Masscan - High-Speed Port Scanner

Masscan is an asynchronous, stateless port scanner built to scan the entire IPv4 Internet in a few minutes. It generates packets with its own user-space TCP/IP stack, so it keeps no per-connection state and can transmit up to 10 million packets per second from a single machine (that figure needs a 10 GbE adapter with PF_RING on Linux; the default is a cautious 100 packets per second). Its syntax deliberately mirrors nmap's, but it only performs SYN scanning plus optional banner grabbing, which makes it the discovery stage of a large-scale assessment, with nmap or a similar tool doing the detailed follow-up.

Basic Usage

Simple Port Scanning

bash
# Scan single host for specific port
masscan 192.168.1.1 -p80
masscan 192.168.1.1 -p443
masscan 192.168.1.1 -p22

# Scan subnet for specific port
masscan 192.168.1.0/24 -p80
masscan 10.0.0.0/8 -p443
masscan 172.16.0.0/12 -p22

# Scan multiple ports
masscan 192.168.1.0/24 -p80,443
masscan 192.168.1.0/24 -p80,443,22,21,25
masscan 192.168.1.0/24 -p1-1000

# Scan all ports
masscan 192.168.1.0/24 -p1-65535
masscan 192.168.1.0/24 -p0-65535

Rate Control

bash
# Set transmission rate (packets per second)
masscan 192.168.1.0/24 -p80 --rate 100
masscan 192.168.1.0/24 -p80 --rate 1000
masscan 192.168.1.0/24 -p80 --rate 10000

# --max-rate is accepted as an alias for --rate (the same setting, not a separate ceiling)
masscan 192.168.1.0/24 -p80 --max-rate 1000

# Conservative scanning (slow)
masscan 192.168.1.0/24 -p80 --rate 10

# Aggressive scanning (fast)
masscan 192.168.1.0/24 -p80 --rate 100000

Output Formats

Standard Output Formats

bash
# XML output (nmap compatible)
masscan 192.168.1.0/24 -p80 -oX scan_results.xml

# Grepable output
masscan 192.168.1.0/24 -p80 -oG scan_results.gnmap

# JSON output
masscan 192.168.1.0/24 -p80 -oJ scan_results.json

# List output (simple format)
masscan 192.168.1.0/24 -p80 -oL scan_results.list

# Binary output (compact; convert to the other formats later with --readscan)
masscan 192.168.1.0/24 -p80 -oB scan_results.binary
masscan --readscan scan_results.binary -oX scan_results.xml

# Only one output format is active per run: a later -oX/-oG/-oJ replaces an
# earlier one instead of writing a second file. To keep several formats,
# scan once to binary and convert as many times as needed
masscan --readscan scan_results.binary -oG results.gnmap
masscan --readscan scan_results.binary -oJ results.json

Output Processing

bash
# Parse XML output (one <host> element per line; state="open" marks open ports)
grep 'state="open"' scan_results.xml

# Parse JSON output (an array of {"ip": ..., "ports": [{"port": ..., "proto": ..., "status": ...}]} records)
jq -r '.[] | select(any(.ports[]; .status == "open")) | "\(.ip):\(.ports[0].port)"' scan_results.json
# Some masscan releases leave a trailing comma before the closing ] of the array,
# which jq rejects as a parse error; strip it (or upgrade masscan) before parsing

# Parse list output (fields: state proto port ip timestamp)
grep '^open' scan_results.list

# Convert to an nmap target list (deduplicate: a host with several open ports
# appears once per port in every masscan format)
masscan 192.168.1.0/24 -p80 -oX results.xml
grep -oP '(?<=addr=")[^"]*' results.xml | sort -u > live_ips.txt
nmap -iL live_ips.txt -sV

Advanced Scanning Options

bash
# Enable banner grabbing (masscan completes the TCP handshake with its own
# user-space stack and records the application banner)
masscan 192.168.1.0/24 -p80,443,22,21 --banners

# Banner grabbing with a fixed source port. The host kernel knows nothing about
# masscan's connections and answers each SYN-ACK with a RST, which kills the
# banner exchange, unless inbound packets to that source port are dropped in
# the host firewall first (the masscan README shows an iptables INPUT DROP
# rule for --dport 61000 for exactly this purpose)
masscan 192.168.1.0/24 -p80 --banners --source-port 61000

# Banner grabbing with rate limiting (each in-progress banner connection holds
# state, so keep rates lower than for a pure SYN scan)
masscan 192.168.1.0/24 -p80,443 --banners --rate 1000

# Banner grabbing for web services
masscan 192.168.1.0/24 -p80,443,8080,8443 --banners

Network Interface Configuration

bash
# Specify network adapter
masscan 192.168.1.0/24 -p80 --adapter eth0
masscan 192.168.1.0/24 -p80 --adapter wlan0

# Set adapter IP address
masscan 192.168.1.0/24 -p80 --adapter-ip 192.168.1.100

# Set adapter MAC address
masscan 192.168.1.0/24 -p80 --adapter-mac 00:11:22:33:44:55

# Set router MAC address
masscan 192.168.1.0/24 -p80 --router-mac 00:11:22:33:44:55

Source Configuration

bash
# Specify source IP address (alias of --adapter-ip)
masscan 192.168.1.0/24 -p80 --source-ip 192.168.1.100

# Specify source port
masscan 192.168.1.0/24 -p80 --source-port 61000

# Spread probes across a range of source ports
masscan 192.168.1.0/24 -p80 --source-port 60000-65000

# Spread probes across a range of source IPs (given as a range, not a comma
# list; replies to every address in it must reach the scanning adapter or
# those probes are simply lost)
masscan 192.168.1.0/24 -p80 --source-ip 192.168.1.100-192.168.1.101

Timing and Performance

Connection Timing

bash
# Set TCP connection timeout in seconds (only matters with --banners; a pure
# SYN scan never completes a connection)
masscan 192.168.1.0/24 -p80 --banners --connection-timeout 30
masscan 192.168.1.0/24 -p80 --banners --connection-timeout 10

# Set how long to keep listening for late replies after the last probe is sent (default 10 s)
masscan 192.168.1.0/24 -p80 --wait 3
masscan 192.168.1.0/24 -p80 --wait 10

# Set number of retries (each retry re-sends every probe, so the total probe
# count is multiplied by retries+1; the default is 0)
masscan 192.168.1.0/24 -p80 --retries 3
masscan 192.168.1.0/24 -p80 --retries 1

Performance Optimization

bash
# High-performance scanning
masscan 192.168.1.0/24 -p80 --rate 100000 --connection-timeout 5 --retries 1

# Balanced performance
masscan 192.168.1.0/24 -p80 --rate 10000 --connection-timeout 10 --retries 2

# Conservative scanning
masscan 192.168.1.0/24 -p80 --rate 1000 --connection-timeout 30 --retries 3

Large-Scale Scanning

Internet-Wide Scanning

bash
# Scan entire IPv4 space for HTTP. 0.0.0.0/0 is about 4.3 billion probes per
# port, so at 1000 pps this runs for roughly 50 days; the rate you can afford,
# not masscan, sets the time. Always pair it with an exclude file listing
# reserved and non-routable space plus anyone who has asked not to be scanned
masscan 0.0.0.0/0 -p80 --rate 1000 --excludefile exclude.txt

# Scan for common web ports
masscan 0.0.0.0/0 -p80,443,8080,8443 --rate 10000 --excludefile exclude.txt

# Scan for common services
masscan 0.0.0.0/0 -p80,443,22,21,25,53,110,143,993,995 --rate 5000 --excludefile exclude.txt

# Scan a specific allocation you are authorized to test (203.0.113.0/24 is a
# placeholder). Do not assume a whole /16 belongs to one organization:
# 8.8.8.0/24 is announced by Google, but 8.8.0.0/16 as a whole is not
masscan 203.0.113.0/24 -p80,443 --rate 1000

Private Network Scanning

bash
# Scan all RFC 1918 networks
masscan 10.0.0.0/8 -p80,443,22 --rate 10000
masscan 172.16.0.0/12 -p80,443,22 --rate 10000
masscan 192.168.0.0/16 -p80,443,22 --rate 10000

# Scan common enterprise ranges
masscan 10.0.0.0/8 -p80,443,22,21,25,53,135,139,445 --rate 5000
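The arithmetic behind the rates in the two blocks above, as an added example that is not part of masscan or its documentation: a POSIX shell estimator that turns an IPv4 range, a masscan port spec, a rate, a retry count and a --wait value into an expected run time. It assumes masscan's probe model (one SYN per host/port pair per attempt, attempts = retries + 1, probes sent at --rate) and ignores the exclude list, so treat its output as an upper bound; `cidr_hosts`, `port_count`, `scan_seconds` and `human_duration` are names chosen here.

```sh
#!/bin/sh
# Added example, not masscan's own code: estimate how long a masscan run takes.
# Model (an assumption about masscan's stateless SYN scan): every host/port pair
# gets one probe per attempt, attempts = retries + 1, probes go out at --rate pps,
# and --wait seconds are added at the end for late replies. IPv4 only.

# Host count of an IPv4 CIDR; a bare address counts as a /32.
cidr_hosts() {
  case "$1" in
    */*) prefix=${1#*/} ;;
    *)   prefix=32 ;;
  esac
  echo $(( 1 << (32 - prefix) ))
}

# Number of ports in a masscan port spec such as "80,443,1-1000".
port_count() {
  spec=$1
  total=0
  while [ -n "$spec" ]; do
    item=${spec%%,*}
    case "$spec" in
      *,*) spec=${spec#*,} ;;
      *)   spec= ;;
    esac
    case "$item" in
      *-*) total=$(( total + ${item#*-} - ${item%-*} + 1 )) ;;
      *)   total=$(( total + 1 )) ;;
    esac
  done
  echo "$total"
}

# Expected seconds for: scan_seconds <cidr> <portspec> <rate> <retries> <wait>
scan_seconds() {
  hosts=$(cidr_hosts "$1")
  ports=$(port_count "$2")
  echo $(( hosts * ports * ($4 + 1) / $3 + $5 ))
}

# Render seconds as a rough human-readable duration.
human_duration() {
  s=$1
  if   [ "$s" -ge 86400 ]; then echo "$(( s / 86400 ))d $(( s % 86400 / 3600 ))h"
  elif [ "$s" -ge 3600 ];  then echo "$(( s / 3600 ))h $(( s % 3600 / 60 ))m"
  elif [ "$s" -ge 60 ];    then echo "$(( s / 60 ))m $(( s % 60 ))s"
  else                          echo "${s}s"
  fi
}

# Usage: the scans from this section, plus the README's headline 10M pps rate
# (which lands near 7 minutes here because the exclude list is not subtracted).
for args in "0.0.0.0/0 80 1000 0 10" \
            "0.0.0.0/0 80,443,8080,8443 10000 0 10" \
            "10.0.0.0/8 80,443,22 10000 0 10" \
            "0.0.0.0/0 80 10000000 0 10"; do
  set -- $args
  printf '%-12s ports=%-22s rate=%-9s -> %s\n' "$1" "$2" "$3" "$(human_duration "$(scan_seconds "$@")")"
done
```

Run it before committing to a long scan: a 0.0.0.0/0 single-port sweep at 1000 pps comes out at about 50 days, and a full 65535-port scan of one /24 at 1000 pps at about 4.5 hours, which is why the port list and the rate, not the tool, decide whether a job is feasible.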

Stealth and Randomization

Host Randomization

bash
# Masscan always randomizes the target order; --randomize-hosts is accepted
# for nmap compatibility and changes nothing
masscan 192.168.1.0/24 -p80 --randomize-hosts

# Set the seed of that randomization so two runs (or a run and its resume)
# walk the targets in the same order
masscan 192.168.1.0/24 -p80 --seed 12345

# Combine randomization with rate limiting
masscan 192.168.1.0/24 -p80 --randomize-hosts --rate 100

Stealth Techniques

bash
# Slow scan to stay under rate-based alerting (the rate is masscan's only real
# stealth control; its probes come from a fixed packet template and are easy
# to fingerprint regardless of speed)
masscan 192.168.1.0/24 -p80 --rate 10

# Use a source port that looks like return traffic from a common service
masscan 192.168.1.0/24 -p80 --source-port 53  # DNS
masscan 192.168.1.0/24 -p80 --source-port 80  # HTTP

# Low and slow with a longer listen window for late replies (masscan does not
# fragment packets; this is rate shaping, not fragmentation)
masscan 192.168.1.0/24 -p80 --rate 100 --wait 5

Exclusions and Filtering

Exclude Targets

bash
# Exclude single host
masscan 192.168.1.0/24 -p80 --exclude 192.168.1.1

# Exclude multiple hosts
masscan 192.168.1.0/24 -p80 --exclude 192.168.1.1,192.168.1.2

# Exclude from file
echo "192.168.1.1" > exclude.txt
echo "192.168.1.2" >> exclude.txt
masscan 192.168.1.0/24 -p80 --excludefile exclude.txt

# Exclude ranges
masscan 192.168.1.0/24 -p80 --exclude 192.168.1.1-192.168.1.10

Target Lists

bash
# Scan from target file
echo "192.168.1.1" > targets.txt
echo "192.168.1.2" >> targets.txt
masscan -iL targets.txt -p80

# Combine ranges and files
masscan 192.168.1.0/24 -iL additional_targets.txt -p80

IPv6 Scanning

IPv6 Address Ranges

bash
# Scan a small IPv6 subnet (IPv6 support needs a recent masscan, 1.3 or later)
masscan 2001:db8::/120 -p80,443   # 256 addresses

# There is no practical brute-force scan of IPv6 space: a /64 holds 2^64
# addresses and even at 10 million pps would take tens of thousands of years,
# and a /32 or ::/0 is hopeless. Scan address lists gathered from DNS,
# certificate transparency, routing data or logs instead
masscan -iL ipv6_targets.txt -p80,443,22 --rate 1000

# Scan specific IPv6 addresses
masscan 2001:db8::1 -p80,443,22

# Scan IPv6 with rate limiting
masscan 2001:db8::/120 -p80,443 --rate 100

Configuration Files

Creating Configuration Files

bash
# Dump the effective configuration (every option, including defaults) in
# masscan's key = value config format; with no other arguments this is a
# blank template. Ctrl-C during a scan writes the same format to paused.conf
masscan --echo > masscan.conf

# Edit configuration file
# masscan.conf example:
# rate = 1000
# output-format = xml
# output-filename = scan_results.xml
# ports = 80,443,22
# range = 192.168.1.0/24
# excludefile = exclude.txt

# Use configuration file (options given on the command line after -c override it)
masscan -c masscan.conf

Resume Functionality

bash
# Masscan does not resume from its binary output. Interrupting a scan with
# Ctrl-C writes paused.conf (the full configuration plus the position reached
# in the randomized target sequence) to the current directory
masscan 192.168.1.0/24 -p1-65535 --rate 1000 -oX scan.xml
# ... Ctrl-C ...

# Resume the interrupted scan from where it stopped
masscan --resume paused.conf

# Resume with a different rate (options given after --resume override the saved ones)
masscan --resume paused.conf --rate 2000

Integration with Other Tools

Combining with Nmap

bash
# Use masscan for discovery, nmap for detailed scanning. The -oL list format
# (state proto port ip timestamp) is not something nmap -iL can read, so pull
# the address column out first
masscan 192.168.1.0/24 -p80,443 --rate 1000 -oL live_hosts.list
awk '$1 == "open" {print $4}' live_hosts.list | sort -u > live_hosts.txt
nmap -iL live_hosts.txt -sV -sC

# Extract IPs from masscan XML output
masscan 192.168.1.0/24 -p80 -oX results.xml
grep -oP '(?<=addr=")[^"]*' results.xml > live_ips.txt
nmap -iL live_ips.txt -sV

Processing Results

bash
# Count open ports
masscan 192.168.1.0/24 -p1-1000 -oL results.txt
grep "open" results.txt | wc -l

# Extract unique IPs
masscan 192.168.1.0/24 -p80,443 -oL results.txt
grep "open" results.txt | awk '{print $4}' | sort -u

# Create target list for further scanning
masscan 192.168.1.0/24 -p80 -oL results.txt
grep "open" results.txt | awk '{print $4}' > web_servers.txt
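The one-liners above, folded into reusable functions, as an added example that is not part of masscan: POSIX shell helpers that read masscan's list (-oL) and XML (-oX) output and produce the lists nmap needs, including a per-host port list so the follow-up scan only touches ports masscan already found open. The two sample outputs are constructed for this example to match the record layouts the tool writes; `masscan_hosts`, `masscan_hosts_with_port`, `masscan_nmap_ports` and `masscan_xml_hosts` are names chosen here.

```sh
#!/bin/sh
# Added example, not part of masscan: turn masscan -oL output into target lists
# for nmap. The list format is one record per open port:
#   open tcp 80 192.168.1.10 1700000000   (state proto port ip timestamp)
# with '#' comment lines at the top and bottom. The XML format puts one <host>
# element per line with <address addr="..."/> and <state state="open"/>.
# Both samples below are constructed for this example.

SAMPLE_LIST='#masscan
open tcp 80 192.168.1.10 1700000000
open tcp 443 192.168.1.10 1700000001
open tcp 22 192.168.1.20 1700000002
open tcp 80 192.168.1.30 1700000003
open tcp 445 192.168.1.20 1700000004
# end'

SAMPLE_XML='<?xml version="1.0"?>
<nmaprun scanner="masscan" start="1700000000" version="1.0-BETA" xmloutputversion="1.03">
<host endtime="1700000000"><address addr="192.168.1.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1700000001"><address addr="192.168.1.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1700000002"><address addr="192.168.1.20" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
</nmaprun>'

# Unique hosts with at least one open port (stdin: -oL output). Feed to nmap -iL.
masscan_hosts() {
  awk '$1 == "open" { print $4 }' | sort -u
}

# Hosts that have a specific port open (stdin: -oL output).
masscan_hosts_with_port() {
  awk -v p="$1" '$1 == "open" && $3 == p { print $4 }' | sort -u
}

# "ip port,port,..." per host, so nmap -sV only probes what masscan found open.
masscan_nmap_ports() {
  awk '$1 == "open" { ports[$4] = (ports[$4] == "" ? $3 : (ports[$4] "," $3)) }
       END { for (h in ports) print h, ports[h] }' | sort
}

# Unique hosts from -oX output; sed instead of grep -P so it works on BSD/busybox.
masscan_xml_hosts() {
  sed -n 's/.*<address addr="\([^"]*\)".*/\1/p' | sort -u
}

# Usage: per-host follow-up with nmap, limited to the ports masscan reported.
# Printed as commands here; drop the leading echo to run them.
printf '%s\n' "$SAMPLE_LIST" | masscan_nmap_ports | while read -r host ports; do
  echo nmap -sV -sC -p "$ports" "$host"
done
```

Keeping the per-host port list matters on large ranges: `nmap -iL hosts.txt -sV` re-probes every host with nmap's default 1000 ports, whereas `-p "$ports"` per host spends nmap's slow version probes only where masscan already saw a SYN-ACK.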

Practical Examples

Web Server Discovery

bash
# Find web servers in network
masscan 192.168.1.0/24 -p80,443,8080,8443,8000,8888 --rate 1000

# Find web servers with banners
masscan 192.168.1.0/24 -p80,443 --banners --rate 500

# Comprehensive web service scan
masscan 192.168.1.0/24 -p80,443,8080,8443,8000,8888,9000,9090 --banners --rate 1000

Service Discovery

bash
# Find SSH servers
masscan 192.168.1.0/24 -p22 --banners --rate 1000

# Find mail servers
masscan 192.168.1.0/24 -p25,110,143,993,995 --rate 1000

# Find database servers
masscan 192.168.1.0/24 -p3306,5432,1433,1521,27017 --rate 1000

# Find file sharing services
masscan 192.168.1.0/24 -p21,22,139,445,2049 --rate 1000

Security Assessment

bash
# Quick network overview
masscan 192.168.1.0/24 -p1-1000 --rate 5000 -oX quick_scan.xml

# Comprehensive service discovery
masscan 192.168.1.0/24 -p1-65535 --rate 2000 --banners -oX full_scan.xml

# Focus on commonly exposed services that most often carry weak or outdated configurations
masscan 192.168.1.0/24 -p21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1433,3306,3389,5432 --banners --rate 1000

Performance Tuning

Rate Optimization

bash
# Find the rate your link and the target network tolerate: run the same small
# scan at increasing rates and compare what each finds. When open ports start
# disappearing, probes or replies are being dropped and the rate is too high
# (masscan's status line shows the rate it actually achieves)
masscan 192.168.1.0/24 -p1-1000 --rate 1000   # Start conservative
masscan 192.168.1.0/24 -p1-1000 --rate 10000  # Increase gradually
masscan 192.168.1.0/24 -p1-1000 --rate 100000 # Needs a wired gigabit link or better; Wi-Fi and USB NICs will not keep up

# Adjust based on network conditions
# Local network: --rate 10000-100000
# WAN: --rate 1000-10000
# Internet: --rate 100-1000

Memory and CPU Optimization

bash
# Masscan keeps no per-target state, so memory use stays flat however large the
# range; what grows with scan size is time. Retries multiply the probe count,
# so leave them at 0 for Internet-scale work
masscan 0.0.0.0/0 -p80 --rate 1000 --retries 0 --excludefile exclude.txt

# Banner mode is the exception: every in-progress connection holds state, so
# cap how long each one may linger
masscan 192.168.1.0/24 -p80,443 --banners --connection-timeout 5

# --wait only sets how long to listen for late replies after the last probe;
# it does not shape CPU or bandwidth use during the scan
masscan 192.168.1.0/24 -p1-65535 --rate 5000 --wait 1

Error Handling and Troubleshooting

Common Issues

bash
# Permission errors (raw packet I/O needs root or the CAP_NET_RAW capability)
sudo masscan 192.168.1.0/24 -p80

# Network interface issues: list the adapters masscan sees, then name one explicitly
masscan --iflist
masscan 192.168.1.0/24 -p80 --adapter eth0

# Missing results on a range that should have open ports: usually dropped
# packets, so reduce the rate
masscan 192.168.1.0/24 -p80 --rate 100

# Banners cut short on slow services: raise the connection timeout
masscan 192.168.1.0/24 -p80 --banners --connection-timeout 30

Debugging

bash
# Print the effective configuration and exit (this is not a verbose mode; it
# shows exactly what masscan would run with, defaults included)
masscan 192.168.1.0/24 -p80 --echo

# Run the built-in self tests
masscan --selftest

# Check network configuration
masscan --echo | grep -E "(adapter|router-mac|source-ip)"

Security Considerations

  • Only scan networks you own or have explicit permission to test
  • Be aware of local laws and regulations regarding network scanning
  • Consider the impact on network performance and availability
  • Document your scanning activities for compliance

Defensive Measures

bash
# Detect masscan activity (on target systems or a network sensor).
# A SYN scan leaves little state on the target: the scanner's kernel answers
# each SYN-ACK with a RST, so half-open connections clear almost at once and a
# SYN_RECV count only spikes while a burst is in progress
netstat -an | grep SYN_RECV | wc -l

# Capture SYN-only segments (SYN set, ACK clear; 'tcp-syn != 0' alone would
# also match the SYN-ACK replies) and rank sources by how many they send
tcpdump -nn -i eth0 -c 1000 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' \
  | awk '{print $3}' | sed 's/\.[0-9]*$//' | sort | uniq -c | sort -rn | head
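The pattern the comments above describe, many SYNs from one source to many distinct destinations in a short window, as an added detection example that is not from masscan or its documentation: a POSIX shell/awk function that reads `tcpdump -nn -tt` text lines and reports sources that reach at least a threshold of distinct host:port targets, together with the time span of the burst. The capture lines are constructed for this example: one source sweeps port 80 across a /24 in under 50 ms, the other behaves like an ordinary client reconnecting to one HTTPS server; `syn_scan_sources` is a name chosen here.

```sh
#!/bin/sh
# Added example, not masscan's code: flag SYN-scan sources in tcpdump output.
# Expected input is the text form of:
#   tcpdump -nn -tt 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
# i.e. lines like
#   1700000000.000000 IP 203.0.113.5.61000 > 192.168.1.10.80: Flags [S], seq 0, win 1024, length 0
# A scanner is a source that sends SYNs to many distinct host:port pairs; an
# ordinary client retrying one service hits the same pair repeatedly and is not flagged.

# syn_scan_sources <threshold>   (stdin: tcpdump lines)
# Prints "source distinct_targets seconds_from_first_to_last_syn" for every
# source with at least <threshold> distinct targets, sorted by source.
syn_scan_sources() {
  awk -v thr="${1:-20}" '
    $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
      src = $3; sub(/\.[0-9]+$/, "", src)   # drop the source port
      dst = $5; sub(/:$/, "", dst)          # keep dst host:port, drop the colon
      key = src SUBSEP dst
      if (!(key in seen)) { seen[key] = 1; targets[src]++ }
      if (!(src in first)) first[src] = $1
      last[src] = $1
    }
    END {
      for (s in targets)
        if (targets[s] >= thr)
          printf "%s %d %.3f\n", s, targets[s], last[s] - first[s]
    }' | sort
}

# Constructed sample capture: one source sweeps port 80 across 25 hosts in 48 ms,
# another opens three normal connections to one HTTPS server.
SAMPLE_SYN_LOG=$(
  i=0
  while [ "$i" -lt 25 ]; do
    printf '1700000000.%06d IP 203.0.113.5.61000 > 192.168.1.%d.80: Flags [S], seq 0, win 1024, length 0\n' \
      $(( i * 2000 )) $(( 10 + i ))
    i=$(( i + 1 ))
  done
  printf '1700000001.000000 IP 198.51.100.7.51234 > 192.168.1.10.443: Flags [S], seq 0, win 64240, length 0\n'
  printf '1700000001.100000 IP 198.51.100.7.51235 > 192.168.1.10.443: Flags [S], seq 0, win 64240, length 0\n'
  printf '1700000001.200000 IP 198.51.100.7.51236 > 192.168.1.10.443: Flags [S], seq 0, win 64240, length 0\n'
)

# Usage: on a live sensor this would be
#   tcpdump -nn -tt -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | syn_scan_sources 20
printf '%s\n' "$SAMPLE_SYN_LOG" | syn_scan_sources 20
```

Counting distinct host:port pairs rather than raw SYNs is what separates a scan from a busy legitimate client: a browser retrying one server produces many SYNs but one target, while a single-port sweep of a /24 produces 254 targets in well under a second at any rate masscan would normally be run at.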

Best Practices

Scanning Strategy

  1. Start with small subnets to test performance
  2. Use appropriate rate limiting for your network
  3. Save results in multiple formats for analysis
  4. Combine with other tools for comprehensive assessment
  5. Document your methodology and findings

Performance Guidelines

  • Local networks: Use high rates (10,000-100,000 pps)
  • Remote networks: Use moderate rates (1,000-10,000 pps)
  • Internet scanning: Use conservative rates (100-1,000 pps)
  • Always test with small ranges first

Output Management

  • Use descriptive filenames with timestamps
  • Save in multiple formats for different analysis tools
  • Compress large output files to save space
  • Backup important scan results

Masscan is an incredibly powerful tool for network reconnaissance and security assessment. Its speed makes it ideal for large-scale scanning, but this power must be used responsibly and ethically. Always ensure you have proper authorization before scanning networks, and be mindful of the impact your scanning may have on network performance and security monitoring systems.