doscan is a tool to quickly scan your network for machines listening on a TCP port, opening thousands of TCP connections in parallel.
High scanning rate: five to ten minutes per 100,000 addresses (which are sparsely populated with hosts), with rather conservative timeouts.
doscan scans the addresses in a seemingly random order. If your scan host is connected to a central router, this ensures that the load is distributed across your network, and you are stress-testing just a single router, and not your edge devices.
Low memory consumption: memory usage is proportional to the number of hosts which have responded so far, and to the number of parallel connections. The total number of addresses does not influence memory usage in any way.
Can collect responses: doscan optionally records data which is sent by the hosts which are being scanned. You can even specify a regular expression to extract part of a server banner, and a message to send to trigger a response (great for determining HTTP server versions).
Extensibility: It is possible to add special handlers for TCP-based protocols, using a straightforward interface.
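The banner extraction described above depends on matching against the whole response, because a server header can be split across several reads. The following is an added example, not doscan's own code: it uses `std::regex` in place of PCRE, and `BannerCollector`, `extract`, `extract_per_chunk`, the pattern and the sample response are all hypothetical names and constructed data.

```cpp
#include <algorithm>
#include <iostream>
#include <regex>
#include <string>
#include <vector>
// Accumulates a response that arrives in several reads and applies the
// pattern to everything received so far, never to a lone chunk.
class BannerCollector {
public:
    BannerCollector(const std::string& pattern, std::size_t max_bytes)
        : re_(pattern, std::regex::icase), max_bytes_(max_bytes) {}
    // Feed the data from one read; true once capture group 1 was extracted.
    bool feed(const std::string& chunk) {
        if (!result_.empty()) return true;
        // Bound memory per host: keep at most max_bytes_ of the response.
        buf_.append(chunk, 0, std::min(max_bytes_ - buf_.size(), chunk.size()));
        std::smatch m;
        if (std::regex_search(buf_, m, re_) && m.size() > 1) result_ = m[1].str();
        return !result_.empty();
    }
    const std::string& result() const { return result_; }
private:
    std::regex re_;
    std::size_t max_bytes_;
    std::string buf_, result_;
};

// Anchored on CRLF at both ends, so a value cut off mid-read cannot match early.
static const char* const kPattern = "\\r\\nServer: ([^\\r\\n]+)\\r\\n";
// Constructed sample: one HTTP response delivered in three reads.
static const std::vector<std::string> kChunks = {
    "HTTP/1.1 200 OK\r\nSer", "ver: ExampleHTTPd/1.", "2.3\r\nContent-Length: 0\r\n\r\n"};

// One collector sees every read of the response.
std::string extract(const std::vector<std::string>& chunks, std::size_t cap) {
    BannerCollector c(kPattern, cap);
    for (const auto& ch : chunks) if (c.feed(ch)) break;
    return c.result();
}

// Contrast: matching each read in isolation misses the split header.
std::string extract_per_chunk(const std::vector<std::string>& chunks) {
    std::string r;
    for (const auto& ch : chunks) if (r.empty()) r = extract({ch}, ch.size());
    return r;
}

int main() {
    std::cout << extract(kChunks, 4096) << "\n";
}
```

The byte cap keeps per-host memory bounded, in line with the memory behaviour described above; a response whose header lies beyond the cap yields no match rather than a truncated one.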
doscan was written to scan whole networks on a single TCP port. If you want to check all TCP ports on a small number of hosts, other tools such as nmap are more useful.
The author uses doscan exclusively on GNU/Linux systems. However, it should be straightforward to port it to other systems (as long as they support the poll interface). The current version should also work on Solaris 8 and 9.
For its regular expression processing, doscan uses Philip Hazel's PCRE library (see below).
doscan is still alpha-quality software. Development has been suspended.
doscan is distributed in source form only. It is released under the GNU General Public License, and comes with NO WARRANTY.
The source distribution contains a detailed manual page.
The program requires Philip Hazel's PCRE library, available via FTP:
There is a mailing list for announcements of new versions, and general discussions about doscan. If you have a question, please send it to:
To subscribe to the mailing list, send a message with the subject "subscribe" to:
Note: This mailing list is archived publicly.
If you want to unsubscribe, put "unsubscribe" into the subject.
Use the public mailing list above, or report bugs to firstname.lastname@example.org. Suggestions for new features are also welcome.
2003-08-01: Released version 0.1.1. You can now use the --output option to change the output format. A buffer underflow in the banner receive routine was fixed. (Responses consisting of multiple chunks were incorrectly processed, resulting in incorrect output.)
2003-08-02: Released version 0.1.2. This version fixes a few bugs, implements a framework for extensions, and an experimental module to scan for systems vulnerable to CAN-2003-0352 (the vulnerability in Microsoft's DCOM implementation, see also MS03-026).
2003-08-05: Released version 0.1.3. New --style option, and you can include host names in the output. (Unfortunately, the ms_rpc_dcom module still falsely reports Windows Me hosts as vulnerable.)
2003-09-13: Released version 0.1.5. New experimental DCOM scanner which scans for the MS03-039 vulnerability.
2003-09-19: Released version 0.1.6. Fixes known false positives for the MS03-039 vulnerability scanner, by porting the corresponding changes to the NASL script. (A disabled DCOM service on NT 4 was incorrectly flagged as vulnerable.)
2003-09-24: Released version 0.1.7. Fixes a bug in the MS03-039 vulnerability scanner. The results of the Windows 98/Me test were discarded, and such systems were incorrectly flagged as vulnerable.
2003-10-25: Released version 0.2.0. Adds a MS03-043 vulnerability scanner, a Windows version scanner, and lots of infrastructure.
2003-10-26: Released version 0.2.1, which uses the epoll interface where available.
2003-11-01: Version 0.2.3 released, which supports reading targets from a file. This version also compiles on Solaris.
2003-11-14: Version 0.2.4 released.
2003-11-30: Version 0.2.5 released.
2004-02-16: Version 0.2.6 released. Includes a module to scan for the MS04-007 vulnerability on IIS web servers.
2004-04-27: Version 0.2.7 released. Development suspended.
2004-07-13: Version 0.2.8 released, which includes only packaging changes.
2004-08-28: Version 0.2.9 released, fixing a false positive with Windows XP Service Pack 2.
2005-01-22: Version 0.3.0 released, removes encumbered protocol modules.
2005-02-08: Version 0.3.1 released, fixes a bug in the