Art of Mass Scanning [SG]



3 days

Delivery Method



beginner / intermediate

Seats Available



3 days

Delivery Method



beginner / intermediate

ATTEND IN-PERSON: Onsite at Singapore

DATE: 20-22 November 2023

TIME: 09:00-17:00 SGT/GMT +8

Date Day Time Duration
20 Nov Monday 09:00 to 17:00 SGT/GMT +8 8 Hours
21 Nov Tuesday 09:00 to 17:00 SGT/GMT +8 8 Hours
22 Nov Wednesday 09:00 to 17:00 SGT/GMT +8 8 Hours

A lot of exclusive lab environment and a lot of content and labs would be designed specifically for HITB. (first time).

Mass scanning is the process of scanning a large number of hosts or IP addresses to identify potential security vulnerabilities or weaknesses. This type of scanning is often used by security professionals to identify and assess the security posture of large networks or infrastructures. Another key advantage of mass scanning is scalability. Mass scanning can automate the process of scanning a large number of hosts, IP addresses, and processes, which can be done in a relatively short amount of time. This can save security professionals a significant amount of time compared to manually scanning or even performing security research at scale.


What will the students get

The lab’s working code and applications will allow you to practice and experiment with the techniques and tools covered in the course. This access will help you build your skills and confidence in using these tools for security purposes. Course slides will provide you with an overview of the key concepts and topics covered in the course. These slides will help you review and understand the course material and provide you with a helpful reference tool for future work in this field. A ready-made, easy-to-install working setup that can be quickly spun up.

Topics Covered

Introduction to mass scanning

o What is mass scanning
o Why Mass scanning is needed Using python to enhance your exploits
o Python Threading o Python Multithreading
o Python Asynchronous Computation
o Speed up your exploits o Writing an XSS finder Python Script
o Enhancing the python script o Make it faster than your thought
o Automate the hell out of XSS


Bash Programming

o Introduction to Bash scripting
o Automating your boring tasks using bash
o Enhancing your bash scripts
o Speed up your bash scripts


Yaml templating

o Understanding the working of nuclei
o Creating your first nuclei template
o Enhancing execution of nuclei
o Parallel execution of nuclei
o Distributed nuclei execution Axiom
o Introduction to Axiom
o Why is Axiom needed?
o Demo


Creating your first Automation BOT on a multi-cloud environment

o Introduction to Python Flask
o Introduction to Microservices
o Building microservices-based applications
o Creating APIs over your security tools
o Deploying Microservices
o Slack Integration


Scanning 2.3m of npm packages

o Creating a single-threaded python/bash POC script
o Distributing the workload
o Doing magic
o Collecting results in just 3 hours for 2.3m packages

Why You Should Take This Course

This course is for you if you want to expand your knowledge and skills to explore the power of at scale scanning for security vulnerabilities on a massive scale. You would be able to scan millions of assets with limited resources and explore unexplored avenues

Who Should Attend

Software developers, security engineers, architects, researchers, bug bounty hunters, system administrators, students, and curious security professionals

Key Learning Objectives

  • Gain the ability to perform mass scanning at scale, allowing you to efficiently identify potential vulnerabilities and weaknesses in large networks or infrastructures.

  • Learn techniques for enhancing Bash and Python scripts, enabling you to automate boring and repetitive tasks, speed up your scripts, and improve efficiency and accuracy.

  • Develop the skills to create automation bots that can operate in multi-environment environments, streamlining and optimizing security processes.

  • Understand the potential of microservices-based applications, APIs, and Slack integration to improve communication and efficiency in security processes.
  • Prerequisite Knowledge

    To fully understand and implement the concepts covered in this course, some basic knowledge and experience in programming is required, particularly in Python and Bash. This includes an understanding of variables, data types, loops, and conditional statements in both languages. Additionally, knowledge of basic web development concepts such as HTML, CSS, and JavaScript will be helpful in understanding the mechanics of web application security. Familiarity with web application security, network scanning, and penetration testing will also be beneficial. This includes an understanding of common web application vulnerabilities such as Cross-Site Scripting (XSS), SQL injection, and CSRF, as well as techniques for scanning and exploiting these vulnerabilities.
    Experience with using security tools such as OWASP ZAP, Burp Suite, or similar tools will also be useful. Along with the other prerequisites, it is also helpful to have familiarity with Model-View-Controller (MVC) framework architecture. This is a common architecture used in web development, and understanding its principles can be helpful in building and testing web applications.

    Hardware / Software Requirements

    – Linux/Mac/Windows any laptop – Laptop with minimum 8GB RAM and 40GB free hard disk space with USB ports and virtualization enabled/available. – Students must have full control of the laptop (can install required software and tools) – Ability to connect to the internet (The class requires going online). – An active AWS account for each student (free tier or otherwise) is required.

    Your Instructor

    Hassan Khan Yusufzai is a highly experienced Security Researcher with a proven track record of internet-wide scanning and penetration testing. A sought-after speaker, Hassan recently presented at the BlackHatMEA 2022 conference. His expertise extends to Ruby security, where he has conducted extensive research over the past few years. As a certified OSCP (Offensive Security Certified Professional), Hassan has also made a name for himself as a successful bug bounty hunter on both HackerOne and Bugcrowd.

    Hassan’s achievements have earned him recognition in the industry, including inclusion in the Google Security Hall of Fame (2017), Twitter Security Hall of Fame (2017), and Microsoft Security Hall of Fame (2017). He has also conducted extensive research into WordPress security and won the HackFest CTF competition. In addition to his research, Hassan is also the developer of and an npm scanner for account hijacking, further demonstrating his commitment to the security field and his skills as a developer.

    Past speaking experience

    – Presented twice at an Arsenal stage of BlackHat MEA and once at a Briefing stage at BlackHat MEA 2022.

    – Hassan Khan has presented at local universities as well.

    Danish Tariq is a Security Engineer by profession and a Security researcher by passion. He has been working in Cyber Security for over 8 years and it all started out of a curiosity to break things and look deep down into those things (physical or virtual) back in his teenage years. His major expertise is Penetration Testing and Vulnerability Assessments.

    He was also involved in bug bounty programs as well, where he helped many companies by finding vulnerabilities at different levels. Companies include Microsoft, Apple, Nokia, Blackberry, Adobe, etc.

    – Spoke @ BlackHat MEA 2022 (Briefing: Supply-Chain Attacks)

    – Featured in “The Register” for an initial workaround for the NPM dependency attacks.

    – Certified Ethical Hacker, Certified Vulnerability Assessor (CVA), Certified AppSec Practitioner, Certified Network Security Specialist (CNSS), IBM Cyber Security Analyst

    – Ex-Chapter Leader @ OWASP

    – Ex-Top Rated freelancer (Information security category) on Upwork

    – Recent security research and CVEs include – CVE-2022-2848 & CVE-2022-25523

    – Served as a Moderator @ OWASP 2022 Global AppSec APAC.