KPortScan 3.0 is a specialized network scanning tool frequently employed by threat actors, including Magic Hound and ransomware affiliates, to discover open RDP, SMB, and LDAP services during lateral movement. Commonly identified as a Potentially Unwanted Application (PUA), this tool is extensively used for internal reconnaissance and is often featured in threat intelligence reports detailing ransomware attacks. For technical details on its use in ransomware attacks, read the analysis from The DFIR Report
for i in 1..254; do sudo kportscan 30 full 192.168.1.$i >> scan_results.txt; done
The story of KPortScan 3.0 is one rooted in the "gray" areas of the internet—starting as a simple administrative utility and evolving into a notorious tool used in major ransomware campaigns. The Origin: A Simple Utility kportscan 30 full
While the tool is GUI-based, "30 full" typically refers to the version and the scope of the scan being performed within the application's configuration: KPortScan 3
Pros: Incredible speed for bulk IP scanning; low resource footprint. The story of KPortScan 3
To use KPortScan 3.0, simply launch the tool and specify the target IP address or hostname:
If you need the depth of a full scan but are worried about time, combine the 30 timeout with the --rate parameter: