SecurityScorecard scans approximately 1,500 ports in domains throughout the entire internet every one to two weeks. These scans detect open ports and vulnerabilities, and collect other security-relevant data. To accomplish this high-velocity task and produce accurate results, we use a two-step process.
How we use masscan and Nmap
First, we use the masscan port scanner to determine whether the ports are open. Masscan sends TCP SYN packets to request connections with internet ports and then analyzes the responses. Masscan can scan the entire internet in less than five minutes, transmitting 10 million packets per second from a single machine.
Then, to test for vulnerabilities, we apply our own scanning framework, which incorporates a version of Nmap, a popular and widely trusted open-source scanner. Nmap collects more detailed information than masscan. Our threat research team writes custom scripts using the Nmap Scripting Engine (NSE) to probe network services without disrupting them and to find out:
- What services are running
- What versions of services are running
- What security-relevant information HTTP headers contain
- Whether scanned assets contain vulnerabilities, and what kind
- Whether assets contain evidence of "back doors", which threat actors install to gain network access
To increase our scanning speed and accuracy, we have deployed over 50 scanning agents on five continents. In addition, we continuously tune and augment our framework with customizations and new modules.
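The hand-off between the two steps can be pictured as follows. This is an added example, not SecurityScorecard's framework code: it assumes the first step's results are saved in masscan's list output format (`-oL`), and the function names and sample lines are constructed for illustration. It keeps only valid open TCP results, removes duplicates, and groups ports per host so the slower, more detailed second step only probes ports already known to be open.

```python
from collections import defaultdict
import ipaddress

# Constructed sample of masscan list output (-oL). Addresses come from the
# RFC 5737 documentation ranges; these are not real scan results.
SAMPLE_MASSCAN_LIST = """\
#masscan
open tcp 443 192.0.2.10 1700000000
open tcp 22 192.0.2.10 1700000001
open tcp 443 192.0.2.10 1700000002
open tcp 8080 198.51.100.7 1700000003
closed tcp 25 198.51.100.7 1700000004
open udp 53 198.51.100.7 1700000005
open tcp 99999 203.0.113.5 1700000006
truncated line
# end
"""

def parse_open_tcp(text):
    """Return {ip: sorted unique open TCP ports}, skipping malformed lines."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Comment lines and anything without exactly five fields are ignored.
        if line.startswith("#") or len(fields) != 5:
            continue
        state, proto, port, ip, _timestamp = fields
        if state != "open" or proto != "tcp" or not port.isdigit():
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        if 1 <= int(port) <= 65535:
            hosts[ip].add(int(port))
    return {ip: sorted(ports) for ip, ports in hosts.items()}

def second_stage_jobs(hosts):
    """One (ip, "p1,p2,...") job per host, ordered by address for stable output."""
    ordered = sorted(hosts, key=ipaddress.ip_address)
    return [(ip, ",".join(map(str, hosts[ip]))) for ip in ordered]

if __name__ == "__main__":
    for ip, ports in second_stage_jobs(parse_open_tcp(SAMPLE_MASSCAN_LIST)):
        print(f"{ip}\t{ports}")
```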