's portx.close() raises after every successful connect and is silently swallowed; the socket should be closed with s.close() instead, otherwise the file descriptor lingers until garbage collection. The short timeout, covered below, is what actually keeps the scanner from waiting long on unresponsive ports.

- Port Range:
```python
for worker in range(1, 65536):
    q.put(worker)
```
The main thread queues every TCP port from 1 to 65535 (range(1, 65536) stops before 65536), so the whole port space is covered rather than the 1000 most common ports that nmap scans by default. The workers start consuming the queue as soon as they are started, so filling and scanning overlap.

- Timeout Settings:
```python
socket.setdefaulttimeout(0.30)
```
The default timeout for every socket created afterwards is 300 milliseconds (0.30 seconds). A port that silently drops the SYN (filtered) costs a worker the full 300 ms, so the worst case for the whole scan is roughly 65535 × 0.3 s divided by the number of worker threads; that arithmetic, not black magic, is where the "under 1 minute 30 seconds" figure comes from. The trade-off is false negatives: a host whose round-trip time approaches 300 ms, or one behind a rate limiter, will have open ports reported as closed, so the timeout should be raised when scanning over slow links or VPNs.
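As an added example that is not part of Threader3000 or of the original post, the following script puts the four pieces above together: a queue fed with port numbers, a pool of worker threads running the same get/scan/task_done loop, a per-socket connect timeout, and a worst-case time estimate. The function names (scan_ports, worst_case_seconds, demo) are this example's own, and the target is a constructed listener on 127.0.0.1 so the whole thing runs offline.

```python
"""Added example (not Threader3000's code): a minimal queue-based TCP connect scanner
in the same shape as the functions discussed above, exercised against a loopback listener."""
import queue
import socket
import threading


def scan_ports(host, ports, timeout=0.30, threads=50):
    """Connect-scan `ports` on `host` with a pool of worker threads; return sorted open ports."""
    q = queue.Queue()
    open_ports = []
    lock = threading.Lock()

    def portscan(port):
        # Per-socket timeout instead of socket.setdefaulttimeout(), so the scanner does not
        # change the behaviour of every other socket in the process. The `with` closes the socket.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))          # handshake completed: the port is open
            except OSError:                      # RST (closed) or timeout (filtered); both subclass OSError
                return
        with lock:
            open_ports.append(port)

    def threader():
        while True:
            port = q.get()
            if port is None:                     # sentinel: shut this worker down cleanly
                q.task_done()
                return
            try:
                portscan(port)
            finally:
                q.task_done()                    # always account for the item, even on an unexpected error

    workers = [threading.Thread(target=threader, daemon=True) for _ in range(threads)]
    for w in workers:
        w.start()
    for port in ports:
        q.put(port)
    for _ in workers:                            # one sentinel per worker
        q.put(None)
    q.join()                                     # returns once every port and every sentinel is processed
    return sorted(open_ports)


def worst_case_seconds(port_count, timeout, threads):
    """Upper bound on wall time when every port is filtered, i.e. each costs a full timeout."""
    return port_count * timeout / threads


def demo():
    """Constructed target: one listening socket on an ephemeral loopback port, neighbours closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    try:
        window = range(max(1, open_port - 5), min(65535, open_port + 5) + 1)
        found = scan_ports("127.0.0.1", window, threads=8)
    finally:
        listener.close()
    return open_port, found


if __name__ == "__main__":
    port, found = demo()
    print("listening on", port, "-> scanner found", found)
    # Assumed pool size of 200 for the estimate; the page does not state Threader3000's count.
    print("worst case for 65535 ports at 0.30 s with 200 threads: %.1f s"
          % worst_case_seconds(65535, 0.30, 200))
```

The worst_case_seconds figure is what to compare against the "1 minute 30 seconds" claim: with a 0.30 s timeout and a few hundred workers the bound lands in that range, and doubling the timeout for a slow link doubles it.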
Slight Modification
Since it requires interaction, and I have a fondness for automation, I decided to modify the code by removing the segments that require user interaction. Now it only requires supplying the IP or domain, after which it will automatically save the Nmap -oN output to the current working directory.
```python
# Tail of the modified script, as excerpted on this page. t1, target and discovered_ports
# come from the scan above; `from datetime import datetime` and `import subprocess` are assumed
# at the top of the file.
t2 = datetime.now()
total = t2 - t1
print("Port scan completed in "+str(total))
print("-" * 60)
print("Following Nmap command will be runned:")
print("*" * 60)
print("nmap -p{ports} -sV -sC -T4 -Pn -oN {ip}-nmap {ip}".format(ports=",".join(discovered_ports), ip=target))
print("*" * 60)
nmap = "nmap -p{ports} -sV -sC -T4 -Pn -oN {ip}-nmap {ip}".format(ports=",".join(discovered_ports), ip=target)
# The excerpt stops here. The Result section below shows nmap being executed and a
# "Combined scan completed" line, so the two steps are filled in as follows (an assumption
# about the full script). `target` comes straight from the command line, so it is passed as
# an argument list rather than through a shell, which avoids shell metacharacter injection.
subprocess.run(nmap.split())
t3 = datetime.now()
total1 = t3 - t1
print("Combined scan completed in "+str(total1))
```
The modified script can be found here.
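The hand-off to nmap above formats the target and the port list into one command string. As an added example (not the author's modified script, and with its own function names), here is the same hand-off built as an argv list, with the two edge cases a practitioner runs into handled: an empty discovered_ports list, which would otherwise produce an nmap invocation with no port specification, and a target that looks like an nmap option.

```python
"""Added example (not from the page's script): build the nmap follow-up as an argv list,
refuse to run with no open ports, and reject targets that nmap could parse as options."""
import ipaddress
import re
import subprocess

# RFC 1123 style hostname: labels of letters, digits and hyphens, no leading hyphen, max 253 chars.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def valid_target(target):
    """Accept an IPv4/IPv6 literal or a DNS hostname; anything else (e.g. '-iL /etc/passwd') is rejected."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(target))


def build_nmap_argv(discovered_ports, target):
    """Return the argv list for the service scan, mirroring the page's flags, or raise if nothing sensible can run."""
    if not valid_target(target):
        raise ValueError("refusing to pass %r to nmap" % (target,))
    if not discovered_ports:
        # The page's format string would yield 'nmap -p -sV ...' here, which nmap rejects.
        raise ValueError("no open ports found; skipping nmap")
    ports = ",".join(str(p) for p in sorted({int(p) for p in discovered_ports}))
    return ["nmap", "-p" + ports, "-sV", "-sC", "-T4", "-Pn", "-oN", target + "-nmap", target]


def run_nmap(discovered_ports, target):
    """Execute the follow-up scan without a shell; returns the CompletedProcess."""
    return subprocess.run(build_nmap_argv(discovered_ports, target), check=False)


if __name__ == "__main__":
    # Constructed inputs matching the Result section: ports 22 and 80 on 192.168.222.13.
    print(" ".join(build_nmap_argv(["22", "80"], "192.168.222.13")))
```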
Result
```text
threader3000.py 192.168.222.13
Threader 3000 - Multi-threaded Port Scanner
( ) /\ _ (
\ | ( \ ( \.( ) _____
\ \ \ ` ` ) \ ( ___ / _ \
(_` \+ . x ( .\ \/ \____-----------/ (o) \_
- .- \+ ; ( O \____
) \_____________ ` \ /
(__ +- .( -'.- <. - _ VVVVVVV VV V\ \/
(_____ ._._: <_ - <- _ (-- _AAAAAAA__A_/ |
. /./.+- . .- / +-- - . \______________//_ \_______
(__ ' /x / x _/ ( \___' \ /
, x / ( ' . / . / | \ /
/ / _/ / + / \/
' (__/ / \
Version 1.0.8
A project by The Mayor
Modified by Jackmeister
Scanning target 192.168.222.13
Time started: 2024-05-28 02:24:01.213529
----------------------------------------------------------------------------------------------------
Port 22 is open
Port 80 is open
Port scan completed in 0:01:25.797966
------------------------------------------------------------
Following Nmap command will be runned:
************************************************************
nmap -p22,80 -sV -sC -T4 -Pn -oN 192.168.222.13-nmap 192.168.222.13
************************************************************
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-28 02:25 +08
Nmap scan report for 192.168.222.13
Host is up (0.011s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA)
| 256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA)
|_ 256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Wisdom Elementary School
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds
------------------------------------------------------------
Combined scan completed in 0:01:32.912067
```